
Commit 1b03f12

authored
chore: DH-20611: Add dependency constraint on json-smart (deephaven#7288)
This ensures that the json-smart dependency we inherit transitively from calcite resolves to a version that is not vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2024-57699.
1 parent ea57624 commit 1b03f12

3 files changed

Lines changed: 15 additions & 0 deletions


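--- a/extensions/flight-sql/build.gradle
+++ b/extensions/flight-sql/build.gradle
@@ -32,6 +32,11 @@ dependencies {
 // :sql does not expose calcite as a dependency (maybe it should?); in the meantime, we want to make sure we can
 // provide reasonable error messages to the client
 implementation libs.calcite.core
+constraints {
+implementation(libs.json.smart) {
+because 'CVE-2024-57699'
+}
+}
 
 implementation libs.dagger
 implementation libs.arrow.flight.sql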
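Review bot: The constraint added after `implementation libs.calcite.core` only governs the configurations of this module (and of consumers that inherit it through its published variants), so any other module that resolves `calcite-core` or reaches `net.minidev:json-smart` by a different path is still free to pick up the vulnerable version; if the goal is repository-wide protection, declaring the constraint once in a shared convention plugin or a `java-platform` project would cover every module in one place. The `because` reason is the text `dependencyInsight` prints, so it is worth making it self-explanatory, e.g. `because 'CVE-2024-57699: raise floor of net.minidev:json-smart pulled in transitively by calcite-core'`. A plain version in a constraint is a floor rather than a pin, which is the right choice here, but the resolved version should be confirmed with `./gradlew :extensions:flight-sql:dependencyInsight --dependency net.minidev:json-smart` (project path inferred from the file location). The enclosing `dependencies {}` block starts and ends outside the hunk.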

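--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -8,7 +8,11 @@ awssdk = "2.29.52"
 aws-s3-tables-catalog-for-iceberg = "0.1.6"
 # See dependency matrix for particular gRPC versions at https://github.com/grpc/grpc-java/blob/master/SECURITY.md#netty
 boringssl = "2.0.61.Final"
+
+# Note: when bumping Calcite version, see if we still need the version constraint for json-smart
 calcite = "1.39.0"
+json-smart = "2.5.2"
+
 classgraph = "4.8.180"
 commons-compress = "1.28.0"
 commons-io = "2.20.0"
@@ -131,6 +135,7 @@ s3-tables-catalog-for-iceberg = { module = "software.amazon.s3tables:s3-tables-c
 boringssl = { module = "io.netty:netty-tcnative-boringssl-static", version.ref = "boringssl" }
 
 calcite-core = { module = "org.apache.calcite:calcite-core", version.ref = "calcite" }
+json-smart = { module = "net.minidev:json-smart", version.ref = "json-smart" }
 
 classgraph = { module = "io.github.classgraph:classgraph", version.ref = "classgraph" }
 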
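Review bot: The note above `calcite = "1.39.0"` tells a future maintainer to "see if we still need" the constraint but not how to decide, and a reader of `[versions]` alone cannot tell that `json-smart` is never a direct dependency. Something like `# Note: json-smart is only a dependency constraint (version floor) for CVE-2024-57699, which reaches us transitively through calcite-core; when bumping Calcite, check whether calcite-core now requires at least this version and drop the constraint and this entry if so` would make the entry self-describing. Placing that comment directly above the `json-smart` line instead of above `calcite` would also let the entry sit by its own explanation rather than breaking the otherwise alphabetical `[versions]` order between `calcite` and `classgraph`.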

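--- a/sql/build.gradle
+++ b/sql/build.gradle
@@ -9,6 +9,11 @@ description = 'The Deephaven SQL parser'
 dependencies {
 api project(':qst')
 implementation libs.calcite.core
+constraints {
+implementation(libs.json.smart) {
+because 'CVE-2024-57699'
+}
+}
 
 compileOnly project(':util-immutables')
 annotationProcessor libs.immutables.value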
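Review bot: The `constraints { implementation(libs.json.smart) { because 'CVE-2024-57699' } }` block is a verbatim copy of the one added to extensions/flight-sql/build.gradle, so the two copies can drift silently the next time json-smart needs a bump in one module but not the other. Both modules need it only because each declares `implementation libs.calcite.core`, so a single owner of that dependency — this project exposing calcite via `api`, as the comment in flight-sql already wonders about, or a shared convention plugin applying the constraint — would leave one copy to maintain. A short comment on the block, `// calcite-core pulls in an older net.minidev:json-smart; this raises the floor for CVE-2024-57699`, would also help a reader who sees only a bare CVE id. The `dependencies {}` block opened in the hunk is closed outside it.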
