Bump most safe dependencies

Author: gbuisson

project.clj

@@ -1,8 +1,8 @@
-(def cheshire-version "5.11.0")
+(def cheshire-version "6.1.0")
 (def clj-http-fake-version "1.0.3")
-(def clj-version "1.12.0")
-(def jackson-version "2.15.2")
-(def jackson-databind-version "2.15.2")
+(def clj-version "1.12.3")
+(def jackson-version "2.20.0")
+(def jackson-databind-version "2.20.0")
 (def logback-version "1.5.16")
 (def metrics-clojure-version "2.10.0")
 (def netty-version "4.1.125.Final")
@@ -11,7 +11,7 @@
 (def slf4j-version "2.0.16")
 (def schema-generators-version "0.1.5")
 (def test-check-version "1.1.1")
-(def test-chuck-version "0.2.13")
+(def test-chuck-version "0.2.15")
 (def trapperkeeper-version "3.2.0")
 
 ;; TODO we could add -dev here when it works
@@ -61,66 +61,70 @@
   :jvm-opts ["-Djava.awt.headless=true"
              "-Dlog.console.threshold=INFO"
              "-server"]
-  :exclusions [log4j/log4j ;; handled by org.slf4j/log4j-over-slf4j
+  :exclusions [log4j/log4j    ;; handled by org.slf4j/log4j-over-slf4j
                io.netty/netty ;; moved to io.netty/netty-all
                org.slf4j/slf4j-log4j12
                org.slf4j/slf4j-nop] ;; Removed in favor of logback
   ;; use `lein pom; mvn dependency:tree -Dverbose -Dexcludes=org.clojure:clojure`
   ;; to inspect conflicts.
 
+  :managed-dependencies [[potemkin "0.4.7"]
+                         [org.tukaani/xz "1.9"]]
+
   :dependencies [[org.clojure/clojure ~clj-version]
                  [clj-time "0.15.2"]
-                 [org.threeten/threeten-extra "1.2"]
-                 [clojure.java-time "1.1.0"]
-                 [org.clojure/core.async "1.5.648"]
-                 [org.clojure/core.memoize "1.0.257"]
-                 [org.clojure/tools.logging "1.2.4"]
-                 [org.clojure/tools.cli "1.0.194"]
-                 [pandect "0.6.1"]
-                 [org.clojure/math.combinatorics "0.1.6"]
-                 [version-clj "2.0.1"]
+                 [org.threeten/threeten-extra "1.8.0"]
+                 [clojure.java-time "1.4.3"]
+                 [org.clojure/core.async "1.8.741"]
+                 [org.clojure/core.memoize "1.1.266"]
+                 [org.clojure/tools.logging "1.3.0"]
+                 [org.clojure/tools.cli "1.2.245"]
+                 [pandect "1.0.2"]
+                 [org.clojure/math.combinatorics "0.3.0"]
+                 [version-clj "2.0.3"]
+
 
                  ;; Trapperkeeper
                  [puppetlabs/trapperkeeper ~trapperkeeper-version]
                  [puppetlabs/kitchensink ~trapperkeeper-version]
-                 [prismatic/plumbing "0.5.5"] ;; upgrade puppetlabs/trapperkeeper
-                 [clj-commons/clj-yaml "1.0.26"] ;; upgrade snakeyaml dep
+                 [prismatic/plumbing "0.6.0"] ;; upgrade puppetlabs/trapperkeeper
+                 [clj-commons/clj-yaml "1.0.29"] ;; upgrade snakeyaml dep
 
                  ;; Schemas
                  [prismatic/schema "1.4.1"]
                  [metosin/schema-tools "0.13.1"]
-                 [threatgrid/flanders "1.0.2"]
-                 [threatgrid/ctim "1.3.26"]
-                 [instaparse "1.4.10"] ;; com.gfredericks/test.chuck > threatgrid/ctim
-                 [threatgrid/clj-momo "0.3.5"]
+                 [threatgrid/flanders "1.1.0"]
+                 [threatgrid/ctim "1.3.27"]
+                 [instaparse "1.5.0"] ;; com.gfredericks/test.chuck > threatgrid/ctim
+                 [threatgrid/clj-momo "0.4.1"]
                  [threatgrid/ductile "0.5.0"]
 
                  [com.arohner/uri "0.1.2"]
 
