From 9489bd19050bd42659a6ef38d8cdda607388cd05 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 May 2023 20:17:42 +0000 Subject: [PATCH 1/8] Bump sqlite-jdbc from 3.7.2 to 3.41.2.2 in /MapHttpService Bumps [sqlite-jdbc](https://github.com/xerial/sqlite-jdbc) from 3.7.2 to 3.41.2.2. - [Release notes](https://github.com/xerial/sqlite-jdbc/releases) - [Changelog](https://github.com/xerial/sqlite-jdbc/blob/master/CHANGELOG) - [Commits](https://github.com/xerial/sqlite-jdbc/compare/sqlite-jdbc-3.7.2...3.41.2.2) --- updated-dependencies: - dependency-name: org.xerial:sqlite-jdbc dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- MapHttpService/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MapHttpService/pom.xml b/MapHttpService/pom.xml index bc41465..14186d0 100644 --- a/MapHttpService/pom.xml +++ b/MapHttpService/pom.xml @@ -62,7 +62,7 @@ org.xerial sqlite-jdbc - 3.7.2 + 3.41.2.2 From 1249d660e3f4ac7b165123f2506fc430d212f4ad Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 22:36:54 +0000 Subject: [PATCH 2/8] Bump guava from 30.0-jre to 32.0.0-jre in /WebGisDemo Bumps [guava](https://github.com/google/guava) from 30.0-jre to 32.0.0-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) --- updated-dependencies: - dependency-name: com.google.guava:guava dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- WebGisDemo/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/WebGisDemo/pom.xml b/WebGisDemo/pom.xml index 64e8cca..a6e2c82 100644 --- a/WebGisDemo/pom.xml +++ b/WebGisDemo/pom.xml @@ -24,7 +24,7 @@ 2.14.0 3.0.0 1.18.16 - 30.0-jre + 32.0.0-jre 3.4.5 8.0.28 From 49af5cdc921c8b83f6df0e86b84d13d4f9174d92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 22:42:02 +0000 Subject: [PATCH 3/8] Bump guava from 30.1-jre to 32.0.0-jre in /MapHttpService Bumps [guava](https://github.com/google/guava) from 30.1-jre to 32.0.0-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) --- updated-dependencies: - dependency-name: com.google.guava:guava dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- MapHttpService/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MapHttpService/pom.xml b/MapHttpService/pom.xml index bc41465..78cc537 100644 --- a/MapHttpService/pom.xml +++ b/MapHttpService/pom.xml @@ -18,7 +18,7 @@ UTF-8 1.7.31 4.1.42.Final - 30.1-jre + 32.0.0-jre 3.4.5 8.0.28 From a6c6214dd5c0da83495e0c3b485158477cbb770e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 22:42:10 +0000 Subject: [PATCH 4/8] Bump guava from 30.1-jre to 32.0.0-jre in /LogCollector Bumps [guava](https://github.com/google/guava) from 30.1-jre to 32.0.0-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) --- updated-dependencies: - dependency-name: com.google.guava:guava dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] --- LogCollector/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LogCollector/pom.xml b/LogCollector/pom.xml index f30544a..8f26ffb 100644 --- a/LogCollector/pom.xml +++ b/LogCollector/pom.xml @@ -21,7 +21,7 @@ 1.18.16 7.14.0 2.14.0 - 30.1-jre + 32.0.0-jre 2.8.9 4.13.1 From 945c78df71b197fe0011bc23b6d2bf1f4f25a3e1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Jun 2023 22:42:25 +0000 Subject: [PATCH 5/8] Bump guava from 30.1-jre to 32.0.0-jre in /NettyMqService Bumps [guava](https://github.com/google/guava) from 30.1-jre to 32.0.0-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) --- updated-dependencies: - dependency-name: com.google.guava:guava dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- NettyMqService/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NettyMqService/pom.xml b/NettyMqService/pom.xml index 09c472e..7180ccc 100644 --- a/NettyMqService/pom.xml +++ b/NettyMqService/pom.xml @@ -18,7 +18,7 @@ UTF-8 1.7.31 4.1.42.Final - 30.1-jre + 32.0.0-jre From cf2b9bf7b8eaf33fab07ea4cd2d878f92c894d1a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 20:58:35 +0000 Subject: [PATCH 6/8] Bump org.elasticsearch:elasticsearch in /LogCollector Bumps [org.elasticsearch:elasticsearch](https://github.com/elastic/elasticsearch) from 7.14.0 to 7.17.14. - [Release notes](https://github.com/elastic/elasticsearch/releases) - [Changelog](https://github.com/elastic/elasticsearch/blob/main/CHANGELOG.md) - [Commits](https://github.com/elastic/elasticsearch/compare/v7.14.0...v7.17.14) --- updated-dependencies: - dependency-name: org.elasticsearch:elasticsearch dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- LogCollector/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LogCollector/pom.xml b/LogCollector/pom.xml index 8f26ffb..2cd3ab3 100644 --- a/LogCollector/pom.xml +++ b/LogCollector/pom.xml @@ -19,7 +19,7 @@ 1.8 2.5.12 1.18.16 - 7.14.0 + 7.17.14 2.14.0 32.0.0-jre 2.8.9 From 7352c5837ab30d3658ff9079d3af78c3e8a9e8b1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 Nov 2023 20:58:50 +0000 Subject: [PATCH 7/8] Bump org.elasticsearch:elasticsearch in /WebGisDemo Bumps [org.elasticsearch:elasticsearch](https://github.com/elastic/elasticsearch) from 7.14.0 to 7.17.14. - [Release notes](https://github.com/elastic/elasticsearch/releases) - [Changelog](https://github.com/elastic/elasticsearch/blob/main/CHANGELOG.md) - [Commits](https://github.com/elastic/elasticsearch/compare/v7.14.0...v7.17.14) --- updated-dependencies: - dependency-name: org.elasticsearch:elasticsearch dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- WebGisDemo/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WebGisDemo/pom.xml b/WebGisDemo/pom.xml index a6e2c82..2f03362 100644 --- a/WebGisDemo/pom.xml +++ b/WebGisDemo/pom.xml @@ -19,7 +19,7 @@ 2.5.12 2.2.2 1.4.2 - 7.14.0 + 7.17.14 2.18.0 2.14.0 3.0.0 From 1b5532e0f999dec193f50346e2a532a64b16cf53 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Sun, 17 Dec 2023 23:55:45 +0000 Subject: [PATCH 8/8] vuln-fix: Use HTTPS instead of HTTP to resolve deps CVE-2021-26291 This fixes a security vulnerability in this project where the `pom.xml` files were configuring Maven to resolve dependencies over HTTP instead of HTTPS. Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere Severity: High CVSS: 8.1 Detection: CodeQL & OpenRewrite (https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories) Reported-by: Jonathan Leitschuh 
Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8 Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-maven-non-https-url/) & OpenRewrite (https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories) Reported-by: Jonathan Leitschuh Signed-off-by: Jonathan Leitschuh Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8 Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/IfHkrYfxx?organizationId=QWxsIEdpdEh1Yg%3D%3D Co-authored-by: Moderne --- WebGisDemo/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WebGisDemo/pom.xml b/WebGisDemo/pom.xml index a6e2c82..151e41e 100644 --- a/WebGisDemo/pom.xml +++ b/WebGisDemo/pom.xml @@ -32,7 +32,7 @@ redshift - http://redshift-maven-repository.s3-website-us-east-1.amazonaws.com/release + https://redshift-maven-repository.s3-website-us-east-1.amazonaws.com/release
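Review bot: PATCH 1/8 (MapHttpService/pom.xml, sqlite-jdbc 3.7.2 -> 3.41.2.2) jumps across the whole 3.8 through 3.41 release range in one step and changes nothing but the version string; the message links the upstream CHANGELOG but records no compatibility check. Before merging, build and run the module's database tests (or at minimum open the existing database file and exercise the service's queries) against 3.41.2.2: sqlite-jdbc bundles the native SQLite library, so a schema or pragma written against a 3.7-era engine is what is really being upgraded here, not just a JDBC jar.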
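Review bot: PATCHES 2/8 through 5/8 bump the same dependency (com.google.guava:guava) to 32.0.0-jre in four separate commits, starting from 30.0-jre in WebGisDemo and 30.1-jre in MapHttpService, LogCollector and NettyMqService. The version is duplicated across four pom.xml files with no shared parent property, which is why one upgrade needs four PRs and why the modules had already drifted apart; suggest hoisting the guava version into a parent dependencyManagement section (or a single shared property) so the next bump is one change. Also avoid pinning the .0 of a new major line without checking the linked release notes for a follow-up 32.0.x patch release. Separately, the header of PATCH 3/8 reads `index bc41465..78cc537`, i.e. it was generated before PATCH 1/8, which already left MapHttpService/pom.xml at 14186d0; it will not apply on top of 1/8 with git am until it is rebased (the two hunks touch different lines, so the rebase should be mechanical).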
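Review bot: PATCHES 6/8 and 7/8 (org.elasticsearch:elasticsearch 7.14.0 -> 7.17.14 in LogCollector and WebGisDemo) each change a single version property and nothing else. Confirm that the same property also drives any Elasticsearch client artifact these modules use (transport client or rest-high-level-client); if the client is versioned separately it must be bumped in lockstep, since client and server artifacts from different minor versions are not guaranteed to interoperate. Note also that org.elasticsearch:elasticsearch is the server jar, which pulls in the whole server dependency tree; if these modules only talk to a remote cluster, depending on the client artifact alone would be the smaller surface. 7.17 is the last 7.x minor, so this is the point to plan the move off the 7.x line rather than the end of the upgrade.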
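Review bot: PATCH 8/8 switches the scheme of the `redshift` repository URL to https, but the host is an S3 static-website endpoint (the `s3-website-us-east-1.amazonaws.com` form), and S3 website endpoints do not terminate TLS; unless that hostname is fronted by something that does, Maven will now fail to resolve anything from this repository instead of fetching it over plain HTTP. Verify with `curl -I https://redshift-maven-repository.s3-website-us-east-1.amazonaws.com/release/` before merging, and if it does not answer, point the repository at an HTTPS endpoint for the same bucket (or remove the repository block if nothing in the module still resolves from it). Two smaller points: the header `index a6e2c82..151e41e` shows this commit was generated against the tree before PATCH 7/8, which left WebGisDemo/pom.xml at 2f03362, so it needs a rebase to apply in series; and the commit message repeats its Detection, Reported-by, Signed-off-by and Bug-tracker trailers twice, which should be collapsed to one set.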