Commit Graph

82 Commits

Author SHA1 Message Date
Rishabh Singh 7f335ff486
Resolve CVEs: Upgrade jetty version and suppress azure cve (#17385) 2024-11-15 10:55:02 +05:30
Karan Kumar 4fdb38118a
CVE suppression for various dependencies. (#17307) 2024-10-09 18:07:09 +05:30
Laksh Singla b698440bfe
suppress cve (#16997) 2024-09-04 19:37:23 +05:30
Adarsh Sanjeev 16517e348e
Suppress CVE (#16851) 2024-08-27 10:47:57 +05:30
Vishesh Garg af24cc88ce
Fix CVE errors (#16147)
* Fix CVE errors

* Update pac4j

* Update nimbus.jose.jwt.version

* Change pac4j version to 5.7.3

* Change pac4j version to 5.3.1

* Revert pac4j version change

* Update pac4j comment
2024-04-05 17:53:09 +05:30
Parth Agrawal 495e66f2e7
CVE Fix: Update json-path version (#15772)
Apache Druid brings the dependency json-path which is affected by CVE-2023-51074.
Its latest version 2.9.0 fixes the above CVE.

Append function has been added to json-path and so the unit test to check for the append function not present has been updated.

---------

Co-authored-by: Xavier Léauté <xvrl@apache.org>
2024-02-14 20:58:27 -08:00
Vishesh Garg 5de39c6251
Resolve CVE issues (#15814)
* Resolve CVE issues

* Update license.yaml
2024-02-01 14:10:12 +05:30
Jan Werner fa2c8edb5d
unpin snakeyaml, add suppressions and licenses (#15549)
* unpin snakeyaml globally, add suppressions and licenses
* pin snakeyaml in the specific modules that require version 1.x, update licenses and owasp suppression

This removes the pin of the Snakeyaml introduced in:  https://github.com/apache/druid/pull/14519
After the updates of io.kubernetes.java-client and io.confluent.kafka-clients, the only uses of the Snakeyaml 1.x are:
- in test scope, transitive dependency of jackson-dataformat-yaml🫙2.12.7
- in compile scope in contrib extension druid-cassandra-storage
- in compile scope in it-tests. 

With the dependency version un-pinned, io.kubernetes.java-client and io.confluent.kafka-clients bring Snakeyaml versions 2.0 and 2.2, consequently allowing to build a Druid distribution without the contrib-extension and free of vulnerable Snakeyaml versions.
2023-12-15 10:33:14 -08:00
Keerthana Srikanth f32dbd4131
Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (#15522)
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
2023-12-13 10:44:05 -08:00
Jan Werner 3c7dec56ca
update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (#15449)
Update of direct dependencies:
* kubernetes java-client to 19.0.0
* docker-java-bom to 3.3.4