                  ;; Web server
-                 [metosin/compojure-api "1.1.13"]
-                 [ring-middleware-format "0.7.4"]
+                 [metosin/compojure-api "1.1.14"]
+                 [ring-middleware-format "0.7.5"]
                  ;; optional ring-middleware-format dep (Note: ring-middleware-format is also a transitive dep for compojure-api)
                  ;; see: https://github.com/ngrunwald/ring-middleware-format/issues/74
-                 [com.ibm.icu/icu4j "65.1"]
+                 [com.ibm.icu/icu4j "77.1"]
                  [metosin/ring-swagger "1.0.0"]
                  [metosin/ring-swagger-ui "3.24.3"]
                  [ring/ring-core ~ring-version] ;ring/ring-jetty-adapter > metosin/ring-swagger
                  [ring/ring-jetty-adapter ~ring-version]
                  [ring/ring-devel ~ring-version]
                  [ring-cors "0.1.13"]
-                 [commons-codec "1.15"] ;ring/ring* > threatgrid/ctim, threatgrid/clj-momo, clj-http
-                 [ring/ring-codec "1.1.3"]
-                 [threatgrid/clj-jwt "0.5.0"]
+                 [commons-codec "1.19.0"] ;ring/ring* > threatgrid/ctim, threatgrid/clj-momo, clj-http
+                 [ring/ring-codec "1.3.0"]
+                 [threatgrid/clj-jwt "0.5.1"]
                  [threatgrid/ring-turnstile-middleware "0.1.1"]
                  [threatgrid/ring-jwt-middleware "1.1.7"]
-                 [org.clojure/data.json "1.0.0"] ;; threatgrid/ring-jwt-middleware > threatgrid/ctim
-                 [scopula "0.1.4"]
-                 [org.clojure/tools.reader "1.3.6"] ;; org.clojure/tools.namespace > ring-middleware-format
+                 [org.clojure/data.json "2.5.1"] ;; threatgrid/ring-jwt-middleware > threatgrid/ctim
+                 [scopula "0.2.0"]
+                 [org.clojure/tools.reader "1.5.2"] ;; org.clojure/tools.namespace > ring-middleware-format
 
                  ;; clients
-                 [clj-http "3.12.3"]
-                 [com.taoensso/carmine "2.19.1" #_"2.20.0-RC1"]
+                 [clj-http "3.13.1"]
+                 [com.taoensso/carmine "3.4.1" #_"2.20.0-RC1"]
                  [cheshire ~cheshire-version] ;; upgrade threatgrid/ring-jwt-middleware, puppetlabs/kitchensink (+ a dozen others)
 
                  ;; Metrics
@@ -133,14 +137,14 @@
                  [io.netty/netty-all ~netty-version] ;bump org.onyxplatform/onyx-kafka, metrics-clojure-riemann, zookeeper-clj
                  [io.netty/netty-codec ~netty-version] ;bump org.apache.zookeeper/zookeeper, riemann-clojure-client
                  [io.netty/netty-resolver ~netty-version] ;bump riemann-clojure-client, org.apache.zookeeper/zookeeper
-                 [com.google.protobuf/protobuf-java "3.25.5"] ;; address CVE-2024-7254
-                 [riemann-clojure-client "0.5.1"]
+                 [com.google.protobuf/protobuf-java "4.32.1"]
+                 [riemann-clojure-client "0.5.4"]
                  ;; https://stackoverflow.com/a/43574427
-                 [jakarta.xml.bind/jakarta.xml.bind-api "2.3.2"]
+                 [jakarta.xml.bind/jakarta.xml.bind-api "4.0.4"]
 
                  ;; Docs
-                 [markdown-clj "1.10.1"]
-                 [hiccup "2.0.0-alpha2"]
+                 [markdown-clj "1.12.4"]
+                 [hiccup "2.0.0"]
 
                  ;; Encryption
                  [lock-key "1.5.0"]
@@ -149,8 +153,8 @@
                  [threatgrid/redismq "0.1.1"]
 
                  [org.apache.zookeeper/zookeeper "3.8.4"] ; override zookeeper-clj, org.onyxplatform/onyx-kafka
-                 [commons-io "2.14.0"] ;; address CVE-2024-47554
-                 [args4j "2.33"] ;bump org.onyxplatform/onyx-kafka, threatgrid/ctim
+                 [commons-io "2.20.0"]
+                 [args4j "2.37"] ;bump org.onyxplatform/onyx-kafka, threatgrid/ctim
                  [com.stuartsierra/component "1.1.0"] ;org.onyxplatform/onyx-kafka internal override
                  [org.onyxplatform/onyx-kafka "0.14.5.0"]
                  ;; Notes on jackson-databind:
@@ -164,7 +168,7 @@
                  [zookeeper-clj "0.9.4"]
 
