Commit Graph

50 Commits

Author SHA1 Message Date
abhagraw c52d15d65d
Fixing security vulnerability check errors (#13956)
* Fixing security vulnerability check errors

* Updating javax.el to jakarta.el

* Adding cron job trigger on changes to suppressions file
2023-03-23 11:10:06 +05:30
AmatyaAvadhanula 76e79c7db7
Suppress CVEs (#13733) 2023-02-01 04:18:41 -08:00
Kashif Faraz 78ae0b7533
Upgrade to netty 4.1.86.Final to address CVEs (#13604)
This commit addresses the following CVEs:
- CVE-2021-43797
- CVE-2022-41881
2022-12-23 01:44:01 +05:30
Kashif Faraz e34e56295f
Suppress CVE-2022-1278, CVE-2022-2048, CVE-2022-3509, CVE-2022-40152 (#13590) 2022-12-17 20:09:52 +05:30
Kashif Faraz 1cc9bc9af9
Suppress CVE-2022-45685 and CVE-2022-45693 from jettison-1.3 (#13585) 2022-12-16 22:56:30 +05:30
Kashif Faraz 431a1195ca
Suppress CVE-2022-1471 from snakeyaml (#13557)
* Upgrade kube client to 17.0.0

* Remove snakeyaml CVE suppression

* Update licenses.yaml

* Revert changes and suppress cve
2022-12-15 21:39:14 +05:30
Rohan Garg c26b18c953
Port CVE suppressions from 24.0.1 (#13415)
* Suppress jackson-databind CVE-2022-42003 and CVE-2022-42004
(cherry picked from commit 1f4d892c9a)
* Suppress CVEs
(cherry picked from commit ed55baa8fa)
* Suppress vulnerabilities from druid-website package
(cherry picked from commit c0fb364f80)
* Add more suppressions for website package
(cherry picked from commit 9bba569ebd)
2022-11-23 11:35:33 +05:30
abhagraw 848570d8db
Suppressing package-lock.json?d3-color vulnerability (#13301) 2022-11-04 11:47:02 +05:30
Adarsh Sanjeev 306f612f86
Suppress Calcite CVE (#13119)
* Suppress Calcite CVE

* Update comment
2022-09-23 16:23:26 +05:30
Abhishek Agarwal 7d332c6f6a
Suppress false CVEs (#13026)
* Suppress CVEs

* Add more suppressions
2022-09-06 11:46:56 +05:30
abhagraw 9cc30ee120
Suppressing CVE-2022-25168 - hadoop-common-2.8.5.jar (#12970) 2022-08-25 16:02:17 +05:30
Abhishek Agarwal b4985ccd5e
Suppress CVEs - Avatica, Postgres (#12884) 2022-08-10 14:18:19 +05:30
Kashif Faraz 6c96d09680
Suppress some false alarm CVEs (#12812)
This commit suppresses the following CVEs:
- CVE-2021-43138: false alarm for async-http-client
- CVE-2021-34538: applicable to Hive server
- CVE-2020-25638: requires hibernate update, which causes Hadoop ingestion failure
- CVE-2021-27568: false alarm for accessors-smart which is a dependency of json-smart (already suppressed)
2022-07-22 22:27:31 +05:30
Rohan Garg 97a926fb29
Suppress CVE-2022-33915 (#12740) 2022-07-04 22:48:08 +05:30
AmatyaAvadhanula 6bcb778eeb
Add CVEs for Hadoop3 (#12336)
* Add CVEs

* Move CVEs under hadoop3 section
2022-06-22 14:12:17 +05:30
AmatyaAvadhanula f7ce73eee7
Suppress CVEs (#12590) 2022-06-01 21:22:32 +05:30
Abhishek Agarwal b10eb4cbd4
Suppress false CVE on druid-indexing-hadoop artifact (#12562) 2022-05-24 16:00:58 +05:30
AmatyaAvadhanula 6d85ba4c00
Suppress CVEs (#12553) 2022-05-23 12:35:23 +05:30
AmatyaAvadhanula 215b90d1a4
CVE suppression (#12535) 2022-05-19 11:21:48 +05:30
Tejaswini Bandlamudi 65d00c705c
Supress CVE 2022 26612 (#12463)
* supress CVE-2022-26612

