Address security vulnerabilities CVSS >= 7 (#8980)

* Address security vulnerabilities CVSS >= 7

Update dependencies to address security vulnerabilities with CVSS scores
of 7 or higher. A new Travis CI job is added to prevent new
high/critical security vulnerabilities from being added.

Updated dependencies:
- api-util 1.0.0 -> 1.0.3
- jackson 2.9.10 -> 2.10.1
- kafka 2.1.0 -> 2.1.1
- libthrift 0.10.0 -> 0.13.0
- protobuf 3.2.0 -> 3.11.0

The following high/critical security vulnerabilities are currently
suppressed (so that the new Travis CI job can be added now) and are left
as future work to fix:
- hibernate-validator:5.2.5
- jackson-mapper-asl:1.9.13
- libthrift:0.6.1
- netty:3.10.6
- nimbus-jose-jwt:4.41.1

* Rename EDL1 license file

* Fix inspection errors
This commit is contained in:
Chi Cao Minh 2019-12-05 14:34:35 -08:00 committed by Clint Wylie
parent 5ecdf94d83
commit af74acaa85
25 changed files with 393 additions and 55 deletions

View File

@ -114,6 +114,18 @@ jobs:
https://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html
"
- name: "security vulnerabilities"
install: skip
script: ${MVN} dependency-check:check
after_failure: |-
echo "FAILURE EXPLANATION:
The OWASP dependency check has found security vulnerabilities. Please use a newer version
of the dependency that does not have vulenerabilities. If the analysis has false positives,
they can be suppressed by adding entries to owasp-dependency-check-suppressions.xml (for more
information, see https://jeremylong.github.io/DependencyCheck/general/suppression.html).
"
- &package
name: "(openjdk8) packaging check"
install: skip

View File

@ -216,6 +216,13 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
<pluginManagement>
<plugins>

View File

@ -43,7 +43,7 @@ public class JsonIterator<T> implements Iterator<T>, Closeable
{
private JsonParser jp;
private ObjectCodec objectCodec;
private final TypeReference typeRef;
private final TypeReference<T> typeRef;
private final InputStream inputStream;
private final Closeable resourceCloser;
private final ObjectMapper objectMapper;
@ -55,7 +55,7 @@ public class JsonIterator<T> implements Iterator<T>, Closeable
* @param objectMapper object mapper, used for deserialization
*/
public JsonIterator(
TypeReference typeRef,
TypeReference<T> typeRef,
InputStream inputStream,
Closeable resourceCloser,
ObjectMapper objectMapper

View File

@ -239,6 +239,7 @@ def build_compatible_license_names():
compatible_licenses['The BSD 3-Clause License'] = 'BSD-3-Clause License'
compatible_licenses['Revised BSD'] = 'BSD-3-Clause License'
compatible_licenses['New BSD License'] = 'BSD-3-Clause License'
compatible_licenses['3-Clause BSD License'] = 'BSD-3-Clause License'
compatible_licenses['ICU License'] = 'ICU License'
@ -254,6 +255,10 @@ def build_compatible_license_names():
compatible_licenses['Eclipse Public License - Version 1.0'] = 'Eclipse Public License 1.0'
compatible_licenses['Eclipse Public License, Version 1.0'] = 'Eclipse Public License 1.0'
compatible_licenses['Eclipse Distribution License 1.0'] = 'Eclipse Distribution License 1.0'
compatible_licenses['Eclipse Distribution License - v 1.0'] = 'Eclipse Distribution License 1.0'
compatible_licenses['EDL 1.0'] = 'Eclipse Distribution License 1.0'
compatible_licenses['Mozilla Public License Version 2.0'] = 'Mozilla Public License Version 2.0'
compatible_licenses['Mozilla Public License, Version 2.0'] = 'Mozilla Public License Version 2.0'

View File

@ -98,6 +98,13 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>

View File

@ -69,6 +69,12 @@
</exclusion>
</exclusions>
</dependency>
<dependency>
<!-- transitive dependency of org.apache.amabri:ambari-metrics-common; override version to fix security vulnerabilities -->
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-annotations</artifactId>
<version>${hadoop.compile.version}</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
@ -126,6 +132,22 @@
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<configuration>
<ignoredUnusedDeclaredDependencies>
<!-- Transitive dependency but explicitly added to fix security vulnerability -->
<ignoredUnusedDeclaredDependency>org.apache.hadoop:hadoop-annotations</ignoredUnusedDeclaredDependency>
</ignoredUnusedDeclaredDependencies>
</configuration>
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>hortonworks</id>

