api-manager

Third-party Dependency Upgrades for APIM 4.4.0

Open YasasRangika opened this issue 1 year ago • 9 comments

Description

This issue is created to track the third-party dependency upgrades for the APIM 4.4.0 release. Each upgraded dependency will be mentioned in the comments.

Affected Component

APIM

Version

4.4.0

Related Issues

No response

Suggested Labels

No response

YasasRangika avatar Sep 10 '24 06:09 YasasRangika

[STATUS UPDATE]

Provided a docker image of the APIM-4.4.0-m2 pack to the security team for the JFrog Analysis report.

YasasRangika avatar Sep 10 '24 07:09 YasasRangika

Refer https://github.com/wso2/api-manager/issues/3014

npamudika avatar Sep 11 '24 07:09 npamudika

[STATUS UPDATE]

Upgrade CXF version from 3.6.3 to 3.6.4:

carbon-apimgt PR: https://github.com/wso2/carbon-apimgt/pull/12556
product-apim PR: https://github.com/wso2/product-apim/pull/13530
carbon-deployment PR: https://github.com/wso2/carbon-deployment/pull/401

YasasRangika avatar Sep 11 '24 09:09 YasasRangika

[STATUS UPDATE]

Upgrade bcprov-jdk18on and bcpkix-jdk18on Bouncy Castle dependencies from 1.77.0.wso2v1 to 1.78.1.wso2v1. Also, upgrade the bc-fips version from 1.0.2.4 to 1.0.2.5.

carbon-multitenancy PR: https://github.com/wso2/carbon-multitenancy/pull/270
wso2-synapse PR: https://github.com/wso2/wso2-synapse/pull/2217
carbon-apimgt PR: https://github.com/wso2/carbon-apimgt/pull/12567
carbon-kernel PR: https://github.com/wso2/carbon-kernel/pull/4074
product-apim PR: https://github.com/wso2/product-apim/pull/13532

YasasRangika avatar Sep 18 '24 10:09 YasasRangika

[STATUS UPDATE]

Upgraded the Tomcat versions from 9.0.85.wso2v1 to 9.0.94.wso2v1 and tested the portals with the major REST APIs.

Orbit PR: https://github.com/wso2/orbit/pull/1132
carbon-kernel PR: https://github.com/wso2/carbon-kernel/pull/4075

YasasRangika avatar Sep 19 '24 12:09 YasasRangika

[STATUS UPDATE]

Upgraded the swagger-parser version from 2.1.18 and 2.1.20 (both versions were packed from the 4.3.0 release) to version 2.1.22.

Orbit bundles: https://github.com/wso2/orbit/pull/1133
carbon-mediation PR: https://github.com/wso2/carbon-mediation/pull/1733
carbon-apimgt PR: https://github.com/wso2/carbon-apimgt/pull/12586
product-apim PR: https://github.com/wso2/product-apim/pull/13540

YasasRangika avatar Sep 24 '24 04:09 YasasRangika

[STATUS UPDATE]

Upgraded the protobuf-java version from 3.21.12 to the non-vulnerable 3.25.5. Tested basic flows and thoroughly tested the streaming APIs.

carbon-business-messaging PR: https://github.com/wso2/carbon-business-messaging/pull/726
carbon-apimgt PR: https://github.com/wso2/carbon-apimgt/pull/12642
product-apim PR: https://github.com/wso2/product-apim/pull/13559

YasasRangika avatar Oct 07 '24 13:10 YasasRangika

[STATUS UPDATE]

Upgraded the swagger-parser version from 2.1.20.wso2v1 to 2.1.20.wso2v2 to resolve the packing of the vulnerable commons-io version 2.11.0.

Orbit bundles: https://github.com/wso2/orbit/pull/1140
carbon-mediation PR: https://github.com/wso2/carbon-mediation/pull/1734
carbon-apimgt PR: https://github.com/wso2/carbon-apimgt/pull/12651

YasasRangika avatar Oct 11 '24 09:10 YasasRangika
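The updates in this thread track target versions per component, but the thing that actually ships is the pack, and the swagger-parser repack above shows why a pack-level check matters: an upstream-version bump is not enough when a bundle carries its own copy of another library. The following is an added example, not WSO2 code and not part of this issue. It assumes jar names of the form `<artifact>_<version>.jar` (orbit/OSGi) or `<artifact>-<version>.jar` (plain Maven), where a WSO2 repack adds a `.wso2v<N>` suffix, and that nested libraries appear as `*.jar` entries inside the bundle zip. The sample inventory is constructed, the minimum versions for Bouncy Castle, protobuf-java, commons-text, Jettison, Tomcat and swagger-parser are the targets stated in this thread, and the commons-io minimum is an assumption for illustration (the thread only says 2.11.0 is vulnerable).

```python
"""Check a product pack's jar inventory against minimum dependency versions.

Added example for this thread; not WSO2 code. Assumes orbit-style
'<artifact>_<version>.jar' or Maven-style '<artifact>-<version>.jar' names,
with an optional '.wso2v<N>' repack suffix, and that jars embedded in a bundle
are plain '*.jar' entries inside the bundle zip.
"""
import io
import re
import zipfile

JAR_RE = re.compile(
    r"^(?P<artifact>.+?)[-_](?P<version>\d+(?:\.\d+)*(?:\.wso2v\d+)?)\.jar$")
VERSION_RE = re.compile(r"^(?P<nums>\d+(?:\.\d+)*)(?:\.wso2v(?P<rev>\d+))?$")

# Minimum versions. All but commons-io are the targets stated in the thread;
# commons-io 2.14.0 is an ASSUMPTION for illustration (the thread names only
# the vulnerable 2.11.0, not the fixed release).
MINIMUM_VERSIONS = {
    "bcprov-jdk18on": "1.78.1.wso2v1",
    "bcpkix-jdk18on": "1.78.1.wso2v1",
    "protobuf-java": "3.25.5",
    "commons-text": "1.10.0",
    "jettison": "1.5.4",
    "tomcat": "9.0.94.wso2v1",
    "swagger-parser": "2.1.20.wso2v2",
    "commons-io": "2.14.0",  # assumption, see above
}


def parse_version(text):
    """'2.1.20.wso2v2' -> ((2, 1, 20), 2); '3.25.5' -> ((3, 25, 5), 0)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    return nums, int(m.group("rev") or 0)


def is_at_least(found, minimum):
    """True if `found` satisfies `minimum`. Numeric parts compare first, padded
    with zeros so 1.6 == 1.6.0; the wso2v repack revision only decides between
    otherwise identical upstream versions (2.1.20.wso2v1 < 2.1.20.wso2v2)."""
    fn, fr = parse_version(found)
    mn, mr = parse_version(minimum)
    width = max(len(fn), len(mn))
    fn += (0,) * (width - len(fn))
    mn += (0,) * (width - len(mn))
    return (fn, fr) >= (mn, mr)


def split_jar_name(name):
    """'tomcat_9.0.85.wso2v1.jar' -> ('tomcat', '9.0.85.wso2v1'); None if unparsable."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def nested_jars(bundle_bytes):
    """Entry paths of *.jar files embedded inside a bundle zip."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.filename.endswith(".jar")]


def check_inventory(entries, minimums=MINIMUM_VERSIONS):
    """entries: iterable of (location, jar file name).
    Returns (findings, unparsed); a finding is (location, artifact, found, minimum)."""
    findings, unparsed = [], []
    for location, name in entries:
        parts = split_jar_name(name)
        if parts is None:
            unparsed.append(location)
            continue
        artifact, version = parts
        minimum = minimums.get(artifact)
        if minimum is not None and not is_at_least(version, minimum):
            findings.append((location, artifact, version, minimum))
    return findings, unparsed


# Constructed sample inventory (not a real pack listing).
SAMPLE_PACK = [
    "bcprov-jdk18on_1.78.1.wso2v1.jar",
    "bcpkix-jdk18on_1.77.0.wso2v1.jar",   # stale
    "protobuf-java_3.25.5.jar",
    "commons-text_1.6.0.jar",             # stale
    "jettison_1.5.4.jar",
    "tomcat_9.0.85.wso2v1.jar",           # stale
    "swagger-parser_2.1.20.wso2v1.jar",   # stale repack revision only
    "some-other-bundle_1.0.0.jar",        # no policy entry
    "mylib-1.0-SNAPSHOT.jar",             # version scheme not handled: reported
]


def build_sample_bundle():
    """Constructed bundle zip that carries its own commons-io, the way a
    repackaged swagger-parser bundle can."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Bundle-SymbolicName: swagger-parser\n"
                    "Bundle-ClassPath: .,lib/commons-io-2.11.0.jar\n")
        zf.writestr("lib/commons-io-2.11.0.jar", b"")
    return buf.getvalue()


def audit_sample_pack():
    """Top-level jars plus the jars nested inside the sample bundle."""
    entries = [(name, name) for name in SAMPLE_PACK]
    outer = "swagger-parser_2.1.20.wso2v1.jar"
    for path in nested_jars(build_sample_bundle()):
        entries.append((f"{outer}!{path}", path.rsplit("/", 1)[-1]))
    return check_inventory(entries)


if __name__ == "__main__":
    findings, unparsed = audit_sample_pack()
    for loc, art, found, need in findings:
        print(f"STALE {loc}: {art} {found} < {need}")
    for loc in unparsed:
        print(f"SKIP  {loc}: could not parse version")
```

Two design points: the repack revision is compared only when the upstream numbers tie, so a newer upstream release (2.1.22) satisfies a 2.1.20.wso2v2 minimum, and names the parser cannot handle are reported rather than silently passed, since a jar the scan cannot classify is exactly the one an SCA report will later flag. Against a real pack you would feed `os.walk` results into `check_inventory` and open each bundle with `nested_jars`.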

[STATUS UPDATE]

Upgraded the commons-text version from 1.6.0 to 1.10.0.

carbon-mediation PR: https://github.com/wso2/carbon-mediation/pull/1735
carbon-kernel PR: https://github.com/wso2/carbon-kernel/pull/4087

YasasRangika avatar Oct 11 '24 09:10 YasasRangika

[STATUS UPDATE]

Upgraded the Jettison version from 1.3.4 to 1.5.4.

carbon-kernel PR: https://github.com/wso2/carbon-kernel/pull/4089

YasasRangika avatar Oct 14 '24 04:10 YasasRangika

[STATUS UPDATE]

Upgraded the graphQL version from 19.6 to 19.11.

Orbit PR: https://github.com/wso2/orbit/pull/1143
carbon-apimgt PR: https://github.com/wso2/carbon-apimgt/pull/12663

YasasRangika avatar Oct 14 '24 10:10 YasasRangika