Upgrade aws-sdk to v2 along with a few other dependencies for vulns

common/scala/build.gradle

@@ -109,7 +109,7 @@ dependencies {
         exclude group: 'com.fasterxml.jackson.core'
         exclude group: 'com.fasterxml.jackson.dataformat'
     }
-    api "com.amazonaws:aws-java-sdk-cloudfront:1.12.792" // Upgraded to remove ion-java dependency (CVE-2024-21634)
+    api "software.amazon.awssdk:cloudfront:2.46.17" // Upgraded to remove ion-java dependency (CVE-2024-21634)
 
     api ("com.azure:azure-storage-blob:12.18.0") {
         exclude group: "com.azure", module: "azure-core-test"
@@ -159,8 +159,8 @@ dependencies {
 
         api("org.apache.commons:commons-lang3:3.18.0")
 
-        api("io.projectreactor.netty:reactor-netty-core:1.2.8")
-        api("io.projectreactor.netty:reactor-netty-http:1.2.8")
+        api("io.projectreactor.netty:reactor-netty-core:1.2.18")
+        api("io.projectreactor.netty:reactor-netty-http:1.2.18")
 
         api("io.grpc:grpc-api:${gradle.grpc.version}") {
             version { strictly gradle.grpc.version }

common/scala/src/main/scala/org/apache/openwhisk/core/database/s3/CloudFrontSigner.scala

@@ -20,13 +20,10 @@ import java.io.ByteArrayInputStream
 import java.nio.charset.StandardCharsets.UTF_8
 import java.security.PrivateKey
 import java.time.Instant
-import java.util.Date
-
 import org.apache.pekko.http.scaladsl.model.Uri
-import com.amazonaws.auth.PEM
-import com.amazonaws.services.cloudfront.CloudFrontUrlSigner
-import com.amazonaws.services.cloudfront.util.SignerUtils
-import com.amazonaws.services.cloudfront.util.SignerUtils.Protocol
+import software.amazon.awssdk.services.cloudfront.CloudFrontUtilities
+import software.amazon.awssdk.services.cloudfront.internal.auth.Pem
+import software.amazon.awssdk.services.cloudfront.model.CannedSignerRequest
 
 import scala.concurrent.duration._
 
@@ -37,18 +34,25 @@ case class CloudFrontConfig(domainName: String,
 
 case class CloudFrontSigner(config: CloudFrontConfig) extends UrlSigner {
   private val privateKey = createPrivateKey(config.privateKey)
+  private val cloudFrontUtils = CloudFrontUtilities.create();
 
   override def getSignedURL(s3ObjectKey: String): Uri = {
-    val resourcePath = SignerUtils.generateResourcePath(Protocol.https, config.domainName, s3ObjectKey)
-    val date = Date.from(Instant.now().plusSeconds(config.timeout.toSeconds))
-    val url = CloudFrontUrlSigner.getSignedURLWithCannedPolicy(resourcePath, config.keyPairId, privateKey, date)
-    Uri(url)
+    val resourceUrl = s"https://${config.domainName}/$s3ObjectKey"
+    val date = Instant.now().plusSeconds(config.timeout.toSeconds)
+    val cannedRequest = CannedSignerRequest
+      .builder()
+      .resourceUrl(resourceUrl)
+      .privateKey(privateKey)
+      .keyPairId(config.keyPairId)
+      .expirationDate(date)
+      .build()
+    Uri(cloudFrontUtils.getSignedUrlWithCannedPolicy(cannedRequest).url())
   }
 
   override def toString: String = s"CloudFront Signer - ${config.domainName}"
 
   private def createPrivateKey(keyContent: String): PrivateKey = {
     val is = new ByteArrayInputStream(keyContent.getBytes(UTF_8))
-    PEM.readPrivateKey(is)
+    Pem.readPrivateKey(is)
   }
 }

settings.gradle

@@ -104,9 +104,9 @@ gradle.ext.pekko_kafka = [version : '1.1.0']
 gradle.ext.pekko_http = [version : '1.1.0']
 gradle.ext.pekko_management = [version : '1.1.1']
 gradle.ext.pekko_grpc = [version : '1.1.1']
-gradle.ext.grpc = [version : '1.75.0']
+gradle.ext.grpc = [version : '1.82.1']
 
 gradle.ext.curator = [version : '5.7.0']
 gradle.ext.kube_client = [version: '4.10.3']
-gradle.ext.jackson = [version: '2.21.1']
+gradle.ext.jackson = [version: '2.21.4']
 gradle.ext.netty = [version : '4.1.135.Final']

tests/build.gradle

@@ -254,7 +254,7 @@ dependencies {
     implementation "io.fabric8:kubernetes-server-mock:${gradle.kube_client.version}"
     implementation "org.rogach:scallop_${gradle.scala.depVersion}:3.3.2"
 
-    implementation "com.amazonaws:aws-java-sdk-s3:1.12.395"
+    implementation "software.amazon.awssdk:s3:2.46.17"
     implementation "com.microsoft.azure:azure-cosmos:3.7.6"
     implementation 'org.testcontainers:elasticsearch:1.17.6'
     implementation 'org.testcontainers:mongodb:1.17.1'

tests/src/test/scala/org/apache/openwhisk/core/database/s3/S3Minio.scala

@@ -17,19 +17,19 @@
 
 package org.apache.openwhisk.core.database.s3
 
-import java.net.ServerSocket
-
+import java.net.{ServerSocket, URI}
 import actionContainers.ActionContainer
 import org.apache.pekko.actor.ActorSystem
-import com.amazonaws.auth.{AWSStaticCredentialsProvider, BasicAWSCredentials}
-import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration
-import com.amazonaws.services.s3.AmazonS3ClientBuilder
 import com.typesafe.config.ConfigFactory
 import common.{SimpleExec, StreamLogging}
 import org.scalatest.BeforeAndAfterAll
 import org.scalatest.flatspec.AnyFlatSpec
 import org.apache.openwhisk.common.{Logging, TransactionId}
 import org.apache.openwhisk.core.database.{AttachmentStore, DocumentSerializer}
+import software.amazon.awssdk.auth.credentials.{AwsBasicCredentials, StaticCredentialsProvider}
+import software.amazon.awssdk.regions.Region
+import software.amazon.awssdk.services.s3.S3Client
+import software.amazon.awssdk.services.s3.model.CreateBucketRequest
 
 import scala.concurrent.duration._
 import scala.reflect.ClassTag
@@ -89,14 +89,16 @@ trait S3Minio extends AnyFlatSpec with BeforeAndAfterAll with StreamLogging {
   }
 
   def createTestBucket(): Unit = {
-    val endpoint = new EndpointConfiguration(s"http://localhost:$port", "us-west-2")
-    val client = AmazonS3ClientBuilder.standard
-      .withPathStyleAccessEnabled(true)
-      .withEndpointConfiguration(endpoint)
-      .withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKey, secretAccessKey)))
-      .build
+    val client = S3Client
+      .builder()
+      .forcePathStyle(true)
+      .endpointOverride(URI.create(s"http://localhost:$port"))
+      .region(Region.US_WEST_2)
+      .credentialsProvider(StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretAccessKey)))
+      .build()
 
-    org.apache.openwhisk.utils.retry(client.createBucket(bucket), 6, Some(1.minute))
+    org.apache.openwhisk.utils
+      .retry(client.createBucket((b: CreateBucketRequest.Builder) => b.bucket(bucket)), 6, Some(1.minute))
     println(s"Created bucket $bucket")
   }