Fix vulnerabilities

snowplow · Nov 3, 2023 · 0927180 · 0927180
1 parent fea6397
commit 0927180
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 8 deletions.
diff --git a/project/BuildSettings.scala b/project/BuildSettings.scala
@@ -41,6 +41,7 @@ object BuildSettings {
         Dependencies.Libraries.kinesis,
         Dependencies.Libraries.sts,
         Dependencies.Libraries.sqs,
+
         // integration tests dependencies
         Dependencies.Libraries.IT.specs2,
         Dependencies.Libraries.IT.specs2CE,
@@ -65,6 +66,8 @@ object BuildSettings {
       libraryDependencies ++= Seq(
         Dependencies.Libraries.catsRetry,
         Dependencies.Libraries.fs2PubSub,
+        Dependencies.Libraries.pubsub,
+
         // integration tests dependencies
         Dependencies.Libraries.IT.specs2,
         Dependencies.Libraries.IT.specs2CE,
@@ -79,6 +82,7 @@ object BuildSettings {
       libraryDependencies ++= Seq(
         Dependencies.Libraries.kafkaClients,
         Dependencies.Libraries.mskAuth,
+
         // integration tests dependencies
         Dependencies.Libraries.IT.specs2,
         Dependencies.Libraries.IT.specs2CE
@@ -111,7 +115,6 @@ object BuildSettings {
       formatting ++
       dynVerSettings ++
       addExampleConfToTestCp
-//      Seq(excludeDependencies ++= Dependencies.commonExclusions)
 
   lazy val buildInfoSettings = Seq(
     buildInfoKeys := Seq[BuildInfoKey](name, moduleName, dockerAlias, version),

diff --git a/project/Dependencies.scala b/project/Dependencies.scala
@@ -27,6 +27,7 @@ object Dependencies {
     val rabbitMQ     = "5.15.0"
     val jackson      = "2.12.7" // force this version to mitigate security vulnerabilities
     val thrift       = "0.15.0" // force this version to mitigate security vulnerabilities
+    val pubsub       = "1.125.11" // force this version to mitigate security vulnerabilities
 
     // Scala
     val collectorPayload = "0.0.0"
@@ -63,6 +64,7 @@ object Dependencies {
     val slf4j          = "org.slf4j"                        % "slf4j-simple"            % V.slf4j
     val log4j          = "org.apache.logging.log4j"         % "log4j-core"              % V.log4j
     val rabbitMQ       = "com.rabbitmq"                     % "amqp-client"             % V.rabbitMQ
+    val pubsub         = "com.google.cloud"                 % "google-cloud-pubsub"     % V.pubsub
 
     // Scala
     val collectorPayload  = "com.snowplowanalytics" % "collector-payload-1"                    % V.collectorPayload
@@ -95,11 +97,4 @@ object Dependencies {
       val http4sClient   = "org.http4s"       %% "http4s-blaze-client"        % V.blaze          % IntegrationTest
     }
   }
-
-  lazy val commonExclusions = Seq(
-    "org.apache.tomcat.embed" % "tomcat-embed-core", // exclude for security vulnerabilities introduced by libthrift
-    // Avoid duplicate .proto files brought in by akka and google-cloud-pubsub.
-    // We don't need any akka serializers because collector runs in a single JVM.
-    "com.typesafe.akka" % "akka-protobuf-v3_2.12"
-  )
 }