From 793b70ee4a455c44b5f605c51729d6254952afc2 Mon Sep 17 00:00:00 2001
From: Keerthana Srikanth <ksrikanth@confluent.io>
Date: Thu, 30 Nov 2023 15:31:26 +0530
Subject: [PATCH] Upgrade Jackson and Google GSON to address CVEs (#15461)

Upgrade Jackson to version 2.12.7.1 to address CVE-2022-42003, CVE-2022-42004 which affects jackson-databind.
Upgrade com.google.code.gson:gson from 2.2.4 to the latest version (2.10.1) since 2.2.4 is affected by CVE-2022-25647.
---
 licenses.yaml                           |  4 ++--
 owasp-dependency-check-suppressions.xml | 17 -----------------
 pom.xml                                 |  4 ++--
 3 files changed, 4 insertions(+), 21 deletions(-)

diff --git a/licenses.yaml b/licenses.yaml
index aba4eee96895..45de078000e7 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -264,7 +264,7 @@ name: Jackson
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.12.7
+version: 2.12.7.1
 libraries:
   - com.fasterxml.jackson.core: jackson-databind
 notice: |
@@ -2378,7 +2378,7 @@ name: Gson
 license_category: binary
 module: hadoop-client
 license_name: Apache License version 2.0
-version: 2.2.4
+version: 2.10.1
 libraries:
   - com.google.code.gson: gson
 
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 21dd5211fd81..1dd8a75e620d 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -71,23 +71,6 @@
     <cve>CVE-2022-45688</cve>
   </suppress>
 
-  <suppress>
-    <!--
-      the suppressions here aren't currently applicable, but can be resolved once we update the version
-      -->
-    <notes><![CDATA[
-   file name: jackson-databind-2.10.5.1.jar
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-    <!-- CVE-2022-42003 and CVE-2022-42004 are related to UNWRAP_SINGLE_VALUE_ARRAYS which we do not use
-    https://nvd.nist.gov/vuln/detail/CVE-2022-42003
-    https://nvd.nist.gov/vuln/detail/CVE-2022-42004
-     -->
-    <cve>CVE-2022-42003</cve>
-    <cve>CVE-2022-42004</cve>
-  </suppress>
-
-
   <suppress>
     <!-- Not much for us to do as a user of the client lib, and no patch is available,
      see https://github.com/kubernetes/kubernetes/issues/97076 -->
diff --git a/pom.xml b/pom.xml
index 268f48ccf36c..79daf2a1ed34 100644
--- a/pom.xml
+++ b/pom.xml
@@ -79,7 +79,7 @@
         <apache.kafka.version>3.5.1</apache.kafka.version>
         <apache.ranger.version>2.4.0</apache.ranger.version>
         <gson.version>2.10.1</gson.version>
-        <apache.ranger.gson.version>2.2.4</apache.ranger.gson.version>
+        <apache.ranger.gson.version>2.10.1</apache.ranger.gson.version>
         <scala.library.version>2.13.11</scala.library.version>
         <avatica.version>1.23.0</avatica.version>
         <avro.version>1.11.3</avro.version>
@@ -99,7 +99,7 @@
         <hamcrest.version>1.3</hamcrest.version>
         <jetty.version>9.4.53.v20231009</jetty.version>
         <jersey.version>1.19.4</jersey.version>
-        <jackson.version>2.12.7</jackson.version>
+        <jackson.version>2.12.7.20221012</jackson.version>
         <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
         <log4j.version>2.18.0</log4j.version>
         <mysql.version>5.1.49</mysql.version>