Commit Graph

9 Commits

Author SHA1 Message Date
bolkedebruin ab5ac7f890
Document possible vulnerabilities for the druid-ranger-security (#9649)
* Document possible vulnerabilities for the druid-ranger-security

In certain configurations the ranger plugin can expose vulnerabilities due
to some of its dependencies having CVEs.

* Spelling checker is a bit tight
2020-04-09 10:43:11 -07:00
Chi Cao Minh b5419962f0
Suppress CVEs for jackson-mapper-asl:1.9.13 (#9604)
The jackson-mapper-asl:1.9.13 CVEs via curator-x-discovery are all
suppressed for now as fixing them requires updating the curator version.
2020-04-03 10:33:52 -07:00
Chi Cao Minh 100d587583
Suppress CWE-400 for node-sass:4.13.1 (#9517)
The vulnerability is fixed in 4.13.1:
https://github.com/sass/node-sass/issues/2816#issuecomment-575136455

But the dependency check plugin thinks its still broken as the
affected/fixed versions has not been updated yet on Sonatype OSS Index:
https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
2020-03-16 09:42:33 -07:00
Chi Cao Minh 559c7b64cc
Suppress CVEs for htrace-core4 and openstack-swift (#9489)
CVE-2013-7109 can be ignored for openstack-swift as it is for the python
SDK and druid uses the java SDK.

The jackson-databind:2.4.0 CVEs via htrace-core4 are all suppressed for
now as fixing them requires updating the hadoop version.
2020-03-10 10:55:41 -07:00
Chi Cao Minh 5d05b40e6d
Remove druid incubating references (#9405) 2020-02-26 21:47:58 -08:00
Chi Cao Minh 3f848e6a7c
Suppress CVE-2020-8840 for htrace-core-4.0.1 (#9379)
CVE-2020-8840 was updated on 19 Feb 2020, which now gets flagged by the
security vulnerability scan. Since the CVE is for jackson-databind, via
htrace-core-4.0.1, it can be added to the existing list of security
vulnerability suppressions for that dependency.
2020-02-21 11:05:00 -08:00
zachjsh 74ac9151c9
Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 (#9300)
* Suppress netty 3 vulnerabilites and upgrade netty 4 version

* Upgrade netty 4 version to fix vulnerabilities CVE-2019-20445
  and CVE-2019-20444
* suppress these CVEs for netty 3

* * simplify suppression xml file
* update licenses file with new version of netty

* * fix type in licenses.yaml
2020-01-31 14:51:54 -08:00
Chi Cao Minh b2877119d0 Suppress CVE-2019-20330 for htrace-core-4.0.1 (#9189)
CVE-2019-20330 was updated on 14 Jan 2020, which now gets flagged by the
security vulnerability scan. Since the CVE is for jackson-databind, via
htrace-core-4.0.1, it can be added to the existing list of security
vulnerability suppressions for that dependency.
2020-01-14 21:15:24 -08:00
Chi Cao Minh af74acaa85 Address security vulnerabilities CVSS >= 7 (#8980)
* Address security vulnerabilities CVSS >= 7

Update dependencies to address security vulnerabilities with CVSS scores
of 7 or higher. A new Travis CI job is added to prevent new
high/critical security vulnerabilities from being added.

Updated dependencies:
- api-util 1.0.0 -> 1.0.3
- jackson 2.9.10 -> 2.10.1
- kafka 2.1.0 -> 2.1.1
- libthrift 0.10.0 -> 0.13.0
- protobuf 3.2.0 -> 3.11.0

The following high/critical security vulnerabilities are currently
suppressed (so that the new Travis CI job can be added now) and are left
as future work to fix:
- hibernate-validator:5.2.5
- jackson-mapper-asl:1.9.13
- libthrift:0.6.1
- netty:3.10.6
- nimbus-jose-jwt:4.41.1

* Rename EDL1 license file

* Fix inspection errors
2019-12-05 14:34:35 -08:00