mirror of https://github.com/apache/druid.git
Update google client apis to latest version (#14414)
Currently Druid uses version 1.26.0 of the Google APIs client, and google-oauth-client-1.26.0.jar in particular brings in the following CVEs: CVE-2020-7692 and CVE-2021-22573. Despite the CVEs being false positives, they cause red security scans on the Druid distribution. This commit therefore updates to the latest version, which includes the fixes for these CVEs.
parent
2b7f2c5119
commit
dec6a0aa14
|
@ -188,13 +188,13 @@
|
|||
<dependency>
|
||||
<groupId>com.google.http-client</groupId>
|
||||
<artifactId>google-http-client</artifactId>
|
||||
<version>${com.google.apis.client.version}</version>
|
||||
<version>${com.google.http.client.apis.version}</version>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>com.google.http-client</groupId>
|
||||
<artifactId>google-http-client-jackson2</artifactId>
|
||||
<version>${com.google.apis.client.version}</version>
|
||||
<version>${com.google.http.client.apis.version}</version>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<!-- Tests can choose either the MySQL or MariaDB driver. -->
|
||||
|
|
|
@ -4422,7 +4422,7 @@ name: Google Cloud Storage JSON API
|
|||
license_category: binary
|
||||
module: extensions/druid-google-extensions
|
||||
license_name: Apache License version 2.0
|
||||
version: v1-rev20190523-1.26.0
|
||||
version: v1-rev20230301-2.0.0
|
||||
libraries:
|
||||
- com.google.apis: google-api-services-storage
|
||||
|
||||
|
@ -4432,7 +4432,7 @@ name: Google Compute Engine API
|
|||
license_category: binary
|
||||
module: extensions/gce-extensions
|
||||
license_name: Apache License version 2.0
|
||||
version: v1-rev20190523-1.26.0
|
||||
version: v1-rev20230606-2.0.0
|
||||
libraries:
|
||||
- com.google.apis: google-api-services-compute
|
||||
|
||||
|
@ -4442,7 +4442,7 @@ name: Google APIs Client Library For Java
|
|||
license_category: binary
|
||||
module: java-core
|
||||
license_name: Apache License version 2.0
|
||||
version: 1.32.1
|
||||
version: 2.2.0
|
||||
libraries:
|
||||
- com.google.api-client: google-api-client
|
||||
|
||||
|
@ -4452,7 +4452,7 @@ name: Google HTTP Client Library For Java
|
|||
license_category: binary
|
||||
module: java-core
|
||||
license_name: Apache License version 2.0
|
||||
version: 1.35.2
|
||||
version: 1.42.3
|
||||
libraries:
|
||||
- com.google.http-client: google-http-client
|
||||
- com.google.http-client: google-http-client-jackson2
|
||||
|
@ -4463,7 +4463,7 @@ name: Google OAuth Client Library For Java
|
|||
license_category: binary
|
||||
module: java-core
|
||||
license_name: Apache License version 2.0
|
||||
version: 1.22.0
|
||||
version: 1.34.1
|
||||
libraries:
|
||||
- com.google.oauth-client: google-oauth-client
|
||||
|
||||
|
|
|
@ -291,14 +291,6 @@
|
|||
<packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
|
||||
<vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<notes><![CDATA[
|
||||
Druid is not a native app, so the vulnerability flagged is a false positive.
|
||||
]]></notes>
|
||||
<packageUrl regex="true">^pkg:maven/com\.google\.oauth-client/google\-oauth\-client@.*$</packageUrl>
|
||||
<cve>CVE-2020-7692</cve>
|
||||
<cve>CVE-2021-22573</cve>
|
||||
</suppress>
|
||||
<suppress>
|
||||
<!--
|
||||
~ TODO: Fix when Apache Ranger 2.1 is released
|
||||
|
|
11
pom.xml
11
pom.xml
|
@ -120,9 +120,10 @@
|
|||
<!-- When upgrading ZK, edit docs and integration tests as well (integration-tests/docker-base/setup.sh) -->
|
||||
<zookeeper.version>3.5.10</zookeeper.version>
|
||||
<checkerframework.version>2.5.7</checkerframework.version>
|
||||
<com.google.apis.client.version>1.26.0</com.google.apis.client.version>
|
||||
<com.google.apis.compute.version>v1-rev20190607-${com.google.apis.client.version}</com.google.apis.compute.version>
|
||||
<com.google.apis.storage.version>v1-rev20190523-${com.google.apis.client.version}</com.google.apis.storage.version>
|
||||
<com.google.apis.client.version>2.2.0</com.google.apis.client.version>
|
||||
<com.google.http.client.apis.version>1.42.3</com.google.http.client.apis.version>
|
||||
<com.google.apis.compute.version>v1-rev20230606-2.0.0</com.google.apis.compute.version>
|
||||
<com.google.apis.storage.version>v1-rev20230301-2.0.0</com.google.apis.storage.version>
|
||||
<jdk.strong.encapsulation.argLine><!-- empty placeholder --></jdk.strong.encapsulation.argLine>
|
||||
<repoOrgId>maven.org</repoOrgId>
|
||||
<repoOrgName>Maven Central Repository</repoOrgName>
|
||||
|
@ -1170,12 +1171,12 @@
|
|||
<dependency>
|
||||
<groupId>com.google.http-client</groupId>
|
||||
<artifactId>google-http-client</artifactId>
|
||||
<version>${com.google.apis.client.version}</version>
|
||||
<version>${com.google.http.client.apis.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>com.google.http-client</groupId>
|
||||
<artifactId>google-http-client-jackson2</artifactId>
|
||||
<version>${com.google.apis.client.version}</version>
|
||||
<version>${com.google.http.client.apis.version}</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>com.fasterxml.jackson.core</groupId>
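Review bot: In the properties hunk, `com.google.apis.compute.version` and `com.google.apis.storage.version` now hard-code a `-2.0.0` suffix where they used to interpolate `${com.google.apis.client.version}`, and nothing records that they no longer follow the client property; a comment above them such as `<!-- suffix no longer tracks com.google.apis.client.version; review these together with it -->` would keep the next upgrade from missing them. The stated goal is to move off google-oauth-client 1.26.0, yet no visible property or managed dependency names `google-oauth-client`, so the 1.34.1 recorded in the license registry appears to arrive only transitively. If that is the case, managing `com.google.oauth-client:google-oauth-client` explicitly in the root pom would stop a later dependency-mediation change from silently selecting an older release, which matters more now that the scanner suppression for CVE-2020-7692 and CVE-2021-22573 has been removed. Both hunks show only part of pom.xml, so an existing pin outside the visible lines is possible.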
|
||||
|
|