Commit Graph

80 Commits

Author SHA1 Message Date
Jihoon Son 691e26d242
Suppress CVE-2021-43138 (#12437)
* Suppress CVE-2021-43138

* revert netty 3.10.5.Final
2022-04-18 20:00:06 -07:00
Abhishek Agarwal 7bdb9ebdf1
Suppress Avro CVEs (#12166) 2022-01-18 21:09:48 +05:30
Karan Kumar 90640bb316
Support for hadoop 3 via maven profiles (#11794)
Add support for hadoop 3 profiles . Most of the details are captured in #11791 .
We use a combination of maven profiles and resource filtering to achieve this. Hadoop2 is supported by default and a new maven profile with the name hadoop3 is created. This will allow the user to choose the profile which is best suited for the use case.
2021-10-30 22:46:24 +05:30
Jihoon Son 07a232d7b4
Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 (#11844)
* bump netty4 to 4.1.68

* suppress CVE-2021-37136 and CVE-2021-37137 for netty3

* license
2021-10-25 21:09:15 -07:00
Clint Wylie 335b582377
suppress hive-storage-api thrift security vulnerability (#11753) 2021-09-28 23:54:13 -07:00
Clint Wylie 6b959f09e5
suppress false positive cve (#11699)
* suppress false positive cve

* update comment, dont run tests on changes to owasp-dependency-check-suppressions.xml
2021-09-13 20:45:38 -07:00
Jonathan Wei 2a6421d0d9
Suppress CVEs for jdom2, kafka-clients, libthrift, solr-solrj (#11572) 2021-08-11 15:46:57 +05:30
Abhishek Agarwal 2eff0902aa
suppress kafka-clients CVE (#11562)
The CVE details are here - https://nvd.nist.gov/vuln/detail/CVE-2021-26291. I am marking it suppressed since we are only using kafka-clients jar in druid. We use maven-artifact jar ourselves but it is only used for comparing versions
2021-08-09 19:02:25 +05:30
zachjsh 73711a456a
Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)
Dependency on hadoop 2.8.5 is preventing us form updating this dependency to a later version. We don't believe that this is a major concern since Druid eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion jobs, which can only be run by admin type users.
2021-07-12 22:58:06 -04:00
Clint Wylie 4a3c834ecf
i dig the optimism, but need more time (#11250) 2021-05-13 11:16:10 -07:00
Maytas Monsereenusorn 351059ca43
Suppressing false positive CVE-2020-7791 (#11215)
* suppressing false positive CVE-2020-7791

* add comments
2021-05-06 15:24:12 -07:00
Suneet Saldanha c86178aaeb
Suppress CVE in libthrift (#11093) 2021-04-12 18:13:42 -07:00
Jihoon Son efc5d7d112
Suppress CVEs for Solr and org.codehaus.jackson (#11030)
* Suppress CVEs for Solr and org.codehaus.jackson

* add a comment
2021-03-24 16:44:05 -07:00
Clint Wylie 694605e815
suppress (#11002) 2021-03-16 18:17:57 -07:00
Abhishek Agarwal 7d9a61cf7f
Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15o (#10933) 2021-03-02 16:18:27 -08:00
Jihoon Son ad946559bf
Suppress CVE-2020-9492 for hadoop-mapreduce-client-core (#10847) 2021-02-03 15:54:25 -08:00
Jonathan Wei a1a49811d9
Address CVE-2020-8570, suppress CVE-2020-8554 (#10826)
* Address CVE-2020-8570, suppress CVE-2020-8554

* Update licenses.yaml
2021-02-03 15:17:06 -08:00
Jonathan Wei 0aa2a8e2c6
Suppress CVE-2018-11765 for hadoop dependencies (#10485) 2020-10-07 21:55:34 -07:00
Chi Cao Minh 176b715624
Ignore CVEs from htrace and ambari transitive deps (#10353)
* Ignore CVEs from htrace and ambari transitive deps

htrace CVEs are suppressed for now as addressing them requires updating
the hadoop version.

ambari CVEs are suppressed for now since ambari is updated to the latest
version and is no longer actively maintained.

