From d3e6efe4dc7c4b9c18b07e2007e6a3c6ab792a17 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com>
Date: Fri, 10 Nov 2023 08:21:44 -0500
Subject: [PATCH 1/6] Bumps spotbugs-gradle-plugin to 5.2.3 (#3676)
### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).
Signed-off-by: Darshit Chanpura
---
 build.gradle | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index c3ff4bfb4b..ef4a33edb0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -66,7 +66,7 @@ plugins {
 id 'com.netflix.nebula.ospackage' version "11.5.0"
 id "org.gradle.test-retry" version "1.5.6"
 id 'eclipse'
- id "com.github.spotbugs" version "5.2.1"
+ id "com.github.spotbugs" version "5.2.3"
 id "com.google.osdetector" version "1.7.3"
 }
@@ -480,7 +480,6 @@ configurations {
 force "io.netty:netty-handler:${versions.netty}"
 force "io.netty:netty-transport:${versions.netty}"
 force "io.netty:netty-transport-native-unix-common:${versions.netty}"
- force "org.apache.bcel:bcel:6.7.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
 force "com.github.luben:zstd-jni:${versions.zstd}"
 force "org.xerial.snappy:snappy-java:1.1.10.5"
 force "com.google.guava:guava:${guava_version}"
From b504ca4303280d9275f49660981fdca85a497fe5 Mon Sep 17 00:00:00 2001
From: Peter Nied
Date: Fri, 10 Nov 2023 12:05:24 -0600
Subject: [PATCH 2/6] Fix the association of code coverage results with source code (#3668)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
### Description Fix the association of code coverage results with source code. You'll have seen how this was broken because we stopped getting the comment on PRs with coverage information. My apologies for breaking this in the most recent change to centralized the CC runs. ### Issues Resolved - Resolves https://github.com/opensearch-project/security/issues/2649 ### Testing ✅ Inspection CC report on this PR, see [[link]](https://github.com/opensearch-project/security/pull/3668#issuecomment-1802489151). ### Check List - [ ] ~New functionality includes testing~ - [ ] ~New functionality has been documented~ - [X] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). ---------
Signed-off-by: Peter Nied
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 009cfc8fe5..399dec5e48 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -73,6 +73,7 @@ jobs:
 - "integration-tests"
 runs-on: ubuntu-latest
 steps:
+ - uses: actions/checkout@v4
 - uses: actions/download-artifact@v3
 with:
 path: downloaded-artifacts
@@ -101,7 +102,6 @@ jobs:
 with: |
 token: ${{ secrets.CODECOV_TOKEN }}
 fail_ci_if_error: true
- directory: downloaded-artifacts
 verbose: true
From ea2f9b21a90bec2678ad31c113c847872c955ea8 Mon Sep 17 00:00:00 2001
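Review bot: The added `- uses: actions/checkout@v4` step references the action by a mutable major-version tag, so the code this job executes can change without any change to the workflow; pinning it to a full commit SHA with the version kept as a trailing comment, `- uses: actions/checkout@<full-commit-sha> # v4`, fixes the content that runs. The same applies to the existing `actions/download-artifact@v3` line directly below it, and it matters for this job in particular because the second hunk shows it handling `secrets.CODECOV_TOKEN`. If the repository runs Dependabot for the github-actions ecosystem, SHA pins carrying a `# vN` comment are presumably still kept current by it, so the pin does not trade away updates. Since this checkout only needs the source tree for coverage path mapping, `persist-credentials: false` on the step would also keep the job token out of the checked-out git config. The enclosing job definition starts outside the hunk.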
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 08:05:20 -0500 Subject: [PATCH 3/6] Bump org.junit.jupiter:junit-jupiter-api from 5.10.0 to 5.10.1 (#3681) Bumps [org.junit.jupiter:junit-jupiter-api](https://github.com/junit-team/junit5) from 5.10.0 to 5.10.1.
Release notes

Sourced from org.junit.jupiter:junit-jupiter-api's releases.

JUnit 5.10.1 = Platform 1.10.1 + Jupiter 5.10.1 + Vintage 5.10.1

See Release Notes.

Full Changelog: https://github.com/junit-team/junit5/compare/r5.10.0...r5.10.1

Commits
  • e5f50d8 Release 5.10.1
  • ac86d18 Fix typo in AfterAll documentation
  • 388c5be Harmonize application of method and field filters in search algorithms
  • f82dd1e Apply field predicate before searching type hierarchy
  • 1d1eb85 Polishing
  • 5ce280e Update picocli to 4.7.5 and enable help width computation
  • fea05c3 Fix ConsoleLauncherTests and StandaloneTests
  • c556735 Use same expected files for all JDK versions
  • 808493a Run StandaloneTests for Java 8 under Java 8
  • 9ec5766 Unify messages about exit codes in StandaloneTests
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.junit.jupiter:junit-jupiter-api&package-manager=gradle&previous-version=5.10.0&new-version=5.10.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index ef4a33edb0..96a5fbf33c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -681,7 +681,7 @@ dependencies {
 testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.13'
 testImplementation 'org.springframework:spring-beans:5.3.30'
 testImplementation 'org.junit.jupiter:junit-jupiter:5.10.0'
- testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0'
+ testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.1'
 // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available
 if (osdetector.classifier in ["osx-x86_64", "osx-aarch_64", "linux-x86_64", "linux-aarch_64", "windows-x86_64"]) {
 testImplementation "io.netty:netty-tcnative-classes:2.0.61.Final"
From af149372b8b59259811625dcccadb402c5c32bd5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Nov 2023 08:06:57 -0500
Subject: [PATCH 4/6] Bump com.google.googlejavaformat:google-java-format from 1.17.0 to 1.18.1 (#3684)
Bumps [com.google.googlejavaformat:google-java-format](https://github.com/google/google-java-format) from 1.17.0 to 1.18.1.
Release notes

Sourced from com.google.googlejavaformat:google-java-format's releases.

v1.18.1

Changes

  • Fixed version number for Eclipse plugin (#744)

Full Changelog: https://github.com/google/google-java-format/compare/v1.18.0...v1.18.1

v1.18.0

Changes

Full Changelog: https://github.com/google/google-java-format/compare/v1.17.0...v1.18.0

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.google.googlejavaformat:google-java-format&package-manager=gradle&previous-version=1.17.0&new-version=1.18.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 96a5fbf33c..b455721ebe 100644
--- a/build.gradle
+++ b/build.gradle
@@ -732,7 +732,7 @@ dependencies {
 integrationTestImplementation "org.apache.httpcomponents:httpasyncclient:4.1.5"
 //spotless
- implementation('com.google.googlejavaformat:google-java-format:1.17.0') {
+ implementation('com.google.googlejavaformat:google-java-format:1.18.1') {
 exclude group: 'com.google.guava'
 }
 }
From 20d196ba46996ecaafacb638f85856a2d0de313f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Nov 2023 13:23:56 +0000
Subject: [PATCH 5/6] Bump com.nimbusds:nimbus-jose-jwt from 9.37 to 9.37.1 (#3682)
Bumps [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 9.37 to 9.37.1.
Changelog

Sourced from com.nimbusds:nimbus-jose-jwt's changelog.

version 1.0 (2012-03-01)

  • First version based on the OpenInfoCard JWT, JWS and JWE code base.

version 1.1 (2012-03-06)

  • Introduces type-safe enumeration of the JSON Web Algorithms (JWA).
  • Refactors the JWT class.

version 1.2 (2012-03-08)

  • Moves JWS and JWE code into separate classes.

version 1.3 (2012-03-09)

  • Switches to Apache Commons Codec for Base64URL encoding and decoding
  • Consolidates the crypto utilities within the package.
  • Introduces a JWT content serialiser class.

version 1.4 (2012-03-09)

  • Refactoring of JWT class and JUnit tests.

version 1.5 (2012-03-18)

  • Switches to JSON Smart for JSON serialisation and parsing.
  • Introduces claims set class with JSON objects, string, Base64URL and byte array views.

version 1.6 (2012-03-20)

  • Creates class for representing, serialising and parsing JSON Web Keys (JWK).
  • Introduces separate class for representing JWT headers.

version 1.7 (2012-04-01)

  • Introduces separate classes for plain, JWS and JWE headers.
  • Introduces separate classes for plain, signed and encrypted JWTs.
  • Removes the JWTContent class.
  • Removes password-based (PE820) encryption support.

version 1.8 (2012-04-03)

  • Adds support for the ZIP JWE header parameter.
  • Removes unsupported algorithms from the JWA enumeration.

version 1.9 (2012-04-03)

  • Renames JWEHeader.{get|set}EncryptionAlgorithm() to JWEHeader.{get|set}EncryptionMethod().

version 1.9.1 (2012-04-03)

  • Upgrades JSON Smart JAR to 1.1.1.

version 1.10 (2012-04-14)

  • Introduces serialize() method to base abstract JWT class.

version 1.11 (2012-05-13)

  • JWT.serialize() throws checked JWTException instead of

... (truncated)

Commits
  • 60caa26 [maven-release-plugin] prepare for next development iteration
  • 82a03c7 Fixes README.md MD list formatting
  • ac64737 Updates README.md formatting
  • 75960bf Updates README.md OpenID Federation 1.0 ref
  • 8d9e6f1 Fixes Payload JavaDoc
  • 02aacf0 Expands JWTClaimsSet tests
  • dbd5de4 exclude GSON's module-info.class from shaded jar
  • 61f93de Merged in master (pull request #110)
  • cf557b0 Merge branch 'master' of ssh://bitbucket.org/connect2id/nimbus-jose-jwt
  • a682550 Adds change log entry for iss #496 fix (PR)
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.nimbusds:nimbus-jose-jwt&package-manager=gradle&previous-version=9.37&new-version=9.37.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index b455721ebe..a23d5aad88 100644
--- a/build.gradle
+++ b/build.gradle
@@ -572,7 +572,7 @@ dependencies {
 implementation 'commons-cli:commons-cli:1.6.0'
 implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
 implementation 'org.ldaptive:ldaptive:1.2.3'
- implementation 'com.nimbusds:nimbus-jose-jwt:9.37'
+ implementation 'com.nimbusds:nimbus-jose-jwt:9.37.1'
 //JWT
 implementation "io.jsonwebtoken:jjwt-api:${jjwt_version}"
From 6f0f4d0c34c40c3abc45ecd4126c2819bbd077cb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Nov 2023 15:25:27 +0000
Subject: [PATCH 6/6] Bump org.junit.jupiter:junit-jupiter from 5.10.0 to 5.10.1 (#3683)
Bumps [org.junit.jupiter:junit-jupiter](https://github.com/junit-team/junit5) from 5.10.0 to 5.10.1.
Release notes

Sourced from org.junit.jupiter:junit-jupiter's releases.

JUnit 5.10.1 = Platform 1.10.1 + Jupiter 5.10.1 + Vintage 5.10.1

See Release Notes.

Full Changelog: https://github.com/junit-team/junit5/compare/r5.10.0...r5.10.1

Commits
  • e5f50d8 Release 5.10.1
  • ac86d18 Fix typo in AfterAll documentation
  • 388c5be Harmonize application of method and field filters in search algorithms
  • f82dd1e Apply field predicate before searching type hierarchy
  • 1d1eb85 Polishing
  • 5ce280e Update picocli to 4.7.5 and enable help width computation
  • fea05c3 Fix ConsoleLauncherTests and StandaloneTests
  • c556735 Use same expected files for all JDK versions
  • 808493a Run StandaloneTests for Java 8 under Java 8
  • 9ec5766 Unify messages about exit codes in StandaloneTests
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.junit.jupiter:junit-jupiter&package-manager=gradle&previous-version=5.10.0&new-version=5.10.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index a23d5aad88..dcc8171263 100644
--- a/build.gradle
+++ b/build.gradle
@@ -680,7 +680,7 @@ dependencies {
 testImplementation 'commons-validator:commons-validator:1.7'
 testImplementation 'org.springframework.kafka:spring-kafka-test:2.9.13'
 testImplementation 'org.springframework:spring-beans:5.3.30'
- testImplementation 'org.junit.jupiter:junit-jupiter:5.10.0'
+ testImplementation 'org.junit.jupiter:junit-jupiter:5.10.1'
 testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.1'
 // Only osx-x86_64, osx-aarch_64, linux-x86_64, linux-aarch_64, windows-x86_64 are available
 if (osdetector.classifier in ["osx-x86_64", "osx-aarch_64", "linux-x86_64", "linux-aarch_64", "windows-x86_64"]) {