From 9caaa6a5a6e3c729ca2100118e66e795646fc57a Mon Sep 17 00:00:00 2001
From: lilai <lilai23@foxmail.com>
Date: Mon, 30 Dec 2024 19:25:49 +0800
Subject: [PATCH] resolve cve of third party dependencies

Signed-off-by: lilai <lilai23@foxmail.com>
---
 pom.xml                                       | 13 +++++++++---
 .../sermant-agentcore-implement/pom.xml       |  2 +-
 sermant-backend/pom.xml                       | 11 +++++++---
 sermant-package/pom.xml                       |  2 +-
 .../flowcontrol-plugin/pom.xml                |  2 --
 .../dubbo-registry-service/pom.xml            |  6 ------
 .../dubbo/registry/RegistryServiceTest.java   | 20 +++++++++++++++++--
 .../sermant-service-registry/pom.xml          |  3 +--
 .../springboot-registry-service/pom.xml       |  1 -
 .../tag-transmission-grpc-plugin/pom.xml      |  2 +-
 10 files changed, 40 insertions(+), 22 deletions(-)

diff --git a/pom.xml b/pom.xml
index 4f9acc467e..7350ac21b0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,5 +1,5 @@
 <project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <groupId>io.sermant</groupId>
     <artifactId>sermant</artifactId>
@@ -43,8 +43,8 @@
         <http.client.version>4.5.13</http.client.version>
         <http.core.version>4.4.13</http.core.version>
         <Java-WebSocket.version>1.5.1</Java-WebSocket.version>
-        <netty.version>4.1.108.Final</netty.version>
-        <protobuf.version>3.19.6</protobuf.version>
+        <netty.version>4.1.115.Final</netty.version>
+        <protobuf.version>3.25.5</protobuf.version>
         <fastjson.version>1.2.83</fastjson.version>
         <xml.apis.version>1.4.01</xml.apis.version>
         <xerces.version>2.12.1</xerces.version>
@@ -55,6 +55,7 @@
         <common.io.version>2.7</common.io.version>
         <org.jacoco.version>0.8.11</org.jacoco.version>
         <simpleclient.version>0.16.0</simpleclient.version>
+        <guava.version>32.1.3-jre</guava.version>
 
         <slf4j.version>1.7.35</slf4j.version>
         <log4j2.version>2.17.2</log4j2.version>
@@ -298,6 +299,11 @@
                 <artifactId>frontend-maven-plugin</artifactId>
                 <version>${frontend.plugin.version}</version>
             </dependency>
+            <dependency>
+                <groupId>com.google.guava</groupId>
+                <artifactId>guava</artifactId>
+                <version>${guava.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <profiles>
@@ -313,6 +319,7 @@
                 <module>sermant-backend</module>
                 <module>sermant-injector</module>
                 <module>report</module>
+                <module>sermant-package</module>
             </modules>
             <build>
                 <plugins>
diff --git a/sermant-agentcore/sermant-agentcore-implement/pom.xml b/sermant-agentcore/sermant-agentcore-implement/pom.xml
index 5970467654..0eb544e93c 100644
--- a/sermant-agentcore/sermant-agentcore-implement/pom.xml
+++ b/sermant-agentcore/sermant-agentcore-implement/pom.xml
@@ -55,7 +55,7 @@
         <gpg.plugin.version>3.0.1</gpg.plugin.version>
         <javadoc.plugin.version>3.3.2</javadoc.plugin.version>
         <nexus.staging.plugin.version>1.6.7</nexus.staging.plugin.version>
-        <nacos.version>2.1.2</nacos.version>
+        <nacos.version>2.3.3</nacos.version>
         <jackson-databind.version>2.13.4.2</jackson-databind.version>
         <envoyproxy.controlplane.version>0.1.32</envoyproxy.controlplane.version>
         <micrometer.version>1.9.5</micrometer.version>
diff --git a/sermant-backend/pom.xml b/sermant-backend/pom.xml
index 8311f7bb9f..f1051f3c1c 100644
--- a/sermant-backend/pom.xml
+++ b/sermant-backend/pom.xml
@@ -15,8 +15,8 @@
         <jdk.version>1.8</jdk.version>
         <spring-boot.version>2.7.18</spring-boot.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <io.netty.version>4.1.108.Final</io.netty.version>
-        <protobuf-java.version>3.19.6</protobuf-java.version>
+        <io.netty.version>4.1.115.Final</io.netty.version>
+        <protobuf-java.version>3.25.5</protobuf-java.version>
         <lombok.version>1.18.22</lombok.version>
         <fastjson.version>1.2.83</fastjson.version>
         <commons-lang.version>2.6</commons-lang.version>
@@ -32,7 +32,7 @@
         <aspectjweaver.version>1.8.4</aspectjweaver.version>
         <tomcat-embed.version>9.0.95</tomcat-embed.version>
         <spring-framework.version>5.3.39</spring-framework.version>
-        <nacos-client-version>2.2.1</nacos-client-version>
+        <nacos-client-version>2.3.3</nacos-client-version>
         <webapp.path>${project.basedir}/src/main/webapp/frontend</webapp.path>
     </properties>
 