                  ;; firehose
-                 [software.amazon.awssdk/firehose "2.17.232" :exclusions
+                 [software.amazon.awssdk/firehose "2.34.7" :exclusions
                   [io.netty/netty
                    io.netty/netty-all
                    io.netty/netty-buffer
@@ -186,13 +190,13 @@
 
                  ;; GraphQL
                  [base64-clj "0.1.1"]
-                 [threatgrid/ring-graphql-ui "0.1.1"]
+                 [threatgrid/ring-graphql-ui "0.1.3"]
                  [com.graphql-java/graphql-java "24.3"]
 
                  ;; Logging
                  [org.slf4j/log4j-over-slf4j ~slf4j-version]
                  [org.slf4j/slf4j-api ~slf4j-version]
-                 [net.logstash.logback/logstash-logback-encoder "7.4"]
+                 [net.logstash.logback/logstash-logback-encoder "8.1"]
                  [ch.qos.logback/logback-classic ~logback-version]
                  [ch.qos.logback/logback-core ~logback-version]]
 
@@ -224,14 +228,14 @@
                                   [clj-http-fake ~clj-http-fake-version]
                                   [prismatic/schema-generators ~schema-generators-version]
                                   [circleci/circleci.test "0.5.0"]
-                                  [org.clojure/math.combinatorics "0.1.6"]
-                                  [org.clojure/data.priority-map "1.1.0"]
-                                  [org.clojure/tools.namespace "1.2.0"]]
+                                  [org.clojure/math.combinatorics "0.3.0"]
+                                  [org.clojure/data.priority-map "1.2.0"]
+                                  [org.clojure/tools.namespace "1.5.0"]]
                    :pedantic? :warn
                    :source-paths ["dev"]}
              :ci {:pedantic? :abort
                   :global-vars {*warn-on-reflection* true}
-                  :jvm-opts [;; actually print stack traces instead of useless
+                  :jvm-opts [ ;; actually print stack traces instead of useless
                              ;; "Full report at: /tmp/clojure-8187773283812483853.edn"
                              "-Dclojure.main.report=stderr"
                              "-XX:-OmitStackTraceInFastThrow"]}
@@ -243,7 +247,7 @@
                               "-Dcom.sun.management.jmxremote.authenticate=false"
                               "-Dcom.sun.management.jmxremote.ssl=false"]}
              :bench {:dependencies [[perforate ~perforate-version]
-                                    [criterium "0.4.5"]
+                                    [criterium "0.4.6"]
                                     [org.clojure/test.check ~test-check-version]
                                     [com.gfredericks/test.chuck ~test-chuck-version]
                                     [prismatic/schema-generators ~schema-generators-version]]

src/ctia/init.clj

@@ -8,6 +8,7 @@
    [ctia.lib.metrics.console :as console]
    [ctia.lib.utils :as utils]
    [ctia.lib.riemann-service :as riemann-svc]
+   [ctia.lib.json :as json]
    [ctia.events-service :as events-svc]
    [ctia.features-service :as features-svc]
    [ctia.logging :as event-logging]
@@ -95,6 +96,9 @@
   Returns the Trapperkeeper app."
   ([] (start-ctia! {}))
   ([{:keys [services config]}]
+   ;; Initialize JSON encoders before anything else
+   (json/init!)
+   
    (log/info "starting CTIA version: "
              (version/current-version))
 

src/ctia/lib/json.clj

@@ -0,0 +1,19 @@
+(ns ctia.lib.json
+  "JSON encoding configuration for CTIA."
+  (:require [cheshire.generate :as generate])
+  (:import [com.fasterxml.jackson.core JsonGenerator]))
+
+(defn register-charsequence-encoder!
+  "Register a custom encoder for CharSequence to serialize as strings.
+   
+   Fixes Jackson 2.18+ treating CharSequence as JavaBeans on Java 15+."
+  []
+  (generate/add-encoder
+   CharSequence
+   (fn [^CharSequence obj ^JsonGenerator json-generator]
+     (.writeString json-generator (.toString obj)))))
+
+(defn init!
+  "Initialize JSON encoding configuration."
+  []
+  (register-charsequence-encoder!))