mirror of
https://github.com/apache/druid.git
synced 2025-02-10 03:55:02 +00:00
6aad9b08dd
Fixed vulnerabilities CVE-2021-26291 : Apache Maven is vulnerable to Man-in-the-Middle (MitM) attacks. Various functions across several files, mentioned below, allow for custom repositories to use the insecure HTTP protocol. An attacker can exploit this as part of a Man-in-the-Middle (MitM) attack, taking over or impersonating a repository using the insecure HTTP protocol. Unsuspecting users may then have the compromised repository defined as a dependency in their Project Object Model (pom) file and download potentially malicious files from it. Was fixed by removing outdated tesla-aether library containing vulnerable maven-settings (v3.1.1) package, pull-deps utility updated to use maven resolver instead. sonatype-2020-0244 : The joni package is vulnerable to Man-in-the-Middle (MitM) attacks. This project downloads dependencies over HTTP due to an insecure repository configuration within the .pom file. Consequently, a MitM could intercept requests to the specified repository and replace the requested dependencies with malicious versions, which can execute arbitrary code from the application that was built with them. Was fixed by upgrading joni package to recommended 2.1.34 version
526 lines
19 KiB
XML
526 lines
19 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
~ Licensed to the Apache Software Foundation (ASF) under one
|
|
~ or more contributor license agreements. See the NOTICE file
|
|
~ distributed with this work for additional information
|
|
~ regarding copyright ownership. The ASF licenses this file
|
|
~ to you under the Apache License, Version 2.0 (the
|
|
~ "License"); you may not use this file except in compliance
|
|
~ with the License. You may obtain a copy of the License at
|
|
~
|
|
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
~
|
|
~ Unless required by applicable law or agreed to in writing,
|
|
~ software distributed under the License is distributed on an
|
|
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
~ KIND, either express or implied. See the License for the
|
|
~ specific language governing permissions and limitations
|
|
~ under the License.
|
|
-->
|
|
|
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
|
<modelVersion>4.0.0</modelVersion>
|
|
|
|
<artifactId>druid-server</artifactId>
|
|
<name>druid-server</name>
|
|
<description>Druid Server</description>
|
|
|
|
<parent>
|
|
<groupId>org.apache.druid</groupId>
|
|
<artifactId>druid</artifactId>
|
|
<version>32.0.0-SNAPSHOT</version>
|
|
</parent>
|
|
|
|
<dependencies>
|
|
<dependency>
|
|
<groupId>org.apache.druid</groupId>
|
|
<artifactId>druid-processing</artifactId>
|
|
<version>${project.parent.version}</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.druid</groupId>
|
|
<artifactId>druid-aws-common</artifactId>
|
|
<version>${project.parent.version}</version>
|
|
<scope>runtime</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.druid</groupId>
|
|
<artifactId>druid-gcp-common</artifactId>
|
|
<version>${project.parent.version}</version>
|
|
<scope>runtime</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.http-client</groupId>
|
|
<artifactId>google-http-client</artifactId>
|
|
<scope>runtime</scope>
|
|
</dependency>
|
|
|
|
<dependency>
|
|
<groupId>jakarta.inject</groupId>
|
|
<artifactId>jakarta.inject-api</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.zookeeper</groupId>
|
|
<artifactId>zookeeper</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.zookeeper</groupId>
|
|
<artifactId>zookeeper-jute</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.xerial.snappy</groupId>
|
|
<artifactId>snappy-java</artifactId>
|
|
<scope>runtime</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.curator</groupId>
|
|
<artifactId>curator-framework</artifactId>
|
|
<!-- We use log4j2 and log4j-1.2-api as a bridge -->
|
|
<exclusions>
|
|
<exclusion>
|
|
<artifactId>log4j</artifactId>
|
|
<groupId>log4j</groupId>
|
|
</exclusion>
|
|
</exclusions>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.curator</groupId>
|
|
<artifactId>curator-x-discovery</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.fasterxml.jackson.jaxrs</groupId>
|
|
<artifactId>jackson-jaxrs-json-provider</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.fasterxml.jackson.jaxrs</groupId>
|
|
<artifactId>jackson-jaxrs-smile-provider</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.fasterxml.jackson.dataformat</groupId>
|
|
<artifactId>jackson-dataformat-smile</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.sun.jersey</groupId>
|
|
<artifactId>jersey-server</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.sun.jersey</groupId>
|
|
<artifactId>jersey-core</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.inject.extensions</groupId>
|
|
<artifactId>guice-multibindings</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.inject.extensions</groupId>
|
|
<artifactId>guice-servlet</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.sun.jersey.contribs</groupId>
|
|