@@ -280,6 +280,11 @@
             <artifactId>nacos-client</artifactId>
             <version>${nacos-client-version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>${guava.version}</version>
+        </dependency>
     </dependencies>
 
     <profiles>
diff --git a/sermant-package/pom.xml b/sermant-package/pom.xml
index c9093b6a0f..c52225021f 100644
--- a/sermant-package/pom.xml
+++ b/sermant-package/pom.xml
@@ -40,7 +40,7 @@
         <script.append.source>${sermant.basedir}/${package.resources.dir}/${license.binary.suffix.file}</script.append.source>
         <script.append.target>${package.temp.dir}/LICENSE</script.append.target>
         <product.output.dir>${sermant.basedir}</product.output.dir>
-        <product.output.name>${sermant.name}-${project.version}</product.output.name>
+        <product.output.name>sermant-${project.version}</product.output.name>
     </properties>
     <build>
         <finalName>${product.output.name}</finalName>
diff --git a/sermant-plugins/sermant-flowcontrol/flowcontrol-plugin/pom.xml b/sermant-plugins/sermant-flowcontrol/flowcontrol-plugin/pom.xml
index 845236171d..4a85d723e8 100644
--- a/sermant-plugins/sermant-flowcontrol/flowcontrol-plugin/pom.xml
+++ b/sermant-plugins/sermant-flowcontrol/flowcontrol-plugin/pom.xml
@@ -26,7 +26,6 @@
         <jakarta.annotation-api.version>1.3.5</jakarta.annotation-api.version>
         <netflix-core.version>1.4.7.RELEASE</netflix-core.version>
         <spring.cloud.context.version>2.2.0.RELEASE</spring.cloud.context.version>
-        <google.guava>31.1-jre</google.guava>
         <apache-httpclient.version>4.5.13</apache-httpclient.version>
         <okhttp.version>4.11.0</okhttp.version>
         <okhttp.sq.version>2.7.5</okhttp.sq.version>
@@ -111,7 +110,6 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>${google.guava}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
diff --git a/sermant-plugins/sermant-service-registry/dubbo-registry-service/pom.xml b/sermant-plugins/sermant-service-registry/dubbo-registry-service/pom.xml
index e02bfd9c28..75c7c8021a 100644
--- a/sermant-plugins/sermant-service-registry/dubbo-registry-service/pom.xml
+++ b/sermant-plugins/sermant-service-registry/dubbo-registry-service/pom.xml
@@ -119,12 +119,6 @@
             <artifactId>mockito-inline</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.sermant</groupId>
-            <artifactId>sermant-agentcore-implement</artifactId>
-            <version>${project.version}</version>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
     <build>
diff --git a/sermant-plugins/sermant-service-registry/dubbo-registry-service/src/test/java/io/sermant/dubbo/registry/RegistryServiceTest.java b/sermant-plugins/sermant-service-registry/dubbo-registry-service/src/test/java/io/sermant/dubbo/registry/RegistryServiceTest.java
index 535f436617..0df956b78c 100644
--- a/sermant-plugins/sermant-service-registry/dubbo-registry-service/src/test/java/io/sermant/dubbo/registry/RegistryServiceTest.java
+++ b/sermant-plugins/sermant-service-registry/dubbo-registry-service/src/test/java/io/sermant/dubbo/registry/RegistryServiceTest.java
@@ -30,7 +30,6 @@
 import io.sermant.dubbo.registry.service.GovernanceService;
 import io.sermant.dubbo.registry.service.RegistryService;
 import io.sermant.dubbo.registry.service.RegistryServiceImpl;
-import io.sermant.implement.operation.converter.YamlConverterImpl;
 import io.sermant.registry.config.RegisterConfig;
 import io.sermant.registry.config.RegisterServiceCommonConfig;
 
