Jan Werner
95115d722a
CVE fixes - update of multiple dependencies. ( #14519 )
...
Apache Druid brings multiple direct and transitive dependencies that are affected by plethora of CVEs.
This PR attempts to update all the dependencies that did not require code refactoring.
This PR modifies pom files, license file and OWASP Dependency Check suppression file.
2023-07-07 20:27:30 +05:30
Tejaswini Bandlamudi
baa64e6d8a
update hadoop version to 3.3.6 ( #14489 )
2023-06-28 15:03:10 +05:30
Tejaswini Bandlamudi
72cf91fbc0
Upgrade Avro to latest version ( #14440 )
...
Upgraded Avro to 1.11.1
2023-06-24 14:51:30 +05:30
Clint Wylie
eae9e07ea9
suppress CVE-2021-40331 since it applies to ranger-hive-plugin which afaict we do not use ( #14261 )
2023-05-11 21:58:47 -07:00
Clint Wylie
e833a4700d
suppress hadoop3 cve that seem not applicable to us ( #14252 )
2023-05-10 23:08:05 -07:00
Clint Wylie
6db11bfc60
suppress some cves and fix javadoc build when using java 17 ( #14241 )
2023-05-10 15:47:10 -07:00
abhagraw
c52d15d65d
Fixing security vulnerability check errors ( #13956 )
...
* Fixing security vulnerability check errors
* Updating javax.el to jakarta.el
* Adding cron job trigger on changes to suppressions file
2023-03-23 11:10:06 +05:30
AmatyaAvadhanula
76e79c7db7
Suppress CVEs ( #13733 )
2023-02-01 04:18:41 -08:00
Kashif Faraz
78ae0b7533
Upgrade to netty 4.1.86.Final to address CVEs ( #13604 )
...
This commit addresses the following CVEs:
- CVE-2021-43797
- CVE-2022-41881
2022-12-23 01:44:01 +05:30
Kashif Faraz
e34e56295f
Suppress CVE-2022-1278, CVE-2022-2048, CVE-2022-3509, CVE-2022-40152 ( #13590 )
2022-12-17 20:09:52 +05:30
Kashif Faraz
1cc9bc9af9
Suppress CVE-2022-45685 and CVE-2022-45693 from jettison-1.3 ( #13585 )
2022-12-16 22:56:30 +05:30
Kashif Faraz
431a1195ca
Suppress CVE-2022-1471 from snakeyaml ( #13557 )
...
* Upgrade kube client to 17.0.0
* Remove snakeyaml CVE suppression
* Update licenses.yaml
* Revert changes and suppress cve
2022-12-15 21:39:14 +05:30
Rohan Garg
c26b18c953
Port CVE suppressions from 24.0.1 ( #13415 )
...
* Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004
(cherry picked from commit 1f4d892c9a
)
* Suppress CVEs
(cherry picked from commit ed55baa8fa
)
* Suppress vulnerabilities from druid-website package
(cherry picked from commit c0fb364f80
)
* Add more suppressions for website package
(cherry picked from commit 9bba569ebd
)
2022-11-23 11:35:33 +05:30
abhagraw
848570d8db
Suppressing package-lock.json?d3-color vulnerability ( #13301 )
2022-11-04 11:47:02 +05:30
Adarsh Sanjeev
306f612f86
Suppress Calcite CVE ( #13119 )
...
* Suppress Calcite CVE
* Update comment
2022-09-23 16:23:26 +05:30
Abhishek Agarwal
7d332c6f6a
Suppress false CVEs ( #13026 )
...
* Suppress CVEs
* Add more suppressions
2022-09-06 11:46:56 +05:30
abhagraw
9cc30ee120
Suppressing CVE-2022-25168 - hadoop-common-2.8.5.jar ( #12970 )
2022-08-25 16:02:17 +05:30
Abhishek Agarwal
b4985ccd5e
Suppress CVEs - Avatica, Postgres ( #12884 )
2022-08-10 14:18:19 +05:30
Kashif Faraz
6c96d09680
Suppress some false alarm CVEs ( #12812 )
...
This commit suppresses the following CVEs:
- CVE-2021-43138: false alarm for async-http-client
- CVE-2021-34538: applicable to Hive server
- CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure
- CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 22:27:31 +05:30
Rohan Garg
97a926fb29
Suppress CVE-2022-33915 ( #12740 )
2022-07-04 22:48:08 +05:30
AmatyaAvadhanula
6bcb778eeb
Add CVEs for Hadoop3 ( #12336 )
...
* Add CVEs
* Move CVEs under hadoop3 section
2022-06-22 14:12:17 +05:30
AmatyaAvadhanula
f7ce73eee7
Suppress CVEs ( #12590 )
2022-06-01 21:22:32 +05:30
Abhishek Agarwal
b10eb4cbd4
Suppress false CVE on druid-indexing-hadoop artifact ( #12562 )
2022-05-24 16:00:58 +05:30
AmatyaAvadhanula
6d85ba4c00
Suppress CVEs ( #12553 )
2022-05-23 12:35:23 +05:30
AmatyaAvadhanula
215b90d1a4
CVE suppression ( #12535 )
2022-05-19 11:21:48 +05:30
Tejaswini Bandlamudi
65d00c705c
Supress CVE 2022 26612 ( #12463 )
...
* supress CVE-2022-26612
* adding packageUrl
* suppressing CVE-2022-26612
* adding packageUrl
* moving to hadoop section
2022-04-21 08:48:20 -07:00
Jihoon Son
691e26d242
Suppress CVE-2021-43138 ( #12437 )
...