<artifactId>jersey-guice</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-server</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-util</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-proxy</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-rewrite</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.code.findbugs</groupId>
|
|
<artifactId>jsr305</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.maven.resolver</groupId>
|
|
<artifactId>maven-resolver-connector-basic</artifactId>
|
|
<version>1.3.1</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.maven.resolver</groupId>
|
|
<artifactId>maven-resolver-transport-http</artifactId>
|
|
<version>1.3.1</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.maven</groupId>
|
|
<artifactId>maven-resolver-provider</artifactId>
|
|
<version>3.6.0</version>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.amazonaws</groupId>
|
|
<artifactId>elasticache-java-cluster-client</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.lz4</groupId>
|
|
<artifactId>lz4-java</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-servlet</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-servlets</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.derby</groupId>
|
|
<artifactId>derby</artifactId>
|
|
<scope>runtime</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.derby</groupId>
|
|
<artifactId>derbynet</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.derby</groupId>
|
|
<artifactId>derbyclient</artifactId>
|
|
<scope>runtime</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.commons</groupId>
|
|
<artifactId>commons-math3</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>it.unimi.dsi</groupId>
|
|
<artifactId>fastutil-core</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.github.ben-manes.caffeine</groupId>
|
|
<artifactId>caffeine</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.jdbi</groupId>
|
|
<artifactId>jdbi</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>io.netty</groupId>
|
|
<artifactId>netty</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.commons</groupId>
|
|
<artifactId>commons-dbcp2</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.logging.log4j</groupId>
|
|
<artifactId>log4j-api</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.logging.log4j</groupId>
|
|
<artifactId>log4j-core</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.fasterxml.jackson.datatype</groupId>
|
|
<artifactId>jackson-datatype-joda</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.asynchttpclient</groupId>
|
|
<artifactId>async-http-client</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.curator</groupId>
|
|
<artifactId>curator-client</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.inject</groupId>
|
|
<artifactId>guice</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>commons-codec</groupId>
|
|
<artifactId>commons-codec</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-io</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>io.netty</groupId>
|
|
<artifactId>netty-common</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>io.netty</groupId>
|
|
<artifactId>netty-handler</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.guava</groupId>
|
|
<artifactId>guava</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.skife.config</groupId>
|
|
<artifactId>config-magic</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.curator</groupId>
|
|
<artifactId>curator-recipes</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.sun.jersey</groupId>
|
|
<artifactId>jersey-servlet</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>commons-io</groupId>
|
|
<artifactId>commons-io</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.fasterxml.jackson.core</groupId>
|
|
<artifactId>jackson-annotations</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>joda-time</groupId>
|
|
<artifactId>joda-time</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.fasterxml.jackson.core</groupId>
|
|
<artifactId>jackson-databind</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-client</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>javax.ws.rs</groupId>
|
|
<artifactId>jsr311-api</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>javax.servlet</groupId>
|
|
<artifactId>javax.servlet-api</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.fasterxml.jackson.core</groupId>
|
|
<artifactId>jackson-core</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.eclipse.jetty</groupId>
|
|
<artifactId>jetty-http</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>jakarta.validation</groupId>
|
|
<artifactId>jakarta.validation-api</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.errorprone</groupId>
|
|
<artifactId>error_prone_annotations</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>commons-lang</groupId>
|
|
<artifactId>commons-lang</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.slf4j</groupId>
|
|
<artifactId>slf4j-api</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>io.github.resilience4j</groupId>
|
|
<artifactId>resilience4j-bulkhead</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>io.timeandspace</groupId>
|
|
<artifactId>cron-scheduler</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.fasterxml.jackson.module</groupId>
|
|
