
CVE patches #5034

Open: wants to merge 2 commits into master

Conversation

mluds commented Dec 11, 2020

Upgrade various Gradle dependencies to fix CVEs.

Description

The following CVEs were patched. Shown are the versions before and after the patch.

https://nvd.nist.gov/vuln/detail/CVE-2015-5237 com.google.protobuf:protobuf-java 3.3.1 -> 3.14.0
https://nvd.nist.gov/vuln/detail/CVE-2017-18640 org.yaml:snakeyaml 1.23 -> 1.27
https://nvd.nist.gov/vuln/detail/CVE-2018-8023 org.apache.mesos:mesos 1.2.3 -> 1.4.3
https://nvd.nist.gov/vuln/detail/CVE-2018-20200 com.squareup.okhttp3:okhttp 3.12.0 -> 3.12.12
https://nvd.nist.gov/vuln/detail/CVE-2020-7014 org.elasticsearch.client:elasticsearch-rest-client 6.7.2 -> 6.8.13
https://nvd.nist.gov/vuln/detail/CVE-2020-11612 io.netty:netty-buffer (and others) 4.1.45.Final -> 4.1.55.Final
https://nvd.nist.gov/vuln/detail/CVE-2020-13956 org.apache.httpcomponents:httpclient 4.5.5 -> 4.5.13
https://nvd.nist.gov/vuln/detail/CVE-2020-25649 com.fasterxml.jackson.core:jackson-databind 2.10.1 -> 2.10.5.1
https://nvd.nist.gov/vuln/detail/CVE-2019-0201 org.apache.zookeeper:zookeeper 3.4.11 -> 3.4.14

Related issue and scope

  • I opened an issue to propose and discuss this change (#????)

My changes affect the following components

  • API
  • Controller
  • Message Bus (e.g., Kafka)
  • Loadbalancer
  • Invoker
  • Intrinsic actions (e.g., sequences, conductors)
  • Data stores (e.g., CouchDB)
  • Tests
  • Deployment
  • CLI
  • General tooling
  • Documentation

Types of changes

  • Bug fix (generally a non-breaking change which closes an issue).
  • Enhancement or new feature (adds new functionality).
  • Breaking change (a bug fix or enhancement which changes existing behavior).

Checklist:

  • I signed an Apache CLA.
  • I reviewed the style guides and followed the recommendations (Travis CI will check :).
  • I added tests to cover my changes.
  • My changes require further changes to the documentation.
  • I updated the documentation where necessary.

codecov-io commented Dec 11, 2020

Codecov Report

Merging #5034 (0549a5d) into master (4babe39) will decrease coverage by 47.78%.
The diff coverage is n/a.


@@             Coverage Diff             @@
##           master    #5034       +/-   ##
===========================================
- Coverage   83.77%   35.98%   -47.79%     
===========================================
  Files         202      202               
  Lines        9818     9818               
  Branches      416      416               
===========================================
- Hits         8225     3533     -4692     
- Misses       1593     6285     +4692     
Impacted Files Coverage Δ
...a/org/apache/openwhisk/common/ConfigMapValue.scala 0.00% <0.00%> (-100.00%) ⬇️
.../apache/openwhisk/core/controller/Namespaces.scala 0.00% <0.00%> (-100.00%) ⬇️
...pache/openwhisk/core/controller/CorsSettings.scala 0.00% <0.00%> (-100.00%) ⬇️
...che/openwhisk/core/entitlement/RateThrottler.scala 0.00% <0.00%> (-100.00%) ⬇️
...he/openwhisk/core/entitlement/KindRestrictor.scala 0.00% <0.00%> (-100.00%) ⬇️
...penwhisk/core/database/cosmosdb/CosmosDBUtil.scala 0.00% <0.00%> (-100.00%) ⬇️
.../openwhisk/core/entitlement/ActionCollection.scala 0.00% <0.00%> (-100.00%) ⬇️
.../openwhisk/core/entitlement/LocalEntitlement.scala 0.00% <0.00%> (-100.00%) ⬇️
...nwhisk/core/database/cosmosdb/CosmosDBConfig.scala 0.00% <0.00%> (-100.00%) ⬇️
...openwhisk/core/entitlement/PackageCollection.scala 0.00% <0.00%> (-100.00%) ⬇️
... and 132 more


rabbah (Member) commented Dec 12, 2020

Thanks @mluds for these patches!

style95 (Member) commented Jan 18, 2021

Hi @mluds.
Could you rebase the code?
We were at the stage of migrating to travis-ci.com and now it has been done.

If you rebase the code, the CI pipeline would work as expected.

@@ -98,6 +98,38 @@ dependencies {
compile ("com.azure:azure-storage-blob:12.6.0") {
exclude group: "com.azure", module: "azure-core-test"
}
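Review bot: the header `@@ -98,6 +98,38 @@` adds 32 lines to the `dependencies {` block, but only the `com.azure:azure-storage-blob:12.6.0` context is visible here and the PR description lists only version bumps of coordinates the build already uses (protobuf-java, snakeyaml, netty, httpclient, ...), so the hunk does not show which additions are new direct dependencies and which are overrides of transitive versions. Suggest a comment beside each added entry naming the CVE it addresses, and expressing transitive overrides through Gradle's `dependencies { constraints { ... } }` (or `resolutionStrategy.force`) rather than as `compile` entries, so they do not read as new direct dependencies and can be dropped once the upstream artifact upgrades.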

Member

I don't understand the reason for these new dependencies being introduced here.

Contributor

They appear to be transitive dependencies from actual dependencies we declare.

I started this PR yesterday to clear all known CVEs before realizing this one existed. I think we can upgrade the actual dependencies rather than pin transitive dependencies. I'll take what I can from here, but I'm probably going to do things in multiple PRs so I'm not disrupting too much at once until I have cleared everything. I would much rather upgrade dependencies where I can and then pin transitive dependency versions as a last resort.

#5373
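An added check, not part of this PR or the OpenWhisk build: the script below takes the coordinate and version pairs from the PR description as a security floor and flags anything in a `gradle dependencies` report that still resolves below it, which is exactly where a transitive dependency that was neither upgraded nor pinned shows up. The report text is constructed sample output.

```python
"""Added example (not from the OpenWhisk PR): flag coordinates in a Gradle dependency
report that still resolve below the fixed versions listed in the PR description."""
import re

# Coordinate -> lowest version containing the fix, from the PR description.
MIN_FIXED = {
    "com.google.protobuf:protobuf-java": "3.14.0",  # CVE-2015-5237
    "org.yaml:snakeyaml": "1.27",  # CVE-2017-18640
    "org.apache.mesos:mesos": "1.4.3",  # CVE-2018-8023
    "com.squareup.okhttp3:okhttp": "3.12.12",  # CVE-2018-20200
    "org.elasticsearch.client:elasticsearch-rest-client": "6.8.13",  # CVE-2020-7014
    "io.netty:netty-buffer": "4.1.55.Final",  # CVE-2020-11612
    "org.apache.httpcomponents:httpclient": "4.5.13",  # CVE-2020-13956
    "com.fasterxml.jackson.core:jackson-databind": "2.10.5.1",  # CVE-2020-25649
    "org.apache.zookeeper:zookeeper": "3.4.14",  # CVE-2019-0201
}

# `group:name:declared`, optionally ` -> resolved` when Gradle picked another version.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)(?:\s+->\s+([\w.\-]+))?")

def version_key(v):
    """'4.1.55.Final' -> ((0,4),(0,1),(0,55),(1,'Final')): numeric parts compare
    numerically and never collide with qualifier strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

def resolved_versions(report):
    """Map coordinate -> version that actually ships (right of '->' if present)."""
    found = {}
    for group, name, declared, resolved in DEP_RE.findall(report):
        found[f"{group}:{name}"] = resolved or declared
    return found

def unpatched(report, minimums=MIN_FIXED):
    """Coordinates whose resolved version is still below the minimum fixed one."""
    return {c: v for c, v in resolved_versions(report).items()
            if c in minimums and version_key(v) < version_key(minimums[c])}

# Constructed report: snakeyaml still arrives at 1.23 through a transitive path,
# netty-buffer was resolved upward to the fixed version, httpclient is fixed.
SAMPLE_REPORT = """\
compile - Dependencies for source set 'main'.
+--- org.apache.httpcomponents:httpclient:4.5.13
+--- io.netty:netty-buffer:4.1.45.Final -> 4.1.55.Final
\\--- com.example:some-library:2.0
     \\--- org.yaml:snakeyaml:1.23
"""

if __name__ == "__main__":
    for coord, ver in unpatched(SAMPLE_REPORT).items():
        print(f"STILL VULNERABLE: {coord} resolves to {ver}, need >= {MIN_FIXED[coord]}")
```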

settings.gradle Outdated
@@ -68,3 +68,6 @@ gradle.ext.akka_management = [version : '1.0.5']

gradle.ext.curator = [version : '4.0.0']
gradle.ext.kube_client = [version: '4.4.2']
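Review bot: the header `@@ -68,3 +68,6 @@` adds three `gradle.ext.*` version entries after `gradle.ext.kube_client = [version: '4.4.2']`, but the new lines are not shown here and nothing ties them to a CVE from the description. Suggest a trailing comment on each new version constant naming the CVE it addresses, so a later upgrade can tell a security floor from an ordinary pin.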

Member

And here.

codecov-commenter

Codecov Report

Merging #5034 (907138f) into master (096dba4) will decrease coverage by 0.46%.
The diff coverage is n/a.

❗ Current head 907138f differs from pull request most recent head 19ec479. Consider uploading reports for the commit 19ec479 to get more accurate results

@@            Coverage Diff             @@
##           master    #5034      +/-   ##
==========================================
- Coverage   66.46%   66.01%   -0.46%     
==========================================
  Files         240      233       -7     
  Lines       14569    14305     -264     
  Branches      642      638       -4     
==========================================
- Hits         9684     9443     -241     
+ Misses       4885     4862      -23     
Impacted Files Coverage Δ
...pache/openwhisk/core/invoker/InvokerReactive.scala 53.84% <0.00%> (-17.70%) ⬇️
...rg/apache/openwhisk/common/ForcibleSemaphore.scala 88.46% <0.00%> (-7.70%) ⬇️
.../org/apache/openwhisk/core/connector/Message.scala 59.82% <0.00%> (-4.02%) ⬇️
...nwhisk/core/monitoring/metrics/KamonRecorder.scala
...pache/openwhisk/core/monitoring/metrics/Main.scala
.../core/monitoring/metrics/PrometheusEventsApi.scala
...hisk/core/monitoring/metrics/OpenWhiskEvents.scala
...nwhisk/core/monitoring/metrics/EventConsumer.scala
...k/core/monitoring/metrics/PrometheusRecorder.scala
...penwhisk/core/monitoring/metrics/MetricNames.scala
... and 2 more


style95 added the "stale" label (old issue which needs to validate) on May 31, 2023