* Suppress CVE-2021-43138
* revert netty 3.10.5.Final
2022-04-18 20:00:06 -07:00
Abhishek Agarwal
7bdb9ebdf1
Suppress Avro CVEs ( #12166 )
2022-01-18 21:09:48 +05:30
Karan Kumar
90640bb316
Support for hadoop 3 via maven profiles ( #11794 )
...
Add support for hadoop 3 profiles . Most of the details are captured in #11791 .
We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 22:46:24 +05:30
Jihoon Son
07a232d7b4
Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 ( #11844 )
...
* bump netty4 to 4.1.68
* suppress CVE-2021-37136 and CVE-2021-37137 for netty3
* license
2021-10-25 21:09:15 -07:00
Clint Wylie
335b582377
suppress hive-storage-api thrift security vulnerability ( #11753 )
2021-09-28 23:54:13 -07:00
Clint Wylie
6b959f09e5
suppress false positive cve ( #11699 )
...
* suppress false positive cve
* update comment, dont run tests on changes to owasp-dependency-check-suppressions.xml
2021-09-13 20:45:38 -07:00
Jonathan Wei
2a6421d0d9
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj ( #11572 )
2021-08-11 15:46:57 +05:30
Abhishek Agarwal
2eff0902aa
suppress kafka-clients CVE ( #11562 )
...
The CVE details are here - https://nvd.nist.gov/vuln/detail/CVE-2021-26291 . I am marking it suppressed since we are only using kafka-clients jar in druid. We use maven-artifact jar ourselves but it is only used for comparing versions
2021-08-09 19:02:25 +05:30
zachjsh
73711a456a
Suppress CVE-2021-27568 from json-smart 2.3 dependency ( #11438 )
...
Dependency on hadoop 2.8.5 is preventing us form updating this dependency to a later version. We don't believe that this is a major concern since Druid eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion jobs, which can only be run by admin type users.
2021-07-12 22:58:06 -04:00
Clint Wylie
4a3c834ecf
i dig the optimism, but need more time ( #11250 )
2021-05-13 11:16:10 -07:00
Maytas Monsereenusorn
351059ca43
Suppressing false positive CVE-2020-7791 ( #11215 )
...
* suppressing false positive CVE-2020-7791
* add comments
2021-05-06 15:24:12 -07:00
Suneet Saldanha
c86178aaeb
Suppress CVE in libthrift ( #11093 )
2021-04-12 18:13:42 -07:00
Jihoon Son
efc5d7d112
Suppress CVEs for Solr and org.codehaus.jackson ( #11030 )
...
* Suppress CVEs for Solr and org.codehaus.jackson
* add a comment
2021-03-24 16:44:05 -07:00
Clint Wylie
694605e815
suppress ( #11002 )
2021-03-16 18:17:57 -07:00
Abhishek Agarwal
7d9a61cf7f
Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15o ( #10933 )
2021-03-02 16:18:27 -08:00
Jihoon Son
ad946559bf
Suppress CVE-2020-9492 for hadoop-mapreduce-client-core ( #10847 )
2021-02-03 15:54:25 -08:00
Jonathan Wei
a1a49811d9
Address CVE-2020-8570, suppress CVE-2020-8554 ( #10826 )
...
* Address CVE-2020-8570, suppress CVE-2020-8554
* Update licenses.yaml
2021-02-03 15:17:06 -08:00
Jonathan Wei
0aa2a8e2c6
Suppress CVE-2018-11765 for hadoop dependencies ( #10485 )
2020-10-07 21:55:34 -07:00
Chi Cao Minh
176b715624
Ignore CVEs from htrace and ambari transitive deps ( #10353 )
...
* Ignore CVEs from htrace and ambari transitive deps
htrace CVEs are suppressed for now as addressing them requires updating
the hadoop version.
ambari CVEs are suppressed for now since ambari is updated to the latest
version and is no longer actively maintained.
* Fix compilation issue from ambari upgrade
* Add missing test coverage
2020-09-04 15:22:26 -07:00
Suneet Saldanha
2f28be3f2a
Suppress CVE-2020-7692 ( #10214 )
...
Druid is not a native app, so this CVE should not apply.
2020-07-27 10:52:44 -07:00
Chi Cao Minh
fd6fffc4b8
Suppress CVEs for openstack-keystone ( #9903 )
...
CVE-2020-12689, CVE-2020-12691, and CVE-2020-12690 can be ignored for
openstack-keystone as they are for the python SDK and druid uses the
java SDK.
2020-05-22 10:32:17 -07:00
bolkedebruin
ab5ac7f890
Document possible vulnerabilities for the druid-ranger-security ( #9649 )
...
* Document possible vulnerabilities for the druid-ranger-security
In certain configurations the ranger plugin can expose vulnerabilities due
to some of its dependencies having CVEs.
* Spelling checker is a bit tight
2020-04-09 10:43:11 -07:00
Chi Cao Minh
b5419962f0
Suppress CVEs for jackson-mapper-asl:1.9.13 ( #9604 )
...
The jackson-mapper-asl:1.9.13 CVEs via curator-x-discovery are all
suppressed for now as fixing them requires updating the curator version.
2020-04-03 10:33:52 -07:00
Chi Cao Minh
100d587583
Suppress CWE-400 for node-sass:4.13.1 ( #9517 )
...
The vulnerability is fixed in 4.13.1:
https://github.com/sass/node-sass/issues/2816#issuecomment-575136455
But the dependency check plugin thinks its still broken as the
affected/fixed versions has not been updated yet on Sonatype OSS Index:
https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
2020-03-16 09:42:33 -07:00