Fix reported CVEs (#14882)

Suppress CVEs from dependencies with no available fix or false positives
hadoop-annotations: CVE-2022-25168, CVE-2021-33036
hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475
okio: CVE-2023-3635
Upgrade grpc version to fix CVE-2023-33953
Tejaswini Bandlamudi 2023-08-24 19:28:55 +05:30 committed by GitHub
parent 3c7b237c22
commit 388d5ecf78
2 changed files with 16 additions and 1 deletions


@ -39,7 +39,7 @@
<!-- These guava and grpc versions are used only in the opentelemetry-extension.
Look at build section for more details about shading. -->
<shade.guava.version>32.0.1-jre</shade.guava.version>
<shade.grpc.version>1.41.3</shade.grpc.version>
<shade.grpc.version>1.57.2</shade.grpc.version>
</properties>
<dependencyManagement>
<dependencies>


@ -359,6 +359,9 @@
]]></notes>
<cve>CVE-2022-45855</cve>
<cve>CVE-2022-42009</cve>
<!-- Suppress hadoop CVEs that not applicable to hadoop-annotations -->
<cve>CVE-2022-25168</cve> <!-- Affected FileUtil.unTar(File, File) API isn't present in hadoop-annotations -->
<cve>CVE-2021-33036</cve> <!-- Only applicable to hadoop-yarn-server -->
</suppress>
<suppress>
<!--
@ -759,6 +762,10 @@
<!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
<cve>CVE-2023-25613</cve>
<cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using com.google.common.io.FileBackedOutputStream -->
<!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop release version -
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9 -->
<cve>CVE-2023-1370</cve>
<cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843 -->
</suppress>
<suppress>
<!-- from extensions using hadoop-client-api, these dependencies are shaded in the jar -->
@ -785,4 +792,12 @@
<packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl>
<cve>CVE-2021-4277</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: okio-1.17.2.jar, okio-1.15.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@1..*$</packageUrl>
<cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are internal, and not user-facing -->
</suppress>
</suppressions>
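Review bot: The new okio packageUrl pattern (the line just above `<cve>CVE-2023-3635</cve>`) has an unescaped dot, so `okio@1..*` matches any version string that merely starts with `1` (a future `10.x` included) instead of only the `1.x` line named in the notes; it should read `<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@1\..*$</packageUrl>`. This suppression and the CVE-2023-1370 entry in the earlier hunk both rest on conditions that can change (okio use being internal-only, a fix expected in a coming Hadoop release), so they are better written as dated suppressions, e.g. `<suppress until="YYYY-MM-DDZ">`, which dependency-check supports and which forces a re-evaluation once the date passes. It would also help to extend the okio comment with which Druid module pulls in the 1.17.2/1.15.0 jars listed in the notes, so the "internal, not user-facing" justification can be verified by the next reviewer rather than taken on trust.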