In order to update transitive dependencies:
* okio to 3.6.0
* bcjava to 1.76

To address CVES:
- CVE-2023-3635 in okio
- CVE-2023-33201 in bcjava

---------

Co-authored-by: Xavier Léauté <xvrl@apache.org>
2023-12-12 14:27:57 -08:00
Vishesh Garg 326b7b731d
Upgrade zookeeper from 3.5.10 to 3.8.3 (#15477)
Upgrade zookeeper from 3.5.10 to 3.8.3
2023-12-05 18:57:56 +05:30
Jan Werner a469c53c0c
cleanup already resolved CVEs (#15447)
Remove the crud from the dependency-check suppression file
2023-12-05 10:30:35 +05:30
Keerthana Srikanth 7467d2c00d
Upgrade Jackson and Google GSON to address CVEs (#15461)
Upgrade Jackson to version 2.12.7.1 to address CVE-2022-42003, CVE-2022-42004 which affects jackson-databind.
Upgrade com.google.code.gson:gson from 2.2.4 to the latest version (2.10.1) since 2.2.4 is affected by CVE-2022-25647.
2023-11-30 15:31:26 +05:30
Keerthana Srikanth 7a8204db72
Upgrade Avro to 1.11.3 to address CVE-2023-39410 (#15419) 2023-11-28 14:09:48 +05:30
Kashif Faraz 75d6993da9
Suppress Hadoop and jose4j cve (#15425)
Changes
- Suppress CVE-2023-36478 as there is no newer Hadoop version available that addresses
- Suppress CVE-2023-31582 in jose4j. Pulled in by Kubernetes/Kafka but not addressed yet.
2023-11-24 09:25:10 +05:30
Laksh Singla 7c8e841362
Suppress CVE's in master (#15231) 2023-10-27 09:29:18 +05:30
Tejaswini Bandlamudi 28870c702a
Resolve reported CVEs (#15081) 2023-10-04 11:59:01 +05:30
Tejaswini Bandlamudi 48b6d2abf9
skip org.owasp:dependency-check on extensions-contrib modules and suppress false-positive gRPC CVEs (#15026) 2023-09-25 12:14:42 +05:30
Tejaswini Bandlamudi dec6a0aa14
Update google client apis to latest version (#14414)
Currently Druid is using google apis client 1.26.0 version and google-oauth-client-1.26.0.jar in particular is bringing following CVEs CVE-2020-7692, CVE-2021-22573. Despite the CVEs being false positives, they're causing red security scans on Druid distribution. Hence updating the version to latest version with these CVE fixes.
2023-09-11 12:27:23 +05:30
Tejaswini Bandlamudi 388d5ecf78
Fix reported CVEs (#14882)
Suppress CVEs from dependencies with no available fix or false positives
hadoop-annotations: CVE-2022-25168, CVE-2021-33036
hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475
okio: CVE-2023-3635
Upgrade grpc version to fix CVE-2023-33953
2023-08-24 19:28:55 +05:30
Tejaswini Bandlamudi d87056e708
Upgrade guava version to 31.1-jre (#14767)
Currently, Druid is using Guava 16.0.1 version. This upgrade to 31.1-jre fixes the following issues.

CVE-2018-10237 (Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable). We don't use Java or GWT serializations. Despite being false positive they're causing red security scans on Druid distribution.
Latest version of google-client-api is incompatible with the existing Guava version. This PR unblocks Update google client apis to latest version #14414
2023-08-22 12:09:53 +05:30
Tejaswini Bandlamudi a45b25fa1d
Removes support for Hadoop 2 (#14763)
Removing Hadoop 2 support as discussed in https://lists.apache.org/list?dev@druid.apache.org:lte=1M:hadoop
2023-08-09 17:47:52 +05:30
Tejaswini Bandlamudi 550a66d71e
Upgrade jackson-databind to 2.12.7 (#14770)
The current version of jackson-databind is flagged for vulnerabilities CVE-2020-28491 (Although cbor format is not used in druid), CVE-2020-36518 (Seems genuine as deeply nested json in can cause resource exhaustion). Updating the dependency to the latest version 2.12.7 to fix these vulnerabilities.
2023-08-09 12:22:16 +05:30
AmatyaAvadhanula 6566bda57c
Suppress CVEs (#14648)
CVE-2023-34462 - (Allows malicious allocation of resources without throttling) Not applicable as the Netty requests in Druid are internal, and not user facing.
CVE-2016-2402 - (Man in the middle with okhttp by sending certificate chains) Not applicable as okhttp requests in Druid are also internal
2023-07-25 13:37:50 +05:30
AmatyaAvadhanula 536e491d00
Suppress ambari metrics CVEs (#14645)
* Suppress ambari metrics CVEs
2023-07-24 18:01:56 +05:30
Tejaswini Bandlamudi c3f84f9ea0
Suppress CVEs (#14291)
Address various CVEs by upgrading dependencies or adding suppression with a justification
2023-07-10 15:19:26 +05:30
Jan Werner 95115d722a
CVE fixes - update of multiple dependencies. (#14519)
Apache Druid brings multiple direct and transitive dependencies that are affected by plethora of CVEs.
This PR attempts to update all the dependencies that did not require code refactoring.
This PR modifies pom files, license file and OWASP Dependency Check suppression file.
2023-07-07 20:27:30 +05:30
Tejaswini Bandlamudi baa64e6d8a
update hadoop version to 3.3.6 (#14489) 2023-06-28 15:03:10 +05:30
Tejaswini Bandlamudi 72cf91fbc0
Upgrade Avro to latest version (#14440)
Upgraded Avro to 1.11.1
2023-06-24 14:51:30 +05:30
Clint Wylie eae9e07ea9
suppress CVE-2021-40331 since it applies to ranger-hive-plugin which afaict we do not use (#14261) 2023-05-11 21:58:47 -07:00
Clint Wylie e833a4700d
suppress hadoop3 cve that seem not applicable to us (#14252) 2023-05-10 23:08:05 -07:00
Clint Wylie 6db11bfc60
suppress some cves and fix javadoc build when using java 17 (#14241) 2023-05-10 15:47:10 -07:00
abhagraw c52d15d65d
Fixing security vulnerability check errors (#13956)
* Fixing security vulnerability check errors

