From bf7d5a24dc2b3cde666ab12b117cff2d63af4ed1 Mon Sep 17 00:00:00 2001
From: Jonathan Wei <jon-wei@users.noreply.github.com>
Date: Wed, 3 Feb 2021 15:17:06 -0800
Subject: [PATCH 1/8] Address CVE-2020-8570, suppress CVE-2020-8554 (#10826)

* Address CVE-2020-8570, suppress CVE-2020-8554

* Update licenses.yaml
---
 extensions-core/kubernetes-extensions/pom.xml |  2 +-
 licenses.yaml                                 |  8 ++++----
 owasp-dependency-check-suppressions.xml       | 11 +++++++++++
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/extensions-core/kubernetes-extensions/pom.xml b/extensions-core/kubernetes-extensions/pom.xml
index a22c3dd13a6f..d6683135972e 100644
--- a/extensions-core/kubernetes-extensions/pom.xml
+++ b/extensions-core/kubernetes-extensions/pom.xml
@@ -35,7 +35,7 @@
   </parent>
 
   <properties>
-    <kubernetes.client.version>10.0.0</kubernetes.client.version>
+    <kubernetes.client.version>10.0.1</kubernetes.client.version>
   </properties>
 
   <dependencies>
diff --git a/licenses.yaml b/licenses.yaml
index 2759bf296182..697060a2fc43 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -841,7 +841,7 @@ name: kubernetes official java client
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
 libraries:
   - io.kubernetes: client-java
 
@@ -851,7 +851,7 @@ name: kubernetes official java client api
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
 libraries:
   - io.kubernetes: client-java-api
 
@@ -861,7 +861,7 @@ name: kubernetes official java client extended
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
 libraries:
   - io.kubernetes: client-java-extended
 
@@ -981,7 +981,7 @@ name: io.kubernetes client-java-proto
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 10.0.0
+version: 10.0.1
 libraries:
   - io.kubernetes: client-java-proto
 
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 6a532efff750..4e3ea3f04ac4 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -58,6 +58,17 @@
     <cve>CVE-2020-12691</cve>
   </suppress>
 
+
+  <suppress>
+    <!-- Not much for us to do as a user of the client lib, and no patch is available,
+     see https://github.com/kubernetes/kubernetes/issues/97076 -->
+    <notes><![CDATA[
+   file name: client-java-10.0.1.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java.*@10.0.1$</packageUrl>
+    <cve>CVE-2020-8554</cve>
+  </suppress>
+
   <!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
   <suppress>
     <!--

From f35a2e976dbc2c271a4d10b674b544a04592fc3d Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Wed, 3 Feb 2021 15:54:25 -0800
Subject: [PATCH 2/8] Suppress CVE-2020-9492 for hadoop-mapreduce-client-core
 (#10847)

---
 owasp-dependency-check-suppressions.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 4e3ea3f04ac4..aba002c03b37 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -298,5 +298,6 @@
      ]]></notes>
      <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@.*$</packageUrl>
      <cve>CVE-2018-11765</cve>
+     <cve>CVE-2020-9492</cve>
   </suppress>
 </suppressions>

From 58e38f446f33e340db34125d9bd862d31907762f Mon Sep 17 00:00:00 2001
From: Abhishek Agarwal <1477457+abhishekagarwal87@users.noreply.github.com>
Date: Wed, 3 Mar 2021 05:48:27 +0530
Subject: [PATCH 3/8] Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15o
 (#10933)

---
 extensions-core/kubernetes-extensions/pom.xml | 6 ++++++
 licenses.yaml                                 | 2 +-
 owasp-dependency-check-suppressions.xml       | 7 +++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/extensions-core/kubernetes-extensions/pom.xml b/extensions-core/kubernetes-extensions/pom.xml
index d6683135972e..b68e46dc3b9b 100644
--- a/extensions-core/kubernetes-extensions/pom.xml
+++ b/extensions-core/kubernetes-extensions/pom.xml
@@ -93,6 +93,12 @@
       <version>1.68</version>
       <scope>runtime</scope>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-ext-jdk15on</artifactId>
+      <version>1.68</version>
+      <scope>runtime</scope>
+    </dependency>
 
     <!-- others -->
     <dependency>
diff --git a/licenses.yaml b/licenses.yaml
index 697060a2fc43..15390436d0dc 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -1041,7 +1041,7 @@ name: org.bouncycastle bcprov-ext-jdk15on
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: MIT License
-version: 1.66
+version: 1.68
 libraries:
   - org.bouncycastle: bcprov-ext-jdk15on
 
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index aba002c03b37..b83a96ae924c 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -300,4 +300,11 @@
      <cve>CVE-2018-11765</cve>
      <cve>CVE-2020-9492</cve>
   </suppress>
+  <suppress>
+    <!-- We don't use scala compilation daemon. -->
+    <notes><![CDATA[
+     file name: kafka-clients-2.7.0.jar
+     ]]></notes>
+    <cve>CVE-2017-15288</cve>
+  </suppress>
 </suppressions>