View File

@ -41,6 +41,11 @@
<scope>provided</scope>
</dependency>
<dependency>
<!--
~ This library is no longer actively developed and should be migrated to DataStax Java Driver for Apache
~ Cassandra. Even the latest version of astyanax (3.10.2) has transitive dependencies with security
~ vulenerabilites with CVSS scores greater than 7 (e.g., libthrift 0.9.1).
-->
<groupId>com.netflix.astyanax</groupId>
<artifactId>astyanax</artifactId>
<version>1.0.1</version>
@ -113,6 +118,11 @@
<groupId>com.github.stephenc.high-scale-lib</groupId>
<artifactId>high-scale-lib</artifactId>
</exclusion>
<exclusion>
<!-- Excluded to remove security vulnerability -->
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>

View File

@ -38,7 +38,6 @@ import org.apache.druid.client.cache.ForegroundCachePopulator;
import org.apache.druid.client.cache.MapCache;
import org.apache.druid.client.selector.ServerSelector;
import org.apache.druid.data.input.MapBasedRow;
import org.apache.druid.data.input.Row;
import org.apache.druid.guice.DruidProcessingModule;
import org.apache.druid.guice.GuiceInjectors;
import org.apache.druid.guice.QueryRunnerFactoryModule;
@ -99,7 +98,7 @@ public class MovingAverageQueryTest extends InitializedNullHandlingTest
private final RetryQueryRunnerConfig retryConfig;
private final ServerConfig serverConfig;
private final List<Row> groupByResults = new ArrayList<>();
private final List<ResultRow> groupByResults = new ArrayList<>();
private final List<Result<TimeseriesResultValue>> timeseriesResults = new ArrayList<>();
private final TestConfig config;
@ -222,9 +221,9 @@ public class MovingAverageQueryTest extends InitializedNullHandlingTest
return MovingAverageQuery.class;
}
private TypeReference<?> getExpectedResultType()
private TypeReference<List<MapBasedRow>> getExpectedResultType()
{
return new TypeReference<List<Row>>()
return new TypeReference<List<MapBasedRow>>()
{
};
}

View File

@ -36,7 +36,7 @@
<modelVersion>4.0.0</modelVersion>
<properties>
<thrift.version>0.10.0</thrift.version>
<thrift.version>0.13.0</thrift.version>
<elephantbird.version>4.17</elephantbird.version>
<scrooge.version>19.10.0</scrooge.version>
</properties>

View File

@ -67,32 +67,32 @@ public class BasicAuthUtils
public static final int KEY_LENGTH = 512;
public static final String ALGORITHM = "PBKDF2WithHmacSHA512";
public static final TypeReference AUTHENTICATOR_USER_MAP_TYPE_REFERENCE =
public static final TypeReference<Map<String, BasicAuthenticatorUser>> AUTHENTICATOR_USER_MAP_TYPE_REFERENCE =
new TypeReference<Map<String, BasicAuthenticatorUser>>()
{
};
public static final TypeReference AUTHORIZER_USER_MAP_TYPE_REFERENCE =
public static final TypeReference<Map<String, BasicAuthorizerUser>> AUTHORIZER_USER_MAP_TYPE_REFERENCE =
new TypeReference<Map<String, BasicAuthorizerUser>>()
{
};
public static final TypeReference AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE =
public static final TypeReference<Map<String, BasicAuthorizerGroupMapping>> AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE =
new TypeReference<Map<String, BasicAuthorizerGroupMapping>>()
{
};
public static final TypeReference AUTHORIZER_ROLE_MAP_TYPE_REFERENCE =
public static final TypeReference<Map<String, BasicAuthorizerRole>> AUTHORIZER_ROLE_MAP_TYPE_REFERENCE =
new TypeReference<Map<String, BasicAuthorizerRole>>()
{
};
public static final TypeReference AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE =
public static final TypeReference<UserAndRoleMap> AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE =
new TypeReference<UserAndRoleMap>()
{
};
public static final TypeReference AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE =
public static final TypeReference<GroupMappingAndRoleMap> AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE =
new TypeReference<GroupMappingAndRoleMap>()
{
};

View File

@ -33,10 +33,6 @@
<relativePath>../../pom.xml</relativePath>
</parent>
<properties>
<apache.kafka.version>2.1.0</apache.kafka.version>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.druid</groupId>

