GUACAMOLE-1807: Merge update to latest compatible versions for Java dependencies and JDBC drivers.

2026-03-21 13:11:37 +00:00 · 2023-07-11 11:28:08 -07:00
parent 7e236daf2f bbf67521f3
commit e7e78f05bb
53 changed files with 173 additions and 102 deletions
@@ -50,6 +50,11 @@ RUN apt-get update && apt-get install -y firefox
 # as well: `--build-arg MAVEN_ARGUMENTS="-P lgpl-extensions -DskipTests=false"`.
 ARG MAVEN_ARGUMENTS="-DskipTests=false"

+# Versions of JDBC drivers to bundle within image
+ARG MSSQL_JDBC_VERSION=12.2.0
+ARG MYSQL_JDBC_VERSION=8.0.33
+ARG PGSQL_JDBC_VERSION=42.6.0
+
 # Build environment variables
 ENV \
    BUILD_DIR=/tmp/guacamole-docker-BUILD
@@ -122,7 +122,7 @@
 	<dependency>
 		<groupId>org.slf4j</groupId>
 		<artifactId>slf4j-simple</artifactId>
-		<version>2.0.6</version>
+		<version>2.0.7</version>
 	</dependency>


@@ -0,0 +1,8 @@
+Caffeine (https://github.com/ben-manes/caffeine)
+------------------------------------------------
+
+    Version: 2.9.3
+    From: 'Ben Manes' (https://github.com/ben-manes)
+    License(s):
+        Apache v2.0
+
@@ -0,0 +1 @@
+com.github.ben-manes.caffeine:caffeine:jar:2.9.3
@@ -1 +0,0 @@
-org.checkerframework:checker-qual:jar:3.12.0
@@ -1,8 +1,8 @@
 Checker Framework qualifiers (https://checkerframework.org/)
 ------------------------------------------------------------

-    Version: 3.12.0
+    Version: 3.33.0
    From: 'Checker Framework developers' (https://checkerframework.org/)
    License(s):
-        MIT (bundled/checker-qual-3.12.0/LICENSE.txt)
+        MIT (bundled/checker-qual-3.33.0/LICENSE.txt)

@@ -0,0 +1 @@
+org.checkerframework:checker-qual:jar:3.33.0
@@ -1 +0,0 @@
-org.apache.directory.api:api-all:jar:2.1.2
@@ -1,5 +1,5 @@
 Apache Directory LDAP API
-Copyright 2003-2021 The Apache Software Foundation
+Copyright 2003-2022 The Apache Software Foundation

 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
@@ -1,7 +1,7 @@
 Apache Directory LDAP API (http://directory.apache.org)
 -------------------------------------------------------

-    Version: 2.1.2
+    Version: 2.1.3
    From: 'Apache Software Foundation' (https://www.apache.org/)
    License(s):
        Apache v2.0
@@ -0,0 +1 @@
+org.apache.directory.api:api-all:jar:2.1.3
@@ -1,4 +1,4 @@
-Copyright 2001-2016 (C) MetaStuff, Ltd. and DOM4J contributors. All Rights Reserved.
+Copyright 2001-2023 © MetaStuff, Ltd. and DOM4J contributors. All Rights Reserved.

 Redistribution and use of this software and associated documentation
 ("Software"), with or without modification, are permitted provided
@@ -1,8 +1,8 @@
 DOM4J (https://dom4j.github.io/)
 --------------------------------

-    Version: 2.1.3
+    Version: 2.1.4
    From: 'MetaStuff, Ltd. and DOM4J contributors'
    License(s):
-        DOM4J License (bundled/dom4j-2.1.3/LICENSE)
+        DOM4J License (bundled/dom4j-2.1.4/LICENSE)

