Skip to content

Backport security prs to 0.21.0 #11116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jihoonson merged 8 commits into from
Apr 15, 2021
Merged

Backport security prs to 0.21.0 #11116

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
bf7d5a2
Address CVE-2020-8570, suppress CVE-2020-8554 (#10826)
jon-wei Feb 3, 2021
f35a2e9
Suppress CVE-2020-9492 for hadoop-mapreduce-client-core (#10847)
jihoonson Feb 3, 2021
58e38f4
Suppress CVE-2017-15288 and upgrade bcprov-ext-jdk15o (#10933)
abhishekagarwal87 Mar 3, 2021
3e6d06e
suppress (#11002)
clintropolis Mar 17, 2021
c241229
Suppress CVEs for Solr and org.codehaus.jackson (#11030)
jihoonson Mar 24, 2021
daa3284
Upgrade jetty to 9.4.39.v20210325 (#11076)
jon-wei Apr 7, 2021
b6f0ea1
Suppress CVE in libthrift (#11093)
suneet-s Apr 13, 2021
57d24be
add missing license
jihoonson Apr 15, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion extensions-core/kubernetes-extensions/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
</parent>

<properties>
<kubernetes.client.version>10.0.0</kubernetes.client.version>
<kubernetes.client.version>10.0.1</kubernetes.client.version>
</properties>

<dependencies>
Expand Down Expand Up @@ -93,6 +93,12 @@
<version>1.68</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-ext-jdk15on</artifactId>
<version>1.68</version>
<scope>runtime</scope>
</dependency>

<!-- others -->
<dependency>
Expand Down
13 changes: 7 additions & 6 deletions licenses.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -841,7 +841,7 @@ name: kubernetes official java client
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 10.0.0
version: 10.0.1
libraries:
- io.kubernetes: client-java

Expand All @@ -851,7 +851,7 @@ name: kubernetes official java client api
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 10.0.0
version: 10.0.1
libraries:
- io.kubernetes: client-java-api

Expand All @@ -861,7 +861,7 @@ name: kubernetes official java client extended
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 10.0.0
version: 10.0.1
libraries:
- io.kubernetes: client-java-extended

Expand Down Expand Up @@ -981,7 +981,7 @@ name: io.kubernetes client-java-proto
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
version: 10.0.0
version: 10.0.1
libraries:
- io.kubernetes: client-java-proto

Expand Down Expand Up @@ -1041,7 +1041,7 @@ name: org.bouncycastle bcprov-ext-jdk15on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
version: 1.66
version: 1.68
libraries:
- org.bouncycastle: bcprov-ext-jdk15on

Expand Down Expand Up @@ -1962,7 +1962,7 @@ name: Jetty
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 9.4.34.v20201102
version: 9.4.39.v20210325
libraries:
- org.eclipse.jetty: jetty-client
- org.eclipse.jetty: jetty-continuation
Expand All @@ -1975,6 +1975,7 @@ libraries:
- org.eclipse.jetty: jetty-servlet
- org.eclipse.jetty: jetty-servlets
- org.eclipse.jetty: jetty-util
- org.eclipse.jetty: jetty-util-ajax
notice: |
==============================================================
Jetty Web Container
Expand Down
55 changes: 55 additions & 0 deletions owasp-dependency-check-suppressions.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,17 @@
<cve>CVE-2020-12691</cve>
</suppress>


<suppress>
<!-- Not much for us to do as a user of the client lib, and no patch is available,
see https://github.com/kubernetes/kubernetes/issues/97076 -->
<notes><![CDATA[
file name: client-java-10.0.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java.*@10.0.1$</packageUrl>
<cve>CVE-2020-8554</cve>
</suppress>

<!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
<suppress>
<!--
Expand Down Expand Up @@ -287,5 +298,49 @@
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@.*$</packageUrl>
<cve>CVE-2018-11765</cve>
<cve>CVE-2020-9492</cve>
</suppress>
<suppress>
<!-- We don't use scala compilation daemon. -->
<notes><![CDATA[
file name: kafka-clients-2.7.0.jar
]]></notes>
<cve>CVE-2017-15288</cve>
</suppress>
<suppress until="2021-04-30">
<!-- Suppress this until https://github.com/apache/druid/issues/11028 is resolved. -->
<notes><![CDATA[
This vulnerability should be fixed soon and the suppression should be removed.
]]></notes>
<cve>CVE-2020-13949</cve>
</suppress>

<suppress>
<!-- (avro, parquet, integration-tests) we don't allow velocity templates to be uploaded by untrusted users -->
<notes><![CDATA[
file name: velocity-engine-core-2.2.jar:
]]></notes>
<cve>CVE-2020-13936</cve>
</suppress>

<suppress>
<!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
<notes><![CDATA[
file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
<cve>CVE-2018-14718</cve>
<cve>CVE-2018-7489</cve>
</suppress>

<suppress>
<notes><![CDATA[
file name: solr-solrj-7.7.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
<cve>CVE-2020-13957</cve>
<cve>CVE-2019-17558</cve>
<cve>CVE-2019-0193</cve>
<cve>CVE-2020-13941</cve>
</suppress>
</suppressions>
2 changes: 1 addition & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@
<guava.version>16.0.1</guava.version>
<guice.version>4.1.0</guice.version>
<hamcrest.version>1.3</hamcrest.version>
<jetty.version>9.4.34.v20201102</jetty.version>
<jetty.version>9.4.39.v20210325</jetty.version>
<jersey.version>1.19.3</jersey.version>
<jackson.version>2.10.2</jackson.version>
<jackson.databind.version>2.10.5.1</jackson.databind.version>
Expand Down