From 108070f602f5f142ddb60326358b82ec376673a6 Mon Sep 17 00:00:00 2001
From: Ronak
Date: Thu, 6 Jan 2022 20:59:07 +0530
Subject: [PATCH 01/10] chore: extend the helm template for spanDropFilter

---
 span-normalizer/helm/templates/span-normalizer-config.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/span-normalizer/helm/templates/span-normalizer-config.yaml b/span-normalizer/helm/templates/span-normalizer-config.yaml
index 18f167c46..fde209541 100644
--- a/span-normalizer/helm/templates/span-normalizer-config.yaml
+++ b/span-normalizer/helm/templates/span-normalizer-config.yaml
@@ -57,6 +57,10 @@ data:
 spanDropCriterion = {{ .Values.spanNormalizerConfig.processor.spanDropCriterion | toJson }}
 {{- end }}
 
+ {{- if hasKey .Values.spanNormalizerConfig.processor "spanDropFilters" }}
+ spanDropFilters = {{ .Values.spanNormalizerConfig.processor.spanDropFilters | indent 4 | trim }}
+ {{- end }}
+
 {{- if hasKey .Values.spanNormalizerConfig.processor "rootExitSpanDropCriterion" }}
 rootExitSpanDropCriterion = {{ .Values.spanNormalizerConfig.processor.rootExitSpanDropCriterion | toJson }}
 {{- end }}

From 36eed79676265415203e03b026610c14c3af81bd Mon Sep 17 00:00:00 2001
From: Ronak
Date: Thu, 6 Jan 2022 21:27:13 +0530
Subject: [PATCH 02/10] updates log4j libs

---
 .../hypertrace-trace-enricher/build.gradle.kts | 2 +-
 hypertrace-trace-enricher/trace-reader/build.gradle.kts | 2 +-
 raw-spans-grouper/raw-spans-grouper/build.gradle.kts | 2 +-
 span-normalizer/span-normalizer/build.gradle.kts | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts b/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
index ecb195eb6..37da7cfd7 100644
--- a/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
+++ b/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
@@ -50,7 +50,7 @@ dependencies {
 
 // Logging
 implementation("org.slf4j:slf4j-api:1.7.30")
- runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.0")
+ runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1")
 
 testImplementation(project(":hypertrace-trace-enricher:hypertrace-trace-enricher"))
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
diff --git a/hypertrace-trace-enricher/trace-reader/build.gradle.kts b/hypertrace-trace-enricher/trace-reader/build.gradle.kts
index 256f0d399..120765f98 100644
--- a/hypertrace-trace-enricher/trace-reader/build.gradle.kts
+++ b/hypertrace-trace-enricher/trace-reader/build.gradle.kts
@@ -22,7 +22,7 @@ dependencies {
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-inline:3.8.0")
 testImplementation("org.mockito:mockito-junit-jupiter:3.8.0")
- testRuntimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.0")
+ testRuntimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1")
 
 tasks.test {
 useJUnitPlatform()
diff --git a/raw-spans-grouper/raw-spans-grouper/build.gradle.kts b/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
index dc1435027..63f9bdcd0 100644
--- a/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
+++ b/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
@@ -45,7 +45,7 @@ dependencies {
 
 // Logging
 implementation("org.slf4j:slf4j-api:1.7.30")
- runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.0")
+ runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1")
 
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-core:3.8.0")
diff --git a/span-normalizer/span-normalizer/build.gradle.kts b/span-normalizer/span-normalizer/build.gradle.kts
index d3a4f1512..c579dc45d 100644
--- a/span-normalizer/span-normalizer/build.gradle.kts
+++ b/span-normalizer/span-normalizer/build.gradle.kts
@@ -57,7 +57,7 @@ dependencies {
 
 // Logging
 implementation("org.slf4j:slf4j-api:1.7.30")
- runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.0")
+ runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1")
 
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.26")

From ee7bfbedb9f9ec60584eba53ad42ac92064fb4f3 Mon Sep 17 00:00:00 2001
From: Ronak
Date: Thu, 6 Jan 2022 21:33:50 +0530
Subject: [PATCH 03/10] update snyk file for IONETTY issue

---
 .snyk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.snyk b/.snyk
index cf64b478f..bacd4401c 100644
--- a/.snyk
+++ b/.snyk
@@ -5,5 +5,5 @@ ignore:
 SNYK-JAVA-IONETTY-1042268:
 - '*':
 reason: no available replacement
- expires: 2021-12-31T00:00:00.000Z
+ expires: 2021-01-31T00:00:00.000Z
 patch: {}

From 4f089a161fcff516dc7abb27c14845701044fc40 Mon Sep 17 00:00:00 2001
From: Ronak
Date: Thu, 6 Jan 2022 21:35:31 +0530
Subject: [PATCH 04/10] corrected the date

---
 .snyk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.snyk b/.snyk
index bacd4401c..6fd29b18b 100644
--- a/.snyk
+++ b/.snyk
@@ -5,5 +5,5 @@ ignore:
 SNYK-JAVA-IONETTY-1042268:
 - '*':
 reason: no available replacement
- expires: 2021-01-31T00:00:00.000Z
+ expires: 2022-01-31T00:00:00.000Z
 patch: {}

From 22e2a11790e5e2fe2c3de437dff56d4f78a481a3 Mon Sep 17 00:00:00 2001
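Review bot: The `expires:` line pushes the SNYK-JAVA-IONETTY-1042268 ignore out by another month while the `reason: no available replacement` stays a single unexplained phrase, so the next person to hit the expiry has no way to tell which dependency pins the vulnerable netty or whether a fixed release now exists; the reason should name the blocking path and a tracking reference, e.g. `reason: vulnerable io.netty pulled transitively by <dependency>; tracked in <issue>, re-evaluate before expiry`. Patch 5 in this same series constrains `io.netty` artifacts to 4.1.71.Final in hypertrace-trace-enricher, so it is worth checking whether applying that constraint where this advisory fires would resolve it instead of extending the ignore. The ignore is also wildcard-scoped (`'*'`), which silences the advisory on every path in every module; narrowing it to the affected path would keep new introductions visible.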
From: Ronak
Date: Thu, 6 Jan 2022 21:50:01 +0530
Subject: [PATCH 05/10] updates framework libs

---
 hypertrace-ingester/build.gradle.kts | 6 +++---
 .../hypertrace-metrics-exporter/build.gradle.kts | 4 ++--
 .../hypertrace-metrics-generator/build.gradle.kts | 6 +++---
 .../hypertrace-metrics-processor/build.gradle.kts | 6 +++---
 .../hypertrace-trace-enricher-impl/build.gradle.kts | 2 +-
 .../hypertrace-trace-enricher/build.gradle.kts | 6 +++---
 .../hypertrace-view-generator/build.gradle.kts | 4 ++--
 raw-spans-grouper/raw-spans-grouper/build.gradle.kts | 6 +++---
 span-normalizer/span-normalizer/build.gradle.kts | 8 ++++----
 9 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/hypertrace-ingester/build.gradle.kts b/hypertrace-ingester/build.gradle.kts
index e9968c9e9..6057dc487 100644
--- a/hypertrace-ingester/build.gradle.kts
+++ b/hypertrace-ingester/build.gradle.kts
@@ -25,9 +25,9 @@ hypertraceDocker {
 }
 
 dependencies {
- implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.21")
- implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.30")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.30")
+ implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.23")
+ implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.33")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
 implementation("org.hypertrace.core.datamodel:data-model:0.1.20")
 implementation("org.hypertrace.core.viewgenerator:view-generator-framework:0.3.9")
 implementation("com.typesafe:config:1.4.1")
diff --git a/hypertrace-metrics-exporter/hypertrace-metrics-exporter/build.gradle.kts b/hypertrace-metrics-exporter/hypertrace-metrics-exporter/build.gradle.kts
index c339ef430..c0fb35850 100644
--- a/hypertrace-metrics-exporter/hypertrace-metrics-exporter/build.gradle.kts
+++ b/hypertrace-metrics-exporter/hypertrace-metrics-exporter/build.gradle.kts
@@ -26,8 +26,8 @@ tasks.test {
 
 dependencies {
 // common and framework
- implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.30")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.30")
+ implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.33")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
 
 // open telemetry
 implementation("io.opentelemetry:opentelemetry-sdk-metrics:1.7.0-alpah")
diff --git a/hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts b/hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts
index 2ea44f87d..aee28e12a 100644
--- a/hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts
+++ b/hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts
@@ -28,9 +28,9 @@ dependencies {
 // common and framework
 implementation(project(":hypertrace-metrics-generator:hypertrace-metrics-generator-api"))
 implementation(project(":hypertrace-view-generator:hypertrace-view-generator-api"))
- implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.31")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.31")
- implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.21")
+ implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.33")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
+ implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.23")
 
 // open telemetry proto
 implementation("io.opentelemetry:opentelemetry-proto:1.6.0-alpha")
diff --git a/hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts b/hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts
index 903ace6d3..c0e8653c7 100644
--- a/hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts
+++ b/hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts
@@ -29,9 +29,9 @@ dependencies {
 implementation(project(":hypertrace-view-generator:hypertrace-view-generator-api"))
 
 // frameworks
- implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.30")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.30")
- implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.21")
+ implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.33")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
+ implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.23")
 
 // open telemetry proto
 implementation("io.opentelemetry:opentelemetry-proto:1.6.0-alpha")
diff --git a/hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts b/hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts
index 285a81653..ddf057547 100644
--- a/hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts
+++ b/hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts
@@ -18,7 +18,7 @@ dependencies {
 implementation("org.hypertrace.core.datamodel:data-model:0.1.20")
 implementation("org.hypertrace.entity.service:entity-service-client:0.8.5")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.28")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
 implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.6.2")
 implementation("org.hypertrace.config.service:spaces-config-service-api:0.1.0")
 implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.6.2")
diff --git a/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts b/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
index 37da7cfd7..122ef3f0b 100644
--- a/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
+++ b/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
@@ -31,12 +31,12 @@ tasks.test {
 dependencies {
 implementation(project(":hypertrace-trace-enricher:hypertrace-trace-enricher-impl"))
 implementation("org.hypertrace.core.datamodel:data-model:0.1.20")
- implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.30")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.30")
+ implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.33")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
 implementation("org.hypertrace.entity.service:entity-service-client:0.8.5")
 implementation("com.typesafe:config:1.4.1")
- implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.21")
+ implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.23")
 constraints {
 runtimeOnly("io.netty:netty-codec-http2:4.1.71.Final")
 runtimeOnly("io.netty:netty-handler-proxy:4.1.71.Final")
diff --git a/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts
index 0bd7ae2c5..d9d0d3128 100644
--- a/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts
+++ b/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts
@@ -34,13 +34,13 @@ dependencies {
 // TODO: migrate in core
 implementation("org.hypertrace.core.viewgenerator:view-generator-framework:0.3.9")
 implementation("org.hypertrace.core.datamodel:data-model:0.1.20")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.26")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
 implementation("org.hypertrace.entity.service:entity-service-api:0.8.5")
 implementation("org.apache.avro:avro:1.10.2")
 implementation("org.apache.commons:commons-lang3:3.12.0")
- implementation("com.fasterxml.jackson.core:jackson-databind:2.12.2")
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1")
 
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-core:3.8.0")
diff --git a/raw-spans-grouper/raw-spans-grouper/build.gradle.kts b/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
index 63f9bdcd0..7d997e17c 100644
--- a/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
+++ b/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
@@ -34,10 +34,10 @@ dependencies {
 }
 implementation(project(":span-normalizer:span-normalizer-api"))
 implementation("org.hypertrace.core.datamodel:data-model:0.1.20")
- implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.30")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.30")
+ implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.33")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
 
- implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.21")
+ implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.23")
 implementation("com.typesafe:config:1.4.1")
 implementation("de.javakaffee:kryo-serializers:0.45")
 implementation("io.confluent:kafka-avro-serializer:5.5.0")
diff --git a/span-normalizer/span-normalizer/build.gradle.kts b/span-normalizer/span-normalizer/build.gradle.kts
index c579dc45d..ef360747a 100644
--- a/span-normalizer/span-normalizer/build.gradle.kts
+++ b/span-normalizer/span-normalizer/build.gradle.kts
@@ -35,9 +35,9 @@ dependencies {
 implementation(project(":semantic-convention-utils"))
 implementation("org.hypertrace.core.datamodel:data-model:0.1.20")
- implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.30")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.30")
- implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.21")
+ implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.33")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
+ implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.1.23")
 
 // Required for the GRPC clients.
 runtimeOnly("io.grpc:grpc-netty:1.42.0")
@@ -60,7 +60,7 @@ dependencies {
 runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1")
 
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
- testImplementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.26")
+ testImplementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33")
 testImplementation("org.junit-pioneer:junit-pioneer:1.3.8")
 testImplementation("org.mockito:mockito-core:3.8.0")
 testImplementation("org.apache.kafka:kafka-streams-test-utils:6.0.1-ccs")

From b566c69af9df9cb97e33b109a3a11ed11f897995 Mon Sep 17 00:00:00 2001
From: Ronak
Date: Fri, 7 Jan 2022 10:57:07 +0530
Subject: [PATCH 06/10] addressed comments

---
 span-normalizer/helm/templates/span-normalizer-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/span-normalizer/helm/templates/span-normalizer-config.yaml b/span-normalizer/helm/templates/span-normalizer-config.yaml
index fde209541..3ff4e4797 100644
--- a/span-normalizer/helm/templates/span-normalizer-config.yaml
+++ b/span-normalizer/helm/templates/span-normalizer-config.yaml
@@ -58,7 +58,7 @@ data:
 {{- end }}
 
 {{- if hasKey .Values.spanNormalizerConfig.processor "spanDropFilters" }}
- spanDropFilters = {{ .Values.spanNormalizerConfig.processor.spanDropFilters | indent 4 | trim }}
+ spanDropFilters = {{ .Values.spanNormalizerConfig.processor.spanDropFilters | toJson }}
 {{- end }}
 
 {{- if hasKey .Values.spanNormalizerConfig.processor "rootExitSpanDropCriterion" }}

From dd1e27c8da724c07bb77ab35a7aef3a3643cd5e4 Mon Sep 17 00:00:00 2001
From: Ronak
Date: Fri, 7 Jan 2022 11:32:26 +0530
Subject: [PATCH 07/10] handles jackson related snyk failure

---
 .../hypertrace-metrics-exporter/build.gradle.kts | 9 +++++++++
 .../hypertrace-metrics-generator/build.gradle.kts | 5 +++++
 .../hypertrace-metrics-processor/build.gradle.kts | 5 +++++
 .../enriched-span-constants/build.gradle.kts | 8 ++++++++
 .../hypertrace-trace-enricher-api/build.gradle.kts | 9 +++++++++
 .../hypertrace-trace-enricher-impl/build.gradle.kts | 8 ++++++++
 .../hypertrace-trace-enricher/build.gradle.kts | 5 +++++
 .../hypertrace-trace-visualizer/build.gradle.kts | 8 ++++++++
 hypertrace-trace-enricher/trace-reader/build.gradle.kts | 8 ++++++++
 .../hypertrace-view-creator/build.gradle.kts | 5 +++++
 .../hypertrace-view-generator-api/build.gradle.kts | 5 +++++
 raw-spans-grouper/raw-spans-grouper/build.gradle.kts | 8 ++++++++
 semantic-convention-utils/build.gradle.kts | 8 ++++++++
 span-normalizer/span-normalizer-api/build.gradle.kts | 5 +++++
 span-normalizer/span-normalizer/build.gradle.kts | 5 +++++
 15 files changed, 101 insertions(+)

diff --git a/hypertrace-metrics-exporter/hypertrace-metrics-exporter/build.gradle.kts b/hypertrace-metrics-exporter/hypertrace-metrics-exporter/build.gradle.kts
index c0fb35850..cee80f8a8 100644
--- a/hypertrace-metrics-exporter/hypertrace-metrics-exporter/build.gradle.kts
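Review bot: The `spanDropFilters` value is rendered straight from values into the HOCON config with `toJson` and no shape check, so a values file that sets it to a scalar or a map instead of a list renders without error and only fails when span-normalizer parses its config at startup; if the consumer expects a list, as the name suggests but the template does not show, a guard such as `{{- if not (kindIs "slice" .Values.spanNormalizerConfig.processor.spanDropFilters) }}{{ fail "spanNormalizerConfig.processor.spanDropFilters must be a list" }}{{- end }}` inside the `hasKey` block would turn that into a readable `helm install` error. The sibling keys `spanDropCriterion` and `rootExitSpanDropCriterion` follow the same unchecked `toJson` pattern, so this is consistent with them rather than a regression. Because these filters presumably decide which spans are discarded before enrichment, a short template comment above the block describing the expected filter shape and the effect of a mis-specified filter would help operators editing values. The enclosing `data:` block starts outside the hunk.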
+++ b/hypertrace-metrics-exporter/hypertrace-metrics-exporter/build.gradle.kts
@@ -43,6 +43,15 @@ dependencies {
 // kafka
 implementation("org.apache.kafka:kafka-clients:2.7.2")
 
+ // constrains
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
+ }
+
 // test
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-core:3.8.0")
diff --git a/hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts b/hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts
index aee28e12a..711e1371a 100644
--- a/hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts
+++ b/hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts
@@ -40,6 +40,11 @@ dependencies {
 implementation("org.glassfish.jersey.core:jersey-common:2.34") {
 because("https://snyk.io/vuln/SNYK-JAVA-ORGGLASSFISHJERSEYCORE-1255637")
 }
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
 }
 
 // test
diff --git a/hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts b/hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts
index c0e8653c7..eade074f6 100644
--- a/hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts
+++ b/hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts
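Review bot: The comment added above the new block reads `// constrains`; it should be `// constraints`, matching the DSL call it labels. Beyond the typo, this exact `constraints { implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") { because(...) } }` block is pasted into fifteen build files in this patch, so the next jackson advisory means fifteen edits and a forgotten module silently stays on the old version; declaring the constraint once in the root build script (an `allprojects`/`subprojects` dependencies block, or a shared platform module the others depend on) would keep a single source of truth. A Gradle constraint only raises a version that is otherwise present on the graph, so after the framework bumps in patch 5 it is worth confirming with `dependencyInsight --dependency jackson-databind` that the `@2.12.2` path named in the `because` text is still what this constraint is overriding.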
@@ -43,6 +43,11 @@ dependencies {
 "io.confluent:kafka-schema-registry-client@6.0.1 > " +
 "org.glassfish.jersey.core:jersey-common@2.30")
 }
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
 }
 
 // test
diff --git a/hypertrace-trace-enricher/enriched-span-constants/build.gradle.kts b/hypertrace-trace-enricher/enriched-span-constants/build.gradle.kts
index 2e4136a7a..004fc3e89 100644
--- a/hypertrace-trace-enricher/enriched-span-constants/build.gradle.kts
+++ b/hypertrace-trace-enricher/enriched-span-constants/build.gradle.kts
@@ -71,6 +71,14 @@ dependencies {
 implementation(project(":semantic-convention-utils"))
 implementation("org.hypertrace.entity.service:entity-service-api:0.8.5")
 
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
+ }
+
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-core:3.8.0")
 }
diff --git a/hypertrace-trace-enricher/hypertrace-trace-enricher-api/build.gradle.kts b/hypertrace-trace-enricher/hypertrace-trace-enricher-api/build.gradle.kts
index fa8994840..9adfe8609 100644
--- a/hypertrace-trace-enricher/hypertrace-trace-enricher-api/build.gradle.kts
+++ b/hypertrace-trace-enricher/hypertrace-trace-enricher-api/build.gradle.kts
@@ -13,6 +13,15 @@ dependencies {
 implementation("org.slf4j:slf4j-api:1.7.30")
 implementation("org.apache.commons:commons-lang3:3.12.0")
 
+
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
+ }
+
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-core:3.9.0")
 testImplementation("org.mockito:mockito-inline:3.9.0")
diff --git a/hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts b/hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts
index ddf057547..54b94552c 100644
--- a/hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts
+++ b/hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts
@@ -30,6 +30,14 @@ dependencies {
 implementation("net.sf.uadetector:uadetector-resources:2014.10")
 implementation("io.reactivex.rxjava3:rxjava:3.0.11")
 
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
+ }
+
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-core:3.8.0")
 testImplementation("org.mockito:mockito-junit-jupiter:3.8.0")
diff --git a/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts b/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
index 122ef3f0b..943f53156 100644
--- a/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
+++ b/hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts
@@ -43,6 +43,11 @@ dependencies {
 implementation("org.glassfish.jersey.core:jersey-common:2.34") {
 because("https://snyk.io/vuln/SNYK-JAVA-ORGGLASSFISHJERSEYCORE-1255637")
 }
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
 }
 
 // Required for the GRPC clients.
diff --git a/hypertrace-trace-enricher/hypertrace-trace-visualizer/build.gradle.kts b/hypertrace-trace-enricher/hypertrace-trace-visualizer/build.gradle.kts
index 0ee4d039e..3fc1b414d 100644
--- a/hypertrace-trace-enricher/hypertrace-trace-visualizer/build.gradle.kts
+++ b/hypertrace-trace-enricher/hypertrace-trace-visualizer/build.gradle.kts
@@ -7,6 +7,14 @@ dependencies {
 implementation("org.json:json:20210307")
 implementation("org.apache.commons:commons-lang3:3.12.0")
 
+
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
+ }
 }
 
 description = "Trace Visualizer to help visualize a structured trace."
diff --git a/hypertrace-trace-enricher/trace-reader/build.gradle.kts b/hypertrace-trace-enricher/trace-reader/build.gradle.kts
index 120765f98..de0277cb8 100644
--- a/hypertrace-trace-enricher/trace-reader/build.gradle.kts
+++ b/hypertrace-trace-enricher/trace-reader/build.gradle.kts
@@ -19,6 +19,14 @@ dependencies {
 annotationProcessor("org.projectlombok:lombok:1.18.20")
 compileOnly("org.projectlombok:lombok:1.18.20")
 
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
+ }
+
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-inline:3.8.0")
 testImplementation("org.mockito:mockito-junit-jupiter:3.8.0")
diff --git a/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts
index 675b4e017..12a5e7d70 100644
--- a/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts
+++ b/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts
@@ -23,6 +23,11 @@ dependencies {
 implementation("org.apache.calcite:calcite-babel:1.26.0") {
 because("https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECALCITE-1038296")
 }
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
 }
 
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
diff --git a/hypertrace-view-generator/hypertrace-view-generator-api/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-generator-api/build.gradle.kts
index be424a5d5..614f4b1df 100644
--- a/hypertrace-view-generator/hypertrace-view-generator-api/build.gradle.kts
+++ b/hypertrace-view-generator/hypertrace-view-generator-api/build.gradle.kts
@@ -17,5 +17,10 @@ dependencies {
 api("org.apache.commons:commons-compress:1.21") {
 because("Multiple vulnerabilities in avro-declared version")
 }
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
 }
 }
diff --git a/raw-spans-grouper/raw-spans-grouper/build.gradle.kts b/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
index 7d997e17c..545c15579 100644
--- a/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
+++ b/raw-spans-grouper/raw-spans-grouper/build.gradle.kts
@@ -47,6 +47,14 @@ dependencies {
 implementation("org.slf4j:slf4j-api:1.7.30")
 runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1")
 
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
+ }
+
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-core:3.8.0")
 testImplementation("org.junit-pioneer:junit-pioneer:1.3.8")
diff --git a/semantic-convention-utils/build.gradle.kts b/semantic-convention-utils/build.gradle.kts
index fadcd3ce6..208e6caf1 100644
--- a/semantic-convention-utils/build.gradle.kts
+++ b/semantic-convention-utils/build.gradle.kts
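Review bot: In hypertrace-view-generator-api the new jackson constraint is declared with `implementation(...)` directly beside the existing `api("org.apache.commons:commons-compress:1.21")` constraint; an `implementation` constraint is published only in the module's runtime variant, so projects that compile against this api module inherit the commons-compress pin on their compile classpath but not the jackson one. If the intent is that every consumer of the api module gets the patched jackson on both classpaths, `api("com.fasterxml.jackson.core:jackson-databind:2.13.1") { because(...) }` matches the sibling and propagates; if jackson is only a runtime concern here the current form is sufficient, and which of the two applies is not visible in the hunk. The span-normalizer-api module, patched the same way in this series, raises the same question.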
@@ -14,6 +14,14 @@ dependencies {
 implementation("org.hypertrace.core.datamodel:data-model:0.1.20")
 implementation("org.apache.commons:commons-lang3:3.12.0")
 
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
+ }
+
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
 testImplementation("org.mockito:mockito-core:3.8.0")
 }
diff --git a/span-normalizer/span-normalizer-api/build.gradle.kts b/span-normalizer/span-normalizer-api/build.gradle.kts
index 68b1dd61d..9804f9178 100644
--- a/span-normalizer/span-normalizer-api/build.gradle.kts
+++ b/span-normalizer/span-normalizer-api/build.gradle.kts
@@ -62,5 +62,10 @@ dependencies {
 api("org.apache.commons:commons-compress:1.21") {
 because("Multiple vulnerabilities in avro-declared version")
 }
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
 }
 }
diff --git a/span-normalizer/span-normalizer/build.gradle.kts b/span-normalizer/span-normalizer/build.gradle.kts
index ef360747a..f94a7f667 100644
--- a/span-normalizer/span-normalizer/build.gradle.kts
+++ b/span-normalizer/span-normalizer/build.gradle.kts
@@ -47,6 +47,11 @@ dependencies {
 implementation("org.glassfish.jersey.core:jersey-common:2.34") {
 because("https://snyk.io/vuln/SNYK-JAVA-ORGGLASSFISHJERSEYCORE-1255637")
 }
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") {
+ because("Denial of Service (DoS) " +
+ "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
+ "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
+ }
 }
 
 implementation("com.typesafe:config:1.4.1")
From 3ef5f6762c732e967df453ac0853021acd3e7f25 Mon Sep 17 00:00:00 2001
From: Ronak
Date: Fri, 7 Jan 2022 12:11:58 +0530
Subject: [PATCH 08/10] adding constrains for log4j

---
 .../hypertrace-view-creator/build.gradle.kts | 4 ++++
 .../hypertrace-view-generator/build.gradle.kts | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts
index 12a5e7d70..e31e80e79 100644
--- a/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts
+++ b/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts
@@ -28,6 +28,10 @@ dependencies {
 "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " +
 "in com.fasterxml.jackson.core:jackson-databind@2.12.2")
 }
+ implementation("org.apache.logging.log4j:log4j-slf4j-impl@2.17.1") {
+ because("Arbitrary Code Execution [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] " +
+ "in org.apache.logging.log4j:log4j-core@2.17.0")
+ }
 }
 
 testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
diff --git a/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts
index d9d0d3128..3d68cc150 100644
--- a/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts
+++ b/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts
@@ -42,6 +42,13 @@ dependencies { implementation("org.apache.commons:commons-lang3:3.12.0") implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") + constraints { + implementation("org.apache.logging.log4j:log4j-slf4j-impl@2.17.1") { + because("Arbitrary Code Execution [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] " + + "in org.apache.logging.log4j:log4j-core@2.17.0") + } + } + testImplementation("org.junit.jupiter:junit-jupiter:5.7.1") testImplementation("org.mockito:mockito-core:3.8.0") testImplementation("com.google.code.gson:gson:2.8.9") From 1ca3bcce358d33112a50d5a1ec536fd1b75bf00f Mon Sep 17 00:00:00 2001 From: Ronak Date: Fri, 7 Jan 2022 12:21:32 +0530 Subject: [PATCH 09/10] fixed mistake of copying @ notation --- .../hypertrace-view-creator/build.gradle.kts | 2 +- .../hypertrace-view-generator/build.gradle.kts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts index e31e80e79..42d44d805 100644 --- a/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts +++ b/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts @@ -28,7 +28,7 @@ dependencies { "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " + "in com.fasterxml.jackson.core:jackson-databind@2.12.2") } - implementation("org.apache.logging.log4j:log4j-slf4j-impl@2.17.1") { + implementation("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1") { because("Arbitrary Code Execution [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] " + "in org.apache.logging.log4j:log4j-core@2.17.0") } diff --git a/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts index 3d68cc150..2d1e40062 100644 
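Review bot: A dependency constraint only applies to artifacts that are already in the graph, so the `constraints { ... }` block added to hypertrace-view-generator is a no-op unless something on this module's graph pulls in `log4j-slf4j-impl`, and even then it leaves `log4j-core`, the artifact the cited advisory is about, to be resolved transitively. Verify the resolved version with the module's `dependencies --configuration runtimeClasspath` report and, if `log4j-core` is present, constrain it directly with `implementation("org.apache.logging.log4j:log4j-core:2.17.1") { because("...") }`. A short comment on the block stating which transitive path it is meant to override would also help, since the direct dependencies visible in the hunk (`commons-lang3`, `jackson-databind`) give no hint of where log4j enters. The enclosing `dependencies {` block starts outside the hunk.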
--- a/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts +++ b/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts @@ -43,7 +43,7 @@ dependencies { implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") constraints { - implementation("org.apache.logging.log4j:log4j-slf4j-impl@2.17.1") { + implementation("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1") { because("Arbitrary Code Execution [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] " + "in org.apache.logging.log4j:log4j-core@2.17.0") } From 0e245436d4365ba1ba7d498f9ed364b584c7dc7a Mon Sep 17 00:00:00 2001 From: Ronak Date: Fri, 7 Jan 2022 19:32:30 +0530 Subject: [PATCH 10/10] fixed log4j vuln via fixing view-gen-framework --- .../hypertrace-view-creator/build.gradle.kts | 6 +----- .../hypertrace-view-generator/build.gradle.kts | 9 +-------- 2 files changed, 2 insertions(+), 13 deletions(-) diff --git a/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts index 42d44d805..7fde01f6a 100644 --- a/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts +++ b/hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts @@ -17,7 +17,7 @@ tasks.test { dependencies { implementation(project(":hypertrace-view-generator:hypertrace-view-generator-api")) - implementation("org.hypertrace.core.viewcreator:view-creator-framework:0.3.9") + implementation("org.hypertrace.core.viewcreator:view-creator-framework:0.3.10") constraints { // to have calcite libs on the same version implementation("org.apache.calcite:calcite-babel:1.26.0") { 
@@ -28,10 +28,6 @@ dependencies { "[Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] " + "in com.fasterxml.jackson.core:jackson-databind@2.12.2") } - implementation("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1") { - because("Arbitrary Code Execution [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] " + - "in org.apache.logging.log4j:log4j-core@2.17.0") - } } testImplementation("org.junit.jupiter:junit-jupiter:5.7.1") diff --git a/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts b/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts index 2d1e40062..c1a5def90 100644 --- a/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts +++ b/hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts @@ -32,7 +32,7 @@ dependencies { implementation(project(":semantic-convention-utils")) // TODO: migrate in core - implementation("org.hypertrace.core.viewgenerator:view-generator-framework:0.3.9") + implementation("org.hypertrace.core.viewgenerator:view-generator-framework:0.3.10") implementation("org.hypertrace.core.datamodel:data-model:0.1.20") implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.33") @@ -42,13 +42,6 @@ dependencies { implementation("org.apache.commons:commons-lang3:3.12.0") implementation("com.fasterxml.jackson.core:jackson-databind:2.13.1") - constraints { - implementation("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1") { - because("Arbitrary Code Execution [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] " + - "in org.apache.logging.log4j:log4j-core@2.17.0") - } - } - testImplementation("org.junit.jupiter:junit-jupiter:5.7.1") testImplementation("org.mockito:mockito-core:3.8.0") testImplementation("com.google.code.gson:gson:2.8.9")