
[BackPort]: CVE Fixes from Upstream #174

Merged
merged 15 commits into from
Dec 19, 2023
Merged

Conversation


cla-assistant bot commented Dec 13, 2023

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
3 out of 4 committers have signed the CLA.

✅ KeerthanaSrikanth
✅ janjwerner-confluent
✅ Pankaj260100
❌ vivek807
You have signed the CLA already but the status is still pending? Let us recheck it.

@Pankaj260100 Pankaj260100 changed the title [BackPort]: Patched security vulnerability by updating Ranger libraries to the ne… [BackPort]: CVE Fixes from Upstream Dec 13, 2023
@Pankaj260100 Pankaj260100 changed the base branch from 28.0.1-confluent to 28.0.0-confluent December 14, 2023 05:17
@Pankaj260100 Pankaj260100 changed the base branch from 28.0.0-confluent to 28.0.1-confluent December 14, 2023 05:18
@Pankaj260100 Pankaj260100 requested review from a team as code owners December 18, 2023 06:07

xvrl commented Dec 18, 2023

Let's make sure we "rebase and merge for this PR" and DO NOT squash. Otherwise it will be very hard to keep track of which patches we have merged or not, and make it hard to revert if some cause unexpected issues.


xvrl commented Dec 18, 2023

@Pankaj260100 can you update the PR description to include the set of patches you are backporting? Right now the description only lists one, but I see others.

@Pankaj260100 Pankaj260100 changed the base branch from 28.0.1-confluent to 28.0.0-confluent December 19, 2023 07:22
@Pankaj260100 Pankaj260100 changed the base branch from 28.0.0-confluent to 28.0.1-cflt December 19, 2023 09:17
@Pankaj260100 Pankaj260100 changed the base branch from 28.0.1-cflt to 28.0.1-confluent December 19, 2023 09:18
@Pankaj260100 Pankaj260100 changed the base branch from 28.0.1-confluent to 28.0.1-cflt December 19, 2023 09:20

@pagrawal10 pagrawal10 left a comment


LGTM. All commits are cherry-picks from master, except for using a set instead of a list, which is used to fix the tests. You should add it upstream as well.

vivek807 and others added 12 commits December 19, 2023 15:32
apache#15363)

Patched security vulnerability by updating Ranger libraries to the newest available version.
…15441)

* update confluent's dependencies to a common, supported version

  Update io.confluent.* dependencies to the common, updated version 6.2.12;
  currently used versions are EOL

* move version definition to the top level pom
…pache#15443)

Recent upgrade of ranger introduced CVE regressions due to outdated elasticsearch components.
Druid-ranger-plugin does not use elasticsearch components, and they have been explicitly removed.

Update woodstox-core to 6.4.0 to address GHSA-3f7h-mf4q-vrm4
Update multiple dependencies to clear CVEs
Update dropwizard-metrics to 4.2.22 to address GHSA-mm8h-8587-p46h in com.rabbitmq:amqp-client
Update ant to 1.10.14 to resolve GHSA-f62v-xpxf-3v68 GHSA-4p6w-m9wc-c9c9 GHSA-q5r4-cfpx-h6fh GHSA-5v34-g2px-j4fw
Update commons-compress to resolve GHSA-cgwf-w82q-5jrr
Update jose4j to 0.9.3 to resolve GHSA-7g24-qg88-p43q GHSA-jgvc-jfgh-rjvv
Update kotlin-stdlib to 1.6.0 to resolve GHSA-cqj8-47ch-rvvq and CVE-2022-24329
Update guava to 32.0.1-jre to address two CVEs: CVE-2020-8908, CVE-2023-2976
This change requires a minor test change to remove assumptions about ordering.

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
…che#15446)

- Licenses file contains several licenses for outdated libraries. In this PR we remove licenses for no longer used components.
  This change is purely cosmetic / cleans up the license database.
  The candidates were designated by reviewing the output of the license check script and comparing it against the dependency tree.

- Minor fix to license check tool to fail more gracefully when the license of a used dependency is not listed as known, as well as a fix not to fail on multi-licensed components when at least one of the licenses is accepted.

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
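Added example (not part of this PR and not Druid's own check-licenses script): a minimal license-policy check in Python that shows the two behaviours the commit message above describes. A dependency whose license is not in the known list is reported as "unknown" and fails the check with a clear message instead of crashing on a lookup, and a multi-licensed component passes as soon as one of its licenses is accepted. The accepted and rejected license lists and the org.example dependencies are constructed for the example; only guava's coordinates and version come from this PR.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed policy for this example (assumption, not Druid's real license database).
ACCEPTED_LICENSES = {"Apache License version 2.0", "MIT License", "BSD-3-Clause License"}
KNOWN_REJECTED_LICENSES = {"GPL-3.0"}


@dataclass(frozen=True)
class Dependency:
    coordinates: str            # group:artifact
    version: str
    licenses: tuple[str, ...]   # several entries means the component is multi-licensed


@dataclass
class CheckResult:
    accepted: list[str] = field(default_factory=list)
    rejected: list[str] = field(default_factory=list)
    unknown: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # Unknown licenses block the build just like rejected ones, but are reported
        # separately so the remedy (catalogue the license) is obvious from the output.
        return not self.rejected and not self.unknown


def classify(dep: Dependency,
             accepted: set[str] = ACCEPTED_LICENSES,
             rejected: set[str] = KNOWN_REJECTED_LICENSES) -> str:
    """Return 'accepted', 'rejected' or 'unknown' for one dependency."""
    if not dep.licenses:
        return "unknown"                      # no license metadata at all
    # Multi-licensed component: one accepted license is enough.
    if any(lic in accepted for lic in dep.licenses):
        return "accepted"
    # Reject only when every listed license is one we have explicitly refused.
    if all(lic in rejected for lic in dep.licenses):
        return "rejected"
    # Anything not catalogued is reported instead of raising (no KeyError on a lookup).
    return "unknown"


def check_all(deps) -> CheckResult:
    result = CheckResult()
    for dep in deps:
        shown = " / ".join(dep.licenses) or "no license listed"
        getattr(result, classify(dep)).append(f"{dep.coordinates}:{dep.version} [{shown}]")
    return result


def format_report(result: CheckResult) -> str:
    lines = []
    for heading, items in (("REJECTED", result.rejected),
                           ("UNKNOWN (add to the license list or reject)", result.unknown),
                           ("accepted", result.accepted)):
        lines.append(f"{heading}: {len(items)}")
        lines.extend(f"  {item}" for item in items)
    lines.append("RESULT: " + ("OK" if result.ok else "FAIL"))
    return "\n".join(lines)


# Constructed sample dependencies; the org.example coordinates are hypothetical.
SAMPLE_DEPENDENCIES = (
    Dependency("com.google.guava:guava", "32.0.1-jre", ("Apache License version 2.0",)),
    Dependency("org.example:dual-licensed-lib", "1.0", ("GPL-3.0", "MIT License")),
    Dependency("org.example:copyleft-only-lib", "2.3", ("GPL-3.0",)),
    Dependency("org.example:unlisted-license-lib", "0.9", ("Custom Vendor License",)),
    Dependency("org.example:no-license-metadata", "4.1", ()),
)

if __name__ == "__main__":
    print(format_report(check_all(SAMPLE_DEPENDENCIES)))
```

The dual-licensed sample is accepted through its MIT option, the GPL-only one is rejected, and the two with uncatalogued or missing license metadata land in the "unknown" bucket, so the check fails with an actionable list rather than a stack trace.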
Upgrade Jackson to version 2.12.7.1 to address CVE-2022-42003, CVE-2022-42004 which affects jackson-databind.
Upgrade com.google.code.gson:gson from 2.2.4 to the latest version (2.10.1) since 2.2.4 is affected by CVE-2022-25647.
…ion (apache#15481)

* Excluding jackson-jaxrs dependency from ranger-plugin-common to address CVE regression introduced by ranger-upgrade: CVE-2019-10202, CVE-2019-10172
* remove the reference to outdated ranger 2.0 from the docs

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
This change completes the change introduced in apache#15461
and unifies the version of gson dependency used between all the modules.

gson is used by kubernetes-extension, avro-extensions, ranger-security,
and as a test dependency in several core modules.

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
…che#15449)

Update of direct dependencies:
* kubernetes java-client to 19.0.0
* docker-java-bom to 3.3.4

In order to update transitive dependencies:
* okio to 3.6.0
* bcjava to 1.76

To address CVEs:
- CVE-2023-3635 in okio
- CVE-2023-33201 in bcjava

---------

Co-authored-by: Xavier Léauté <xvrl@apache.org>
KeerthanaSrikanth and others added 3 commits December 19, 2023 15:33
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
* unpin snakeyaml globally, add suppressions and licenses
* pin snakeyaml in the specific modules that require version 1.x, update licenses and owasp suppression

This removes the pin of the Snakeyaml introduced in:  apache#14519
After the updates of io.kubernetes.java-client and io.confluent.kafka-clients, the only uses of the Snakeyaml 1.x are:
- in test scope, transitive dependency of jackson-dataformat-yaml:jar:2.12.7
- in compile scope in contrib extension druid-cassandra-storage
- in compile scope in it-tests. 

With the dependency version un-pinned, io.kubernetes.java-client and io.confluent.kafka-clients bring Snakeyaml versions 2.0 and 2.2, consequently allowing a Druid distribution to be built without the contrib extension and free of vulnerable Snakeyaml versions.
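Added example, not code from this PR or from Druid: a small Python parser over `mvn dependency:tree` output that lists which reactor modules pull a given artifact, in which scope and at which version, and flags the ones still on a major version below a threshold. This is the kind of inventory behind the "only uses of the Snakeyaml 1.x are" list in the message above. The line format is Maven's standard tree output; the sample tree, its module names and the versions in it are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One Maven dependency:tree line: "[INFO] " + tree-drawing prefix + coordinates,
# optionally followed by a note such as "(version managed from 1.33)".
TREE_LINE = re.compile(r"^\[INFO\]\s*(?P<prefix>[|+\\\- ]*)(?P<coords>\S+)(?:\s+\(.*\))?$")


@dataclass(frozen=True)
class Use:
    module: str     # artifactId of the reactor module whose tree the line belongs to
    version: str
    scope: str      # compile, test, runtime, provided


def parse_coords(coords: str):
    """Split Maven coordinates into (group, artifact, version, scope); scope is None for a module root."""
    parts = coords.split(":")
    if len(parts) == 4:        # group:artifact:type:version  (module root line)
        return parts[0], parts[1], parts[3], None
    if len(parts) == 5:        # group:artifact:type:version:scope
        return parts[0], parts[1], parts[3], parts[4]
    if len(parts) == 6:        # group:artifact:type:classifier:version:scope
        return parts[0], parts[1], parts[4], parts[5]
    return None


def find_uses(tree_lines, wanted: str) -> list[Use]:
    """List every module/scope in which `wanted` (group:artifact) appears, in tree order."""
    uses: list[Use] = []
    current_module = None
    for line in tree_lines:
        m = TREE_LINE.match(line)
        if not m:
            continue                                # plugin banners, BUILD SUCCESS, etc.
        parsed = parse_coords(m.group("coords"))
        if parsed is None:
            continue
        group, artifact, version, scope = parsed
        if scope is None and m.group("prefix") == "":
            current_module = artifact               # a new module's root line
            continue
        if f"{group}:{artifact}" == wanted and current_module is not None:
            uses.append(Use(current_module, version, scope))
    return uses


def below_major(uses, major: int) -> list[Use]:
    """Keep only uses whose major version is lower than `major` (e.g. a library's 1.x line)."""
    out = []
    for u in uses:
        try:
            if int(u.version.split(".")[0]) < major:
                out.append(u)
        except ValueError:
            out.append(u)   # unparsable version: surface it rather than silently passing
    return out


# Constructed sample of mvn dependency:tree output for three hypothetical reactor modules.
SAMPLE_TREE = [
    "[INFO] --- dependency:3.6.0:tree (default-cli) @ druid-processing ---",
    "[INFO] org.apache.druid:druid-processing:jar:28.0.1",
    "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.7.1:compile",
    "[INFO] \\- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.7:test",
    "[INFO]    \\- org.yaml:snakeyaml:jar:1.33:test",
    "[INFO] --- dependency:3.6.0:tree (default-cli) @ druid-cassandra-storage ---",
    "[INFO] org.apache.druid.extensions.contrib:druid-cassandra-storage:jar:28.0.1",
    "[INFO] \\- org.yaml:snakeyaml:jar:1.33:compile",
    "[INFO] --- dependency:3.6.0:tree (default-cli) @ druid-kubernetes-extensions ---",
    "[INFO] org.apache.druid.extensions:druid-kubernetes-extensions:jar:28.0.1",
    "[INFO] \\- io.kubernetes:client-java:jar:19.0.0:compile",
    "[INFO]    \\- org.yaml:snakeyaml:jar:2.0:compile (version managed from 1.33)",
    "[INFO] BUILD SUCCESS",
]

if __name__ == "__main__":
    found = find_uses(SAMPLE_TREE, "org.yaml:snakeyaml")
    for u in found:
        print(f"{u.module}: snakeyaml {u.version} ({u.scope} scope)")
    for u in below_major(found, 2):
        print(f"still on 1.x: {u.module} [{u.scope}]")
```

Run against a real reactor build's `mvn dependency:tree` output (one tree per module), this separates the test-scope and contrib-extension uses of the old major version from the modules that already receive the newer one through dependency management, which is exactly the distinction the unpinning in the commit message relies on.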
@Pankaj260100 Pankaj260100 merged commit e5df49c into 28.0.1-cflt Dec 19, 2023
2 of 3 checks passed
@Pankaj260100 Pankaj260100 deleted the pankaj/FixCVEs branch December 19, 2023 11:07
6 participants