<artifactId>jackson-module-guice</artifactId>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.commons</groupId>
|
|
<artifactId>commons-lang3</artifactId>
|
|
</dependency>
|
|
|
|
<!-- Tests -->
|
|
<dependency>
|
|
<groupId>junit</groupId>
|
|
<artifactId>junit</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.junit.jupiter</groupId>
|
|
<artifactId>junit-jupiter-api</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.junit.jupiter</groupId>
|
|
<artifactId>junit-jupiter-engine</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.junit.jupiter</groupId>
|
|
<artifactId>junit-jupiter-migrationsupport</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.junit.jupiter</groupId>
|
|
<artifactId>junit-jupiter-params</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.junit.vintage</groupId>
|
|
<artifactId>junit-vintage-engine</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.mockito</groupId>
|
|
<artifactId>mockito-core</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.hamcrest</groupId>
|
|
<artifactId>hamcrest-all</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.hamcrest</groupId>
|
|
<artifactId>hamcrest-core</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.carrotsearch</groupId>
|
|
<artifactId>junit-benchmarks</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.easymock</groupId>
|
|
<artifactId>easymock</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.druid</groupId>
|
|
<artifactId>druid-processing</artifactId>
|
|
<version>${project.parent.version}</version>
|
|
<type>test-jar</type>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.curator</groupId>
|
|
<artifactId>curator-test</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.google.caliper</groupId>
|
|
<artifactId>caliper</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.sun.jersey.jersey-test-framework</groupId>
|
|
<artifactId>jersey-test-framework-core</artifactId>
|
|
<version>${jersey.version}</version>
|
|
<scope>test</scope>
|
|
<exclusions>
|
|
<exclusion>
|
|
<groupId>javax.servlet</groupId>
|
|
<artifactId>javax.servlet-api</artifactId>
|
|
</exclusion>
|
|
</exclusions>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.sun.jersey.jersey-test-framework</groupId>
|
|
<artifactId>jersey-test-framework-grizzly2</artifactId>
|
|
<version>${jersey.version}</version>
|
|
<scope>test</scope>
|
|
<exclusions>
|
|
<exclusion>
|
|
<groupId>javax.servlet</groupId>
|
|
<artifactId>javax.servlet-api</artifactId>
|
|
</exclusion>
|
|
</exclusions>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>pl.pragmatists</groupId>
|
|
<artifactId>JUnitParams</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.github.stefanbirkner</groupId>
|
|
<artifactId>system-rules</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.sun.jersey</groupId>
|
|
<artifactId>jersey-grizzly2</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>com.sun.jersey</groupId>
|
|
<artifactId>jersey-client</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.glassfish.grizzly</groupId>
|
|
<artifactId>grizzly-http-server</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.httpcomponents</groupId>
|
|
<artifactId>httpcore</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.assertj</groupId>
|
|
<artifactId>assertj-core</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>nl.jqno.equalsverifier</groupId>
|
|
<artifactId>equalsverifier</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
<dependency>
|
|
<groupId>org.apache.commons</groupId>
|
|
<artifactId>commons-text</artifactId>
|
|
<scope>test</scope>
|
|
</dependency>
|
|
</dependencies>
|
|
|
|
<build>
|
|
<plugins>
|
|
<plugin>
|
|
<groupId>org.jacoco</groupId>
|
|
<artifactId>jacoco-maven-plugin</artifactId>
|
|
<configuration>
|
|
<excludes>
|
|
<!-- There are UTs for this class but it is very difficult to get required branch coverage -->
|
|
<exclude>org/apache/druid/metadata/BasicDataSourceExt.class</exclude>
|
|
<!-- Tested in the SQL layer, but, oddly, not in this module. -->
|
|
<exclude>org/apache/druid/server/QueryResponse.class</exclude>
|
|
<exclude>org/apache/druid/curator/CuratorModule.class</exclude>
|
|
<!-- Guice providers where unit tests would be tightly-coupled and not useful -->
|
|
<exclude>org/apache/druid/server/SubqueryGuardrailHelperProvider.class</exclude>
|
|
</excludes>
|
|
</configuration>
|
|
</plugin>
|
|
<plugin>
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
<artifactId>maven-jar-plugin</artifactId>
|
|
<executions>
|
|
<execution>
|
|
<goals>
|
|
<goal>test-jar</goal>
|
|
</goals>
|
|
</execution>
|
|
</executions>
|
|
</plugin>
|
|
<plugin>
|
|
<groupId>org.apache.maven.plugins</groupId>
|
|
<artifactId>maven-dependency-plugin</artifactId>
|
|
<configuration>
|
|
<usedDependencies>
|
|
<!-- These are needed for scope: compile -->
|
|
<dependency>org.apache.maven:maven-resolver-provider</dependency>
|
|
<dependency>org.apache.maven.resolver:maven-resolver-transport-http</dependency>
|
|
<dependency>org.apache.maven.resolver:maven-resolver-connector-basic</dependency>
|
|
<!-- These are needed for scope: runtime -->
|
|
<dependency>org.xerial.snappy:snappy-java</dependency>
|
|
</usedDependencies>
|
|
</configuration>
|
|
</plugin>
|
|
</plugins>
|
|
</build>
|
|
|
|
</project>
|