
fix(build): force update dependency of k8s java-client to fix high CVEs #5402

Merged
merged 1 commit into from Mar 4, 2024

Conversation

@lc525 lc525 (Member) commented Mar 4, 2024

What this PR does / why we need it:
In the dataflow component we use io.kubernetes:client-java for fetching k8s secrets needed for Kafka SaaS auth.
The library has org.apache.commons:commons-compress as a dependency.

  • The fix forces org.apache.commons:commons-compress update from 1.24.0 to 1.26.0 by defining an explicit gradle build dependency constraint

See https://docs.gradle.org/current/userguide/dependency_constraints.html for a description of how gradle may handle transitive dependency updates. This comes with its own disadvantages:

  • because we force the update ourselves, we have to test that our dependency indeed works with the updated package and delivers the same functionality we need

  • we need to remove the build constraint once the dependency updates its dependency, so that we don't "pin" that to an old version unnecessarily (this is why we have the following TODO)

  • TODO(future): remove gradle constraint when io.kubernetes:client-java gets updated to a version directly depending on 1.26.0 or higher

Fixes:

Special notes for your reviewer:

  • Tested that following the update, dataflow can still connect to k8s and fetch the kafka auth secret for communicating with Kafka SaaS

- we use io.kubernetes:client-java, which has
   org.apache.commons:commons-compress as a dependency
- fix forces org.apache.commons:commons-compress update from 1.24.0 to 1.26.0
- TODO(future): remove gradle constraint when io.kubernetes:client-java
   gets updated to a version directly depending on 1.26.0 or higher

Fixes high CVEs:
- [CVE-2024-26308](GHSA-4265-ccf5-phj5)
- [CVE-2024-25710](GHSA-4g9r-vxhx-9pgx)
@lc525 lc525 requested a review from sakoush as a code owner March 4, 2024 16:57
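As an added illustration of the approach described in the PR (this is not the project's build file and not the PR's diff), the fragment below shows a Gradle dependency constraint that raises the transitive commons-compress version, plus a small verification task that fails `check` if the resolved version ever drops below the patched one, so the pin cannot be removed or overridden silently. Assumed, not taken from the page: the Kotlin DSL and the `java` plugin, a `k8sClientVersion` entry in gradle.properties, and the `verifyCommonsCompress` task name and `minCommonsCompress` value.

```kotlin
// build.gradle.kts fragment (added illustration, not the project's own build file).
// Assumed: the Java plugin (or any JVM plugin that creates `runtimeClasspath`),
// a `k8sClientVersion` entry in gradle.properties, and the task/value names below.
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // The direct dependency; it is what pulls org.apache.commons:commons-compress
    // onto the classpath transitively.
    implementation("io.kubernetes:client-java:${property("k8sClientVersion")}")

    constraints {
        // A constraint takes part in version conflict resolution without making
        // commons-compress a direct dependency, so the module disappears on its own
        // if client-java ever stops using it.
        // TODO(future): remove once io.kubernetes:client-java depends on 1.26.0 or higher.
        implementation("org.apache.commons:commons-compress:1.26.0") {
            because(
                "CVE-2024-26308 (GHSA-4265-ccf5-phj5) and CVE-2024-25710 (GHSA-4g9r-vxhx-9pgx); " +
                "forced until io.kubernetes:client-java depends on >= 1.26.0"
            )
        }
    }
}

// Guard: fail `check` if commons-compress resolves below the patched version, so the
// pin cannot be dropped or downgraded (e.g. by a strict version declared elsewhere)
// without the build noticing.
val minCommonsCompress = "1.26.0"

// Numeric, component-wise comparison: "1.26.0" >= "1.26", "1.26.1" >= "1.26.0".
fun versionAtLeast(actual: String, required: String): Boolean {
    val a = actual.split('.').map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    val r = required.split('.').map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, r.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = r.getOrElse(i) { 0 }
        if (x != y) return x > y
    }
    return true
}

tasks.register("verifyCommonsCompress") {
    group = "verification"
    description = "Fails if org.apache.commons:commons-compress resolves below $minCommonsCompress"
    doLast {
        val resolved = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .firstOrNull { it.group == "org.apache.commons" && it.name == "commons-compress" }
            ?: throw GradleException(
                "commons-compress is no longer on runtimeClasspath; the constraint can be removed"
            )
        if (!versionAtLeast(resolved.version, minCommonsCompress)) {
            throw GradleException(
                "commons-compress resolved to ${resolved.version}, below $minCommonsCompress"
            )
        }
        logger.lifecycle("commons-compress resolved to ${resolved.version} (>= $minCommonsCompress)")
    }
}

tasks.named("check") {
    dependsOn("verifyCommonsCompress")
}
```

To see why a given version was selected, run `./gradlew dependencyInsight --configuration runtimeClasspath --dependency org.apache.commons:commons-compress`; the report lists the version client-java itself requests next to the constraint and its `because` text. Once client-java's own request is 1.26.0 or higher, the constraint block can be deleted and the guard task keeps catching a later regression. The guard checks only the resolved version; the PR's own caveat still applies, and the code path that uses the library (here, fetching the Kafka auth secret from k8s) needs an actual test after the bump.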
@sakoush sakoush (Member) left a comment

Lgtm

@lc525 lc525 merged commit e628ffe into SeldonIO:v2 Mar 4, 2024
6 checks passed
@sakoush sakoush added the v2 label Mar 5, 2024