CVE Fix: Update json-path version #15772
Merged
xvrl merged 13 commits into apache:master from Feb 15, 2024
Conversation
Updating to latest master (3ad578d to 7334c7f)
xvrl reviewed Jan 30, 2024
Comment on lines +317 to +318:
    //Support for append has been added in json-path-2.9.0
    //Assert.assertEquals(Collections.emptyList(), row.getDimension("append"));
xvrl (Member):
if append is now supported, then let's update the test to check that it does what it needs to do.
Author (Contributor):
row.getDimension("append") results in java.lang.UnsupportedOperationException: Unused coming from
Author (Contributor):
Therefore, while the upstream has added the capability of append, we are not using it.
xvrl (Member):
understood, but there are two issues here:
- as a principle we don't leave commented code unless there's a very good reason.
- This is potentially a breaking change. Any json-path expression using append today would have silently been ignored, but would now cause an error.
My suggestion would be to:
- update the test to check that we do get the exception
- make a note in the PR description that we should call this out in the release notes as a potential issue to watch out for when upgrading.
xvrl reviewed Jan 30, 2024
xvrl reviewed Feb 7, 2024
xvrl reviewed Feb 8, 2024
…data/input/orc/OrcReaderTest.java Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
…data/input/orc/OrcReaderTest.java Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
xvrl (Member):
I tried rerunning the flaky test. Didn't seem to help. Since the failure doesn't appear to be related I'm ok merging this.
xvrl approved these changes Feb 15, 2024
pagrawal10 added a commit to confluentinc/druid that referenced this pull request, Feb 15, 2024:
Apache Druid brings the dependency json-path which is affected by CVE-2023-51074. Its latest version 2.9.0 fixes the above CVE. Append function has been added to json-path and so the unit test to check for the append function not present has been updated.
---------
Co-authored-by: Xavier Léauté <xvrl@apache.org>
sreemanamala pushed a commit to sreemanamala/druid that referenced this pull request, Feb 20, 2024:
Apache Druid brings the dependency json-path which is affected by CVE-2023-51074. Its latest version 2.9.0 fixes the above CVE. Append function has been added to json-path and so the unit test to check for the append function not present has been updated.
---------
Co-authored-by: Xavier Léauté <xvrl@apache.org>
pagrawal10 added a commit to confluentinc/druid that referenced this pull request, Mar 8, 2024:
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)
  * Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
  * add CVE suppression and notes, since vulnerability scan still shows this CVE
  * Add tests to improve coverage
* CVE Fix: Update json-path version (apache#15772)
  Apache Druid brings the dependency json-path which is affected by CVE-2023-51074. Its latest version 2.9.0 fixes the above CVE. Append function has been added to json-path and so the unit test to check for the append function not present has been updated.
  ---------
  Co-authored-by: Xavier Léauté <xvrl@apache.org>
* Update protocol for MemcachedCache (apache#16035)
---------
Co-authored-by: Keerthana Srikanth <ksrikanth@confluent.io>
Co-authored-by: Xavier Léauté <xvrl@apache.org>
Description
Apache Druid brings the dependency json-path which is affected by CVE-2023-51074.
Its latest version 2.9.0 fixes the above CVE.
This PR modifies the pom file, the license file, OrcReaderTest and the OWASP Dependency Check suppression file.
The append function has been added to json-path, and so the unit test checking that the append function is not present has been removed.
Release Note:
The JSON-Path upgrade now allows append functionality. However, we do not support the json-path append function for the ORC format (see #11722). Earlier, if the user tried to use the JsonPath function append, it would not have appended the item, but now the same function will return an exception. We are overriding the parse function used when append is invoked. So, row.getDimension("append") results in java.lang.UnsupportedOperationException: Unused coming from
druid/processing/src/main/java/org/apache/druid/java/util/common/parsers/FlattenerJsonProvider.java
This is a potential issue to watch out for when upgrading.
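The reviewer's suggestion earlier in the thread (replace the commented-out assertion with a test that expects the exception) and the release note's explanation (the parse method json-path calls when append is invoked is overridden) can be demonstrated outside Druid. The JUnit 4 test below is an added example, not code from this PR or from Druid: it assumes json-path 2.9.0 and JUnit 4.13's assertThrows, and NoParseProvider, the "values" field and sampleRow() are constructed stand-ins for FlattenerJsonProvider and an already-parsed ORC row, not Druid classes. The second test goes beyond the PR by showing the same expression against json-path's default provider, where append really does append, so the behaviour difference that the release note warns about is visible side by side.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThrows;

import com.jayway.jsonpath.Configuration;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.spi.json.AbstractJsonProvider;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.junit.Test;

public class AppendBehaviourPinTest
{
  // Hypothetical stand-in (not Druid's FlattenerJsonProvider): the rows it
  // navigates are already in-memory Maps, so parsing JSON text is "Unused".
  static final class NoParseProvider extends AbstractJsonProvider
  {
    @Override
    public Object parse(String json)
    {
      throw new UnsupportedOperationException("Unused");
    }

    @Override
    public Object parse(InputStream jsonStream, String charset)
    {
      throw new UnsupportedOperationException("Unused");
    }

    @Override
    public String toJson(Object obj)
    {
      throw new UnsupportedOperationException("Unused");
    }

    @Override
    public Object createArray()
    {
      return new ArrayList<Object>();
    }

    @Override
    public Object createMap()
    {
      return new HashMap<String, Object>();
    }
  }

  // Constructed sample row: one array field, as a flattener would see it.
  private static Map<String, Object> sampleRow()
  {
    Map<String, Object> row = new HashMap<>();
    row.put("values", new ArrayList<>(Arrays.asList(1, 2)));
    return row;
  }

  @Test
  public void appendWithNoParseProviderThrows()
  {
    Configuration conf = Configuration.builder().jsonProvider(new NoParseProvider()).build();
    // The literal argument 3 is a JSON parameter; json-path hands it to
    // JsonProvider.parse() when append runs, which is the overridden method.
    UnsupportedOperationException e = assertThrows(
        UnsupportedOperationException.class,
        () -> JsonPath.using(conf).parse(sampleRow()).read("$.values.append(3)")
    );
    assertEquals("Unused", e.getMessage());
  }

  @Test
  public void appendWithDefaultProviderAppends()
  {
    // Same expression with json-path's default provider: the item is appended.
    List<?> result = JsonPath.read("{\"values\":[1,2]}", "$.values.append(3)");
    assertEquals(3, result.size());
  }
}
```

Pinning the exception in a test (rather than deleting the old assertion) is what turns the upgrade's silent-to-error change into a documented contract: if a later json-path or provider change makes append start working for these rows, the first test fails and the release note has to be revisited.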
This PR has: