Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

resolve multiple CVEs #15407

Closed
wants to merge 27 commits into from
Closed

resolve multiple CVEs #15407

wants to merge 27 commits into from

Conversation

janjwerner-confluent
Copy link
Contributor

@janjwerner-confluent janjwerner-confluent commented Nov 21, 2023
edited
Loading

Fixes # Multiple CVEs in dependencies. .

Description

Update multiple dependencies to clear CVEs
Update docker-java-bom to 3.3.4 and
kubernetes-client to 19.0.0 to move away from bcprov-jdk15 to address: CVE-2023-33201
Update dropwizard-metrics to 4.2.22 to address CVE-2023-46120 in com.rabbitmq:amqp-client
Update avro to 1.11.3 to resolve CVE-2023-39410
Update jackson-databind to 2.12.7.1 to resolve CVE-2022-42003 CVE-2022-42004
Update ant to 1.10.14 to resolve CVE-2020-11979 CVE-2020-1945 CVE-2021-36373 CVE-2021-36374
Update comomons-compress to resolve CVE-2023-42503
Update jose4j to 0.9.3 to resolve CVE-2023-31582 GHSA-jgvc-jfgh-rjvv
Update kotlin-stdlib to 1.4.21 to resolve CVE-2020-29582
Update kafka-client-schema-registry to 6.2.12
Update woodstox-core to 6.4.0 to address CVE-2022-40152
Update aws-java-sdk-bundle to 1.12.497 to remove CVE regressions introduced by ranger update

  • updated licenses and suppressions.
  • update license checker to provide more verbose information when license is not found

This PR has:

  • [ x] been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • [ x] added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@janjwerner-confluent janjwerner-confluent marked this pull request as draft November 21, 2023 01:39
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 23, 2023
View reviewed changes
distribution/bin/check-licenses.py Fixed Show resolved Hide resolved
@janjwerner-confluent janjwerner-confluent marked this pull request as ready for review November 23, 2023 15:57
@janjwerner-confluent
Copy link
Contributor Author

@abhishekagarwal87
Could you help me with the web-checks failing.
I am fixing the remaining license and CVE issues, but I'm stomped with the e2e test.

@kfaraz kfaraz mentioned this pull request Nov 24, 2023
Merged
@janjwerner-confluent
Copy link
Contributor Author

Cannot update elasticsearch to CVE-2023-31418 CVE-2021-22134 CVE-2021-22135 CVE-2021-22144 CVE-2023-31417 CVE-2023-31419 CVE-2023-46673
nor the elasticsearch-rest-client to address CVE-2021-22145
as Elastic changed the licenses to non permissive dual license.

@janjwerner-confluent janjwerner-confluent mentioned this pull request Nov 26, 2023
Closed
10 tasks
@janjwerner-confluent
Copy link
Contributor Author

closing this PR as it's being addressed with a series of smaller efforts.

@janjwerner-confluent janjwerner-confluent mentioned this pull request Dec 8, 2023
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Area - Dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@janjwerner-confluent