View File

@ -471,7 +471,7 @@ public class NamespaceLookupExtractorFactoryTest
namespaceLookupExtractorFactory.getExtractionNamespace().getClass()
);
Assert.assertFalse(namespaceLookupExtractorFactory.replaces(mapper.readValue(str, LookupExtractorFactory.class)));
final Map<String, Object> map = new HashMap<>(mapper.<Map<String, Object>>readValue(
final Map<String, Object> map = new HashMap<>(mapper.readValue(
str,
JacksonUtils.TYPE_REFERENCE_MAP_STRING_OBJECT
));

View File

@ -35,10 +35,6 @@
<relativePath>../../pom.xml</relativePath>
</parent>
<properties>
<protobuf.version>3.2.0</protobuf.version>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.druid</groupId>
@ -111,7 +107,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.0.0</version>
<version>3.2.1</version>
<configuration>
<createDependencyReducedPom>false</createDependencyReducedPom>
<relocations>

View File

@ -1079,7 +1079,7 @@ public abstract class SeekableStreamIndexTaskRunner<PartitionIdType, SequenceOff
final File sequencesPersistFile = getSequencesPersistFile(toolbox);
if (sequencesPersistFile.exists()) {
sequences = new CopyOnWriteArrayList<>(
toolbox.getJsonMapper().<List<SequenceMetadata<PartitionIdType, SequenceOffsetType>>>readValue(
toolbox.getJsonMapper().readValue(
sequencesPersistFile,
getSequenceMetadataTypeReference()
)

View File

@ -31,10 +31,6 @@
<version>0.17.0-incubating-SNAPSHOT</version>
</parent>
<properties>
<apache.kafka.version>2.1.0</apache.kafka.version>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.druid</groupId>
@ -252,6 +248,13 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>

View File

@ -41,7 +41,6 @@ import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.joda.time.Interval;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
@ -96,7 +95,7 @@ public class CoordinatorResourceTestClient
// return a list of the segment dates for the specified datasource
public List<String> getMetadataSegments(final String dataSource)
{
ArrayList<String> segments;
List<String> segments;
try {
StatusResponseHolder response = makeRequest(HttpMethod.GET, getMetadataSegmentsURL(dataSource));
@ -115,7 +114,7 @@ public class CoordinatorResourceTestClient
// return a list of the segment dates for the specified datasource
public List<String> getSegmentIntervals(final String dataSource)
{
ArrayList<String> segments;
List<String> segments;
try {
StatusResponseHolder response = makeRequest(HttpMethod.GET, getIntervalsURL(dataSource));

View File

@ -74,12 +74,12 @@ public class ITBasicAuthConfigurationTest
{
private static final Logger LOG = new Logger(ITBasicAuthConfigurationTest.class);
private static final TypeReference LOAD_STATUS_TYPE_REFERENCE =
private static final TypeReference<Map<String, Boolean>> LOAD_STATUS_TYPE_REFERENCE =
new TypeReference<Map<String, Boolean>>()
{
};
private static final TypeReference SYS_SCHEMA_RESULTS_TYPE_REFERENCE =
private static final TypeReference<List<Map<String, Object>>> SYS_SCHEMA_RESULTS_TYPE_REFERENCE =
new TypeReference<List<Map<String, Object>>>()
{
};

View File

@ -196,7 +196,7 @@ name: Jackson
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 2.9.10
version: 2.10.1
libraries:
- com.fasterxml.jackson.core: jackson-annotations
- com.fasterxml.jackson.core: jackson-core
@ -233,6 +233,30 @@ notice: |
---
name: JavaBeans Activation Framework API JAR
license_category: binary
module: java-core
license_name: Eclipse Distribution License 1.0
version: 1.2.1
copyright: Oracle and/or its affiliates.
license_file_path: licenses/bin/jakarta.EDL1
libraries:
- jakarta.activation: jakarta.activation-api
---
name: Jakarta XML Bind API
license_category: binary
module: java-core
license_name: Eclipse Distribution License 1.0
version: 2.3.2
copyright: Oracle and/or its affiliates.
license_file_path: licenses/bin/jakarta.EDL1
libraries:
- jakarta.xml.bind: jakarta.xml.bind-api
---
name: Caffeine
license_category: binary
module: java-core
@ -2744,11 +2768,21 @@ license_name: Apache License version 2.0
version: 1.0.0-M20
libraries:
- org.apache.directory.api: api-asn1-api
---
name: Apache Directory
license_category: binary
module: hadoop-client
license_name: Apache License version 2.0
version: 1.0.3
libraries:
- org.apache.directory.api: api-util
notices:
- api-util: |
Apache Directory LDAP API Utilities
Copyright 2003-2013 The Apache Software Foundation
---
name: Apache Directory Server
@ -3161,7 +3195,7 @@ name: Gson
license_category: binary
module: extensions/protobuf-extensions
license_name: Apache License version 2.0
version: 2.7
version: 2.8.6
libraries:
- com.google.code.gson: gson
@ -3279,7 +3313,7 @@ name: Protocol Buffers
license_category: binary
module: java-core
license_name: BSD-3-Clause License
version: 3.1.0
version: 3.11.0
copyright: Google, Inc.
license_file_path:
- licenses/bin/protobuf-java.BSD3
@ -3444,7 +3478,7 @@ name: Protocol Buffers
license_category: binary
module: extensions/druid-protobuf-extensions
license_name: BSD-3-Clause License
version: 3.2.0
version: 3.11.0
copyright: Google, Inc.
license_file_path: licenses/bin/protobuf-java.BSD3
libraries:
@ -3932,7 +3966,7 @@ name: Apache Kafka
license_category: binary
module: extensions/kafka-extraction-namespace
license_name: Apache License version 2.0
version: 2.1.0
version: 2.1.1
libraries:
- org.apache.kafka: kafka_2.12
- org.apache.kafka: kafka-clients

