update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (#15449)

Update of direct dependencies:
* kubernetes java-client to 19.0.0
* docker-java-bom to 3.3.4

In order to update transitive dependencies:
* okio to 3.6.0
* bcjava to 1.76

To address CVEs:
- CVE-2023-3635 in okio
- CVE-2023-33201 in bcjava

---------

Co-authored-by: Xavier Léauté <xvrl@apache.org>
Jan Werner 2023-12-12 17:27:57 -05:00 committed by GitHub
parent debb6b401c
commit 3c7dec56ca
6 changed files with 177 additions and 149 deletions


@ -35,9 +35,22 @@
</parent>
<properties>
<kubernetes.client.version>11.0.4</kubernetes.client.version>
<kubernetes.client.version>19.0.0</kubernetes.client.version>
</properties>
<dependencyManagement>
<dependencies>
<!-- This is an indirect dependency of io.kubernetes.client-java
update to address vulnerability in transitive dependency okio used by okhttp -->
<dependency>
<groupId>com.squareup.okhttp3</groupId>
<artifactId>okhttp</artifactId>
<version>4.12.0</version>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.druid</groupId>
@ -80,18 +93,6 @@
<scope>test</scope>
</dependency>
<!-- Version override to address CVE-2020-28052 -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-ext-jdk15on</artifactId>
<scope>runtime</scope>
</dependency>
<!-- others -->
<dependency>
<groupId>com.google.code.findbugs</groupId>
@ -137,6 +138,18 @@
</dependencies>
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<configuration>
<!-- analyze incorrectly flags this dependency as missing when omitted, and unused when declared -->
<ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:19.0.0</ignoredDependencies>
</configuration>
</plugin>
</plugins>
</pluginManagement>
<plugins>
<plugin>
<groupId>org.jacoco</groupId>
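Review bot: The `ignoredDependencies` entry in the third hunk hard-codes `19.0.0` while the same version is declared as `${kubernetes.client.version}` in the first hunk; the next client bump will silently stop matching and `dependency:analyze` will fail again for the fluent API jar, so reference the property instead: `<ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:${kubernetes.client.version}</ignoredDependencies>`. In the first hunk the comment says the new managed version exists to fix okio, yet it pins okhttp rather than okio itself; unless the resolved tree shows okhttp 4.12.0 bringing in the patched okio, a direct `dependencyManagement` pin on `com.squareup.okio:okio` (as the kafka-protobuf module in this same commit does) would make the CVE fix explicit and resilient to a later okhttp change. The `<!-- Version override to address CVE-2020-28052 -->` comment and the two bcprov runtime dependencies are removed in the second hunk, which presumably relies on the client now pulling a fixed Bouncy Castle transitively — worth confirming with `mvn dependency:tree` since nothing in this module pins it any more.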


@ -65,7 +65,7 @@ public class DefaultK8sApiClient implements K8sApiClient
public void patchPod(String podName, String podNamespace, String jsonPatchStr)
{
try {
coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null);
coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null, null);
}
catch (ApiException ex) {
throw new RE(ex, "Failed to patch pod[%s/%s], code[%d], error[%s].", podNamespace, podName, ex.getCode(), ex.getResponseBody());
@ -80,7 +80,7 @@ public class DefaultK8sApiClient implements K8sApiClient
)
{
try {
V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null);
V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null, null);
Preconditions.checkState(podList != null, "WTH: NULL podList");
Map<String, DiscoveryDruidNode> allNodes = new HashMap();
@ -114,7 +114,7 @@ public class DefaultK8sApiClient implements K8sApiClient
Watch.createWatch(
realK8sClient,
coreV1Api.listNamespacedPodCall(namespace, null, true, null, null,
labelSelector, null, lastKnownResourceVersion, null, 0, true, null
labelSelector, null, lastKnownResourceVersion, null, null, 0, true, null
),
new TypeReference<Watch.Response<V1Pod>>()
{
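Review bot: The extra positional `null` added to each of the three calls (`patchNamespacedPod`, `listNamespacedPod`, `listNamespacedPodCall`) is indistinguishable from the nulls around it, so a reader cannot see which new client-19 parameter it fills, and a literal placed one slot off compiles silently wherever adjacent parameters share a type. Label each nullable slot inline, e.g. for the first hunk `coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), /* pretty */ "true", /* dryRun */ null, /* fieldManager */ null, /* fieldValidation */ null, /* force */ null);` and do the same on the two list calls. Those names are what I recall from the generated 19.0.0 client (`fieldValidation` on patch, `sendInitialEvents` on list) and should be verified against the actual signatures. The enclosing methods in the second and third hunks start and end outside the hunks, and `patchPod`'s catch block continues past the first hunk.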


@ -36,6 +36,7 @@
<properties>
<commons-io.version>2.11.0</commons-io.version>
<okio.version>3.6.0</okio.version>
</properties>
<repositories>
@ -45,6 +46,19 @@
</repository>
</repositories>
<dependencyManagement>
<dependencies>
<!-- This is an indirect dependency of kafka-protobuf-provider
update to address vulnerability in transitive dependency okio -->
<dependency>
<groupId>com.squareup.okio</groupId>
<artifactId>okio</artifactId>
<version>${okio.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.druid</groupId>


@ -843,36 +843,6 @@ libraries:
---
name: kubernetes official java client
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 11.0.4
libraries:
- io.kubernetes: client-java
---
name: kubernetes official java client api
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 11.0.4
libraries:
- io.kubernetes: client-java-api
---
name: kubernetes official java client extended
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 11.0.4
libraries:
- io.kubernetes: client-java-extended
---
name: kubernetes fabric java client
license_category: binary
module: extensions-contrib/kubernetes-overlord-extensions
@ -883,13 +853,28 @@ libraries:
---
name: io.prometheus simpleclient_common
name: kubernetes official java client
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 0.9.0
version: 19.0.0
libraries:
- io.prometheus: simpleclient_common
- io.kubernetes: client-java
- io.kubernetes: client-java-api
- io.kubernetes: client-java-extended
- io.kubernetes: client-java-api-fluent
- io.kubernetes: client-java-proto
---
name: Swagger
version: 1.6.2
license_category: binary
module: extensions/druid-avro-extensions
license_name: Apache License version 2.0
libraries:
- io.swagger: swagger-core
- io.swagger: swagger-models
---
@ -903,6 +888,16 @@ libraries:
---
name: io.sundr builder-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 0.22.0
libraries:
- io.sundr: builder-annotations
---
name: com.squareup.okio okio
license_category: binary
module: extensions/druid-kubernetes-extensions
@ -923,6 +918,16 @@ libraries:
---
name: io.swagger swagger-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 1.6.11
libraries:
- io.swagger: swagger-annotations
---
name: io.swagger swagger-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
@ -943,15 +948,6 @@ libraries:
---
name: io.prometheus simpleclient_httpserver
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 0.9.0
libraries:
- io.prometheus: simpleclient_httpserver
---
name: org.bitbucket.b_c jose4j
license_category: binary
@ -971,15 +967,38 @@ version: 2.2.1
libraries:
- org.joda: joda-convert
---
name: com.squareup.okhttp3 okhttp
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 3.14.9
version: 4.12.0
libraries:
- com.squareup.okhttp3: okhttp
- com.squareup.okhttp3: logging-interceptor
---
name: com.squareup.okhttp3 okhttp logging-interceptor
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 4.11.0
libraries:
- com.squareup.okhttp3: logging-interceptor
---
name: com.squareup.okio okio
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 3.6.0
libraries:
- com.squareup.okio: okio
- com.squareup.okio: okio-jvm
---
@ -987,19 +1006,15 @@ name: io.prometheus simpleclient
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 0.9.0
version: 0.16.0
libraries:
- io.prometheus: simpleclient
- io.prometheus: simpleclient_common
- io.prometheus: simpleclient_httpserver
- io.prometheus: simpleclient_tracer_common
- io.prometheus: simpleclient_tracer_otel
- io.prometheus: simpleclient_tracer_otel_agent
---
name: io.kubernetes client-java-proto
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 11.0.4
libraries:
- io.kubernetes: client-java-proto
---
@ -1017,73 +1032,79 @@ name: com.flipkart.zjsonpatch zjsonpatch
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 0.4.11
version: 0.4.14
libraries:
- com.flipkart.zjsonpatch: zjsonpatch
---
name: org.bouncycastle bcprov-jdk15on
name: org.bouncycastle bcprov-jdk18on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
version: "1.70"
version: "1.76"
libraries:
- org.bouncycastle: bcprov-jdk15on
- org.bouncycastle: bcprov-jdk18on
- org.bouncycastle: bcprov-ext-jdk18on
- org.bouncycastle: bcpkix-jdk18on
- org.bouncycastle: bcutil-jdk18on
---
name: org.bouncycastle bcprov-ext-jdk15on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
version: "1.70"
libraries:
- org.bouncycastle: bcprov-ext-jdk15on
---
name: org.bouncycastle bcpkix-jdk15on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
version: "1.70"
libraries:
- org.bouncycastle: bcpkix-jdk15on
---
name: org.bouncycastle bcutil-jdk15on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
version: "1.70"
libraries:
- org.bouncycastle: bcutil-jdk15on
---
name: com.squareup.okhttp3 logging-interceptor
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 3.14.9
libraries:
- com.squareup.okhttp3: logging-interceptor
---
name: com.github.vladimir-bukhtoyarov bucket4j-core
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 4.10.0
version: 7.6.0
libraries:
- com.github.vladimir-bukhtoyarov: bucket4j-core
---
name: Jetbrains Annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
version: 13.0
libraries:
- org.jetbrains: annotations
---
name: Jetbrains kotlin-stdlib
license_category: binary
module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
version: 1.6.10
libraries:
- org.jetbrains.kotlin: kotlin-stdlib
---
name: Jetbrains kotlin-stdlib common
license_category: binary
module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
version: 1.9.10
libraries:
- org.jetbrains.kotlin: kotlin-stdlib-common
---
name: Jetbrains jdk7 jdk 8
license_category: binary
module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
version: 1.8.21
libraries:
- org.jetbrains.kotlin: kotlin-stdlib
- org.jetbrains.kotlin: kotlin-stdlib-common
- org.jetbrains.kotlin: kotlin-stdlib-jdk7
- org.jetbrains.kotlin: kotlin-stdlib-jdk8
---
name: Netty
license_category: binary
module: java-core
@ -4097,6 +4118,16 @@ libraries:
---
name: org.elasticsearch securesm
license_category: binary
version: 2.1.9
module: druid-ranger-security
license_name: Creative Commons CC0
libraries:
- org.hdrhistogram: HdrHistogram
---
name: Apache Lucene
license_category: binary
version: 8.4.0
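Review bot: In the large hunk the `module` value on the changed Jetbrains Annotations entry and on the three new kotlin-stdlib entries is `extensions/kubernetes-extensions`, while every other entry for this extension — including the bouncycastle and okio entries touched in the same hunk — uses `extensions/druid-kubernetes-extensions`; if the license check keys on the module path this will either fail or leave those artifacts unregistered, so all four should read `module: extensions/druid-kubernetes-extensions`. The four jdk15on Bouncy Castle entries are also collapsed into a single `1.76` block listing `bcprov`, `bcprov-ext`, `bcpkix` and `bcutil`, which is only accurate if all four jdk18on artifacts actually resolve at that same version — worth confirming against the dependency tree rather than assuming it.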


@ -440,9 +440,10 @@
<cve>CVE-2021-4277</cve>
</suppress>
<!-- the remaining uses of vulnerable okio are in contrib-extensions -->
<suppress>
<notes><![CDATA[
file name: okio-1.17.2.jar, okio-1.15.0.jar okio 2.8.0
file name: okio-1.17.2.jar, okio-1.15.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl>
<cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are internal, and not user-facing -->
@ -460,18 +461,6 @@
<cve>CVE-2023-5072</cve>
</suppress>
<!--
~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only
~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file,
~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's
~ older ZK library is still compatible with.
-->
<suppress>
<notes><![CDATA[
file name: zookeeper-3.8.3.jar
]]></notes>
<cve>CVE-2023-44981</cve>
</suppress>
<!--
~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged,
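Review bot: The okio suppression's `packageUrl` regex in the first hunk, `^pkg:maven/com\.squareup\.okio/okio@..*$`, still matches every okio version even though the notes were narrowed to the two remaining unpatched jars; as written it will also hide CVE-2023-3635 if a core module ever regresses from okio 3.6.0 to a vulnerable version. Narrow the match to the jars named in the notes, e.g. `<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@1\.(15\.0|17\.2)$</packageUrl>`, so only the contrib-extension uses the new comment refers to are suppressed. The second hunk removes the CVE-2023-44981 zookeeper suppression without any mention in the commit message; unless an equivalent suppression exists elsewhere in the file, the dependency check will start flagging `zookeeper-3.8.3.jar` again — presumably intentional, but it should be stated in the description.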

23
pom.xml

@ -369,26 +369,7 @@
<artifactId>snakeyaml</artifactId>
<version>1.33</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-ext-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcutil-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<!-- transitive dependency of testng
this would be resolved by updating
testng to 7.8.0 -->
@ -1113,7 +1094,7 @@
<dependency>
<groupId>com.github.docker-java</groupId>
<artifactId>docker-java-bom</artifactId>
<version>3.2.13</version>
<version>3.3.4</version>
<scope>import</scope>
<type>pom</type>
</dependency>
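Review bot: Removing the four `-jdk15on` 1.70 pins in the first hunk leaves the root `dependencyManagement` with no Bouncy Castle entry at all, so the `1.76` named in the commit message is only whatever the kubernetes client happens to bring in transitively (this commit's licenses.yaml lists `bcprov-jdk18on` 1.76 for that extension). Any module that still resolves a `-jdk15on` artifact, or a later transitive change to a lower version, would reintroduce CVE-2020-28052 / CVE-2023-33201 without a build failure. Add an explicit `dependencyManagement` pin for the `-jdk18on` artifacts at 1.76 (a property such as `bouncycastle.version` keeps the four entries in step) and run `mvn dependency:tree` to confirm no `-jdk15on` jars remain on any classpath. The docker-java-bom bump in the second hunk is fine as is.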