Update dependencies to mitigate vulnerabilities

common/transform/build.gradle

@@ -6,6 +6,7 @@ dependencies {
     implementation group: 'ai.h2o', name: 'mojo2-runtime-impl'
     implementation group: 'com.google.guava', name: 'guava'
     implementation group: 'org.slf4j', name: 'slf4j-api'
+    implementation group: 'org.yaml', name: 'snakeyaml'
     // FIXME(MM): this should not be required, since the dependency should be provided
     // by mojo2-runtime-impl. The problem is that mojo2 does not expose that dependency
     // as compile time dependency for consumers.
@@ -14,13 +15,13 @@ dependencies {
     // end of fixme
 
     testImplementation group: 'com.google.truth.extensions', name: 'truth-java8-extension'
-    testImplementation group: 'org.mockito', name: 'mockito-inline', version: '3.4.0'
-    testImplementation group: 'org.mockito', name : 'mockito-core', version: '3.4.0'
+    testImplementation group: 'org.mockito', name: 'mockito-inline'
+    testImplementation group: 'org.mockito', name : 'mockito-core'
     testImplementation group: 'org.mockito', name: 'mockito-junit-jupiter'
     testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-api'
     testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-params'
     testRuntimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine'
-    testImplementation group: 'org.junit-pioneer', name: 'junit-pioneer', version: jupiterPioneerVersion
+    testImplementation group: 'org.junit-pioneer', name: 'junit-pioneer'
 }
 
 test {

gradle.properties

@@ -5,33 +5,34 @@ version = 1.1.21-SNAPSHOT
 
 # Internal dependencies:
 h2oVersion = 3.40.0.3
-mojoRuntimeVersion = 2.8.2
+mojoRuntimeVersion = 2.8.3
 
 # External dependencies:
 awsLambdaCoreVersion = 1.2.0
 awsLambdaEventsVersion = 2.2.3
 awsSdkS3Version = 1.11.445
 javaxAnnotationVersion = 1.3.2
 gsonVersion = 2.8.9
-jupiterPioneerVersion = 0.6.0
-jupiterVersion = 5.4.0
-jupiterSystemStubsVersion = 1.2.0
-mockitoVersion = 3.4.0
+jupiterPioneerVersion = 1.9.1
+jupiterVersion = 5.7.2
+mockitoVersion = 4.11.0
+snakeYamlVersion = 2.2
 springFoxVersion = 3.0.0
 swaggerCodegenVersion = 3.0.46
 swaggerCoreVersion = 2.2.11
 swaggerCoreSpringVersion = 1.6.11
 shadowJarVersion = 4.0.4
-slf4jVersion = 1.7.30
-log4jVersion = 2.17.1
+slf4jVersion = 1.7.36
+log4jVersion = 2.22.0
 apacheCommonsCliVersion = 1.4
 truthVersion = 0.42
-guavaVersion = 30.1.1-jre
+guavaVersion = 32.0.0-jre
 googleStorageVersion = 1.112.0
 sparkVersion = 2.4.4
 scalaVersion = 2.12.15
 sparklingWaterVersion = 3.30.1.3-1-3.0
 configVersion = 1.3.4
+tomcatEmbedVersion = 9.0.75
 
 # External plugins:
 springBootPluginVersion = 2.7.12
@@ -49,8 +50,8 @@ errorproneVersion = 2.3.3
 # Docker settings
 dockerRepositoryPrefix = harbor.h2o.ai/opsh2oai/h2oai/
 dockerIncludePython = true
-# Digest of eclipse-temurin:17.0.5_8-jdk-alpine
-javaBaseImage = eclipse-temurin@sha256:1451b2df3a00e2ab14c4c63c6c9f8211c318f450954971bb8763bb100ce248c1
+# Digest of eclipse-temurin:17.0.9_9-jdk-alpine
+javaBaseImage = eclipse-temurin@sha256:24643c2dd329ef482ecd042b59cbfb7fe13716342e22674a0abd763559c8a1dd
 
 # Increase timeouts to avoid read error from OSS Nexus
 # See:

gradle/mixins/dependencies.gradle

@@ -21,6 +21,8 @@ dependencyManagement {
         dependency group: 'com.google.truth.extensions', name: 'truth-java8-extension', version: truthVersion
         dependency group: 'com.google.cloud', name: 'google-cloud-storage', version: googleStorageVersion
         dependency group: 'io.springfox', name: 'springfox-boot-starter', version: springFoxVersion
+        // https://nvd.nist.gov/vuln/detail/CVE-2022-1471
+        dependency group: 'org.yaml', name: 'snakeyaml', version: snakeYamlVersion
         dependency group: 'io.swagger', name: 'swagger-annotations', version: swaggerCoreSpringVersion
         dependency group: 'io.swagger.core.v3', name: 'swagger-annotations', version: swaggerCoreVersion
         dependency group: 'io.swagger.codegen.v3', name: 'swagger-codegen-cli', version: swaggerCodegenVersion
@@ -30,9 +32,11 @@ dependencyManagement {
             entry 'junit-jupiter-engine'
             entry 'junit-jupiter-params'
         }
+        dependency group: 'org.junit-pioneer', name: 'junit-pioneer', version: jupiterPioneerVersion
         dependencySet(group: 'org.mockito', version: mockitoVersion) {
             entry 'mockito-core'
             entry 'mockito-junit-jupiter'
+            entry 'mockito-inline'
         }
         dependency group: 'commons-cli', name: 'commons-cli', version: apacheCommonsCliVersion
         dependency group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
@@ -49,7 +53,6 @@ dependencyManagement {
         dependency group: 'org.scala-lang', name: 'scala-library', version: scalaVersion
         dependency group: 'ai.h2o', name: 'sparkling-water-scoring_2.12', version: sparklingWaterVersion
         dependency group: 'com.typesafe', name:'config', version: configVersion
-        dependency group: 'uk.org.webcompere', name: 'system-stubs-jupiter', version: jupiterSystemStubsVersion
 
     }
 }

local-rest-scorer/build.gradle

@@ -14,17 +14,18 @@ dependencies {
     implementation group: 'ai.h2o', name: 'mojo2-runtime-impl'
     implementation group: 'io.springfox', name: 'springfox-boot-starter', version: springFoxVersion
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web'
-    implementation group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: '9.0.63'
+    implementation group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: tomcatEmbedVersion
 
     implementation group: 'com.google.guava', name: 'guava', version: guavaVersion
+    implementation group: 'org.yaml', name: 'snakeyaml'
 
     testImplementation group: 'org.springframework.boot', name: 'spring-boot-starter-test'
     testImplementation group: 'com.google.truth.extensions', name: 'truth-java8-extension'
     testImplementation group: 'org.mockito', name: 'mockito-inline'
     testImplementation group: 'org.mockito', name : 'mockito-core'
     testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-api'
     testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-params'
-    testImplementation group: 'org.junit-pioneer', name: 'junit-pioneer', version: jupiterPioneerVersion
+    testImplementation group: 'org.junit-pioneer', name: 'junit-pioneer'
     testRuntimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine'
 }