Logback 1.4.12 in performance test project to fix CVE-2023-6378 (#3746)

Use Logback 1.4.12 in the performance test project to fix CVE-2023-6378. Resolves #3729 Use Logback 1.4.12 in the sample analytics project to fix CVE-2023-6378. Resolves #3729 Signed-off-by: David Venable <[email protected]>
opensearch-project · Dec 6, 2023 · ea8e330 · ea8e330
1 parent 824b72b
commit ea8e330
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle b/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle
@@ -30,6 +30,9 @@ configurations.all {
         } else if (details.requested.group == 'org.apache.tomcat.embed') {
             details.useVersion '10.1.14'
             details.because('Fixes CVE-2023-44487')
+        } else if (details.requested.group == 'ch.qos.logback') {
+            details.useVersion '1.4.12'
+            details.because('Fixes CVE-2023-6378')
         }
     }
 }

diff --git a/performance-test/build.gradle b/performance-test/build.gradle
@@ -24,6 +24,18 @@ dependencies {
     testRuntimeOnly testLibs.junit.engine
 
     constraints {
+        gatling('ch.qos.logback:logback-classic') {
+            version {
+                require '1.4.12'
+            }
+            because 'Fixes CVE-2023-6378'
+        }
+        gatling('ch.qos.logback:logback-core') {
+            version {
+                require '1.4.12'
+            }
+            because 'Keeps the version synced with logback-classic.'
+        }
         zinc('org.scala-sbt:io_2.13') {
             version {
                 require '1.9.7'