Skip to content

[IO] Upgrade mariadb jdbc driver version to address vulnerabilities #14511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
lhotari wants to merge 1 commit into from
Closed

[IO] Upgrade mariadb jdbc driver version to address vulnerabilities #14511

lhotari wants to merge 1 commit into from

Conversation

@lhotari
Copy link
Member

@lhotari lhotari commented Mar 1, 2022
edited
Loading

Motivation

OWASP dependency check fails with this error:

Error:  mariadb-java-client-2.6.0.jar: CVE-2020-28912, CVE-2021-46668, CVE-2021-46669, CVE-2021-46666, CVE-2021-46667, CVE-2021-46664, CVE-2021-46665, CVE-2021-46662, CVE-2021-46663, CVE-2021-46661

Modifications

  • upgrade mariadb jdbc driver version to 3.0.3

@lhotari lhotari added area/connector area/security doc-not-needed Your PR changes do not impact docs labels Mar 1, 2022
@lhotari
Copy link
Member Author

lhotari commented Mar 1, 2022

It looks like a false positive, jeremylong/DependencyCheck#2863 . It seems that the check added by #13972 has never passed? @dlg99 Can you confirm?

@lhotari lhotari mentioned this pull request Mar 1, 2022
Merged
@dlg99
Copy link
Contributor

dlg99 commented Mar 2, 2022

@lhotari the check did pass before it was merged. The threat DB updates independently, sometimes several times a day and owasp plugin may misdetect something. If these are indeed false positives they can be suppressed https://github.com/apache/pulsar/blob/master/src/owasp-dependency-check-suppressions.xml

@dlg99
Copy link
Contributor

dlg99 commented Mar 2, 2022

I'll add that OWASP check had matched server vulnerabilities against client java libraries (e.g. clickhouse db server were matched to clickhouse-jdbc driver etc.) These happen due to too broadly matching patterns in the threat DB, if I understand correctly, and are safe to suppress.

dlg99
dlg99 requested changes Mar 2, 2022
View reviewed changes
Copy link
Contributor

@dlg99 dlg99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please suppress false positives for owasp check

@nodece
Copy link
Member

nodece commented Mar 8, 2022

Any updates?

nodece
nodece reviewed Mar 8, 2022
View reviewed changes
pom.xml
<postgresql-jdbc.version>42.2.25</postgresql-jdbc.version>
<clickhouse-jdbc.version>0.3.2</clickhouse-jdbc.version>
<mariadb-jdbc.version>2.6.0</mariadb-jdbc.version>
<mariadb-jdbc.version>3.0.3</mariadb-jdbc.version>
Copy link
Member

@nodece nodece Mar 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MariaDB Connector/J 3.0.3 is NOT fully compatible with the latest release of version 2.7.

Copy link
Member Author

@lhotari lhotari Mar 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nodece please elaborate more about the incompatibility.

Copy link
Member

@nodece nodece Mar 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The information from https://mariadb.com/kb/en/mariadb-connector-j-303-release-notes/.

NOTE: MariaDB Connector/J 3.0.3 is NOT fully compatible with the latest release of version 2.7.

@nodece nodece mentioned this pull request Mar 8, 2022
Merged
1 task
@lhotari
Copy link
Member Author

lhotari commented Mar 8, 2022

closing this since #14593 resolves the OWASP dependency check false alarm.

@lhotari lhotari closed this Mar 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nodece nodece nodece left review comments

@dlg99 dlg99 dlg99 requested changes

@nicoloboschi nicoloboschi nicoloboschi approved these changes

@eolivelli eolivelli Awaiting requested review from eolivelli

@michaeljmarshall michaeljmarshall Awaiting requested review from michaeljmarshall

Assignees

@lhotari lhotari

Labels

area/connector area/security doc-not-needed Your PR changes do not impact docs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lhotari @dlg99 @nodece @nicoloboschi