* adding packageUrl

* suppressing CVE-2022-26612

* adding packageUrl

* moving to hadoop section
2022-04-21 08:48:20 -07:00
Jihoon Son 691e26d242
Suppress CVE-2021-43138 (#12437)
* Suppress CVE-2021-43138

* revert netty 3.10.5.Final
2022-04-18 20:00:06 -07:00
Abhishek Agarwal 7bdb9ebdf1
Suppress Avro CVEs (#12166) 2022-01-18 21:09:48 +05:30
Karan Kumar 90640bb316
Support for hadoop 3 via maven profiles (#11794)
Add support for hadoop 3 profiles . Most of the details are captured in #11791 .
We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 22:46:24 +05:30
Jihoon Son 07a232d7b4
Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (#11844)
* bump netty4 to 4.1.68

* suppress CVE-2021-37136 and CVE-2021-37137 for netty3

* license
2021-10-25 21:09:15 -07:00
Clint Wylie 335b582377
suppress hive-storage-api thrift security vulnerability (#11753) 2021-09-28 23:54:13 -07:00
Clint Wylie 6b959f09e5
suppress false positive cve (#11699)
* suppress false positive cve

* update comment, dont run tests on changes to owasp-dependency-check-suppressions.xml
2021-09-13 20:45:38 -07:00
Jonathan Wei 2a6421d0d9
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572) 2021-08-11 15:46:57 +05:30
Abhishek Agarwal 2eff0902aa
suppress kafka-clients CVE (#11562)
The CVE details are here - https://nvd.nist.gov/vuln/detail/CVE-2021-26291. I am marking it suppressed since we are only using kafka-clients jar in druid. We use maven-artifact jar ourselves but it is only used for comparing versions
2021-08-09 19:02:25 +05:30
zachjsh 73711a456a
Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)
Dependency on hadoop 2.8.5 is preventing us form updating this dependency to a later version. We don't believe that this is a major concern since Druid eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion jobs, which can only be run by admin type users.
2021-07-12 22:58:06 -04:00
Clint Wylie 4a3c834ecf
i dig the optimism, but need more time (#11250) 2021-05-13 11:16:10 -07:00
Maytas Monsereenusorn 351059ca43
Suppressing false positive CVE-2020-7791 (#11215)
* suppressing false positive CVE-2020-7791

* add comments
2021-05-06 15:24:12 -07:00
Suneet Saldanha c86178aaeb
Suppress CVE in libthrift (#11093) 2021-04-12 18:13:42 -07:00
Jihoon Son efc5d7d112
Suppress CVEs for Solr and org.codehaus.jackson (#11030)
* Suppress CVEs for Solr and org.codehaus.jackson

* add a comment
2021-03-24 16:44:05 -07:00
Clint Wylie 694605e815
suppress (#11002) 2021-03-16 18:17:57 -07:00
Abhishek Agarwal 7d9a61cf7f
Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15o (#10933) 2021-03-02 16:18:27 -08:00
Jihoon Son ad946559bf
Suppress CVE-2020-9492 for hadoop-mapreduce-client-core (#10847) 2021-02-03 15:54:25 -08:00
Jonathan Wei a1a49811d9
Address CVE-2020-8570, suppress CVE-2020-8554 (#10826)
* Address CVE-2020-8570, suppress CVE-2020-8554

* Update licenses.yaml
2021-02-03 15:17:06 -08:00
Jonathan Wei 0aa2a8e2c6
Suppress CVE-2018-11765 for hadoop dependencies (#10485) 2020-10-07 21:55:34 -07:00
Chi Cao Minh 176b715624
Ignore CVEs from htrace and ambari transitive deps (#10353)
* Ignore CVEs from htrace and ambari transitive deps

htrace CVEs are suppressed for now as addressing them requires updating
the hadoop version.

ambari CVEs are suppressed for now since ambari is updated to the latest
version and is no longer actively maintained.

* Fix compilation issue from ambari upgrade

* Add missing test coverage
2020-09-04 15:22:26 -07:00
Suneet Saldanha 2f28be3f2a
Suppress CVE-2020-7692 (#10214)
Druid is not a native app, so this CVE should not apply.
2020-07-27 10:52:44 -07:00
Chi Cao Minh fd6fffc4b8
Suppress CVEs for openstack-keystone (#9903)
CVE-2020-12689, CVE-2020-12691, and CVE-2020-12690 can be ignored for
openstack-keystone as they are for the python SDK and druid uses the
java SDK.
2020-05-22 10:32:17 -07:00
bolkedebruin ab5ac7f890
Document possible vulnerabilities for the druid-ranger-security (#9649)
* Document possible vulnerabilities for the druid-ranger-security

In certain configurations the ranger plugin can expose vulnerabilities due
to some of its dependencies having CVEs.

* Spelling checker is a bit tight
2020-04-09 10:43:11 -07:00
Chi Cao Minh b5419962f0
Suppress CVEs for jackson-mapper-asl:1.9.13 (#9604)
The jackson-mapper-asl:1.9.13 CVEs via curator-x-discovery are all
suppressed for now as fixing them requires updating the curator version.
2020-04-03 10:33:52 -07:00
Chi Cao Minh 100d587583
Suppress CWE-400 for node-sass:4.13.1 (#9517)
The vulnerability is fixed in 4.13.1:
https://github.com/sass/node-sass/issues/2816#issuecomment-575136455

But the dependency check plugin thinks its still broken as the
affected/fixed versions has not been updated yet on Sonatype OSS Index:
https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
2020-03-16 09:42:33 -07:00
Chi Cao Minh 559c7b64cc
Suppress CVEs for htrace-core4 and openstack-swift (#9489)
CVE-2013-7109 can be ignored for openstack-swift as it is for the python
SDK and druid uses the java SDK.

The jackson-databind:2.4.0 CVEs via htrace-core4 are all suppressed for
now as fixing them requires updating the hadoop version.
2020-03-10 10:55:41 -07:00
Chi Cao Minh 5d05b40e6d
Remove druid incubating references (#9405) 2020-02-26 21:47:58 -08:00
Chi Cao Minh 3f848e6a7c
Suppress CVE-2020-8840 for htrace-core-4.0.1 (#9379)
CVE-2020-8840 was updated on 19 Feb 2020, which now gets flagged by the
security vulnerability scan. Since the CVE is for jackson-databind, via
htrace-core-4.0.1, it can be added to the existing list of security
vulnerability suppressions for that dependency.
2020-02-21 11:05:00 -08:00
zachjsh 74ac9151c9
Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 (#9300)
* Suppress netty 3 vulnerabilites and upgrade netty 4 version

* Upgrade netty 4 version to fix vulnerabilities CVE-2019-20445
  and CVE-2019-20444
* suppress these CVEs for netty 3

* * simplify suppression xml file
* update licenses file with new version of netty

* * fix type in licenses.yaml
2020-01-31 14:51:54 -08:00
Chi Cao Minh b2877119d0 Suppress CVE-2019-20330 for htrace-core-4.0.1 (#9189)
CVE-2019-20330 was updated on 14 Jan 2020, which now gets flagged by the
security vulnerability scan. Since the CVE is for jackson-databind, via
htrace-core-4.0.1, it can be added to the existing list of security
vulnerability suppressions for that dependency.
2020-01-14 21:15:24 -08:00
Chi Cao Minh af74acaa85 Address security vulnerabilities CVSS >= 7 (#8980)
* Address security vulnerabilities CVSS >= 7

Update dependencies to address security vulnerabilities with CVSS scores
of 7 or higher. A new Travis CI job is added to prevent new
high/critical security vulnerabilities from being added.

Updated dependencies:
- api-util 1.0.0 -> 1.0.3
- jackson 2.9.10 -> 2.10.1
- kafka 2.1.0 -> 2.1.1
- libthrift 0.10.0 -> 0.13.0
- protobuf 3.2.0 -> 3.11.0

The following high/critical security vulnerabilities are currently
suppressed (so that the new Travis CI job can be added now) and are left
as future work to fix:
- hibernate-validator:5.2.5
- jackson-mapper-asl:1.9.13
- libthrift:0.6.1
- netty:3.10.6
- nimbus-jose-jwt:4.41.1

* Rename EDL1 license file

* Fix inspection errors
2019-12-05 14:34:35 -08:00