@@ -1 +1 @@
-org.apache.servicemix.bundles:org.apache.servicemix.bundles.dom4j:jar:2.1.3_1
+org.apache.servicemix.bundles:org.apache.servicemix.bundles.dom4j:jar:2.1.4_1
@@ -1 +0,0 @@
-com.google.errorprone:error_prone_annotations:jar:2.11.0
@@ -1,7 +1,7 @@
 Error Prone (https://errorprone.info/)
 --------------------------------------

-    Version: 2.11.0
+    Version: 2.18.0
    From: 'Google Inc.' (http://www.google.com/)
    License(s):
        Apache v2.0
@@ -0,0 +1 @@
+com.google.errorprone:error_prone_annotations:jar:2.18.0
@@ -1,7 +1,7 @@
 Guava: Google Core Libraries for Java (https://github.com/google/guava)
 -----------------------------------------------------------------------

-    Version: 31.1-jre
+    Version: 32.1.1-jre
    From: 'Google Inc.' (http://www.google.com/)
    License(s):
        Apache v2.0
@@ -1,3 +1,3 @@
 com.google.guava:failureaccess:jar:1.0.1
-com.google.guava:guava:jar:31.1-jre
+com.google.guava:guava:jar:32.1.1-jre
 com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava
@@ -1 +0,0 @@
-com.google.j2objc:j2objc-annotations:jar:1.3
@@ -1,7 +1,7 @@
 Java to Objective-C Annotations (https://github.com/google/j2objc)
 ------------------------------------------------------------------

-    Version: 1.3
+    Version: 2.8
    From: 'Google Inc.' (http://www.google.com/)
    License(s):
        Apache v2.0
@@ -0,0 +1 @@
+com.google.j2objc:j2objc-annotations:jar:2.8
@@ -1,7 +1,7 @@
 Jackson (https://github.com/FasterXML/jackson)
 ----------------------------------------------

-    Version: 2.15.0
+    Version: 2.15.2
    From: 'FasterXML, LLC' (https://github.com/FasterXML)
    License(s):
        Apache v2.0
@@ -1,4 +1,4 @@
-com.fasterxml.jackson.core:jackson-core:jar:2.15.0
-com.fasterxml.jackson.core:jackson-annotations:jar:2.15.0
-com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.15.0
-com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.0
+com.fasterxml.jackson.core:jackson-core:jar:2.15.2
+com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2
+com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.15.2
+com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2
@@ -1 +0,0 @@
-com.fasterxml.jackson.core:jackson-databind:jar:2.15.0
@@ -1,7 +1,7 @@
 Jackson-databind (https://github.com/FasterXML/jackson-databind)
 ----------------------------------------------

-    Version: 2.15.0
+    Version: 2.15.2
    From: 'FasterXML, LLC' (https://github.com/FasterXML)
    License(s):
        Apache v2.0
@@ -0,0 +1 @@
+com.fasterxml.jackson.core:jackson-databind:jar:2.15.2
@@ -1 +0,0 @@
-org.javassist:javassist:jar:3.29.0-GA
@@ -1,7 +1,7 @@
 Javassist (https://www.javassist.org/)
 --------------------------------------

-    Version: 3.29.0-GA
+    Version: 3.29.2-GA
    From: 'Shigeru Chiba' (https://github.com/chibash)
    License(s):
        Apache v2.0
@@ -0,0 +1 @@
+org.javassist:javassist:jar:3.29.2-GA
@@ -1,7 +0,0 @@
-org.glassfish.jersey.containers:jersey-container-servlet-core:jar:2.39.1
-org.glassfish.jersey.core:jersey-common:jar:2.39.1
-org.glassfish.jersey.core:jersey-server:jar:2.39.1
-org.glassfish.jersey.core:jersey-client:jar:2.39.1
-org.glassfish.jersey.inject:jersey-hk2:jar:2.39.1
-org.glassfish.jersey.media:jersey-media-json-jackson:jar:2.39.1
-org.glassfish.jersey.ext:jersey-entity-filtering:jar:2.39.1
@@ -1,8 +1,8 @@
 Jersey (https://jersey.java.net/)
 ---------------------------------

