Address security vulnerabilities CVSS >= 7 #8980
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ccaominh
force-pushed
the
cve-check
branch
8 times, most recently
from
2191a73
to
f2ac3a5
Compare
Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added. Updated dependencies: - api-util 1.0.0 -> 1.0.3 - jackson 2.9.10 -> 2.10.1 - kafka 2.1.0 -> 2.1.1 - libthrift 0.10.0 -> 0.13.0 - protobuf 3.2.0 -> 3.11.0 The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work to fix: - hibernate-validator:5.2.5 - jackson-mapper-asl:1.9.13 - libthrift:0.6.1 - netty:3.10.6 - nimbus-jose-jwt:4.41.1
|
Manually tested with https://druid.apache.org/docs/latest/tutorials/tutorial-batch-hadoop.html |
clintropolis
reviewed
Dec 4, 2019
| @@ -233,6 +233,30 @@ notice: | | |||
|
|
|||
| --- | |||
|
|
|||
| name: JavaBeans Activation Framework API JAR | |||
There was a problem hiding this comment.
Are these only run by CI? Unless these jars end up in the source binary packaging when building the distributions I don't believe they need to be included here.
There was a problem hiding this comment.
They're part of the distribution now. Here's a diff of the distribution:
Only in before/extensions/druid-hdfs-storage: api-util-1.0.0-M20.jar
Only in after/extensions/druid-hdfs-storage: api-util-1.0.3.jar
Only in before/extensions/druid-kafka-extraction-namespace: kafka-clients-2.1.0.jar
Only in after/extensions/druid-kafka-extraction-namespace: kafka-clients-2.1.1.jar
Only in before/extensions/druid-kerberos: api-util-1.0.0-M20.jar
Only in after/extensions/druid-kerberos: api-util-1.0.3.jar
Only in after/extensions/druid-kinesis-indexing-service: jackson-annotations-2.10.1.jar
Only in before/extensions/druid-kinesis-indexing-service: jackson-annotations-2.9.10.jar
Only in after/extensions/druid-kinesis-indexing-service: jackson-core-2.10.1.jar
Only in before/extensions/druid-kinesis-indexing-service: jackson-core-2.9.10.jar
Only in after/extensions/druid-kinesis-indexing-service: jackson-databind-2.10.1.jar
Only in before/extensions/druid-kinesis-indexing-service: jackson-databind-2.9.10.jar
Only in before/extensions/druid-orc-extensions: protobuf-java-3.1.0.jar
Only in after/extensions/druid-orc-extensions: protobuf-java-3.11.0.jar
Only in after/extensions/druid-protobuf-extensions: error_prone_annotations-2.3.2.jar
Only in before/extensions/druid-protobuf-extensions: gson-2.7.jar
Only in after/extensions/druid-protobuf-extensions: gson-2.8.6.jar
Only in after/extensions/druid-protobuf-extensions: protobuf-java-3.11.0.jar
Only in before/extensions/druid-protobuf-extensions: protobuf-java-3.2.0.jar
Only in after/extensions/druid-protobuf-extensions: protobuf-java-util-3.11.0.jar
Only in before/extensions/druid-protobuf-extensions: protobuf-java-util-3.2.0.jar
Only in after/lib: jackson-annotations-2.10.1.jar
Only in before/lib: jackson-annotations-2.9.10.jar
Only in after/lib: jackson-core-2.10.1.jar
