Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Ignore CVEs from htrace and ambari transitive deps (#10353) 

* Ignore CVEs from htrace and ambari transitive deps

htrace CVEs are suppressed for now as addressing them requires updating
the hadoop version.

ambari CVEs are suppressed for now since ambari is updated to the latest
version and is no longer actively maintained.

* Fix compilation issue from ambari upgrade

* Add missing test coverage
This commit is contained in:
Chi Cao Minh 2020-09-04 15:22:26 -07:00 committed by GitHub
parent 91a153820e
commit 176b715624
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 79 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
extensions-contrib/ambari-metrics-emitter/pom.xml
View File

@ -51,7 +51,7 @@
<dependency> <dependency>
<groupId>org.apache.ambari</groupId> <groupId>org.apache.ambari</groupId>
<artifactId>ambari-metrics-common</artifactId> <artifactId>ambari-metrics-common</artifactId>
<version>2.6.1.0.0</version> <version>2.7.0.0.0</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>org.codehaus.jackson</groupId> <groupId>org.codehaus.jackson</groupId>

18
extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
View File

@ -185,6 +185,24 @@ public class AmbariMetricsEmitter extends AbstractTimelineMetricsSink implements
return config.getHostname(); return config.getHostname();
} }
@Override
protected boolean isHostInMemoryAggregationEnabled()
{
return false;
}
@Override
protected int getHostInMemoryAggregationPort()
{
return 0; // since host in-memory aggregation is disabled, this return value is unimportant
}
@Override
protected String getHostInMemoryAggregationProtocol()
{
return ""; // since host in-memory aggregation is disabled, this return value is unimportant
}
private class ConsumerRunnable implements Runnable private class ConsumerRunnable implements Runnable
{ {
@Override @Override

4
extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
View File

@ -66,5 +66,9 @@ public class AmbariMetricsEmitterTest
Assert.assertEquals("hostname", emitter.getHostname()); Assert.assertEquals("hostname", emitter.getHostname());
Assert.assertNull(emitter.getZookeeperQuorum()); Assert.assertNull(emitter.getZookeeperQuorum());
Assert.assertEquals(Collections.singleton("hostname"), emitter.getConfiguredCollectorHosts()); Assert.assertEquals(Collections.singleton("hostname"), emitter.getConfiguredCollectorHosts());
Assert.assertFalse(emitter.isHostInMemoryAggregationEnabled());
Assert.assertEquals(0, emitter.getHostInMemoryAggregationPort());
Assert.assertEquals("", emitter.getHostInMemoryAggregationProtocol());
} }
} }

60
owasp-dependency-check-suppressions.xml
View File

@ -147,7 +147,7 @@
<cve>CVE-2019-17195</cve> <cve>CVE-2019-17195</cve>
</suppress> </suppress>
<suppress> <suppress>
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage --> <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
<notes><![CDATA[ <notes><![CDATA[
file name: libthrift-0.6.1.jar file name: libthrift-0.6.1.jar
]]></notes> ]]></notes>
@ -156,6 +156,28 @@
<cve>CVE-2018-1320</cve> <cve>CVE-2018-1320</cve>
<cve>CVE-2019-0205</cve> <cve>CVE-2019-0205</cve>
</suppress> </suppress>
<suppress>
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
<notes><![CDATA[
file name: snakeyaml-1.6.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
<cve>CVE-2017-18640</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@2.4.0$</packageUrl>
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-annotations:2.4.0 since it is via htrace-core4 -->
</suppress>
<suppress>
<notes><![CDATA[
file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@2.4.0$</packageUrl>
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-core:2.4.0 since it is via htrace-core4 -->
</suppress>
<suppress> <suppress>
<!-- <!--
~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change ~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change
@ -173,10 +195,10 @@
~ TODO: Fix by updating parquet version in extensions-core/parquet-extensions. ~ TODO: Fix by updating parquet version in extensions-core/parquet-extensions.
--> -->
<notes><![CDATA[ <notes><![CDATA[
file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.9.10) file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-{core,databind}:2.9.10)
]]></notes> ]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.9.10$</packageUrl> <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-.*@2.9.10$</packageUrl>
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-databind:2.9.0 since it is via parquet transitive dependencies --> <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-{core,databind}:2.9.0 since it is via parquet transitive dependencies -->
</suppress> </suppress>
<suppress> <suppress>
<notes><![CDATA[ <notes><![CDATA[
@ -229,4 +251,34 @@
<packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl> <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
<cve>CVE-2019-17571</cve> <cve>CVE-2019-17571</cve>
</suppress> </suppress>
<suppress>
<!--
- TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-->
<notes><![CDATA[
file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
<cve>CVE-2019-16869</cve>
<cve>CVE-2019-20444</cve>
<cve>CVE-2019-20445</cve>
</suppress>
<suppress>
<!--
- TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-->
<notes><![CDATA[
file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
<cve>CVE-2015-1776</cve>
<cve>CVE-2016-3086</cve>
<cve>CVE-2016-5393</cve>
<cve>CVE-2016-6811</cve>
<cve>CVE-2017-3162</cve>
<cve>CVE-2018-11768</cve>
<cve>CVE-2018-1296</cve>
<cve>CVE-2018-8009</cve>
<cve>CVE-2018-8029</cve>
</suppress>
</suppressions> </suppressions>