-    Version: 2.39.1
+    Version: 2.40
    From: 'Eclipse Foundation' (https://www.eclipse.org/)
    License(s):
-        EPL v2.0 (bundled/jersey-2.39.1/LICENSE.md)
+        EPL v2.0 (bundled/jersey-2.40/LICENSE.md)

@@ -0,0 +1,7 @@
+org.glassfish.jersey.containers:jersey-container-servlet-core:jar:2.40
+org.glassfish.jersey.core:jersey-common:jar:2.40
+org.glassfish.jersey.core:jersey-server:jar:2.40
+org.glassfish.jersey.core:jersey-client:jar:2.40
+org.glassfish.jersey.inject:jersey-hk2:jar:2.40
+org.glassfish.jersey.media:jersey-media-json-jackson:jar:2.40
+org.glassfish.jersey.ext:jersey-entity-filtering:jar:2.40
@@ -1,5 +0,0 @@
-org.jetbrains.kotlin:kotlin-reflect:jar:1.8.20
-org.jetbrains.kotlin:kotlin-stdlib:jar:1.8.20
-org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.8.20
-org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.8.20
-org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.8.20
@@ -1,7 +1,7 @@
 Kotlin (https://kotlinlang.org/)
 --------------------------------

-    Version: 1.8.20
+    Version: 1.9.0
    From: 'JetBrains s.r.o and respective authors and developers'
    License(s):
        Apache v2.0
@@ -0,0 +1,5 @@
+org.jetbrains.kotlin:kotlin-reflect:jar:1.9.0
+org.jetbrains.kotlin:kotlin-stdlib:jar:1.9.0
+org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.9.0
+org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.9.0
+org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.9.0
@@ -1 +0,0 @@
-com.keepersecurity.secrets-manager:core:jar:16.5.3
@@ -2,8 +2,8 @@ Keeper Secrets Manager Java SDK
 (https://github.com/Keeper-Security/secrets-manager)
 ----------------------------------------------------

-    Version: 16.5.3
+    Version: 16.5.4
    From: 'Keeper Security' (https://www.keepersecurity.com/)
    License(s):
-        MIT (bundled/ksm-sdk-16.5.3/LICENSE)
+        MIT (bundled/ksm-sdk-16.5.4/LICENSE)

@@ -0,0 +1 @@
+com.keepersecurity.secrets-manager:core:jar:16.5.4
@@ -1,2 +0,0 @@
-ch.qos.logback:logback-classic:jar:1.3.7
-ch.qos.logback:logback-core:jar:1.3.7
@@ -1,8 +1,8 @@
 Logback (http://logback.qos.ch/)
 --------------------------------

-    Version: 1.3.7
+    Version: 1.3.8
    From: 'QOS.ch Sàrl' (http://qos.ch/)
    License(s):
-        EPL v1.0 (bundled/logback-1.3.7/LICENSE.txt)
+        EPL v1.0 (bundled/logback-1.3.8/LICENSE.txt)

@@ -0,0 +1,2 @@
+ch.qos.logback:logback-classic:jar:1.3.8
+ch.qos.logback:logback-core:jar:1.3.8
@@ -51,41 +51,11 @@
        <dependency>
            <groupId>org.apache.directory.api</groupId>
            <artifactId>api-all</artifactId>
-            <version>2.1.2</version>
+            <version>2.1.3</version>
            <exclusions>
-
-                <!-- Resolve version conflict (see below - transitive
-                    dependencies of api-all disagree on 3.12.0 vs. 3.11) -->
-                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-lang3</artifactId>
-                </exclusion>
-
-                <!-- Use latest version of commons-text -->
-                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-text</artifactId>
-                </exclusion>
-
            </exclusions>
        </dependency>

