From c2247df2cf6138383ea979acbe6ea3d924ac8c85 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Thu, 15 Feb 2024 09:22:54 -0500
Subject: [PATCH] [Manual backport of #4049] Force logback to version 1.2.13 to resolve CVE-2023-6378 (#4051) ### Description This change forces is a manual backport of the same type of change in #4049 . Instead of excluding the the logback-classic and logback-core transient dependencies we now just force them to be versions 1.2.13. This resolves CVE-2023-6378 ### Check List - [ ] ~New functionality includes testing~ - [ ] ~New functionality has been documented~ - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Stephen Crawford --- build.gradle | 1 + 1 file changed, 1 insertion(+)
diff --git a/build.gradle b/build.gradle
index 9c50389621..0313abdf76 100644
--- a/build.gradle
+++ b/build.gradle
@@ -89,6 +89,7 @@ configurations.all { force "org.apache.bcel:bcel:6.6.0" // This line should be removed once Spotbugs is upgraded to 4.7.4 force "org.xerial.snappy:snappy-java:1.1.10.5" force "org.apache.zookeeper:zookeeper:3.9.1" + force "ch.qos.logback:logback-core:1.2.13" force "ch.qos.logback:logback-classic:1.2.13" } }
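Review bot: The added `force "ch.qos.logback:logback-core:1.2.13"` line carries no comment saying why the pin exists, unlike the neighbouring bcel line, so the security rationale lives only in this commit message and the pin can be dropped or left stale without anyone noticing; I would annotate it (and the existing logback-classic line beside it) as `force "ch.qos.logback:logback-core:1.2.13" // CVE-2023-6378; drop once the transitive dependency itself is on a patched logback release`. Note that `resolutionStrategy.force` overrides the resolved version in both directions, so if a future transitive upgrade brings in a newer patched logback line this pin will silently downgrade it back to 1.2.13; a rich-version constraint with `require` would accept newer versions while still refusing the vulnerable ones. The `configurations.all { resolutionStrategy { ... } }` block this hunk sits in opens before the hunk, so the opening lines are not visible here.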