@@ -55,6 +54,7 @@
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 
+import java.io.Reader;
 import java.lang.reflect.Field;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -63,6 +63,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 
@@ -112,7 +113,22 @@ public static void mock() {
         MOCKED_STATICS.add(mockConfigManager);
         MockedStatic<OperationManager> operationManagerMockedStatic = Mockito.mockStatic(OperationManager.class);
         operationManagerMockedStatic.when(() -> OperationManager.getOperation(YamlConverter.class))
-            .thenReturn(new YamlConverterImpl());
+            .thenReturn(new YamlConverter() {
+                @Override
+                public <T> Optional<T> convert(String source, Class<? super T> type) {
+                    return Optional.empty();
+                }
+
+                @Override
+                public <T> Optional<T> convert(Reader reader, Class<? super T> type) {
+                    return Optional.empty();
+                }
+
+                @Override
+                public String dump(Object data) {
+                    return null;
+                }
+            });
         MOCKED_STATICS.add(operationManagerMockedStatic);
     }
 
diff --git a/sermant-plugins/sermant-service-registry/pom.xml b/sermant-plugins/sermant-service-registry/pom.xml
index 4a4017ee88..c45d6af58b 100644
--- a/sermant-plugins/sermant-service-registry/pom.xml
+++ b/sermant-plugins/sermant-service-registry/pom.xml
@@ -15,8 +15,7 @@
         <sermant.basedir>${pom.basedir}/../../..</sermant.basedir>
         <package.plugin.name>service-registry</package.plugin.name>
         <service-center-version>2.7.6</service-center-version>
-        <guava.version>32.1.3-jre</guava.version>
-        <nacos.version>2.0.4</nacos.version>
+        <nacos.version>2.1.2</nacos.version>
     </properties>
     <profiles>
         <profile>
diff --git a/sermant-plugins/sermant-springboot-registry/springboot-registry-service/pom.xml b/sermant-plugins/sermant-springboot-registry/springboot-registry-service/pom.xml
index 15f2e2e0aa..d66ab5805a 100644
--- a/sermant-plugins/sermant-springboot-registry/springboot-registry-service/pom.xml
+++ b/sermant-plugins/sermant-springboot-registry/springboot-registry-service/pom.xml
@@ -20,7 +20,6 @@
         <package.plugin.type>service</package.plugin.type>
         <cloud.zk.version>3.1.0</cloud.zk.version>
         <jackson.version>2.13.4.2</jackson.version>
-        <guava.version>31.1-jre</guava.version>
         <nacos.version>2.3.3</nacos.version>
         <!--Curator 2.x.x is compatible with Zookeeper's 3.4.x and 3.5.x
             Curator 3.x.x only compatible with Zookeeper 3.5.x -->
diff --git a/sermant-plugins/sermant-tag-transmission/tag-transmission-grpc-plugin/pom.xml b/sermant-plugins/sermant-tag-transmission/tag-transmission-grpc-plugin/pom.xml
index 1cc461e7c0..de64c92e0a 100644
--- a/sermant-plugins/sermant-tag-transmission/tag-transmission-grpc-plugin/pom.xml
+++ b/sermant-plugins/sermant-tag-transmission/tag-transmission-grpc-plugin/pom.xml
@@ -17,7 +17,7 @@
         <config.skip.flag>false</config.skip.flag>
         <package.plugin.type>plugin</package.plugin.type>
         <grpc.version>1.52.1</grpc.version>
-        <protobuf.version>3.19.6</protobuf.version>
+        <protobuf.version>3.25.5</protobuf.version>
     </properties>
 
     <dependencies>