-        <!-- Force use of version 3.12.0 (transitive dependencies of
-            api-all disagree on 3.12.0 vs. 3.11) -->
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-            <version>3.12.0</version>
-        </dependency>
-
-        <!-- Force latest version of commons-text (transitive dependency from
-        Apache Directory API -->
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-            <version>1.10.0</version>
-        </dependency>
-
        <!-- Guice -->
        <dependency>
            <groupId>com.google.inject</groupId>
@@ -38,7 +38,7 @@
    </parent>

    <properties>
-        <kotlin.version>1.8.20</kotlin.version>
+        <kotlin.version>1.9.0</kotlin.version>
    </properties>

    <dependencies>
@@ -60,7 +60,7 @@
        <dependency>
            <groupId>com.keepersecurity.secrets-manager</groupId>
            <artifactId>core</artifactId>
-            <version>16.5.3</version>
+            <version>16.5.4</version>

            <!-- Correct version conflict (different versions across transitive
                dependencies) -->
@@ -83,7 +83,7 @@ tar -xzf extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-dist/target/
 #

 echo "Downloading MySQL Connector/J ..."
-curl -L "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-8.0.32.tar.gz" | \
+curl -L "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-$MYSQL_JDBC_VERSION.tar.gz" | \
 tar -xz                        \
    -C "$DESTINATION/mysql/"   \
    --wildcards                \
@@ -97,7 +97,8 @@ tar -xz                        \
 #

 echo "Downloading PostgreSQL JDBC driver ..."
-curl -L "https://jdbc.postgresql.org/download/postgresql-42.3.8.jar" > "$DESTINATION/postgresql/postgresql-42.3.8.jar"
+curl -L "https://jdbc.postgresql.org/download/postgresql-$PGSQL_JDBC_VERSION.jar" \
+    > "$DESTINATION/postgresql/postgresql-$PGSQL_JDBC_VERSION.jar"

 #
 # Copy SSO auth extensions
@@ -115,14 +116,8 @@ tar -xzf extensions/guacamole-auth-sso/modules/guacamole-auth-sso-dist/target/*.
 #

 echo "Downloading SQL Server JDBC driver ..."
-curl -L "https://go.microsoft.com/fwlink/?linkid=2183223&clcid=0x409" | \
-tar -xz                        \
-    -C "$DESTINATION/sqlserver/"   \
-    --wildcards                \
-    --no-anchored              \
-    --no-wildcards-match-slash \
-    --strip-components=2       \
-    "mssql-jdbc-*.jre8.jar"
+curl -L "https://github.com/microsoft/mssql-jdbc/releases/download/v$MSSQL_JDBC_VERSION/mssql-jdbc-$MSSQL_JDBC_VERSION.jre8.jar" \
+    > "$DESTINATION/sqlserver/mssql-jdbc-$MSSQL_JDBC_VERSION.jre8.jar"   \

 #
 # Copy LDAP auth extension and schema modifications
@@ -36,15 +36,15 @@
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

        <!-- Dependency versions -->
-        <guava.version>31.1-jre</guava.version>
+        <guava.version>32.1.1-jre</guava.version>
        <guice.version>5.1.0</guice.version>
        <hk2.version>2.6.1</hk2.version>
-        <jackson.version>2.15.0</jackson.version>
-        <jackson-databind.version>2.15.0</jackson-databind.version>
-        <jersey.version>2.39.1</jersey.version>
-        <junit.version>5.9.2</junit.version>
+        <jackson.version>2.15.2</jackson.version>
+        <jackson-databind.version>2.15.2</jackson-databind.version>
+        <jersey.version>2.40</jersey.version>
+        <junit.version>5.9.3</junit.version>
        <junit4.version>4.13.2</junit4.version>
-        <logback.version>1.3.7</logback.version>
+        <logback.version>1.3.8</logback.version>
        <slf4j.version>2.0.7</slf4j.version>

