Add parsson-media dependency to force the required version in depende…

…ncy tree (ce/main -> ce/23.09 @106102) Job: job.9.20240113012920.6037 [git-p4: depot-paths = "//dev/coherence-ce/release/coherence-ce-v23.09/": change = 106107]
oracle · Jan 14, 2024 · 615e8a6 · 615e8a6
1 parent c8bc110
commit 615e8a6
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 16 deletions.
diff --git a/prj/coherence-dependencies/pom.xml b/prj/coherence-dependencies/pom.xml
@@ -206,6 +206,7 @@
     eclipse.mp.metrics.version
     netty.version ???
     grpc.version ???
+    parrson-media.version ??
     This is not always possible if we need to bump versions for CVE's
     -->
     <helidon.version>3.2.5</helidon.version>
@@ -254,6 +255,8 @@
     <opentracing.version>0.33.0</opentracing.version>
     <opentracing.tracerresolver.version>0.1.8</opentracing.tracerresolver.version>
     <oracle.db.version>11.2.0.3.0</oracle.db.version>
+    <!-- make sure this version of parsson-media is in sync with Helidon -->
+    <parsson-media.version>1.0.5</parsson-media.version>
     <protobuf.version>3.21.12</protobuf.version>
     <resin.version>3.0</resin.version>
     <rxjava.version>3.0.2</rxjava.version>
@@ -924,6 +927,17 @@
         <artifactId>micrometer-registry-prometheus</artifactId>
         <version>${micrometer.version}</version>
       </dependency>
+
+      <!-- parsson-media dependency to force usage of the version specified
+      here. This is to get around pulling in older version of this artifact
+      as third party dependency of
+      org.glassfish.jersey.media:jersey-media-json-processing:jar
+      This dependency comes from Helidon -->
+      <dependency>
+        <groupId>org.eclipse.parsson</groupId>
+        <artifactId>parsson-media</artifactId>
+        <version>${parsson-media.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 

diff --git a/prj/etc/dependency-check-suppression.xml b/prj/etc/dependency-check-suppression.xml
@@ -451,20 +451,6 @@
     <cve>CVE-2023-4586</cve>
   </suppress>
 
-  <!-- COH-28822 - Address CVE-2023-4043 for org.eclipse.parsson/[email protected],
-  org.eclipse.parsson/[email protected], org.eclipse.parsson/[email protected]
-  -->
-  <suppress>
-    <notes><![CDATA[
-    file name: parsson-1.0.2.jar
-    file name: parsson-media-1.0.2.jar
-    file name: parsson-media-1.0.3.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.eclipse\.parsson/parsson.*@.*$</packageUrl>
-    <cpe>cpe:2.3:a:eclipse:parsson</cpe>
-    <cve>CVE-2023-4043</cve>
-  </suppress>
-
   <!-- Supress this since its coming from Bedrock. Its a test dependency
   COH-28873 - Address CVE-2023-5763 from jakarta.el-5.0.0-M1.jar
    -->

diff --git a/prj/examples/tutorials/500-graphql/complete/pom.xml b/prj/examples/tutorials/500-graphql/complete/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2021, 2023 Oracle and/or its affiliates.
+  ~ Copyright (c) 2021, 2024 Oracle and/or its affiliates.
   ~
   ~ Licensed under the Universal Permissive License v 1.0 as shown at
   ~ https://oss.oracle.com/licenses/upl.
@@ -22,6 +22,8 @@
     <coherence.group.id>com.oracle.coherence.ce</coherence.group.id>
     <coherence.version>${project.version}</coherence.version>
     <helidon.version>3.2.5</helidon.version>
+    <!-- make sure this version of parsson-media is in sync with Helidon -->
+    <parsson-media.version>1.0.5</parsson-media.version>
 
     <java.version>17</java.version>
 
@@ -81,6 +83,12 @@
       <artifactId>coherence-cdi-server</artifactId>
     </dependency>
 
+    <dependency>
+      <groupId>org.eclipse.parsson</groupId>
+      <artifactId>parsson-media</artifactId>
+      <version>${parsson-media.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-api</artifactId>

diff --git a/prj/examples/tutorials/500-graphql/initial/pom.xml b/prj/examples/tutorials/500-graphql/initial/pom.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2021, 2023 Oracle and/or its affiliates.
+  ~ Copyright (c) 2021, 2024 Oracle and/or its affiliates.
   ~
   ~ Licensed under the Universal Permissive License v 1.0 as shown at
   ~ https://oss.oracle.com/licenses/upl.
@@ -22,6 +22,8 @@
     <coherence.group.id>com.oracle.coherence.ce</coherence.group.id>
     <coherence.version>${project.version}</coherence.version>
     <helidon.version>3.2.5</helidon.version>
+    <!-- make sure this version of parsson-media is in sync with Helidon -->
+    <parsson-media.version>1.0.5</parsson-media.version>
 
     <java.version>17</java.version>
 
@@ -77,6 +79,12 @@
       <artifactId>helidon-microprofile-metrics</artifactId>
     </dependency>
     <!-- end::deps2[] -->
+    <dependency>
+      <groupId>org.eclipse.parsson</groupId>
+      <artifactId>parsson-media</artifactId>
+      <version>${parsson-media.version}</version>
+    </dependency>
+
 
     <dependency>
       <groupId>org.junit.jupiter</groupId>