From 10d2a0a38f3f15326cfa408c4912b2e0e5b12550 Mon Sep 17 00:00:00 2001
From: David Venable <dlv@amazon.com>
Date: Wed, 29 Nov 2023 10:37:37 -0600
Subject: [PATCH] Require nimbus-jose-jwt 9.37.1 which fixes CVE-2021-31684 and
 CVE-2023-1370 by using a newer shaded version of json-smart.

Signed-off-by: David Venable <dlv@amazon.com>
---
 data-prepper-plugins/parquet-codecs/build.gradle | 9 +++++++++
 data-prepper-plugins/s3-sink/build.gradle        | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/data-prepper-plugins/parquet-codecs/build.gradle b/data-prepper-plugins/parquet-codecs/build.gradle
index 7fa162c8dd..44a17fdaca 100644
--- a/data-prepper-plugins/parquet-codecs/build.gradle
+++ b/data-prepper-plugins/parquet-codecs/build.gradle
@@ -16,6 +16,15 @@ dependencies {
     implementation 'org.apache.parquet:parquet-common:1.13.1'
     implementation 'org.apache.parquet:parquet-hadoop:1.13.1'
     testImplementation project(':data-prepper-test-common')
+
+    constraints {
+        implementation('com.nimbusds:nimbus-jose-jwt') {
+            version {
+                require '9.37.1'
+            }
+            because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+        }
+    }
 }
 
 test {
diff --git a/data-prepper-plugins/s3-sink/build.gradle b/data-prepper-plugins/s3-sink/build.gradle
index a7d09d77b6..6e7c20cab4 100644
--- a/data-prepper-plugins/s3-sink/build.gradle
+++ b/data-prepper-plugins/s3-sink/build.gradle
@@ -31,6 +31,15 @@ dependencies {
     testImplementation testLibs.slf4j.simple
     testImplementation 'software.amazon.awssdk:s3-transfer-manager'
     testImplementation 'software.amazon.awssdk.crt:aws-crt:0.25.0'
+
+    constraints {
+        implementation('com.nimbusds:nimbus-jose-jwt') {
+            version {
+                require '9.37.1'
+            }
+            because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+        }
+    }
 }
 
 test {