
Conversation

@nicoloboschi
Contributor

Motivation

After the ZK upgrade the OWASP check fails because ZK has a known vulnerability. The OWASP suppression targets ZK 3.6.2.

Modifications

  • Edited the ZK suppression to 3.8.0
  • no-need-doc

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Mar 9, 2022
@nicoloboschi nicoloboschi changed the title [owasp] Supress ZooKeeper 3.8.0 vulnerabilities [owasp] Suppress ZooKeeper 3.8.0 vulnerabilities Mar 9, 2022
Member

@lhotari lhotari left a comment


Would it be possible to target specific vulnerabilities? Ignoring all would cause it to ignore all new vulnerabilities too.

@eolivelli
Contributor

We released 3.8.0 last week and the OWASP checker passed (I actually cancelled one RC due to an OWASP check failure).

I am not aware of any security issue in ZooKeeper.

Please explain more.

Contributor

@eolivelli eolivelli left a comment


We should remove that exclusion altogether.

There is no reported CVE against Apache ZooKeeper 3.8.0.

@nicoloboschi
Contributor Author

I get this output:

zookeeper-3.8.0.jar (pkg:maven/org.apache.zookeeper/zookeeper@3.8.0, cpe:2.3:a:apache:zookeeper:3.8.0:*:*:*:*:*:*:*) : CVE-2021-28164, CVE-2021-29425, CVE-2021-34429
zookeeper-prometheus-metrics-3.8.0.jar (pkg:maven/org.apache.zookeeper/zookeeper-prometheus-metrics@3.8.0, cpe:2.3:a:apache:zookeeper:3.8.0:*:*:*:*:*:*:*, cpe:2.3:a:prometheus:prometheus:3.8.0:*:*:*:*:*:*:*) : CVE-2021-28164, CVE-2021-29425, CVE-2021-34429

For example:
https://nvd.nist.gov/vuln/detail/CVE-2021-34429#match-7614933
https://nvd.nist.gov/vuln/detail/CVE-2021-28164#match-7615085

@nicoloboschi
Contributor Author

nicoloboschi commented Mar 9, 2022

I checked and ZK doesn't contain the mentioned libraries. I don't know what the process for that is, but it is a ZooKeeper problem.
I will highlight the problem to the ZooKeeper maintainers (or @eolivelli, I'll let you proceed if you want).

For now I think we can keep the specific vulnerabilities; actually they are wrong (at a first glance at the ZK repo), so it makes sense to suppress them. BTW they are already suppressed now; this will unblock the CI.

@eolivelli
Contributor

eolivelli commented Mar 10, 2022

In the ZK project we added these exclusions due to false positives:
apache/zookeeper@3004c90

<suppress>
   <!-- Seems like false positives about zookeeper-jute -->
   <cve>CVE-2021-29425</cve>
   <cve>CVE-2021-28164</cve>
   <cve>CVE-2021-34429</cve>
</suppress>

So it is fine to add the same exclusions here.
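The review question earlier in the thread (target specific vulnerabilities rather than ignoring the whole artifact) and the ZooKeeper exclusions quoted just above can be put side by side in a single dependency-check suppression file. The following is an added example, not the suppression file from this PR or from the ZooKeeper project; it assumes the OWASP dependency-check suppression schema (the `packageUrl`, `cpe`, `cve`, `notes` elements and the `until` attribute) and scopes the entry to the two artifacts named in the scan output posted above. The `until` date is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not this PR's or ZooKeeper's suppression file).
     Assumes the dependency-check suppression schema version 1.3. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!--
    Broad form, the one a reviewer pushes back on. Suppressing the CPE
    detaches the apache:zookeeper identifier from the dependency, so every
    finding tied to it disappears, including CVEs published after this
    entry was written:

    <suppress>
      <packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/.*$</packageUrl>
      <cpe>cpe:/a:apache:zookeeper</cpe>
    </suppress>
  -->

  <!--
    Targeted form: only the three CVEs the scan flagged, only for the two
    artifacts that appeared in the scan output, only for version 3.8.0,
    and with an expiry so the entry is re-evaluated after the next upgrade.
  -->
  <suppress until="2022-12-31Z">
    <notes><![CDATA[
      False positives: CVE-2021-28164 and CVE-2021-34429 concern Jetty,
      CVE-2021-29425 concerns Commons IO; neither library is bundled in
      these ZooKeeper artifacts. Upstream took the same approach in
      apache/zookeeper@3004c90.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper(-prometheus-metrics)?@3\.8\.0$</packageUrl>
    <cve>CVE-2021-28164</cve>
    <cve>CVE-2021-29425</cve>
    <cve>CVE-2021-34429</cve>
  </suppress>

</suppressions>
```

Two points a reviewer would check: first, the `packageUrl` regex pins the artifact coordinates and version, so the next ZooKeeper upgrade re-surfaces the findings instead of silently inheriting the suppression; second, the scan output above also matched `zookeeper-prometheus-metrics` to a `prometheus:prometheus` CPE, and suppressing by `cve` plus `packageUrl` rather than by `cpe` keeps any genuine Prometheus finding visible while still clearing the three known false positives.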

Contributor

@eolivelli eolivelli left a comment


The approach is good to me; I left some comments.

@nicoloboschi nicoloboschi requested a review from eolivelli March 16, 2022 09:58
@nicoloboschi
Contributor Author

/pulsarbot rerun-failure-checks

2 similar comments

@eolivelli eolivelli merged commit 752abd9 into apache:master Mar 17, 2022
aparajita89 pushed a commit to aparajita89/pulsar that referenced this pull request Mar 21, 2022
nicoloboschi added a commit to datastax/pulsar that referenced this pull request Mar 22, 2022
Nicklee007 pushed a commit to Nicklee007/pulsar that referenced this pull request Apr 20, 2022
nicoloboschi added a commit to datastax/pulsar that referenced this pull request Apr 28, 2022