* Fix compilation issue from ambari upgrade

* Add missing test coverage
2020-09-04 15:22:26 -07:00
Suneet Saldanha 2f28be3f2a
Suppress CVE-2020-7692 (#10214)
Druid is not a native app, so this CVE should not apply.
2020-07-27 10:52:44 -07:00
Chi Cao Minh fd6fffc4b8
Suppress CVEs for openstack-keystone (#9903)
CVE-2020-12689, CVE-2020-12691, and CVE-2020-12690 can be ignored for
openstack-keystone as they are for the python SDK and druid uses the
java SDK.
2020-05-22 10:32:17 -07:00
bolkedebruin ab5ac7f890
Document possible vulnerabilities for the druid-ranger-security (#9649)
* Document possible vulnerabilities for the druid-ranger-security

In certain configurations the ranger plugin can expose vulnerabilities due
to some of its dependencies having CVEs.

* Spelling checker is a bit tight
2020-04-09 10:43:11 -07:00
Chi Cao Minh b5419962f0
Suppress CVEs for jackson-mapper-asl:1.9.13 (#9604)
The jackson-mapper-asl:1.9.13 CVEs via curator-x-discovery are all
suppressed for now as fixing them requires updating the curator version.
2020-04-03 10:33:52 -07:00
Chi Cao Minh 100d587583
Suppress CWE-400 for node-sass:4.13.1 (#9517)
The vulnerability is fixed in 4.13.1:
https://github.com/sass/node-sass/issues/2816#issuecomment-575136455

But the dependency check plugin thinks its still broken as the
affected/fixed versions has not been updated yet on Sonatype OSS Index:
https://ossindex.sonatype.org/vuln/c97f4ae7-be1f-4f71-b238-7c095b126e74
2020-03-16 09:42:33 -07:00
Chi Cao Minh 559c7b64cc
Suppress CVEs for htrace-core4 and openstack-swift (#9489)
CVE-2013-7109 can be ignored for openstack-swift as it is for the python
SDK and druid uses the java SDK.

The jackson-databind:2.4.0 CVEs via htrace-core4 are all suppressed for
now as fixing them requires updating the hadoop version.
2020-03-10 10:55:41 -07:00
Chi Cao Minh 5d05b40e6d
Remove druid incubating references (#9405) 2020-02-26 21:47:58 -08:00
Chi Cao Minh 3f848e6a7c
Suppress CVE-2020-8840 for htrace-core-4.0.1 (#9379)
CVE-2020-8840 was updated on 19 Feb 2020, which now gets flagged by the
security vulnerability scan. Since the CVE is for jackson-databind, via
htrace-core-4.0.1, it can be added to the existing list of security
vulnerability suppressions for that dependency.
2020-02-21 11:05:00 -08:00
zachjsh 74ac9151c9
Fix / suppress netty CVEs CVE-2019-20445 and CVE-2019-20444 (#9300)
* Suppress netty 3 vulnerabilites and upgrade netty 4 version

* Upgrade netty 4 version to fix vulnerabilities CVE-2019-20445
  and CVE-2019-20444
* suppress these CVEs for netty 3

* * simplify suppression xml file
* update licenses file with new version of netty

* * fix type in licenses.yaml
2020-01-31 14:51:54 -08:00
Chi Cao Minh b2877119d0 Suppress CVE-2019-20330 for htrace-core-4.0.1 (#9189)
CVE-2019-20330 was updated on 14 Jan 2020, which now gets flagged by the
security vulnerability scan. Since the CVE is for jackson-databind, via
htrace-core-4.0.1, it can be added to the existing list of security
vulnerability suppressions for that dependency.
2020-01-14 21:15:24 -08:00
Chi Cao Minh af74acaa85 Address security vulnerabilities CVSS >= 7 (#8980)
* Address security vulnerabilities CVSS >= 7

Update dependencies to address security vulnerabilities with CVSS scores
of 7 or higher. A new Travis CI job is added to prevent new
high/critical security vulnerabilities from being added.

Updated dependencies:
- api-util 1.0.0 -> 1.0.3
- jackson 2.9.10 -> 2.10.1
- kafka 2.1.0 -> 2.1.1
- libthrift 0.10.0 -> 0.13.0
- protobuf 3.2.0 -> 3.11.0

The following high/critical security vulnerabilities are currently
suppressed (so that the new Travis CI job can be added now) and are left
as future work to fix:
- hibernate-validator:5.2.5
- jackson-mapper-asl:1.9.13
- libthrift:0.6.1
- netty:3.10.6
- nimbus-jose-jwt:4.41.1

* Rename EDL1 license file

* Fix inspection errors
2019-12-05 14:34:35 -08:00