Move json-smart to dependencyManagement (#3029)

microsoft · Apr 28, 2023 · b652112 · b652112
1 parent aa96968
commit b652112
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/agent/azure-monitor-exporter/build.gradle.kts b/agent/azure-monitor-exporter/build.gradle.kts
@@ -19,12 +19,6 @@ dependencies {
  implementation("com.azure:azure-core")
  implementation("com.azure:azure-identity")
 
- // CVE-2023-1370 - https://github.com/advisories/GHSA-493p-pfq6-5258
- // Transitive dependency: json-smart -> com.microsoft.azure:msal4j:1.13.5 -> com.azure:azure-identity
- // -> azure-monitor-exporter
- // upstream fix: https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/612
- implementation("net.minidev:json-smart:2.4.10")
-
  compileOnly("io.opentelemetry:opentelemetry-sdk")
  compileOnly("io.opentelemetry:opentelemetry-sdk-metrics")
  compileOnly("io.opentelemetry:opentelemetry-sdk-logs")

diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
@@ -72,7 +72,12 @@ val CORE_DEPENDENCIES = listOf(
  "io.opentelemetry.javaagent:opentelemetry-javaagent-tooling:${otelInstrumentationAlphaVersion}",
  // temporarily overriding transitive dependency from azure-core until next azure-bom release
  // which targets at least reactor-netty-http:1.1.1
- "io.projectreactor.netty:reactor-netty-http:1.1.6"
+ "io.projectreactor.netty:reactor-netty-http:1.1.6",
+ // CVE-2023-1370 - https://github.com/advisories/GHSA-493p-pfq6-5258
+ // Transitive dependency: json-smart -> com.microsoft.azure:msal4j:1.13.5 -> com.azure:azure-identity
+ // -> azure-monitor-exporter
+ // upstream fix: https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/612
+ "net.minidev:json-smart:2.4.10"
 )
 
 val DEPENDENCIES = listOf(