Only in before/lib: jackson-core-2.9.10.jar
Only in after/lib: jackson-databind-2.10.1.jar
Only in before/lib: jackson-databind-2.9.10.jar
Only in after/lib: jackson-dataformat-cbor-2.10.1.jar
Only in before/lib: jackson-dataformat-cbor-2.9.10.jar
Only in after/lib: jackson-dataformat-smile-2.10.1.jar
Only in before/lib: jackson-dataformat-smile-2.9.10.jar
Only in after/lib: jackson-datatype-guava-2.10.1.jar
Only in before/lib: jackson-datatype-guava-2.9.10.jar
Only in after/lib: jackson-datatype-joda-2.10.1.jar
Only in before/lib: jackson-datatype-joda-2.9.10.jar
Only in after/lib: jackson-jaxrs-base-2.10.1.jar
Only in before/lib: jackson-jaxrs-base-2.9.10.jar
Only in after/lib: jackson-jaxrs-json-provider-2.10.1.jar
Only in before/lib: jackson-jaxrs-json-provider-2.9.10.jar
Only in after/lib: jackson-jaxrs-smile-provider-2.10.1.jar
Only in before/lib: jackson-jaxrs-smile-provider-2.9.10.jar
Only in after/lib: jackson-module-guice-2.10.1.jar
Only in before/lib: jackson-module-guice-2.9.10.jar
Only in after/lib: jackson-module-jaxb-annotations-2.10.1.jar
Only in before/lib: jackson-module-jaxb-annotations-2.9.10.jar
Only in after/lib: jakarta.activation-api-1.2.1.jar
Only in after/lib: jakarta.xml.bind-api-2.3.2.jar
Only in before/lib: protobuf-java-3.1.0.jar
Only in after/lib: protobuf-java-3.11.0.jar
Only in after/licenses/bin: jakarta.activation-api.EDL1
| @@ -0,0 +1,13 @@ | |||
| Eclipse Distribution License - v 1.0 | |||
There was a problem hiding this comment.
Likewise these might not be needed depending on the answer to whether or not this stuff is only used by CI
| @@ -43,7 +43,7 @@ | |||
| { | |||
| private JsonParser jp; | |||
| private ObjectCodec objectCodec; | |||
| private final TypeReference typeRef; | |||
| private final TypeReference<T> typeRef; | |||
There was a problem hiding this comment.
Are these changes required for something or just opportunistic?
There was a problem hiding this comment.
They are required after upgrading Jackson to 2.10
ccaominh
commented
Dec 4, 2019
| @@ -43,7 +43,7 @@ | |||
| { | |||
| private JsonParser jp; | |||
| private ObjectCodec objectCodec; | |||
| private final TypeReference typeRef; | |||
| private final TypeReference<T> typeRef; | |||
There was a problem hiding this comment.
They are required after upgrading Jackson to 2.10
| @@ -96,7 +95,7 @@ private String getLoadStatusURL() | |||
| // return a list of the segment dates for the specified datasource | |||
| public List<String> getMetadataSegments(final String dataSource) | |||
| { | |||
| ArrayList<String> segments; | |||
| List<String> segments; | |||
There was a problem hiding this comment.
This was required after upgrading Jackson to 2.10 (since TypeReference<List<String>> is used below)
| @@ -233,6 +233,30 @@ notice: | | |||
|
|
|||
| --- | |||
|
|
|||
| name: JavaBeans Activation Framework API JAR | |||
There was a problem hiding this comment.