        <!-- The directory that should receive all generated dependency lists
@@ -57,6 +57,13 @@
            or missing license headers). -->
        <ignoreLicenseErrors>false</ignoreLicenseErrors>

+        <!-- Set to "true" to perform automated checks for available dependency
+            updates, including whether the declared versions of any
+            dependencies have associated CVEs in NVD. Beware that both checks
+            may produce false positives and false negatives. Updates need to be
+            checked for compatibility and any changes in license information. -->
+        <checkDependencies>false</checkDependencies>
+
    </properties>

    <modules>
@@ -475,6 +482,91 @@
            </build>
        </profile>

+        <!-- Perform automated dependency checks if "checkDependencies" is set to "true" -->
+        <profile>
+            <id>check-dependencies</id>
+            <activation>
+                <property>
+                    <name>checkDependencies</name>
+                    <value>true</value>
+                </property>
+            </activation>
+            <build>
+                <plugins>
+
+                    <!-- Checks for availability of likely-compatibile updates to
+                        dependencies -->
+                    <plugin>
+                        <groupId>org.codehaus.mojo</groupId>
+                        <artifactId>versions-maven-plugin</artifactId>
+                        <version>2.16.0</version>
+                        <configuration>
+                            <allowMajorUpdates>false</allowMajorUpdates>
+                            <dependencyExcludes>*:*:*:*:*:provided,*:*:*:*:*:system</dependencyExcludes>
+                            <outputFile>${project.build.directory}/dependency-update-report.txt</outputFile>
+                            <ruleSet>
+                                <ignoreVersions>
+                                    <ignoreVersion>
+                                        <type>regex</type>
+                                        <version>(.+-SNAPSHOT|.+-(M|RC)\d+)</version>
+                                    </ignoreVersion>
+                                    <ignoreVersion>
+                                        <type>regex</type>
+                                        <version>.+-(alpha|beta)\b.*?</version>
+                                    </ignoreVersion>
+                                </ignoreVersions>
+                                <rules>
+                                    <rule>
+                                        <groupId>ch.qos.logback</groupId>
+                                        <artifactId>logback-classic</artifactId>
+                                        <ignoreVersions>
+                                            <ignoreVersion>
+                                                <type>regex</type>
+                                                <version>1\.4\..+</version>
+                                            </ignoreVersion>
+                                        </ignoreVersions>
+                                    </rule>
+                                </rules>
+                            </ruleSet>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <id>check-dependency-updates</id>
+                                <phase>validate</phase>
+                                <goals>
+                                    <goal>display-dependency-updates</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+
+                    <!-- Checks for possible known CVEs against dependencies
+                        NOTE: This WILL produce false positives!!! -->
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <version>8.3.1</version>
+                        <configuration>
+                            <skipProvidedScope>true</skipProvidedScope>
+                            <skipSystemScope>true</skipSystemScope>
+                            <skipTestScope>true</skipTestScope>
+                            <nodeAuditAnalyzerUrl>/-/npm/v1/security/advisories/bulk</nodeAuditAnalyzerUrl>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <id>check-dependency-updates</id>
+                                <phase>validate</phase>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+
+                </plugins>
+            </build>
+        </profile>
+
    </profiles>

 </project>
				`@@ -0,0 +1 @@`
				`com.github.ben-manes.caffeine:caffeine:jar:2.9.3`
				`@@ -1 +0,0 @@`
				`org.checkerframework:checker-qual:jar:3.12.0`
				`@@ -1 +0,0 @@`
				`com.google.errorprone:error_prone_annotations:jar:2.11.0`
				`@@ -1 +0,0 @@`
				`com.google.j2objc:j2objc-annotations:jar:1.3`
				`@@ -1 +0,0 @@`
				`com.fasterxml.jackson.core:jackson-databind:jar:2.15.0`
				`@@ -1 +0,0 @@`
				`com.keepersecurity.secrets-manager:core:jar:16.5.3`