13
licenses/bin/jakarta.EDL1 Normal file
View File

@ -0,0 +1,13 @@
Eclipse Distribution License - v 1.0
Copyright (c) 2007, Eclipse Foundation, Inc. and its licensors.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the Eclipse Foundation, Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

View File

@ -0,0 +1,198 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress>
<!-- druid-indexing-hadoop.jar is mistaken for hadoop -->
<notes><![CDATA[
file name: org.apache.druid:druid-indexing-hadoop:0.17.0-incubating-SNAPSHOT
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
<cve>CVE-2012-4449</cve>
</suppress>
<suppress>
<!-- druid-indexing-hadoop.jar is mistaken for hadoop -->
<notes><![CDATA[
file name: druid-indexing-hadoop-0.17.0-incubating-SNAPSHOT.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
<cve>CVE-2017-3162</cve>
</suppress>
<suppress>
<!-- druid-processing.jar is mistaken for org.processing:processing -->
<notes><![CDATA[
file name: org.apache.druid:druid-processing:0.17.0-incubating-SNAPSHOT
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-processing@.*$</packageUrl>
<cve>CVE-2018-1000840</cve>
</suppress>
<suppress>
<!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
<notes><![CDATA[
file name: openstack-swift-1.9.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl>
<cve>CVE-2016-0737</cve>
<cve>CVE-2016-0738</cve>
<cve>CVE-2017-16613</cve>
</suppress>
<suppress>
<!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
<notes><![CDATA[
file name: openstack-keystone-1.9.3.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
<cve>CVE-2015-7546</cve>
</suppress>
<!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
<suppress>
<!--
~ TODO: Fix by updating hibernate-validator.
~ Note hibernate-validator:5.3.1 introduces a change that requires an EL implementation to be in the classpath:
~ https://developer.jboss.org/wiki/HibernateValidatorMigrationGuide#jive_content_id_531Final
~
~ For example, updating hibernate-validator causes hadoop ingestion tasks to fail:
~
~ Error: com.google.inject.CreationException: Unable to create injector, see the following errors:
~
~ 1) An exception was caught and reported. Message: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
~ at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
~
~ 2) No implementation for javax.validation.Validator was bound.
~ at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39)
~
~ 2 errors
~ at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:470)
~ at com.google.inject.internal.InternalInjectorCreator.initializeStatically(InternalInjectorCreator.java:155)
~ at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107)
~ at com.google.inject.Guice.createInjector(Guice.java:99)
~ at com.google.inject.Guice.createInjector(Guice.java:73)
~ at org.apache.druid.guice.GuiceInjectors.makeStartupInjector(GuiceInjectors.java:56)
~ at org.apache.druid.indexer.HadoopDruidIndexerConfig.<clinit>(HadoopDruidIndexerConfig.java:102)
~ at org.apache.druid.indexer.HadoopDruidIndexerMapper.setup(HadoopDruidIndexerMapper.java:53)
~ at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.setup(DetermineHashedPartitionsJob.java:279)
~ at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.run(DetermineHashedPartitionsJob.java:334)
~ at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:787)
~ at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
~ at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:175)
~ at java.security.AccessController.doPrivileged(Native Method)
~ at javax.security.auth.Subject.doAs(Subject.java:422)
