address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699 (#3575) (#3578)

* address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699

Signed-off-by: Jing Zhang <[email protected]>

* add exact version 2.5.2 for json-smart
hardcode awssdk version to 2.30.18

Signed-off-by: Jing Zhang <[email protected]>

---------

Signed-off-by: Jing Zhang <[email protected]>
(cherry picked from commit 4d95466)

Co-authored-by: Jing Zhang <[email protected]>

Author: opensearch-trigger-bot[bot]

common/build.gradle

@@ -35,7 +35,10 @@ dependencies {
         exclude group: 'com.google.j2objc', module: 'j2objc-annotations'
         exclude group: 'com.google.guava', module: 'listenablefuture'
     }
-    compileOnly 'com.jayway.jsonpath:json-path:2.9.0'
+    compileOnly ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    compileOnly ('net.minidev:json-smart:2.5.2')
     compileOnly("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     compileOnly("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     compileOnly group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'

memory/build.gradle

@@ -43,7 +43,10 @@ dependencies {
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testImplementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
-    testImplementation 'com.jayway.jsonpath:json-path:2.9.0'
+    testImplementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    testImplementation('net.minidev:json-smart:2.5.2')
 }
 
 test {

ml-algorithms/build.gradle

@@ -67,21 +67,24 @@ dependencies {
         }
     }
 
-    implementation platform('software.amazon.awssdk:bom:2.29.12')
-    api 'software.amazon.awssdk:auth:2.29.12'
+    implementation platform('software.amazon.awssdk:bom:2.30.18')
+    api 'software.amazon.awssdk:auth:2.30.18'
     implementation 'software.amazon.awssdk:apache-client'
     implementation ('com.amazonaws:aws-encryption-sdk-java:2.4.1') {
         exclude group: 'org.bouncycastle', module: 'bcprov-ext-jdk18on'
     }
     implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
 
-    compileOnly group: 'software.amazon.awssdk', name: 'aws-core', version: '2.29.12'
-    compileOnly group: 'software.amazon.awssdk', name: 's3', version: '2.29.12'
-    compileOnly group: 'software.amazon.awssdk', name: 'regions', version: '2.29.12'
+    compileOnly group: 'software.amazon.awssdk', name: 'aws-core', version: "2.30.18"
+    compileOnly group: 'software.amazon.awssdk', name: 's3', version: "2.30.18"
+    compileOnly group: 'software.amazon.awssdk', name: 'regions', version: "2.30.18"
 
-    implementation 'com.jayway.jsonpath:json-path:2.9.0'
+    implementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    implementation('net.minidev:json-smart:2.5.2')
     implementation group: 'org.json', name: 'json', version: '20231013'
-    implementation group: 'software.amazon.awssdk', name: 'netty-nio-client', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'netty-nio-client', version: "2.30.18"
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testImplementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
@@ -94,7 +97,7 @@ lombok {
 configurations.all {
     resolutionStrategy.force 'com.google.protobuf:protobuf-java:3.25.5'
     resolutionStrategy.force 'org.apache.commons:commons-compress:1.26.0'
-    resolutionStrategy.force 'software.amazon.awssdk:bom:2.29.12'
+    resolutionStrategy.force 'software.amazon.awssdk:bom:2.30.18'
 }
 
 

plugin/build.gradle

@@ -54,15 +54,15 @@ dependencies {
     implementation project(':opensearch-ml-memory')
     compileOnly "com.google.guava:guava:32.1.3-jre"
 
-    implementation group: 'software.amazon.awssdk', name: 'aws-core', version: '2.29.12'
-    implementation group: 'software.amazon.awssdk', name: 's3', version: '2.29.12'
-    implementation group: 'software.amazon.awssdk', name: 'regions', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-core', version: "2.30.18"
+    implementation group: 'software.amazon.awssdk', name: 's3', version: "2.30.18"
+    implementation group: 'software.amazon.awssdk', name: 'regions', version: "2.30.18"
 
-    implementation group: 'software.amazon.awssdk', name: 'aws-xml-protocol', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-xml-protocol', version: "2.30.18"
 
-    implementation group: 'software.amazon.awssdk', name: 'aws-query-protocol', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-query-protocol', version: "2.30.18"
 
-    implementation group: 'software.amazon.awssdk', name: 'protocol-core', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'protocol-core', version: "2.30.18"
 
     zipArchive group: 'org.opensearch.plugin', name:'opensearch-job-scheduler', version: "${opensearch_build}"
     compileOnly "org.opensearch:opensearch-job-scheduler-spi:${opensearch_build}"
@@ -84,7 +84,10 @@ dependencies {
     implementation "org.apache.logging.log4j:log4j-slf4j-impl:2.19.0"
     testImplementation group: 'commons-io', name: 'commons-io', version: '2.15.1'
     implementation group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
-    implementation 'com.jayway.jsonpath:json-path:2.9.0'
+    implementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    implementation('net.minidev:json-smart:2.5.2')
 }
 
 publishing {