This is an automated email from the ASF dual-hosted git repository.
abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new b8540584910 remove unnecessary elasticsearch dependencies to fix CVE
regressions (#15443)
b8540584910 is described below
commit b85405849108feb8f80bbbcb47ef1343bd32a431
Author: Jan Werner <[email protected]>
AuthorDate: Sun Dec 3 10:26:40 2023 -0500
remove unnecessary elasticsearch dependencies to fix CVE regressions
(#15443)
Recent upgrade of ranger introduced CVE regressions due to outdated
elasticsearch components.
Druid-ranger-plugin does not use elasticsearch components, and they have been
explicitly removed.
Update woodstox-core to 6.4.0 to address GHSA-3f7h-mf4q-vrm4
---
extensions-core/druid-ranger-security/pom.xml | 42 +++++++++++++++++++-
licenses.yaml | 56 ++++++---------------------
pom.xml | 1 +
3 files changed, 54 insertions(+), 45 deletions(-)
diff --git a/extensions-core/druid-ranger-security/pom.xml
b/extensions-core/druid-ranger-security/pom.xml
index d30f1a2d236..4b75eaa530d 100644
--- a/extensions-core/druid-ranger-security/pom.xml
+++ b/extensions-core/druid-ranger-security/pom.xml
@@ -34,6 +34,21 @@
<relativePath>../../pom.xml</relativePath>
</parent>
+ <dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>com.fasterxml.woodstox</groupId>
+ <artifactId>woodstox-core</artifactId>
+ <version>6.4.0</version>
+ </dependency>
+ <dependency>
+ <groupId>com.amazonaws</groupId>
+ <artifactId>aws-java-sdk-bundle</artifactId>
+ <version>${aws.sdk.version}</version>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
<dependencies>
<dependency>
<groupId>org.apache.druid</groupId>
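Review bot: The `6.4.0` literal on the woodstox-core entry carries no record of why it is pinned here, so a later version reconciliation or an automated dependency-update PR can drop this dependencyManagement block and silently reintroduce the regression. Add a comment on the entry, e.g. `<!-- Pinned to 6.4.0 for GHSA-3f7h-mf4q-vrm4 (XML nesting-depth DoS in woodstox-core); the Ranger upgrade otherwise resolves 6.2.4 transitively, per licenses.yaml -->`. For consistency with the `gson.version` property this same commit adds to the root pom, the version would better live in a root `<woodstox.version>` property referenced as `${woodstox.version}`, so any other module that also pulls woodstox-core transitively gets the same fix; as written the override is scoped to druid-ranger-security only. The enclosing `<project>` element starts and ends outside the hunk.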
@@ -133,6 +148,18 @@
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-common</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.elasticsearch</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.elasticsearch.client</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.elasticsearch.plugin</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
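Review bot: The three wildcard exclusions prune every `org.elasticsearch*` artifact from this dependency's subtree, but nothing in the pom records that the Elasticsearch code path (presumably Ranger's Elasticsearch audit destination, which is where these clients usually come from) is intentionally unsupported in this extension, so a contributor who later enables that destination will hit a runtime ClassNotFoundException with no hint why. Add a comment above the first new `<exclusion>`, e.g. `<!-- Elasticsearch is not used by this plugin; the outdated, CVE-affected ES client stack is excluded to keep it out of the distribution -->`. Exclusions only affect this dependency's own tree, so confirm with `mvn dependency:tree -pl extensions-core/druid-ranger-security -Dincludes=org.elasticsearch*` that no other path still brings the artifacts in. The `<dependency>` these exclusions belong to starts above the hunk, so its coordinates are not visible here.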
@@ -144,14 +171,27 @@
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-common</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.elasticsearch</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.elasticsearch.client</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.elasticsearch.plugin</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
</exclusions>
<scope>compile</scope>
</dependency>
+
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
- <version>${apache.ranger.gson.version}</version>
<scope>compile</scope>
+ <version>${gson.version}</version>
</dependency>
<!-- Tests -->
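Review bot: The gson entry now places `<version>` after `<scope>`, whereas the line it replaces had `<version>` directly after `<artifactId>`; keep the original ordering so the entry reads like the rest of the file: `<artifactId>gson</artifactId>` / `<version>${gson.version}</version>` / `<scope>compile</scope>`. The switch from `${apache.ranger.gson.version}` to `${gson.version}` is behavior-neutral only while the two root properties stay equal, which is worth a one-line comment here so the next gson bump is not applied to only one of them. The `<dependency>` whose exclusions open this hunk starts above it.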
diff --git a/licenses.yaml b/licenses.yaml
index 6724c28add7..3ebf7d829a7 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -4608,6 +4608,16 @@ libraries:
---
+name: gson
+license_category: binary
+module: druid-ranger-security
+license_name: Apache License version 2.0
+version: 2.10.1
+libraries:
+ - com.google.code.gson: gson
+
+---
+
name: com.kstruct gethostname4j
license_category: binary
version: 1.0.0
@@ -4620,7 +4630,7 @@ libraries:
name: com.amazonaws aws-java-sdk-bundle
license_category: binary
-version: 1.12.125
+version: 1.12.497
module: druid-ranger-security
license_name: Apache License version 2.0
libraries:
@@ -4699,16 +4709,6 @@ libraries:
---
-name: org.elasticsearch securesm
-license_category: binary
-version: 2.1.9
-module: druid-ranger-security
-license_name: Creative Commons CC0
-libraries:
- - org.hdrhistogram: HdrHistogram
-
----
-
name: Apache Lucene
license_category: binary
version: 8.4.0
@@ -4733,38 +4733,6 @@ libraries:
---
-name: org.elasticsearch securesm
-license_category: binary
-version: 1.2
-module: druid-ranger-security
-license_name: Apache License version 2.0
-libraries:
- - org.elasticsearch: securesm
-
----
-
-name: Elastic Search
-license_category: binary
-version: 7.10.2
-module: druid-ranger-security
-license_name: Apache License version 2.0
-libraries:
- - org.elasticsearch: elasticsearch
- - org.elasticsearch: elasticsearch-cli
- - org.elasticsearch: elasticsearch-core
- - org.elasticsearch: elasticsearch-geo
- - org.elasticsearch: elasticsearch-secure-sm
- - org.elasticsearch: elasticsearch-x-content
- - org.elasticsearch.client: elasticsearch-rest-client
- - org.elasticsearch.client: elasticsearch-rest-high-level-client
- - org.elasticsearch.plugin: aggs-matrix-stats-client
- - org.elasticsearch.plugin: lang-mustache-client
- - org.elasticsearch.plugin: mapper-extras-client
- - org.elasticsearch.plugin: parent-join-client
- - org.elasticsearch.plugin: rank-eval-client
-
----
-
name: org.apache.httpcomponents httpcore-nio
license_category: binary
version: 4.4.6
@@ -4803,7 +4771,7 @@ libraries:
name: Woodstox
license_category: binary
-version: 6.2.4
+version: 6.4.0
module: druid-ranger-security
license_name: Apache License version 2.0
libraries:
diff --git a/pom.xml b/pom.xml
index a62d44a4584..b70045188f5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,6 +78,7 @@
<apache.curator.version>5.5.0</apache.curator.version>
<apache.kafka.version>3.6.0</apache.kafka.version>
<apache.ranger.version>2.4.0</apache.ranger.version>
+ <gson.version>2.10.1</gson.version>
<apache.ranger.gson.version>2.10.1</apache.ranger.gson.version>
<scala.library.version>2.13.11</scala.library.version>
<avatica.version>1.23.0</avatica.version>
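Review bot: `gson.version` is added directly beside `apache.ranger.gson.version` with the identical value 2.10.1, so the root pom now carries two independent sources of truth for the same library and they can drift apart on the next bump. Either express one in terms of the other, `<apache.ranger.gson.version>${gson.version}</apache.ranger.gson.version>`, or drop `apache.ranger.gson.version` if the ranger module's switch to `${gson.version}` in this commit was its last reference; which other poms still use it is not visible here.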