@saxenakshitiz saxenakshitiz commented Feb 24, 2023

Fix vulnerabilities -

Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Local Snyk policy: found
Licenses: enabled

✔ Tested /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service for known issues, no vulnerable paths found.

Next steps:

  • Run snyk monitor to be notified about new related vulnerabilities.
  • Run snyk test as part of your CI/test.

Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/attribute-projection-functions
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled

✔ Tested 17 dependencies for known issues, no vulnerable paths found.

Next steps:

  • Run snyk monitor to be notified about new related vulnerabilities.
  • Run snyk test as part of your CI/test.

Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Tested 32 dependencies for known issues, found 3 issues, 6 vulnerable paths.

Issues with no direct upgrade or patch:
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3040284] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.attribute.service:attribute-service-api@0.14.17 > io.grpc:grpc-protobuf@1.44.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167772] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.attribute.service:attribute-service-api@0.14.17 > io.grpc:grpc-protobuf@1.44.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167774] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.attribute.service:attribute-service-api@0.14.17 > io.grpc:grpc-protobuf@1.44.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/attribute-projection-registry
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled


Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Tested 76 dependencies for known issues, found 4 issues, 8 vulnerable paths.

Issues with no direct upgrade or patch:
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3040284] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.serviceframework:platform-grpc-service-framework@0.1.37 > io.grpc:grpc-services@1.47.0 > io.grpc:grpc-protobuf@1.47.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167772] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.serviceframework:platform-grpc-service-framework@0.1.37 > io.grpc:grpc-services@1.47.0 > io.grpc:grpc-protobuf@1.47.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167774] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.serviceframework:platform-grpc-service-framework@0.1.37 > io.grpc:grpc-services@1.47.0 > io.grpc:grpc-protobuf@1.47.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Improper Certificate Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1042268] in io.netty:netty-handler@4.1.79.Final
introduced by io.grpc:grpc-netty@1.50.0 > io.netty:netty-codec-http2@4.1.79.Final > io.netty:netty-handler@4.1.79.Final and 1 other path(s)
No upgrade or patch available

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/attribute-service
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled


Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Tested 18 dependencies for known issues, found 3 issues, 6 vulnerable paths.

Issues to fix by upgrading:

Upgrade io.grpc:grpc-protobuf@1.44.0 to io.grpc:grpc-protobuf@1.44.2 to fix
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3040284] in com.google.protobuf:protobuf-java@3.19.2
introduced by io.grpc:grpc-protobuf@1.44.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167772] in com.google.protobuf:protobuf-java@3.19.2
introduced by io.grpc:grpc-protobuf@1.44.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167774] in com.google.protobuf:protobuf-java@3.19.2
introduced by io.grpc:grpc-protobuf@1.44.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/attribute-service-api
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled


Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Tested 19 dependencies for known issues, found 3 issues, 6 vulnerable paths.

Issues with no direct upgrade or patch:
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3040284] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.attribute.service:attribute-service-api@0.14.17 > io.grpc:grpc-protobuf@1.45.1 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167772] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.attribute.service:attribute-service-api@0.14.17 > io.grpc:grpc-protobuf@1.45.1 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167774] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.attribute.service:attribute-service-api@0.14.17 > io.grpc:grpc-protobuf@1.45.1 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/attribute-service-client
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled


Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Tested 27 dependencies for known issues, found 3 issues, 6 vulnerable paths.

Issues with no direct upgrade or patch:
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3040284] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.serviceframework:platform-grpc-service-framework@0.1.37 > io.grpc:grpc-services@1.47.0 > io.grpc:grpc-protobuf@1.47.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167772] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.serviceframework:platform-grpc-service-framework@0.1.37 > io.grpc:grpc-services@1.47.0 > io.grpc:grpc-protobuf@1.47.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167774] in com.google.protobuf:protobuf-java@3.19.2
introduced by org.hypertrace.core.serviceframework:platform-grpc-service-framework@0.1.37 > io.grpc:grpc-services@1.47.0 > io.grpc:grpc-protobuf@1.47.0 > com.google.protobuf:protobuf-java@3.19.2 and 1 other path(s)
This issue was fixed in versions: 3.16.3, 3.19.6, 3.20.3, 3.21.7

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/attribute-service-factory
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled


Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Tested 52 dependencies for known issues, found 3 issues, 3 vulnerable paths.

Issues to fix by upgrading:

Upgrade com.fasterxml.jackson.core:jackson-databind@2.13.2.2 to com.fasterxml.jackson.core:jackson-databind@2.13.4.2 to fix
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426] in com.fasterxml.jackson.core:jackson-databind@2.13.2.2
introduced by com.fasterxml.jackson.core:jackson-databind@2.13.2.2
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424] in com.fasterxml.jackson.core:jackson-databind@2.13.2.2
introduced by com.fasterxml.jackson.core:jackson-databind@2.13.2.2

Upgrade com.google.protobuf:protobuf-java-util@3.19.2 to com.google.protobuf:protobuf-java-util@3.20.0 to fix
✗ Deserialization of Untrusted Data [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327] in com.google.code.gson:gson@2.8.6
introduced by com.google.protobuf:protobuf-java-util@3.19.2 > com.google.code.gson:gson@2.8.6

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/attribute-service-impl
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled


Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/attribute-service-tenant-api
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled

✔ Tested 15 dependencies for known issues, no vulnerable paths found.

Next steps:

  • Run snyk monitor to be notified about new related vulnerabilities.
  • Run snyk test as part of your CI/test.

Testing /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service...

Organization: saxenakshitiz
Package manager: gradle
Target file: build.gradle.kts
Project name: attribute-service/caching-attribute-service-client
Open source: no
Project path: /Users/kshitizsaxena/SourceCode/hypertrace/attribute-service
Licenses: enabled

✔ Tested 47 dependencies for known issues, no vulnerable paths found.

Next steps:

  • Run snyk monitor to be notified about new related vulnerabilities.
  • Run snyk test as part of your CI/test.

Tested 10 projects, 6 contained vulnerable paths.

@saxenakshitiz saxenakshitiz requested a review from a team February 24, 2023 11:54
protobuf {
protoc {
artifact = "com.google.protobuf:protoc:3.15.6"
artifact = "com.google.protobuf:protoc:3.21.1"
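Review bot: the protoc artifact bump in this hunk (3.15.6 to 3.21.1) changes only the compiler used for code generation, while the Snyk report above flags the runtime library com.google.protobuf:protobuf-java@3.19.2 (fixed in 3.16.3, 3.19.6, 3.20.3, 3.21.7), pulled in transitively through io.grpc:grpc-protobuf. Make sure the runtime protobuf-java dependency is constrained to one of those fixed versions as well, and keep protoc and protobuf-java on matching versions; 3.21.1 is below the 3.21.7 fix listed in the report. The follow-up reply proposes 3.21.12; whichever version lands, re-run the scan so the report in the description matches the merged dependency set.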
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will require code change. Will it be okay to stick to 3.21.12?

@codecov

codecov bot commented Feb 24, 2023

Codecov Report

Merging #160 (6b09775) into main (da3c949) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##               main     #160   +/-   ##
=========================================
  Coverage     82.82%   82.82%           
  Complexity      281      281           
=========================================
  Files            33       33           
  Lines           949      949           
  Branches         73       73           
=========================================
  Hits            786      786           
  Misses          111      111           
  Partials         52       52           
Flag Coverage Δ
integration 82.82% <ø> (ø)
unit 69.72% <ø> (ø)



@saxenakshitiz saxenakshitiz merged commit bf2f2e4 into main Feb 24, 2023
@saxenakshitiz saxenakshitiz deleted the fix_vulnerabilities branch February 24, 2023 12:12
@github-actions

Unit Test Results

  24 files  ±0    24 suites  ±0   14s ⏱️ -1s
102 tests ±0  102 ✔️ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit bf2f2e4. ± Comparison against base commit da3c949.
