Fix reported CVEs by tejaswini-imply · Pull Request #14882 · apache/druid

tejaswini-imply · 2023-08-21T07:11:53Z

Suppress CVEs from dependencies with no available fix or false positives
- hadoop-annotations: CVE-2022-25168, CVE-2021-33036
- hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475
- okio: CVE-2023-3635
Upgrade grpc version to fix CVE-2023-33953

drop druid-iceberg-extensions module, upgrade grpc-netty-shaded version

abhishekagarwal87 · 2023-08-21T08:35:54Z

owasp-dependency-check-suppressions.xml

    ]]></notes>
    <cve>CVE-2022-45855</cve>
    <cve>CVE-2022-42009</cve>
+    <!-- Suppress hadoop CVEs that not applicable to hadoop-annotations -->


we should add a comment as to why these are not applicable to hadoop-annotations.

Updated it! Thanks, @abhishekagarwal87

abhishekagarwal87 · 2023-08-22T08:14:26Z

distribution/pom.xml

-                                        <argument>-c</argument>
-                                        <argument>org.apache.druid.extensions:druid-iceberg-extensions</argument>


why are you removing this? This profile is bundle-contrib-exts which is supposed to package all contrib extensions in the bundle.

Reverted this! Thanks for pointing it out.

…profile

tejaswini-imply added 3 commits August 21, 2023 12:24

suppress CVEs,

4d784d5

drop druid-iceberg-extensions module, upgrade grpc-netty-shaded version

Merge branch 'master' into suppress-cves

c30da53

fix description

1e4f0cb

abhishekagarwal87 reviewed Aug 21, 2023

View reviewed changes

kfaraz added Security Area - Dependencies labels Aug 22, 2023

tejaswini-imply added 2 commits August 22, 2023 10:16

drop iceberg-extensions from package

95bcb20

update suppression comments

16bdfcc

abhishekagarwal87 reviewed Aug 22, 2023

View reviewed changes

tejaswini-imply and others added 4 commits August 22, 2023 15:05

revert: removal of druid-iceberg-extensions from bundle-contrib-exts …

0d7fab7

…profile

Merge branch 'master' into suppress-cves

94f9f92

nit

8cc7c46

revert: removal of druid-iceberg-extensions

6552fc3

abhishekagarwal87 approved these changes Aug 24, 2023

View reviewed changes

abhishekagarwal87 merged commit 388d5ec into apache:master Aug 24, 2023

LakshSingla added this to the 28.0 milestone Oct 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix reported CVEs#14882

Fix reported CVEs#14882
abhishekagarwal87 merged 9 commits intoapache:masterfrom
tejaswini-imply:suppress-cves

tejaswini-imply commented Aug 21, 2023 •

edited

Loading

Uh oh!

abhishekagarwal87 Aug 21, 2023

Uh oh!

tejaswini-imply Aug 22, 2023

Uh oh!

abhishekagarwal87 Aug 22, 2023

Uh oh!

tejaswini-imply Aug 22, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

		<argument>-c</argument>
		<argument>org.apache.druid.extensions:druid-iceberg-extensions</argument>

Conversation

tejaswini-imply commented Aug 21, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

abhishekagarwal87 Aug 21, 2023

Choose a reason for hiding this comment

Uh oh!

tejaswini-imply Aug 22, 2023

Choose a reason for hiding this comment

Uh oh!

abhishekagarwal87 Aug 22, 2023

Choose a reason for hiding this comment

Uh oh!

tejaswini-imply Aug 22, 2023

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

tejaswini-imply commented Aug 21, 2023 •

edited

Loading