~ at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1844)
~ at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:169)
~ Caused by: javax.validation.ValidationException: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:102)
~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.<init>(ResourceBundleMessageInterpolator.java:45)
~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolator(ConfigurationImpl.java:423)
~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolatorConfiguredWithClassLoader(ConfigurationImpl.java:575)
~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getMessageInterpolator(ConfigurationImpl.java:364)
~ at org.hibernate.validator.internal.engine.ValidatorFactoryImpl.<init>(ValidatorFactoryImpl.java:148)
~ at org.hibernate.validator.HibernateValidator.buildValidatorFactory(HibernateValidator.java:38)
~ at org.hibernate.validator.internal.engine.ConfigurationImpl.buildValidatorFactory(ConfigurationImpl.java:331)
~ at javax.validation.Validation.buildDefaultValidatorFactory(Validation.java:110)
~ at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39)
~ at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
~ at com.google.inject.spi.Elements.getElements(Elements.java:110)
~ at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
~ at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
~ ... 14 more
~ Caused by: java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory;
~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:98)
~ ... 27 more
-->
<notes><![CDATA[
file name: hibernate-validator-5.2.5.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
<cve>CVE-2017-7536</cve>
</suppress>
<suppress>
<!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop -->
<notes><![CDATA[
file name: jackson-mapper-asl-1.9.13.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
<cve>CVE-2017-7525</cve>
<cve>CVE-2017-15095</cve>
<cve>CVE-2017-17485</cve>
<cve>CVE-2018-5968</cve>
<cve>CVE-2018-7489</cve>
<cve>CVE-2018-14718</cve>
<cve>CVE-2019-10172</cve>
<cve>CVE-2019-14540</cve>
<cve>CVE-2019-16335</cve>
<cve>CVE-2019-17267</cve>
</suppress>
<suppress>
<!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 -->
<notes><![CDATA[
file name: netty-3.10.6.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty@.*$</packageUrl>
<cve>CVE-2019-16869</cve>
</suppress>
<suppress>
<!-- TODO: Fix by upgrading hadoop-auth version -->
<notes><![CDATA[
file name: nimbus-jose-jwt-4.41.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@.*$</packageUrl>
<cve>CVE-2019-17195</cve>
</suppress>
<suppress>
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage -->
<notes><![CDATA[
file name: libthrift-0.6.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
<cve>CVE-2016-5397</cve>
<cve>CVE-2018-1320</cve>
<cve>CVE-2019-0205</cve>
</suppress>
<suppress>
<!--
~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change
~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well.
-->
<notes><![CDATA[
file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2017-7525</cve>
<cve>CVE-2017-15095</cve>
<cve>CVE-2017-17485</cve>
<cve>CVE-2018-5968</cve>
<cve>CVE-2018-7489</cve>
<cve>CVE-2018-11307</cve>
<cve>CVE-2018-14718</cve>
<cve>CVE-2018-14719</cve>
<cve>CVE-2018-14720</cve>
<cve>CVE-2018-14721</cve>
<cve>CVE-2018-19360</cve>
<cve>CVE-2018-19361</cve>
<cve>CVE-2018-19362</cve>
<cve>CVE-2019-14540</cve>
<cve>CVE-2019-16335</cve>
<cve>CVE-2019-16942</cve>
<cve>CVE-2019-16943</cve>
<cve>CVE-2019-17267</cve>
<cve>CVE-2019-17531</cve>
</suppress>
</suppressions>