* Updating javax.el to jakarta.el

* Adding cron job trigger on changes to suppressions file
2023-03-23 11:10:06 +05:30
AmatyaAvadhanula 76e79c7db7
Suppress CVEs (#13733) 2023-02-01 04:18:41 -08:00
Kashif Faraz 78ae0b7533
Upgrade to netty 4.1.86.Final to address CVEs (#13604)
This commit addresses the following CVEs:
- CVE-2021-43797
- CVE-2022-41881
2022-12-23 01:44:01 +05:30
Kashif Faraz e34e56295f
Suppress CVE-2022-1278, CVE-2022-2048, CVE-2022-3509, CVE-2022-40152 (#13590) 2022-12-17 20:09:52 +05:30
Kashif Faraz 1cc9bc9af9
Suppress CVE-2022-45685 and CVE-2022-45693 from jettison-1.3 (#13585) 2022-12-16 22:56:30 +05:30
Kashif Faraz 431a1195ca
Suppress CVE-2022-1471 from snakeyaml (#13557)
* Upgrade kube client to 17.0.0

* Remove snakeyaml CVE suppression

* Update licenses.yaml

* Revert changes and suppress cve
2022-12-15 21:39:14 +05:30
Rohan Garg c26b18c953
Port CVE suppressions from 24.0.1 (#13415)
* Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004
(cherry picked from commit 1f4d892c9a)
* Suppress CVEs
(cherry picked from commit ed55baa8fa)
* Suppress vulnerabilities from druid-website package
(cherry picked from commit c0fb364f80)
* Add more suppressions for website package
(cherry picked from commit 9bba569ebd)
2022-11-23 11:35:33 +05:30
abhagraw 848570d8db
Suppressing package-lock.json?d3-color vulnerability (#13301) 2022-11-04 11:47:02 +05:30
Adarsh Sanjeev 306f612f86
Suppress Calcite CVE (#13119)
* Suppress Calcite CVE

* Update comment
2022-09-23 16:23:26 +05:30
Abhishek Agarwal 7d332c6f6a
Suppress false CVEs (#13026)
* Suppress CVEs

* Add more suppressions
2022-09-06 11:46:56 +05:30
abhagraw 9cc30ee120
Suppressing CVE-2022-25168 - hadoop-common-2.8.5.jar (#12970) 2022-08-25 16:02:17 +05:30
Abhishek Agarwal b4985ccd5e
Suppress CVEs - Avatica, Postgres (#12884) 2022-08-10 14:18:19 +05:30
Kashif Faraz 6c96d09680
Suppress some false alarm CVEs (#12812)
This commit suppresses the following CVEs:
- CVE-2021-43138: false alarm for async-http-client
- CVE-2021-34538: applicable to Hive server
- CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure
- CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 22:27:31 +05:30
Rohan Garg 97a926fb29
Suppress CVE-2022-33915 (#12740) 2022-07-04 22:48:08 +05:30
AmatyaAvadhanula 6bcb778eeb
Add CVEs for Hadoop3 (#12336)
* Add CVEs

* Move CVEs under hadoop3 section
2022-06-22 14:12:17 +05:30
AmatyaAvadhanula f7ce73eee7
Suppress CVEs (#12590) 2022-06-01 21:22:32 +05:30
Abhishek Agarwal b10eb4cbd4
Suppress false CVE on druid-indexing-hadoop artifact (#12562) 2022-05-24 16:00:58 +05:30
AmatyaAvadhanula 6d85ba4c00
Suppress CVEs (#12553) 2022-05-23 12:35:23 +05:30