Fixing security vulnerability check errors (#13956)

* Fixing security vulnerability check errors

* Updating javax.el to jakarta.el

* Adding cron job trigger on changes to suppressions file
This commit is contained in:
abhagraw 2023-03-23 11:10:06 +05:30 committed by GitHub
parent da42ee5bfa
commit c52d15d65d
5 changed files with 27 additions and 5 deletions


@ -18,6 +18,10 @@ on:
schedule: # Runs by default on master branch
- cron: '0 3 * * *' # Runs every day at 3:00 AM UTC
pull_request:
paths:
'owasp-dependency-check-suppressions.xml'
jobs:
integration-index-tests-middleManager:
strategy:
@ -86,7 +90,7 @@ jobs:
env:
HADOOP_PROFILE: ${{ matrix.HADOOP_PROFILE }}
run: |
${MVN} dependency-check:purge dependency-check:check ${HADOOP_PROFILE} || { echo "
mvn dependency-check:purge dependency-check:check ${HADOOP_PROFILE} || { echo "
The OWASP dependency check has found security vulnerabilities. Please use a newer version
of the dependency that does not have vulnerabilities. To see a report run
`mvn dependency-check:check`
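Review bot: The new `pull_request` trigger filters on `paths:` containing only `owasp-dependency-check-suppressions.xml`, so a pull request that changes a dependency version in a `pom.xml` (such as the jakarta.el bump in this same commit) does not run the OWASP check before merge and is only caught by the nightly cron; if the intent is to gate dependency changes, add `- '**/pom.xml'` to the filter. In the second hunk `${MVN}` becomes a plain `mvn`; if the `MVN` variable is defined elsewhere in this workflow with shared flags (batch mode, settings file), this step now silently drops them, so confirm that is intended. The `paths:` entry is rendered here without its list marker — presumably a display artifact, but it must be a sequence item (`- 'owasp-dependency-check-suppressions.xml'`) for the filter to parse. The enclosing job definition continues outside both hunks.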

LABELS

@ -37,7 +37,7 @@ This product bundles JSR311 API version 1.1.1, copyright Oracle and/or its affil
This product bundles Expression Language 3.0 version 3.0.0., copyright Oracle and/or its affiliates.,
which is available under the CDDL 1.1. For details, see licenses/bin/javax.CDDL11
* https://github.com/javaee/el-spec
* org.glassfish:javax.el
* org.glassfish:jakarta.el
This product bundles Jersey version 1.9, copyright Oracle and/or its affiliates.,
which is available under the CDDL 1.1. For details, see licenses/bin/jersey.CDDL11


@ -68,6 +68,9 @@
~ dependency on hadoop 2.8.5 is blocking us from updating this dependency. Not a major concern since Druid
~ eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion
~ jobs which can only be run by admin type users.
~ CVE-2022-45688:
~ We do not use XML, so not impact that by this CVE
-->
<notes><![CDATA[
file name: json-smart-2.3.jar
@ -75,7 +78,18 @@
<packageUrl regex="true">^pkg:maven/net\.minidev/json\-smart@.*$</packageUrl>
<cve>CVE-2021-27568</cve>
<cve>CVE-2021-31684</cve>
<cve>CVE-2022-45688</cve>
<cve>CVE-2023-1370</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: json-path-2.3.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.minidev/json\-path@.*$</packageUrl>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<!--
accessors-smart-1.2 is a dependency of json-smart-2.3.
@ -87,6 +101,7 @@
]]></notes>
<packageUrl regex="true">^pkg:maven/net\.minidev/accessors\-smart@.*$</packageUrl>
<cve>CVE-2021-27568</cve>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
<!--
@ -191,6 +206,7 @@
<cve>CVE-2019-16869</cve>
<cve>CVE-2019-20444</cve>
<cve>CVE-2019-20445</cve>
<cve>CVE-2020-11612</cve>
<cve>CVE-2021-37136</cve>
<cve>CVE-2021-37137</cve>
<cve>CVE-2022-41881</cve>
@ -599,10 +615,12 @@
<suppress>
<!-- Jackson CVEs when processing objects of large depth. Consider updating -->
<notes><![CDATA[
file name: *jackson-*.jar
]]></notes>
<cve>CVE-2020-36518</cve>
<cve>CVE-2022-45688</cve>
</suppress>
<suppress>
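Review bot: CVE-2022-45688 is suppressed in four separate rules in this file (json-smart, json-path, accessors-smart and the `*jackson-*.jar` rule) on the strength of one sentence, `~ We do not use XML, so not impact that by this CVE`; the comment should state whether these are false-positive matches on unrelated artifacts or a real dependency whose vulnerable code path is unreachable, since the two cases are re-evaluated very differently at the next upgrade. The `*jackson-*.jar` rule shows no `<packageUrl>`, `<gav>` or `<filePath>` selector within the hunk — the CDATA `file name:` text is only a note — so confirm the rule is scoped to Jackson rather than matching more broadly than intended. For that Jackson block, whose comment already says "Consider updating", dependency-check supports an expiring rule, e.g. `<suppress until="YYYY-MM-DD">` (placeholder date), so the suppression is forced back into review instead of remaining silent indefinitely.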


@ -526,8 +526,8 @@
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>javax.el</artifactId>
<version>3.0.0</version>
<artifactId>jakarta.el</artifactId>
<version>3.0.4</version>
</dependency>
<dependency>
<groupId>org.glassfish.grizzly</groupId>
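Review bot: The bump to `jakarta.el` 3.0.4 is not reflected in LABELS, which after this commit still reads `This product bundles Expression Language 3.0 version 3.0.0.` and points at `licenses/bin/javax.CDDL11`; the version string should be updated, and the license the 3.0.4 artifact actually ships under should be confirmed before continuing to reference the CDDL file. The second pom changed in this commit declares `jakarta.el` with only `<scope>runtime</scope>`, so it presumably inherits the version from this managed entry — worth confirming that module resolves 3.0.4 rather than an older transitive copy. The commit message says only that it fixes "security vulnerability check errors"; naming the finding this replacement addresses, in the message or in the suppressions file, would make the change auditable later.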


@ -146,7 +146,7 @@
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>javax.el</artifactId>
<artifactId>jakarta.el</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>