update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (#15449)

Update of direct dependencies:
* kubernetes java-client to 19.0.0
* docker-java-bom to 3.3.4

In order to update transitive dependencies:
* okio to 3.6.0
* bcjava to 1.76

To address CVEs:
- CVE-2023-3635 in okio
- CVE-2023-33201 in bcjava

---------

Co-authored-by: Xavier Léauté <xvrl@apache.org>
Jan Werner 2023-12-12 17:27:57 -05:00 committed by GitHub
parent debb6b401c
commit 3c7dec56ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 177 additions and 149 deletions


@ -35,9 +35,22 @@
</parent> </parent>
<properties> <properties>
<kubernetes.client.version>11.0.4</kubernetes.client.version> <kubernetes.client.version>19.0.0</kubernetes.client.version>
</properties> </properties>
<dependencyManagement>
<dependencies>
<!-- This is an indirect dependency of io.kubernetes.client-java
update to address vulnerability in transitive dependency okio used by okhttp -->
<dependency>
<groupId>com.squareup.okhttp3</groupId>
<artifactId>okhttp</artifactId>
<version>4.12.0</version>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.apache.druid</groupId> <groupId>org.apache.druid</groupId>
@ -80,18 +93,6 @@
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<!-- Version override to address CVE-2020-28052 -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-ext-jdk15on</artifactId>
<scope>runtime</scope>
</dependency>
<!-- others --> <!-- others -->
<dependency> <dependency>
<groupId>com.google.code.findbugs</groupId> <groupId>com.google.code.findbugs</groupId>
@ -137,6 +138,18 @@
</dependencies> </dependencies>
<build> <build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<configuration>
<!-- analyze incorrectly flags this dependency as missing when omitted, and unused when declared -->
<ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:19.0.0</ignoredDependencies>
</configuration>
</plugin>
</plugins>
</pluginManagement>
<plugins> <plugins>
<plugin> <plugin>
<groupId>org.jacoco</groupId> <groupId>org.jacoco</groupId>
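Review bot: In the third hunk (`@ -137,6 +138,18 @@`) the analyzer ignore `<ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:19.0.0</ignoredDependencies>` hard-codes the client version that the first hunk of this same file now defines as `kubernetes.client.version`, so the next bump will silently stop suppressing the warning unless both places are edited; `io.kubernetes:client-java-api-fluent:jar:${kubernetes.client.version}` keeps them in step. The okhttp override in `dependencyManagement` is likewise a literal `4.12.0`, while the other module pom in this commit pins okio through an `okio.version` property; the same property pattern here would make the overrides easier to audit together. The comment says the okhttp pin addresses the okio vulnerability, which only holds as long as okhttp 4.12.0 resolves an okio at or above the fixed version — an explicit okio override, as in the other pom, states that requirement directly rather than relying on okhttp's transitive choice.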


@ -65,7 +65,7 @@ public class DefaultK8sApiClient implements K8sApiClient
public void patchPod(String podName, String podNamespace, String jsonPatchStr) public void patchPod(String podName, String podNamespace, String jsonPatchStr)
{ {
try { try {
coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null); coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null, null);
} }
catch (ApiException ex) { catch (ApiException ex) {
throw new RE(ex, "Failed to patch pod[%s/%s], code[%d], error[%s].", podNamespace, podName, ex.getCode(), ex.getResponseBody()); throw new RE(ex, "Failed to patch pod[%s/%s], code[%d], error[%s].", podNamespace, podName, ex.getCode(), ex.getResponseBody());
@ -80,7 +80,7 @@ public class DefaultK8sApiClient implements K8sApiClient
) )
{ {
try { try {
V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null); V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null, null);
Preconditions.checkState(podList != null, "WTH: NULL podList"); Preconditions.checkState(podList != null, "WTH: NULL podList");
Map<String, DiscoveryDruidNode> allNodes = new HashMap(); Map<String, DiscoveryDruidNode> allNodes = new HashMap();
@ -114,7 +114,7 @@ public class DefaultK8sApiClient implements K8sApiClient
Watch.createWatch( Watch.createWatch(
realK8sClient, realK8sClient,
coreV1Api.listNamespacedPodCall(namespace, null, true, null, null, coreV1Api.listNamespacedPodCall(namespace, null, true, null, null,
labelSelector, null, lastKnownResourceVersion, null, 0, true, null labelSelector, null, lastKnownResourceVersion, null, null, 0, true, null
), ),
new TypeReference<Watch.Response<V1Pod>>() new TypeReference<Watch.Response<V1Pod>>()
{ {
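Review bot: Each of the three call sites (`patchNamespacedPod`, `listNamespacedPod`, `listNamespacedPodCall`) gains one more positional `null`, and with eight or more untyped-looking arguments a reader cannot tell which one was added or what it disables. A trailing comment on the new argument would help, e.g. `null /* fieldValidation */` on the patch call and `null /* sendInitialEvents */` on the two list calls — presumably those are the 19.x additions, confirm against the generated signatures before committing the names. A small private helper that spells out these defaults once would avoid repeating the exercise at the next client bump. The enclosing methods start and end outside the hunks shown; the `Watch.createWatch` call in the last hunk continues past the end of the section.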


@ -36,6 +36,7 @@
<properties> <properties>
<commons-io.version>2.11.0</commons-io.version> <commons-io.version>2.11.0</commons-io.version>
<okio.version>3.6.0</okio.version>
</properties> </properties>
<repositories> <repositories>
@ -45,6 +46,19 @@
</repository> </repository>
</repositories> </repositories>
<dependencyManagement>
<dependencies>
<!-- This is an indirect dependency of kafka-protobuf-provider
update to address vulnerability in transitive dependency okio -->
<dependency>
<groupId>com.squareup.okio</groupId>
<artifactId>okio</artifactId>
<version>${okio.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.apache.druid</groupId> <groupId>org.apache.druid</groupId>
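Review bot: The new `dependencyManagement` entry pins `com.squareup.okio:okio` only, yet the licenses registry in this same commit lists okio 3.x as the pair `okio` and `okio-jvm`; if anything in this module declares `okio-jvm` directly, the override on `okio` alone will not constrain it, so a `mvn dependency:tree` check that no okio artifact other than `${okio.version}` remains would confirm the CVE-2023-3635 remediation rather than assume it. The comment above the entry could also name the CVE so the pin is not removed as "unused" later, e.g. `<!-- overrides transitive okio from kafka-protobuf-provider; addresses CVE-2023-3635 -->`.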


@ -843,36 +843,6 @@ libraries:
--- ---
name: kubernetes official java client
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 11.0.4
libraries:
- io.kubernetes: client-java
---
name: kubernetes official java client api
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 11.0.4
libraries:
- io.kubernetes: client-java-api
---
name: kubernetes official java client extended
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 11.0.4
libraries:
- io.kubernetes: client-java-extended
---
name: kubernetes fabric java client name: kubernetes fabric java client
license_category: binary license_category: binary
module: extensions-contrib/kubernetes-overlord-extensions module: extensions-contrib/kubernetes-overlord-extensions
@ -883,13 +853,28 @@ libraries:
--- ---
name: io.prometheus simpleclient_common name: kubernetes official java client
license_category: binary license_category: binary
module: extensions/druid-kubernetes-extensions module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0 license_name: Apache License version 2.0
version: 0.9.0 version: 19.0.0
libraries: libraries:
- io.prometheus: simpleclient_common - io.kubernetes: client-java
- io.kubernetes: client-java-api
- io.kubernetes: client-java-extended
- io.kubernetes: client-java-api-fluent
- io.kubernetes: client-java-proto
---
name: Swagger
version: 1.6.2
license_category: binary
module: extensions/druid-avro-extensions
license_name: Apache License version 2.0
libraries:
- io.swagger: swagger-core
- io.swagger: swagger-models
--- ---
@ -903,6 +888,16 @@ libraries:
--- ---
name: io.sundr builder-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 0.22.0
libraries:
- io.sundr: builder-annotations
---
name: com.squareup.okio okio name: com.squareup.okio okio
license_category: binary license_category: binary
module: extensions/druid-kubernetes-extensions module: extensions/druid-kubernetes-extensions
@ -923,6 +918,16 @@ libraries:
--- ---
name: io.swagger swagger-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 1.6.11
libraries:
- io.swagger: swagger-annotations
---
name: io.swagger swagger-annotations name: io.swagger swagger-annotations
license_category: binary license_category: binary
module: extensions/druid-kubernetes-extensions module: extensions/druid-kubernetes-extensions
@ -943,15 +948,6 @@ libraries:
--- ---
name: io.prometheus simpleclient_httpserver
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 0.9.0
libraries:
- io.prometheus: simpleclient_httpserver
---
name: org.bitbucket.b_c jose4j name: org.bitbucket.b_c jose4j
license_category: binary license_category: binary
@ -971,15 +967,38 @@ version: 2.2.1
libraries: libraries:
- org.joda: joda-convert - org.joda: joda-convert
--- ---
name: com.squareup.okhttp3 okhttp name: com.squareup.okhttp3 okhttp
license_category: binary license_category: binary
module: extensions/druid-kubernetes-extensions module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0 license_name: Apache License version 2.0
version: 3.14.9 version: 4.12.0
libraries: libraries:
- com.squareup.okhttp3: okhttp - com.squareup.okhttp3: okhttp
- com.squareup.okhttp3: logging-interceptor
---
name: com.squareup.okhttp3 okhttp logging-interceptor
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 4.11.0
libraries:
- com.squareup.okhttp3: logging-interceptor
---
name: com.squareup.okio okio
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 3.6.0
libraries:
- com.squareup.okio: okio
- com.squareup.okio: okio-jvm
--- ---
@ -987,19 +1006,15 @@ name: io.prometheus simpleclient
license_category: binary license_category: binary
module: extensions/druid-kubernetes-extensions module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0 license_name: Apache License version 2.0
version: 0.9.0 version: 0.16.0
libraries: libraries:
- io.prometheus: simpleclient - io.prometheus: simpleclient
- io.prometheus: simpleclient_common
- io.prometheus: simpleclient_httpserver
- io.prometheus: simpleclient_tracer_common
- io.prometheus: simpleclient_tracer_otel
- io.prometheus: simpleclient_tracer_otel_agent
---
name: io.kubernetes client-java-proto
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 11.0.4
libraries:
- io.kubernetes: client-java-proto
--- ---
@ -1017,73 +1032,79 @@ name: com.flipkart.zjsonpatch zjsonpatch
license_category: binary license_category: binary
module: extensions/druid-kubernetes-extensions module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0 license_name: Apache License version 2.0
version: 0.4.11 version: 0.4.14
libraries: libraries:
- com.flipkart.zjsonpatch: zjsonpatch - com.flipkart.zjsonpatch: zjsonpatch
--- ---
name: org.bouncycastle bcprov-jdk18on
name: org.bouncycastle bcprov-jdk15on
license_category: binary license_category: binary
module: extensions/druid-kubernetes-extensions module: extensions/druid-kubernetes-extensions
license_name: MIT License license_name: MIT License
version: "1.70" version: "1.76"
libraries: libraries:
- org.bouncycastle: bcprov-jdk15on - org.bouncycastle: bcprov-jdk18on
- org.bouncycastle: bcprov-ext-jdk18on
- org.bouncycastle: bcpkix-jdk18on
- org.bouncycastle: bcutil-jdk18on
--- ---
name: org.bouncycastle bcprov-ext-jdk15on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
version: "1.70"
libraries:
- org.bouncycastle: bcprov-ext-jdk15on
---
name: org.bouncycastle bcpkix-jdk15on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
version: "1.70"
libraries:
- org.bouncycastle: bcpkix-jdk15on
---
name: org.bouncycastle bcutil-jdk15on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
version: "1.70"
libraries:
- org.bouncycastle: bcutil-jdk15on
---
name: com.squareup.okhttp3 logging-interceptor
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 3.14.9
libraries:
- com.squareup.okhttp3: logging-interceptor
---
name: com.github.vladimir-bukhtoyarov bucket4j-core name: com.github.vladimir-bukhtoyarov bucket4j-core
license_category: binary license_category: binary
module: extensions/druid-kubernetes-extensions module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0 license_name: Apache License version 2.0
version: 4.10.0 version: 7.6.0
libraries: libraries:
- com.github.vladimir-bukhtoyarov: bucket4j-core - com.github.vladimir-bukhtoyarov: bucket4j-core
--- ---
name: Jetbrains Annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
version: 13.0
libraries:
- org.jetbrains: annotations
---
name: Jetbrains kotlin-stdlib
license_category: binary
module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
version: 1.6.10
libraries:
- org.jetbrains.kotlin: kotlin-stdlib
---
name: Jetbrains kotlin-stdlib common
license_category: binary
module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
version: 1.9.10
libraries:
- org.jetbrains.kotlin: kotlin-stdlib-common
---
name: Jetbrains jdk7 jdk 8
license_category: binary
module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
version: 1.8.21
libraries:
- org.jetbrains.kotlin: kotlin-stdlib
- org.jetbrains.kotlin: kotlin-stdlib-common
- org.jetbrains.kotlin: kotlin-stdlib-jdk7
- org.jetbrains.kotlin: kotlin-stdlib-jdk8
---
name: Netty name: Netty
license_category: binary license_category: binary
module: java-core module: java-core
@ -4097,6 +4118,16 @@ libraries:
--- ---
name: org.elasticsearch securesm
license_category: binary
version: 2.1.9
module: druid-ranger-security
license_name: Creative Commons CC0
libraries:
- org.hdrhistogram: HdrHistogram
---
name: Apache Lucene name: Apache Lucene
license_category: binary license_category: binary
version: 8.4.0 version: 8.4.0
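Review bot: The entry added in the last hunk is named `org.elasticsearch securesm` but lists `org.hdrhistogram: HdrHistogram` as its library under `Creative Commons CC0` for module `druid-ranger-security`, so either the name or the library and licence are wrong and the registry will attribute the wrong licence to whichever artifact it was meant to cover. In the kubernetes block, the Jetbrains/kotlin entries use `module: extensions/kubernetes-extensions` while every other entry in that section uses `extensions/druid-kubernetes-extensions`, and the `Jetbrains Annotations` entry carries both `module:` lines. `kotlin-stdlib` and `kotlin-stdlib-common` appear under three entries with versions 1.6.10, 1.9.10 and 1.8.21, and `logging-interceptor` appears under both the okhttp 4.12.0 entry and its own 4.11.0 entry — duplicates with conflicting versions that a licence check cannot reconcile. The rendered page does not show which of those lines are added and which removed, so some may be pre-existing, but the ones that survive should agree on one module path and one version per artifact.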


@ -440,9 +440,10 @@
<cve>CVE-2021-4277</cve> <cve>CVE-2021-4277</cve>
</suppress> </suppress>
<!-- the remaining uses of vulnerable okio are in contrib-extensions -->
<suppress> <suppress>
<notes><![CDATA[ <notes><![CDATA[
file name: okio-1.17.2.jar, okio-1.15.0.jar okio 2.8.0 file name: okio-1.17.2.jar, okio-1.15.0.jar
]]></notes> ]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl> <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl>
<cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are internal, and not user-facing --> <cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are internal, and not user-facing -->
@ -460,18 +461,6 @@
<cve>CVE-2023-5072</cve> <cve>CVE-2023-5072</cve>
</suppress> </suppress>
<!--
~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only
~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file,
~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's
~ older ZK library is still compatible with.
-->
<suppress>
<notes><![CDATA[
file name: zookeeper-3.8.3.jar
]]></notes>
<cve>CVE-2023-44981</cve>
</suppress>
<!-- <!--
~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged, ~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged,
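Review bot: The added comment says the remaining vulnerable okio uses are in contrib-extensions, but the suppression's `packageUrl` regex `^pkg:maven/com\.squareup\.okio/okio@..*$` still matches every okio version, including the 3.6.0 this commit introduces, so CVE-2023-3635 would stay hidden if a fixed module later regressed to a 1.x okio; narrowing it to the versions named in the notes, e.g. `<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@1\..*$</packageUrl>`, keeps the scanner useful for the modules that were just fixed. The removed CVE-2023-44981 (zookeeper) suppression is not mentioned in the description; if the zookeeper jar was not upgraded in this change, the dependency check will start failing on it, so a sentence in the commit message explaining the removal either way would help the next reader.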

23
pom.xml

@ -369,26 +369,7 @@
<artifactId>snakeyaml</artifactId> <artifactId>snakeyaml</artifactId>
<version>1.33</version> <version>1.33</version>
</dependency> </dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-ext-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcutil-jdk15on</artifactId>
<version>1.70</version>
</dependency>
<!-- transitive dependency of testng <!-- transitive dependency of testng
this would be resolved by updating this would be resolved by updating
testng to 7.8.0 --> testng to 7.8.0 -->
@ -1113,7 +1094,7 @@
<dependency> <dependency>
<groupId>com.github.docker-java</groupId> <groupId>com.github.docker-java</groupId>
<artifactId>docker-java-bom</artifactId> <artifactId>docker-java-bom</artifactId>
<version>3.2.13</version> <version>3.3.4</version>
<scope>import</scope> <scope>import</scope>
<type>pom</type> <type>pom</type>
</dependency> </dependency>
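Review bot: Dropping the four `org.bouncycastle:*-jdk15on` 1.70 entries from `dependencyManagement` leaves no BouncyCastle version pin in the hunks shown, so the 1.76 `bcprov-jdk18on` that the description and the licenses registry credit for CVE-2023-33201 is presumably whatever the kubernetes client now pulls transitively, and a future dependency that brings an older `jdk18on` artifact could win the resolution silently. Unless it is pinned in a hunk not shown, managed entries for `bcprov-jdk18on`, `bcprov-ext-jdk18on`, `bcpkix-jdk18on` and `bcutil-jdk18on` at 1.76 (ideally through a single property, e.g. `bouncycastle.version`) would make the remediation explicit and checkable. The docker-java-bom bump in the second hunk needs nothing further.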