This is an automated email from the ASF dual-hosted git repository.
abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new 388d5ecf78 Fix reported CVEs (#14882)
388d5ecf78 is described below
commit 388d5ecf78de51cbe81a7076a2b23250bff7b8fa
Author: Tejaswini Bandlamudi <[email protected]>
AuthorDate: Thu Aug 24 19:28:55 2023 +0530
Fix reported CVEs (#14882)
Suppress CVEs from dependencies with no available fix or false positives
hadoop-annotations: CVE-2022-25168, CVE-2021-33036
hadoop-client-runtime: CVE-2023-1370, CVE-2023-37475
okio: CVE-2023-3635
Upgrade grpc version to fix CVE-2023-33953
---
extensions-contrib/opentelemetry-emitter/pom.xml | 2 +-
owasp-dependency-check-suppressions.xml | 15 +++++++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/extensions-contrib/opentelemetry-emitter/pom.xml
b/extensions-contrib/opentelemetry-emitter/pom.xml
index 2f1cd06055..58415e7ea3 100644
--- a/extensions-contrib/opentelemetry-emitter/pom.xml
+++ b/extensions-contrib/opentelemetry-emitter/pom.xml
@@ -39,7 +39,7 @@
<!-- These guava and grpc versions are used only in the
opentelemetry-extension.
Look at build section for more details about shading. -->
<shade.guava.version>32.0.1-jre</shade.guava.version>
- <shade.grpc.version>1.41.3</shade.grpc.version>
+ <shade.grpc.version>1.57.2</shade.grpc.version>
</properties>
<dependencyManagement>
<dependencies>
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index 1eb7c5a72d..4fcf560533 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -359,6 +359,9 @@
]]></notes>
<cve>CVE-2022-45855</cve>
<cve>CVE-2022-42009</cve>
+ <!-- Suppress hadoop CVEs that not applicable to hadoop-annotations -->
+ <cve>CVE-2022-25168</cve> <!-- Affected FileUtil.unTar(File, File) API
isn't present in hadoop-annotations -->
+ <cve>CVE-2021-33036</cve> <!-- Only applicable to hadoop-yarn-server -->
</suppress>
<suppress>
<!--
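Review bot: The two new `<cve>` entries are justified per-CVE ("API isn't present in hadoop-annotations", "only applicable to hadoop-yarn-server"), but a `<cve>` suppression applies to every artifact matched by the enclosing `<suppress>`'s `packageUrl`, and that opening tag is outside the hunk; if its regex covers more than hadoop-annotations, these suppressions would also silence the same CVEs on the Hadoop artifacts where they do apply, so the scope is worth confirming. The leading comment also has a grammar slip; `<!-- Suppress hadoop CVEs that are not applicable to hadoop-annotations -->` reads cleanly. The enclosing `<suppress>` element begins before this hunk.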
@@ -759,6 +762,10 @@
<!-- this one seems to apply to backend server -
https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
<cve>CVE-2023-25613</cve>
<cve>CVE-2023-2976</cve> <!-- hadoop-client-runtime isn't using
com.google.common.io.FileBackedOutputStream -->
+ <!-- CVE from shaded dependency nimbus-jose-jwt, fixed in upcoming Hadoop
release version -
+
https://github.com/apache/hadoop/commit/ad49ddda0e1d9632c8c9fcdc78fca8244e1248c9
-->
+ <cve>CVE-2023-1370</cve>
+ <cve>CVE-2023-37475</cve> <!-- Suppressing since CVE wrongly linked to
apache:avro project - https://github.com/jeremylong/DependencyCheck/issues/5843
-->
</suppress>
<suppress>
<!-- from extensions using hadoop-client-api, these dependencies are
shaded in the jar -->
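Review bot: CVE-2023-1370 is suppressed on the grounds that the fix lands in an "upcoming Hadoop release", which is a temporary condition, yet the suppression carries no expiry, so nothing will prompt a re-check once that release is picked up. dependency-check supports `<suppress until="YYYY-MM-DD">` on the element (its start tag is outside this hunk); setting it to the expected release window, e.g. `<suppress until="<review-by-date>">`, would make the scanner re-report the CVE instead of leaving a permanent hole. Separately, the justification for CVE-2023-1370 is placed before its `<cve>` element while every other note in this block trails the element; moving it to a trailing comment on the `<cve>CVE-2023-1370</cve>` line keeps the block consistent and makes the CVE-to-reason pairing unambiguous.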
@@ -785,4 +792,12 @@
<packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl>
<cve>CVE-2021-4277</cve>
</suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: okio-1.17.2.jar, okio-1.15.0.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/com\.squareup\.okio/okio@1..*$</packageUrl>
+ <cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are
internal, and not user-facing -->
+ </suppress>
</suppressions>
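Review bot: The new `packageUrl` regex `^pkg:maven/com\.squareup\.okio/okio@1..*$` leaves the dot after the `1` unescaped, so it matches any okio version whose string starts with `1` followed by any single character, not only the 1.x line named in the notes; `<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@1\..*$</packageUrl>` pins it to 1.x as intended. The justification "okio requests in Druid are internal, and not user-facing" is a risk-acceptance claim about call sites outside this file; recording in the `<notes>` which Druid dependency pulls in okio 1.x would let the suppression be re-evaluated when that dependency changes rather than silently persisting.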