diff --git a/build.gradle b/build.gradle
index d7d6ec57d5..084c20be3b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -59,6 +59,7 @@ allprojects { JavaCompile compile -> compile.options.incremental = true // Gradle 3.4 compile.options.encoding = 'UTF-8' + compile.options.compilerArgs << '-parameters' // Preserve method parameter names for Spring AI reflection } }
@@ -314,6 +315,9 @@ allprojects { force "net.java.dev.jna:jna:${jnaVersion}" force "net.java.dev.jna:jna-platform:${jnaVersion}" + // Spring AI 2.0 and Duo SDK bring in different versions + force "net.bytebuddy:byte-buddy:${byteBuddyVersion}" + // Reactor - transitive dependency via azure-core; force for version consistency across modules force "io.projectreactor:reactor-core:${reactorCoreVersion}"
@@ -375,6 +379,21 @@ allprojects { // Force consistency for dependencies from pipeline and query force "org.dom4j:dom4j:${dom4jVersion}" + // Force spring-ai components to bring in spring-* versions that match the rest of spring + force "org.springframework:spring-context-support:${springVersion}" + force "org.springframework:spring-messaging:${springVersion}" + force "org.springframework:spring-webflux:${springVersion}" + + // Force spring-ai components to bring in the latest AssertJ version to avoid CVEs. Note that + // spring-ai 2.0.0-M3 probably pulled this in by mistake. https://github.com/spring-projects/spring-ai/issues/5646 + force "org.assertj:assertj-core:${assertjVersion}" + + // spring-ai 2.0.0-M3 was compiled against jsonschema-generator 4.38.0 (Jackson 2.x) but + // its pom mistakenly declares 5.0.0 (Jackson 3.x/tools.jackson), causing NoSuchMethodError + force "com.github.victools:jsonschema-generator:${jsonschemaGeneratorVersion}" + force "com.github.victools:jsonschema-module-jackson:${jsonschemaGeneratorVersion}" + force "com.github.victools:jsonschema-module-swagger-2:${jsonschemaGeneratorVersion}" + // Force consistency between pipeline's ActiveMQ and cloud's jClouds dependencies force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
@@ -390,6 +409,9 @@ allprojects { // Force latest hadoop-hdfs-client for CVE-2021-37404, CVE-2022-25168, CVE-2022-26612, CVE-2021-25642, CVE-2021-33036, CVE-2023-26031 force "org.apache.hadoop:hadoop-hdfs-client:${hadoopHdfsClientVersion}" + // Spring AI 2.0 brings in Jackson3. Force it to match embedded and mitigate CVEs. + force "tools.jackson.core:jackson-core:${jackson3Version}" + dependencySubstitution { // Because the client api artifact name is not the same as the directory structure, we use // Gradle's dependency substitution so the dependency will appear correctly in the pom files that
diff --git a/gradle.properties b/gradle.properties
index 2b26e3b577..0b24150068 100644
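Review bot: The AssertJ force in the build.gradle hunk `@@ -375,6 +379,21 @@` only raises the version of a test-assertion library that, per the linked spring-ai issue, was probably declared by mistake; if no module needs it at runtime, an exclude on the spring-ai dependency would take it off the classpath instead of just updating it. Its comment says "to avoid CVEs" without an identifier, unlike the hadoop-hdfs-client comment in the next hunk, and the Jackson 3 force added there has the same gap ("mitigate CVEs"), so nobody can later tell when either pin is obsolete; I would write `// Force AssertJ ${assertjVersion} for <CVE-ID placeholder>; remove once spring-ai#5646 is fixed`. The jsonschema-generator forces pin the 4.38.0 line below the 5.0.0 the pom declares, which will also hold back later fixes, so that comment should state its removal condition, e.g. `// Remove when spring-ai's pom matches the version it was compiled against`. The enclosing allprojects block starts and ends outside the hunk.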
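Review bot: The new force in the build.gradle hunk `@@ -390,6 +409,9 @@` covers only `tools.jackson.core:jackson-core`, while most Jackson advisories concern deserialization in databind; unless `jackson-databind` is pinned outside this hunk, Spring AI can still resolve a Jackson 3 databind that differs from the embedded one. I would add `force "tools.jackson.core:jackson-databind:${jackson3Version}"` next to it, or align the whole family through the Jackson BOM. `jackson3Version` is not defined in the gradle.properties hunks of this commit, so it presumably exists already; worth confirming. The enclosing allprojects block starts and ends outside the hunk.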
--- a/gradle.properties
+++ b/gradle.properties
@@ -107,6 +107,10 @@ apacheTomcatVersion=11.0.18 # tika asmVersion=9.9.1 +# Also defined in testAutomation/gradle.properties +# This was probably added to spring-ai by mistake: https://github.com/spring-projects/spring-ai/issues/5646 +assertjVersion=3.27.7 + # Microsoft library for sending OAuth2-authenticated notification emails via the Microsoft Graph API azureIdentityVersion=1.18.2
@@ -117,6 +121,8 @@ batikVersion=1.19 bouncycastlePgpVersion=1.83 bouncycastleVersion=1.83 +byteBuddyVersion=1.18.7 + cglibNodepVersion=2.2.3 checkerQualVersion=3.53.0
@@ -305,10 +311,14 @@ slf4jLog4jApiVersion=2.0.17 snappyJavaVersion=1.1.10.8 # Also, update apacheTomcatVersion above to match Spring Boot's Tomcat dependency version -springBootVersion=4.0.3 +springBootVersion=4.0.4 # This usually matches the Spring Framework version dictated by springBootVersion -springVersion=7.0.5 -springAiVersion=2.0.0-M2 +springVersion=7.0.6 +springAiVersion=2.0.0-M3 + +# spring-ai 2.0.0-M3 was compiled against 4.38.0 but its pom mistakenly declares 5.0.0, which uses +# Jackson 3.x (tools.jackson) instead of Jackson 2.x (com.fasterxml.jackson), causing NoSuchMethodError +jsonschemaGeneratorVersion=4.38.0 sqliteJdbcVersion=3.51.2.0