They're part of the distribution now. Here's a diff of the distribution:
Only in before/extensions/druid-hdfs-storage: api-util-1.0.0-M20.jar
Only in after/extensions/druid-hdfs-storage: api-util-1.0.3.jar
Only in before/extensions/druid-kafka-extraction-namespace: kafka-clients-2.1.0.jar
Only in after/extensions/druid-kafka-extraction-namespace: kafka-clients-2.1.1.jar
Only in before/extensions/druid-kerberos: api-util-1.0.0-M20.jar
Only in after/extensions/druid-kerberos: api-util-1.0.3.jar
Only in after/extensions/druid-kinesis-indexing-service: jackson-annotations-2.10.1.jar
Only in before/extensions/druid-kinesis-indexing-service: jackson-annotations-2.9.10.jar
Only in after/extensions/druid-kinesis-indexing-service: jackson-core-2.10.1.jar
Only in before/extensions/druid-kinesis-indexing-service: jackson-core-2.9.10.jar
Only in after/extensions/druid-kinesis-indexing-service: jackson-databind-2.10.1.jar
Only in before/extensions/druid-kinesis-indexing-service: jackson-databind-2.9.10.jar
Only in before/extensions/druid-orc-extensions: protobuf-java-3.1.0.jar
Only in after/extensions/druid-orc-extensions: protobuf-java-3.11.0.jar
Only in after/extensions/druid-protobuf-extensions: error_prone_annotations-2.3.2.jar
Only in before/extensions/druid-protobuf-extensions: gson-2.7.jar
Only in after/extensions/druid-protobuf-extensions: gson-2.8.6.jar
Only in after/extensions/druid-protobuf-extensions: protobuf-java-3.11.0.jar
Only in before/extensions/druid-protobuf-extensions: protobuf-java-3.2.0.jar
Only in after/extensions/druid-protobuf-extensions: protobuf-java-util-3.11.0.jar
Only in before/extensions/druid-protobuf-extensions: protobuf-java-util-3.2.0.jar
Only in after/lib: jackson-annotations-2.10.1.jar
Only in before/lib: jackson-annotations-2.9.10.jar
Only in after/lib: jackson-core-2.10.1.jar
Only in before/lib: jackson-core-2.9.10.jar
Only in after/lib: jackson-databind-2.10.1.jar
Only in before/lib: jackson-databind-2.9.10.jar
Only in after/lib: jackson-dataformat-cbor-2.10.1.jar
Only in before/lib: jackson-dataformat-cbor-2.9.10.jar
Only in after/lib: jackson-dataformat-smile-2.10.1.jar
Only in before/lib: jackson-dataformat-smile-2.9.10.jar
Only in after/lib: jackson-datatype-guava-2.10.1.jar
Only in before/lib: jackson-datatype-guava-2.9.10.jar
Only in after/lib: jackson-datatype-joda-2.10.1.jar
Only in before/lib: jackson-datatype-joda-2.9.10.jar
Only in after/lib: jackson-jaxrs-base-2.10.1.jar
Only in before/lib: jackson-jaxrs-base-2.9.10.jar
Only in after/lib: jackson-jaxrs-json-provider-2.10.1.jar
Only in before/lib: jackson-jaxrs-json-provider-2.9.10.jar
Only in after/lib: jackson-jaxrs-smile-provider-2.10.1.jar
Only in before/lib: jackson-jaxrs-smile-provider-2.9.10.jar
Only in after/lib: jackson-module-guice-2.10.1.jar
Only in before/lib: jackson-module-guice-2.9.10.jar
Only in after/lib: jackson-module-jaxb-annotations-2.10.1.jar
Only in before/lib: jackson-module-jaxb-annotations-2.9.10.jar
Only in after/lib: jakarta.activation-api-1.2.1.jar
Only in after/lib: jakarta.xml.bind-api-2.3.2.jar
Only in before/lib: protobuf-java-3.1.0.jar
Only in after/lib: protobuf-java-3.11.0.jar
Only in after/licenses/bin: jakarta.activation-api.EDL1
licenses.yaml
Outdated
| license_name: Eclipse Distribution License 1.0 | ||
| version: 2.3.2 | ||
| copyright: Oracle and/or its affiliates. | ||
| license_file_path: licenses/bin/jakarta.activation-api.EDL1 |
There was a problem hiding this comment.
Since the EDL1 license is used for both jakarta.activation-api and jakarta.xml.bind-api, I'll rename the license file to "jakarta.EDL1"
clintropolis
approved these changes
Dec 5, 2019
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Update dependencies to address security vulnerabilities with CVSS scores of 7 or higher. A new Travis CI job is added to prevent new high/critical security vulnerabilities from being added.
Updated dependencies:
The following high/critical security vulnerabilities are currently suppressed (so that the new Travis CI job can be added now) and are left as future work:
This PR has: