We have a reported CVE, CVE-2023-3635, which requires the package com.squareup.okio:okio to be upgraded to 3.4.0.
I have explicitly pinned this version in pom.xml, e.g.:
<dependency>
    <groupId>com.squareup.okio</groupId>
    <artifactId>okio</artifactId>
    <version>3.4.0</version>
</dependency>
<dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-hdfs</artifactId>
    <version>3.3.6</version>
</dependency>
<dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-common</artifactId>
    <version>3.3.6</version>
    <exclusions>
        <exclusion>
            <groupId>com.squareup.okio</groupId>
            <artifactId>okio</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-mapreduce-client-core</artifactId>
    <version>3.3.6</version>
</dependency>
<dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-client</artifactId>
    <exclusions>
        <exclusion>
            <groupId>com.squareup.okio</groupId>
            <artifactId>okio</artifactId>
        </exclusion>
    </exclusions>
    <version>3.3.6</version>
</dependency>
mvn dependency:tree shows 3.4.0; however, when I extract the jar I see that okio 1.6.0 is still included:
META-INF/maven/org.apache.hadoop/hadoop-client-api/pom.xml: <!-- okio declares a top level package instead of nested -->
META-INF/maven/org.apache.hadoop/hadoop-client-api/pom.xml: <pattern>okio/</pattern>
META-INF/maven/org.apache.hadoop/hadoop-client-api/pom.xml: <shadedPattern>${shaded.dependency.prefix}.okio.</shadedPattern>
META-INF/maven/com.squareup.okio/okio/pom.properties:groupId=com.squareup.okio
META-INF/maven/com.squareup.okio/okio/pom.properties:artifactId=okio
cat META-INF/maven/com.squareup.okio/okio/pom.properties
#Generated by Maven
#Tue Aug 25 19:59:48 EDT 2015
version=1.6.0
groupId=com.squareup.okio
artifactId=okio
How do I avoid including this 1.6.0 version and always pick up the latest, 3.4.0?
Thanks in advance.
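As an added example that is not part of the original question: the grep output above shows that the old okio is bundled (shaded) inside hadoop-client-api rather than pulled in as a separate Maven dependency, which is why mvn dependency:tree reports 3.4.0 while the jar still carries 1.6.0. The Python check below lists every artifact embedded in a jar via its META-INF/maven/*/pom.properties entry and flags copies of a given artifact older than the fixed version; the jar it inspects is constructed in memory to mirror the case above, and the function and file names are this example's own.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Maven writes one pom.properties per artifact; shade plugins keep these entries,
# so they reveal bundled libraries that dependency:tree never lists.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines of a pom.properties file, skipping comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def embedded_artifacts(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every artifact bundled in the jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if POM_PROPS.match(name):
                p = parse_properties(jar.read(name).decode("utf-8"))
                found.append((p.get("groupId", ""), p.get("artifactId", ""), p.get("version", "")))
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a version string, e.g. '1.6.0' -> (1, 6, 0)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def stale_copies(jar_bytes: bytes, group: str, artifact: str, fixed: str) -> List[str]:
    """Versions of group:artifact bundled in the jar that are older than the fixed one."""
    return [v for g, a, v in embedded_artifacts(jar_bytes)
            if g == group and a == artifact and version_key(v) < version_key(fixed)]


def build_sample_jar() -> bytes:
    """Constructed sample: a shaded hadoop-client-api jar carrying okio 1.6.0's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.hadoop/hadoop-client-api/pom.properties",
                     "version=3.3.6\ngroupId=org.apache.hadoop\nartifactId=hadoop-client-api\n")
        jar.writestr("META-INF/maven/com.squareup.okio/okio/pom.properties",
                     "#Generated by Maven\nversion=1.6.0\ngroupId=com.squareup.okio\nartifactId=okio\n")
    return buf.getvalue()
```

Running stale_copies over the jars in a build's target/ directory with ("com.squareup.okio", "okio", "3.4.0") catches the shaded copy even when every declared dependency already resolves to 3.4.0.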