[3f8zK8nS] Upgrade hadoop from 3.3.6 to 3.4.0 to mitigate multiple vulnerabilities #612
Conversation
…ding on it explicitly.
| @@ -41,7 +41,6 @@ dependencies { | |||
| // These will be dependencies not packaged with the .jar | |||
| // They need to be provided either through the database or in an extra .jar | |||
| compileOnly group: 'org.neo4j', name: 'neo4j', version: neo4jVersionEffective | |||
| compileOnly group: 'org.apache.commons', name: 'commons-configuration2', version: '2.9.0' | |||
There was a problem hiding this comment.
The Snyk build failure is because of two newly found vulnerabilities in commons-configuration2. I will mitigate by this change and then it can be updated in Neo4j when possible (currently it is not fixable because of another Neo4j dependency which have 2.9.0 transitively).
test-utils/build.gradle
Outdated
|
|
||
| // The following dependencies needs to be excluded because they do not have licenses which we are allowed to include | ||
| def withoutLicenseViolations = { | ||
| exclude group: 'com.sun.codemodel' |
There was a problem hiding this comment.
This has the license: https://github.com/javaee/jaxb-codemodel/tree/master, the repo is archived which may be why the license tool has issues with it, you can manually add it in to the licenses instead. See line 117 of licenses-3rdparties.gradle on how to do this.
test-utils/build.gradle
Outdated
| // The following dependencies needs to be excluded because they do not have licenses which we are allowed to include | ||
| def withoutLicenseViolations = { | ||
| exclude group: 'com.sun.codemodel' | ||
| exclude group: 'org.jline' |
There was a problem hiding this comment.
This has a license: https://github.com/jline/jline3 , The license tool has issues sometimes if the repo owner hasn't declared it correctly, you can manually add it in to the licenses instead. See line 117 of licenses-3rdparties.gradle on how to do this.
Better to add in case something relies on these in Hadoop! :)
licenses-3rdparties.gradle
Outdated
| @@ -114,6 +114,8 @@ downloadLicenses { | |||
| // Add licenses to some libraries which don't declare their license inside the POM. Should be rechecked if the version is updated. | |||
| licenses = [ | |||
| 'javax.servlet.jsp:jsp-api:2.1' : license('Common Development and Distribution License Version 1.1', null), | |||
| 'org.jline:jline:3.22.0' : license('BSD-2-Clause', "https://opensource.org/license/bsd-2-clause"), | |||
There was a problem hiding this comment.
| 'org.jline:jline:3.22.0' : license('BSD-2-Clause', "https://opensource.org/license/bsd-2-clause"), | |
| 'org.jline:jline:3.22.0' : license('BSD 2-Clause license', 'http://opensource.org/licenses/BSD-2-Clause'), |
I think this should stop it from adding a "new" whole license clause.
There was a problem hiding this comment.
Of some reason it is still complaining about invalid license after this change, will take a closer look tomorrow
licenses-3rdparties.gradle
Outdated
| @@ -114,6 +114,8 @@ downloadLicenses { | |||
| // Add licenses to some libraries which don't declare their license inside the POM. Should be rechecked if the version is updated. | |||
| licenses = [ | |||
| 'javax.servlet.jsp:jsp-api:2.1' : license('Common Development and Distribution License Version 1.1', null), | |||
| 'org.jline:jline:3.22.0' : license('BSD-2-Clause', "https://opensource.org/license/bsd-2-clause"), | |||
| 'com.sun.codemodel:codemodel:2.6' : license('Common Development and Distribution License Version 1.0', null), | |||
Upgrading Hadoop will mitigate the following vulnerabilities:
CVE 2019-10172 (high)
CVE-2019-10202 (critical)
CVE-2019-16869 (medium)
CVE-2019-17571 (critical)
CVE-2020-9488 (low)
CVE-2020-29582 (low)
CVE-2021-4104 (medium)
CVE-2022-23302 (high)
CVE-2022-23305 (high)
CVE-2022-23307 (high)
CVE-2022-24329 (medium)
CVE-2023-3635 (medium)
CVE-2023-26464 (medium)
CVE-2023-34453 (medium)
CVE-2023-34454 (medium)
CVE-2023-34455 (high)
CVE-2023-43642 (high)
CVE-2023-44981 (high)
CVE-2024-23944 (medium)
CWE-310 (medium)