
Commit c14ee89

Switch from json-path 2.9.0 to latest json-smart
Signed-off-by: Martin Gaievski <gaievski@amazon.com>
1 parent 5f25d6c commit c14ee89


2 files changed

+4
-12
lines changed


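--- a/build.gradle
+++ b/build.gradle
@@ -269,12 +269,8 @@ dependencies {
 runtimeOnly group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
 runtimeOnly group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
 runtimeOnly group: 'org.json', name: 'json', version: '20231013'
-// json-path 2.9.0 depends on slf4j 2.0.11, which conflicts with the version used by OpenSearch core.
-// Excluding slf4j here since json-path is only used for testing, and logging failures in this context are acceptable.
-runtimeOnly('com.jayway.jsonpath:json-path:2.9.0') {
-// OpenSearch core is using slf4j 1.7.36. Therefore, we cannot change the version here.
-exclude group: 'org.slf4j', module: 'slf4j-api'
-}
+// migrated from json-path 2.9.0 to json-smart because json-path does not have a fix for CVE https://advisories.opensearch.org/advisories/CVE-2024-57699
+runtimeOnly group: 'net.minidev', name: 'json-smart', version: "2.5.2"
 runtimeOnly("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
 runtimeOnly("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
 testFixturesImplementation "org.opensearch:common-utils:${version}"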
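Review bot: The added `runtimeOnly` line makes json-smart a direct runtime dependency of the plugin, although the removed comment says json-path was only used for testing and nothing in this hunk shows a runtime consumer of either library. If the aim is only to keep a vulnerable json-smart from being resolved transitively, a constraint does that without adding the jar unconditionally, e.g. `constraints { runtimeOnly('net.minidev:json-smart:2.5.2') { because 'CVE-2024-57699' } }`. If any test still calls the JsonPath API, removing json-path will break it at run time, so that is worth confirming before merge. The new comment would also be clearer if it named json-smart, pulled in by json-path 2.9.0, as the affected component, which is my reading of the linked advisory. The `dependencies` block starts and ends outside this hunk, so other declarations there may already resolve json-smart.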

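--- a/qa/build.gradle
+++ b/qa/build.gradle
@@ -40,12 +40,8 @@ dependencies {
 compileOnly fileTree(dir: knnJarDirectory, include: "opensearch-knn-${opensearch_build}.jar")
 compileOnly group: 'com.google.guava', name: 'guava', version:'32.1.3-jre'
 compileOnly group: 'commons-lang', name: 'commons-lang', version: '2.6'
-// json-path 2.9.0 depends on slf4j 2.0.11, which conflicts with the version used by OpenSearch core.
-// Excluding slf4j here since json-path is only used for testing, and logging failures in this context are acceptable.
-testRuntimeOnly('com.jayway.jsonpath:json-path:2.9.0') {
-// OpenSearch core is using slf4j 1.7.36. Therefore, we cannot change the version here.
-exclude group: 'org.slf4j', module: 'slf4j-api'
-}
+// migrated from json-path 2.9.0 to json-smart because json-path does not have a fix for CVE https://advisories.opensearch.org/advisories/CVE-2024-57699
+testRuntimeOnly group: 'net.minidev', name: 'json-smart', version: "2.5.2"
 api "org.apache.logging.log4j:log4j-api:${versions.log4j}"
 api "org.apache.logging.log4j:log4j-core:${versions.log4j}"
 api "junit:junit:${versions.junit}"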
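Review bot: The json-smart version is a literal `"2.5.2"` on the added `testRuntimeOnly` line and again in build.gradle, so a later security bump has to touch both files and can miss one. Neighbouring entries in this block already read their version from a shared map (`${versions.log4j}`, `${versions.junit}`); defining the json-smart version once and referencing it from both declarations, for example `testRuntimeOnly "net.minidev:json-smart:${jsonSmartVersion}"`, would keep the two in step. `jsonSmartVersion` is a placeholder name for a property defined in one place. The `dependencies` block starts and ends outside this hunk.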
