This is an automated email from the ASF dual-hosted git repository.
abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new c3f84f9ea0 Suppress CVEs (#14291)
c3f84f9ea0 is described below
commit c3f84f9ea07e034f23f4252ac9b90d49988791da
Author: Tejaswini Bandlamudi <[email protected]>
AuthorDate: Mon Jul 10 15:19:26 2023 +0530
Suppress CVEs (#14291)
Address various CVEs by upgrading dependencies or adding suppressions, each with a
justification
---
.github/workflows/cron-job-its.yml | 10 +++++---
owasp-dependency-check-suppressions.xml | 43 +++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cron-job-its.yml
b/.github/workflows/cron-job-its.yml
index cc4e9d198f..3752b6c60e 100644
--- a/.github/workflows/cron-job-its.yml
+++ b/.github/workflows/cron-job-its.yml
@@ -27,7 +27,7 @@ on:
jobs:
build:
- if: github.event_name == 'schedule'
+ if: (github.event_name == 'schedule' && github.repository ==
'apache/druid')
name: build (jdk8)
runs-on: ubuntu-latest
steps:
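Review bot: The new `if:` on the `build` job carries the same `github.repository == 'apache/druid'` guard that this commit also adds to `security_vulnerabilities`, but neither copy says why it exists; presumably it keeps the cron from running on forks, and that deserves one line above the condition, e.g. `# scheduled runs only on the canonical repository (skip forks)`. The outer parentheses are redundant in an Actions expression, so `if: github.event_name == 'schedule' && github.repository == 'apache/druid'` reads the same and matches the unparenthesised form used on the other job. The `on:` trigger block named in the hunk header is outside the hunk, so I cannot tell whether other triggers reach this job.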
@@ -107,10 +107,12 @@ jobs:
group: other
security_vulnerabilities:
+ if: github.repository == 'apache/druid'
name: security vulnerabilities
strategy:
+ fail-fast: false
matrix:
- HADOOP_PROFILE: [ '', '-Phadoop3' ]
+ HADOOP_PROFILE: [ '', '-Phadoop2' ]
runs-on: ubuntu-latest
steps:
- name: Checkout branch
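Review bot: Replacing `'-Phadoop3'` with `'-Phadoop2'` in the `HADOOP_PROFILE` matrix changes which dependency tree the OWASP scan covers, and neither the hunk nor the commit description (which only mentions upgrades and suppressions) explains it. If the reason is that hadoop3 is now the default profile exercised by the empty entry, record that next to the matrix, e.g. `# '' = default profile; -Phadoop2 keeps the hadoop2 dependency tree scanned`, so nobody later reads this as dropping hadoop3 from the scan. `fail-fast: false` is the right choice here, since findings in one profile should not cancel the other's run. Whether the hadoop3 profile still exists in the POM cannot be confirmed from this hunk.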
@@ -123,9 +125,11 @@ jobs:
distribution: 'zulu'
cache: maven
+ - name: maven build # needed to rebuild incase of maven snapshot
resolution fails
+ run: mvn clean install dependency:go-offline -P dist -P
skip-static-checks,skip-tests -Dmaven.javadoc.skip=true -Dcyclonedx.skip=true
-Dweb.console.skip=true
+
- name: security vulnerabilities check
env:
- MVN: mvn --no-snapshot-updates
HADOOP_PROFILE: ${{ matrix.HADOOP_PROFILE }}
run: |
mvn dependency-check:purge dependency-check:check ${HADOOP_PROFILE}
|| { echo "
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index 207cafb3bf..465d4cb0b1 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -122,6 +122,8 @@
https://github.com/FasterXML/jackson-databind/issues/3328
-->
<cve>CVE-2021-46877</cve>
+ <!-- According to jackson community, this is not a security issue, see
https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098,
https://github.com/jeremylong/DependencyCheck/issues/5779 -->
+ <cve>CVE-2023-35116</cve>
</suppress>
@@ -192,10 +194,14 @@
~ ... 27 more
-->
<notes><![CDATA[
+ file name: hibernate-validator-5.3.6.Final.jar
file name: hibernate-validator-5.2.5.Final.jar
]]></notes>
<packageUrl
regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
<cve>CVE-2017-7536</cve>
+ <cve>CVE-2019-10219</cve> <!-- We don't use SafeHtml validator annotation
https://nvd.nist.gov/vuln/detail/CVE-2019-10219 -->
+ <cve>CVE-2019-14900</cve> <!-- Not applicable to hibernate validator
https://github.com/hibernate/hibernate-orm/pull/3438 -->
+ <cve>CVE-2020-10693</cve> <!-- We don't take user input in constraint
violation message https://hibernate.atlassian.net/browse/HV-1774 -->
<cve>CVE-2020-25638</cve>
</suppress>
<suppress>
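Review bot: The three added hibernate-validator `<cve>` entries are justified by how Druid uses the library (no SafeHtml validator, no user input in constraint-violation messages), yet the existing selector two lines above them, `^pkg:maven/org\.hibernate/hibernate\-validator@.*$`, matches every version, so these usage-based suppressions will outlive any upgrade or change in usage without anyone revisiting them. Suppressions of this kind are the ones worth time-boxing; dependency-check's `until` attribute does that, e.g. `<suppress until="YYYY-MM-DD">` on this element, and forces a re-check once it expires. The added notes line `file name: hibernate-validator-5.3.6.Final.jar` alongside the existing 5.2.5 entry suggests two versions are now present; saying which module pulls each would give the duplicate a retirement path. The `<suppress>` element begins outside this hunk.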
@@ -216,8 +222,13 @@
<cve>CVE-2019-20444</cve>
<cve>CVE-2019-20445</cve>
<cve>CVE-2020-11612</cve>
+ <cve>CVE-2021-21290</cve> <!-- We don't use HttpPostRequestDecoder or
HttpPostMultiPartRequestDecoder which uses vulnerable AbstractDiskHttpData -
https://github.com/advisories/GHSA-5mcr-gq6c-3hq2 -->
+ <cve>CVE-2021-21295</cve> <!-- We don't use HTTP2MultiplexCodec or
Http2FrameCodec or Http2StreamFrameToHttpObjectCodec affected or convert HTTP/2
to HTTP/1.1 requests - https://github.com/advisories/GHSA-wm47-8v5p-wjpj -->
+ <cve>CVE-2021-21409</cve> <!-- We don't use Http2HeaderFrame or convert
HTTP/2 to HTTP/1.1 requests https://github.com/advisories/GHSA-f256-j965-7f32
-->
<cve>CVE-2021-37136</cve>
<cve>CVE-2021-37137</cve>
+ <cve>CVE-2021-43797</cve> <!-- We don't decode user HTTP requests nor
forward them to remote systems, we also don't support for java 6 or lower -
https://github.com/advisories/GHSA-wx5j-54mm-rqqq -->
+ <cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor
forward them to remote systems, we also don't support for java 6 or lower -
https://github.com/advisories/GHSA-269q-hmxg-m83q -->
<cve>CVE-2022-41881</cve>
</suppress>
<suppress>
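Review bot: The justification on the new `CVE-2022-24823` line is a copy of the one on `CVE-2021-43797`, but the advisory it links (GHSA-269q-hmxg-m83q) concerns, as far as I recall, insecure temporary files written by the disk-backed multipart decoder on Unix-like systems, i.e. the same code path as the `CVE-2021-21290` entry above, not request decoding, forwarding or Java 6 support, so the stated reason does not match the finding. I would replace that comment with `<!-- Same code path as CVE-2021-21290: we don't use the disk-backed HttpPostRequestDecoder/AbstractDiskHttpData - https://github.com/advisories/GHSA-269q-hmxg-m83q -->`. More generally, the "we don't use X" comments in this block assert facts about Druid's netty usage without naming the modules or clients that pull netty in, which is what a later reviewer needs to re-verify them; a notes line listing those would help. Minor wording on both copied comments: `we also don't support Java 6 or lower`. The `<suppress>` element begins outside this hunk.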
@@ -799,6 +810,14 @@
<cve>CVE-2022-26612</cve>
<!-- this one seems to apply to backend server -
https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
<cve>CVE-2023-25613</cve>
+ <cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using
com.google.common.io.FileBackedOutputStream -->
+ </suppress>
+ <suppress>
+ <!-- from extensions using hadoop-client-api, these dependencies are
shaded in the jar -->
+ <notes><![CDATA[
+ file name: hadoop-client-api-3.3.6.jar: jquery.dataTables.min.js
(pkg:javascript/[email protected])
+ ]]></notes>
+ <vulnerabilityName>prototype pollution</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
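Review bot: The new `<suppress>` for the jquery.dataTables bundled in `hadoop-client-api-3.3.6.jar` has only `<vulnerabilityName>prototype pollution</vulnerabilityName>` and no `<packageUrl>`, `<filePath>` or similar selector; `<notes>` is documentation only, so as far as I know dependency-check will apply this to every dependency whose finding carries that name, not just the shaded copy the notes describe. Scope it with a selector derived from the purl quoted in the notes, e.g. `<packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>` (constructed from the notes; the exact purl is masked in this rendering, so copy it from the scan report). The `CVE-2023-2976` entry added to the hadoop-client-runtime block just above is consistent with the guava suppression added later in this commit.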
@@ -808,4 +827,28 @@
<!-- applies to ranger-hive-plugin which afaict we do not use
https://nvd.nist.gov/vuln/detail/CVE-2021-40331 -->
<cve>CVE-2021-40331</cve>
</suppress>
+
+ <!-- filed against random script set, doesn't apply to any Maven artifacts -
https://github.com/jeremylong/DependencyCheck/issues/5213 -->
+ <suppress>
+ <notes><![CDATA[
+ file name: plexus-utils-3.0.24.jar
+ file name: async-http-client-netty-utils-2.5.3.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl>
+ <cve>CVE-2021-4277</cve>
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: guava-16.0.1.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/com\.google\.guava/[email protected]$</packageUrl>
+ <!--
+ ~ We don't either use AtomicDoubleArray (when serialized with Java
serialization) or
+ ~ CompoundOrdering (when serialized with GWT serialization) nor do we
use Java or GWT serialization. https://nvd.nist.gov/vuln/detail/cve-2018-10237
+ -->
+ <cve>CVE-2018-10237</cve>
+ <cve>CVE-2020-8908</cve> <!-- We do not use
com.google.common.io.Files.createTempDir()
https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -->
+ <cve>CVE-2023-2976</cve> <!-- We do not use
com.google.common.io.FileBackedOutputStream
https://nvd.nist.gov/vuln/detail/CVE-2023-2976 -->
+ </suppress>
</suppressions>
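Review bot: The guava-16.0.1 `<suppress>` justifies three CVEs by usage arguments but never says which dependency pins guava 16.0.1, so there is no signal for when the suppression can be retired; add the pulling artifact to the notes, e.g. `file name: guava-16.0.1.jar (transitive via <ARTIFACT>; see mvn dependency:tree)` with the real coordinate filled in. The `^pkg:maven/.*/.*@.*$` selector on the `CVE-2021-4277` block is deliberately global and the comment above it explains why, but listing two specific jars in its `<notes>` invites a future reader to narrow it; one notes line such as `~ intentionally matches every Maven artifact: the CVE is a CPE false positive` makes the intent explicit. The `~`-prefixed comment style used in the guava block matches the file's existing convention, which is good.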