25
pom.xml
View File

@ -78,6 +78,7 @@
<aether.version>0.9.0.M2</aether.version>
<apache.curator.version>4.1.0</apache.curator.version>
<apache.curator.test.version>2.12.0</apache.curator.test.version>
<apache.kafka.version>2.1.1</apache.kafka.version>
<avatica.version>1.15.0</avatica.version>
<avro.version>1.9.1</avro.version>
<calcite.version>1.21.0</calcite.version>
@ -88,7 +89,7 @@
<hamcrest.version>1.3</hamcrest.version>
<jetty.version>9.4.12.v20180830</jetty.version>
<jersey.version>1.19.3</jersey.version>
<jackson.version>2.9.10</jackson.version>
<jackson.version>2.10.1</jackson.version>
<codehaus.jackson.version>1.9.13</codehaus.jackson.version>
<log4j.version>2.8.2</log4j.version>
<netty3.version>3.10.6.Final</netty3.version>
@ -96,6 +97,7 @@
<netty4.version>4.1.42.Final</netty4.version>
<node.version>v10.14.2</node.version>
<npm.version>6.5.0</npm.version>
<protobuf.version>3.11.0</protobuf.version>
<slf4j.version>1.7.12</slf4j.version>
<!-- If compiling with different hadoop version also modify default hadoop coordinates in TaskConfig.java -->
<hadoop.compile.version>2.8.5</hadoop.compile.version>
@ -758,7 +760,7 @@
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>3.1.0</version>
<version>${protobuf.version}</version>
</dependency>
<dependency>
<groupId>io.tesla.aether</groupId>
@ -988,7 +990,7 @@
<dependency>
<groupId>org.apache.directory.api</groupId>
<artifactId>api-util</artifactId>
<version>1.0.0-M20</version>
<version>1.0.3</version>
</dependency>
<dependency>
<groupId>org.apache.calcite</groupId>
@ -1478,6 +1480,23 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.2.4</version>
<configuration>
<cveValidForHours>24</cveValidForHours>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
<skipSystemScope>true</skipSystemScope> <!-- avoid error when processing jdk.tools:jdk.tools:jar:1.8:system -->
<suppressionFile>owasp-dependency-check-suppressions.xml</suppressionFile>
</configuration>
<executions>
<execution>
<phase>none</phase> <!-- TODO: Consider enabling so part of dev flow instead of just CI -->
</execution>
</executions>
</plugin>
</plugins>
<pluginManagement>
<plugins>

View File

@ -59,10 +59,10 @@ public abstract class SQLMetadataStorageActionHandler<EntryType, StatusType, Log
private final SQLMetadataConnector connector;
private final ObjectMapper jsonMapper;
private final TypeReference entryType;
private final TypeReference statusType;
private final TypeReference logType;
private final TypeReference lockType;
private final TypeReference<EntryType> entryType;
private final TypeReference<StatusType> statusType;
private final TypeReference<LogType> logType;
private final TypeReference<LockType> lockType;
private final String entryTypeName;
private final String entryTable;
@ -107,7 +107,7 @@ public abstract class SQLMetadataStorageActionHandler<EntryType, StatusType, Log
return jsonMapper;
}
protected TypeReference getStatusType()
protected TypeReference<StatusType> getStatusType()
{
return statusType;
}
@ -127,7 +127,7 @@ public abstract class SQLMetadataStorageActionHandler<EntryType, StatusType, Log
return entryTypeName;
}
public TypeReference getEntryType()
public TypeReference<EntryType> getEntryType()
{
return entryType;
}

View File

@ -185,7 +185,7 @@ public class ResultLevelCachingQueryRunner<T> implements QueryRunner<T>
log.error("Cached result set is null");
}
final Function<Object, T> pullFromCacheFunction = strategy.pullFromCache(true);
final TypeReference<Object> cacheObjectClazz = strategy.getCacheObjectClazz();
final TypeReference<T> cacheObjectClazz = strategy.getCacheObjectClazz();
//Skip the resultsetID and its length bytes
Sequence<T> cachedSequence = Sequences.simple(() -> {
try {

View File

@ -67,11 +67,13 @@ import java.util.concurrent.atomic.AtomicLong;
*/
public class HttpLoadQueuePeon extends LoadQueuePeon
{
public static final TypeReference REQUEST_ENTITY_TYPE_REF = new TypeReference<List<DataSegmentChangeRequest>>()
public static final TypeReference<List<DataSegmentChangeRequest>> REQUEST_ENTITY_TYPE_REF =
new TypeReference<List<DataSegmentChangeRequest>>()
{
};
public static final TypeReference RESPONSE_ENTITY_TYPE_REF = new TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>>()
public static final TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>> RESPONSE_ENTITY_TYPE_REF =
new TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>>()
{
};

View File

@ -226,6 +226,22 @@
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<configuration>
<!--
~ The analysis gets confused between javax.xml.bind:jaxb-api and jakarta.xml.bind:jakarta.xml.bind-api.
~ The former is a direct dependency, and the latter is a transitive dependency of jackson 2.10+.
-->
<usedDependencies>
<dependency>javax.xml.bind:jaxb-api</dependency>
</usedDependencies>
<ignoredUsedUndeclaredDependencies>
<ignoredUsedUndeclaredDependency>jakarta.xml.bind:jakarta.xml.bind-api</ignoredUsedUndeclaredDependency>
</ignoredUsedUndeclaredDependencies>
</configuration>
</plugin>
</plugins>
</build>