Conversation
| <cve>CVE-2019-20445</cve> | ||
| <cve>CVE-2021-37136</cve> | ||
| <cve>CVE-2021-37137</cve> | ||
| </suppress> |
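Review bot: Deleting this suppress block (the netty CVEs CVE-2019-20445, CVE-2021-37136 and CVE-2021-37137 and their closing `</suppress>`) is only safe if netty-3.10.5.Final is absent from every module's dependency tree, not just the root project's; the aggregate run quoted below still reports those CVEs for the netty pom bundled inside ambari-metrics-common, so keep the suppression (or narrow it to that artifact's packageUrl) rather than removing it outright.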
This change seems unrelated?
When I ran the dependency check job on top of this PR I still got some failures
This PR also cleans up a stale suppression for netty-3.10.5.Final which we no longer use.
This part removed is what I mentioned in the PR description.
When I ran the dependency check job on top of this PR I still got some failures
What was the failure you saw? I guess it was the jackson-bind that should be fixed in #12411?
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] ambari-metrics-common-2.7.0.0.0.jar/META-INF/maven/io.netty/netty/pom.xml: CVE-2019-16869, CVE-2021-37136, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444
[ERROR] ambari-metrics-common-2.7.0.0.0.jar/META-INF/maven/org.apache.hadoop/hadoop-annotations/pom.xml: CVE-2022-26612
[ERROR] hadoop-yarn-server-common-2.8.5.jar: CVE-2022-26612
[ERROR] jackson-databind-2.10.5.1.jar: CVE-2020-36518
[ERROR] jackson-xc-1.9.13.jar: CVE-2020-36518
[ERROR] jedis-2.9.0.jar: CVE-2021-32626
[ERROR] log4j-1.2.17.jar: CVE-2021-4104, CVE-2020-9493, CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
[ERROR] pom.xml: CVE-2022-26612
[ERROR] pac4j-core-3.8.3.jar: CVE-2021-44878
[ERROR] parquet-jackson-1.12.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2020-36518
[ERROR] solr-solrj-7.7.1.jar: CVE-2021-44548
[ERROR]
[ERROR] See the dependency-check report for more details.
Hmm, it's strange. This is what I see.
$ mvn dependency-check:purge dependency-check:check
...
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] jackson-databind-2.10.5.1.jar: CVE-2020-36518
[ERROR]
[ERROR] See the dependency-check report for more details.
I see what's going on. I was using the same command of mvn dependency-check:check as what we are running on Travis. This command checks only the project dependencies. The command @suneet-s ran was mvn dependency-check:aggregate which checks the project dependencies as well as the dependencies of all child modules. This is why I missed the error about the netty 3.10.5.Final in Ambari. I reverted my change for the netty.
Looking at the GitHub history, we tried to change the command to mvn dependency-check:aggregate in #10883. But we reverted that change in #11709 because it was not correctly configured and blocking our release. I think we should use mvn dependency-check:aggregate again with a proper configuration such as skipTestScope to skip tests. This should be done in a separate PR.
Description
The Travis CI cron job flagged https://nvd.nist.gov/vuln/detail/CVE-2021-43138. This failure is a false alarm as the CVE is about the Async javascript library (https://github.com/caolan/async), not
async-http-client-netty-utils. Even though we do use the Async library for the web console development, I think we can still suppress this CVE as the Async library is a dev dependency. This PR also cleans up a stale suppression for netty-3.10.5.Final which we no longer use.
This PR has:
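As an added illustration (not the project's own suppressions file), this is how the false positive described above can be suppressed in an OWASP dependency-check suppression file while keeping the entry scoped to the single artifact it concerns; the Maven coordinates org.asynchttpclient/async-http-client-netty-utils are assumed here, so check them against the artifact the report names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's suppressions file.
     The packageUrl regex below assumes the artifact is published as
     org.asynchttpclient:async-http-client-netty-utils; adjust if the
     report shows different coordinates. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2021-43138 concerns the "async" JavaScript library
      (https://github.com/caolan/async), which is only a dev dependency of the
      web console, not async-http-client-netty-utils. Scoping the suppression
      to this one packageUrl (instead of suppressing the CVE globally) means a
      genuine advisory against any other artifact is still reported.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.asynchttpclient/async\-http\-client\-netty\-utils@.*$</packageUrl>
    <cve>CVE-2021-43138</cve>
  </suppress>
</suppressions>
```

Because dependency-check:check inspects only the root project's dependencies, re-run dependency-check:aggregate after editing the file to confirm the suppression also applies to the child modules.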