From 3e6d06e73e4ade06948cd2c9fc71f69ef978c47f Mon Sep 17 00:00:00 2001
From: Clint Wylie <cwylie@apache.org>
Date: Tue, 16 Mar 2021 18:17:57 -0700
Subject: [PATCH 4/8] suppress (#11002)

---
 owasp-dependency-check-suppressions.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index b83a96ae924c..957e7765733e 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -307,4 +307,12 @@
      ]]></notes>
     <cve>CVE-2017-15288</cve>
   </suppress>
+
+  <suppress>
+    <!-- (avro, parquet, integration-tests) we don't allow velocity templates to be uploaded by untrusted users -->
+    <notes><![CDATA[
+     file name: velocity-engine-core-2.2.jar:
+     ]]></notes>
+    <cve>CVE-2020-13936</cve>
+  </suppress>
 </suppressions>

From c241229fbe21a9a8d7d0796671335a90fb55d3a7 Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Wed, 24 Mar 2021 16:44:05 -0700
Subject: [PATCH 5/8] Suppress CVEs for Solr and org.codehaus.jackson (#11030)

* Suppress CVEs for Solr and org.codehaus.jackson

* add a comment
---
 owasp-dependency-check-suppressions.xml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 957e7765733e..8c55436b9151 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -315,4 +315,25 @@
      ]]></notes>
     <cve>CVE-2020-13936</cve>
   </suppress>
+
+  <suppress>
+     <!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
+     <notes><![CDATA[
+     file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
+     <cve>CVE-2018-14718</cve>
+     <cve>CVE-2018-7489</cve>
+  </suppress>
+
+  <suppress>
+     <notes><![CDATA[
+     file name: solr-solrj-7.7.1.jar
+     ]]></notes>
+     <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
+     <cve>CVE-2020-13957</cve>
+     <cve>CVE-2019-17558</cve>
+     <cve>CVE-2019-0193</cve>
+     <cve>CVE-2020-13941</cve>
+  </suppress>
 </suppressions>

From daa3284a0e804dadbcc132c71a0dd538367325bc Mon Sep 17 00:00:00 2001
From: Jonathan Wei <jon-wei@users.noreply.github.com>
Date: Tue, 6 Apr 2021 20:20:40 -0700
Subject: [PATCH 6/8] Upgrade jetty to 9.4.39.v20210325 (#11076)

---
 licenses.yaml | 2 +-
 pom.xml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/licenses.yaml b/licenses.yaml
index 15390436d0dc..ca3c3c652cad 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -1962,7 +1962,7 @@ name: Jetty
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 9.4.34.v20201102
+version: 9.4.39.v20210325
 libraries:
   - org.eclipse.jetty: jetty-client
   - org.eclipse.jetty: jetty-continuation
diff --git a/pom.xml b/pom.xml
index 812c2267eab9..657bd6ad82e9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -90,7 +90,7 @@
         <guava.version>16.0.1</guava.version>
         <guice.version>4.1.0</guice.version>
         <hamcrest.version>1.3</hamcrest.version>
-        <jetty.version>9.4.34.v20201102</jetty.version>
+        <jetty.version>9.4.39.v20210325</jetty.version>
         <jersey.version>1.19.3</jersey.version>
         <jackson.version>2.10.2</jackson.version>
         <jackson.databind.version>2.10.5.1</jackson.databind.version>

From b6f0ea19834adc10eb9132cb04d3dc4109767d40 Mon Sep 17 00:00:00 2001
From: Suneet Saldanha <suneet@apache.org>
Date: Mon, 12 Apr 2021 18:13:42 -0700
Subject: [PATCH 7/8] Suppress CVE in libthrift (#11093)

---
 owasp-dependency-check-suppressions.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 8c55436b9151..30147fbe7b7c 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -307,6 +307,13 @@
      ]]></notes>
     <cve>CVE-2017-15288</cve>
   </suppress>
+  <suppress until="2021-04-30">
+    <!-- Suppress this until https://github.com/apache/druid/issues/11028 is resolved. -->
+    <notes><![CDATA[
+     This vulnerability should be fixed soon and the suppression should be removed.
+     ]]></notes>
+    <cve>CVE-2020-13949</cve>
+  </suppress>
 
   <suppress>
     <!-- (avro, parquet, integration-tests) we don't allow velocity templates to be uploaded by untrusted users -->

From 57d24be994269bb929274cfe841dbc4696678eaa Mon Sep 17 00:00:00 2001
From: Jihoon Son <jihoonson@apache.org>
Date: Wed, 14 Apr 2021 17:28:44 -0700
Subject: [PATCH 8/8] add missing license

---
 licenses.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/licenses.yaml b/licenses.yaml
index ca3c3c652cad..ab9ae272ac51 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -1975,6 +1975,7 @@ libraries:
   - org.eclipse.jetty: jetty-servlet
   - org.eclipse.jetty: jetty-servlets
   - org.eclipse.jetty: jetty-util
+  - org.eclipse.jetty: jetty-util-ajax
 notice: |
   ==============================================================
    Jetty Web Container