Switch from json-path 2.9.0 to latest json-smart

martin-gaievski · martin-gaievski · commit c14ee891cd34 · 2025-03-11T09:13:18.000-07:00
Signed-off-by: Martin Gaievski &lt;gaievski@amazon.com&gt;
diff --git a/build.gradle b/build.gradle
@@ -269,12 +269,8 @@ dependencies {
     runtimeOnly group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
     runtimeOnly group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
     runtimeOnly group: 'org.json', name: 'json', version: '20231013'
-    // json-path 2.9.0 depends on slf4j 2.0.11, which conflicts with the version used by OpenSearch core.
-    // Excluding slf4j here since json-path is only used for testing, and logging failures in this context are acceptable.
-    runtimeOnly('com.jayway.jsonpath:json-path:2.9.0') {
-        // OpenSearch core is using slf4j 1.7.36. Therefore, we cannot change the version here.
-        exclude group: 'org.slf4j', module: 'slf4j-api'
-    }
+    // migrated from json-path 2.9.0 to json-smart because json-path does not have a fix for CVE https://advisories.opensearch.org/advisories/CVE-2024-57699
+    runtimeOnly group: 'net.minidev', name: 'json-smart', version: "2.5.2"
     runtimeOnly("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     runtimeOnly("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testFixturesImplementation "org.opensearch:common-utils:${version}"
diff --git a/qa/build.gradle b/qa/build.gradle
@@ -40,12 +40,8 @@ dependencies {
     compileOnly fileTree(dir: knnJarDirectory, include: "opensearch-knn-${opensearch_build}.jar")
     compileOnly group: 'com.google.guava', name: 'guava', version:'32.1.3-jre'
     compileOnly group: 'commons-lang', name: 'commons-lang', version: '2.6'
-    // json-path 2.9.0 depends on slf4j 2.0.11, which conflicts with the version used by OpenSearch core.
-    // Excluding slf4j here since json-path is only used for testing, and logging failures in this context are acceptable.
-    testRuntimeOnly('com.jayway.jsonpath:json-path:2.9.0') {
-        // OpenSearch core is using slf4j 1.7.36. Therefore, we cannot change the version here.
-        exclude group: 'org.slf4j', module: 'slf4j-api'
-    }
+    // migrated from json-path 2.9.0 to json-smart because json-path does not have a fix for CVE https://advisories.opensearch.org/advisories/CVE-2024-57699
+    testRuntimeOnly group: 'net.minidev', name: 'json-smart', version: "2.5.2"
     api "org.apache.logging.log4j:log4j-api:${versions.log4j}"
     api "org.apache.logging.log4j:log4j-core:${versions.log4j}"
     api "junit:junit:${versions.junit}"
