This is an automated email from the ASF dual-hosted git repository.
xvrl pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new 3c7dec56ca2 update kubernetes java client to 19.0.0 and docker-java to
3.3.4 (#15449)
3c7dec56ca2 is described below
commit 3c7dec56ca274ea411e0aee780e42f84627c55a3
Author: Jan Werner <[email protected]>
AuthorDate: Tue Dec 12 17:27:57 2023 -0500
update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (#15449)
Update of direct dependencies:
* kubernetes java-client to 19.0.0
* docker-java-bom to 3.3.4
In order to update transitive dependencies:
* okio to 3.6.0
* bcjava to 1.76
To address CVEs:
- CVE-2023-3635 in okio
- CVE-2023-33201 in bcjava
---------
Co-authored-by: Xavier Léauté <[email protected]>
---
extensions-core/kubernetes-extensions/pom.xml | 39 +++--
.../druid/k8s/discovery/DefaultK8sApiClient.java | 6 +-
extensions-core/protobuf-extensions/pom.xml | 14 ++
licenses.yaml | 163 ++++++++++++---------
owasp-dependency-check-suppressions.xml | 15 +-
pom.xml | 23 +--
6 files changed, 144 insertions(+), 116 deletions(-)
diff --git a/extensions-core/kubernetes-extensions/pom.xml
b/extensions-core/kubernetes-extensions/pom.xml
index 895fb9f219e..304a5af0a7a 100644
--- a/extensions-core/kubernetes-extensions/pom.xml
+++ b/extensions-core/kubernetes-extensions/pom.xml
@@ -35,9 +35,22 @@
</parent>
<properties>
- <kubernetes.client.version>11.0.4</kubernetes.client.version>
+ <kubernetes.client.version>19.0.0</kubernetes.client.version>
</properties>
+
+ <dependencyManagement>
+ <dependencies>
+ <!-- This is an indirect dependency of io.kubernetes.client-java
+ update to address vulnerability in transitive dependency okio used by
okhttp -->
+ <dependency>
+ <groupId>com.squareup.okhttp3</groupId>
+ <artifactId>okhttp</artifactId>
+ <version>4.12.0</version>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
<dependencies>
<dependency>
<groupId>org.apache.druid</groupId>
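Review bot: The okhttp override added in this hunk does not say which advisory it exists for, although the commit message names CVE-2023-3635 in okio; naming it lets a later cleanup tell when the pin is obsolete, e.g. `<!-- CVE-2023-3635: force an okhttp that depends on a fixed okio; drop once io.kubernetes:client-java manages it itself -->`. By contrast, the bouncycastle version the commit says it raises to 1.76 for CVE-2023-33201 is pinned nowhere after this change: the next hunk removes the bcprov runtime overrides and the root pom.xml hunk removes the four 1.70 managed versions, so the bcprov-jdk18on 1.76 recorded in licenses.yaml is apparently whatever client-java 19.0.0 pulls in transitively. Consider managing `org.bouncycastle:bcprov-jdk18on` (and the ext/pkix/util siblings listed in licenses.yaml) next to the okhttp entry, so a future BC advisory can be fixed here without waiting for a client-java release.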
@@ -80,18 +93,6 @@
<scope>test</scope>
</dependency>
- <!-- Version override to address CVE-2020-28052 -->
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
- <scope>runtime</scope>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-ext-jdk15on</artifactId>
- <scope>runtime</scope>
- </dependency>
-
<!-- others -->
<dependency>
<groupId>com.google.code.findbugs</groupId>
@@ -137,6 +138,18 @@
</dependencies>
<build>
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-dependency-plugin</artifactId>
+ <configuration>
+ <!-- analyze incorrectly flags this dependency as missing when
omitted, and unused when declared -->
+
<ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:19.0.0</ignoredDependencies>
+ </configuration>
+ </plugin>
+ </plugins>
+ </pluginManagement>
<plugins>
<plugin>
<groupId>org.jacoco</groupId>
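Review bot: The ignoredDependencies value hard-codes `19.0.0` even though this pom defines `kubernetes.client.version` for exactly that version in the first hunk, so the next client bump will silently stop matching and dependency:analyze will fail again. Use the property instead: `<ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:${kubernetes.client.version}</ignoredDependencies>`. Maven interpolates properties inside plugin configuration, so the plugin sees the resolved coordinate.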
diff --git
a/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java
b/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java
index e17f8360e50..ab2c3b20952 100644
---
a/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java
+++
b/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java
@@ -65,7 +65,7 @@ public class DefaultK8sApiClient implements K8sApiClient
public void patchPod(String podName, String podNamespace, String
jsonPatchStr)
{
try {
- coreV1Api.patchNamespacedPod(podName, podNamespace, new
V1Patch(jsonPatchStr), "true", null, null, null);
+ coreV1Api.patchNamespacedPod(podName, podNamespace, new
V1Patch(jsonPatchStr), "true", null, null, null, null);
}
catch (ApiException ex) {
throw new RE(ex, "Failed to patch pod[%s/%s], code[%d], error[%s].",
podNamespace, podName, ex.getCode(), ex.getResponseBody());
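Review bot: The new trailing `null` in the patchNamespacedPod call (and the extra `null` in the listNamespacedPod and listNamespacedPodCall calls in the next two hunks) is an unnamed positional argument in calls that are already several nulls wide, so a reader cannot tell which client-java 19 parameter was added or why null is the right value for it. A parameter-name comment on the new argument, e.g. `/* fieldValidation */ null` for the patch and `/* sendInitialEvents */ null` for the two list calls (presumably the names from the 19.0.0 generated API; confirm against its javadoc), would record the intent without changing behaviour. patchPod's body and the enclosing class continue outside the hunk.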
@@ -80,7 +80,7 @@ public class DefaultK8sApiClient implements K8sApiClient
)
{
try {
- V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null,
null, null, null, labelSelector, 0, null, null, null, null);
+ V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null,
null, null, null, labelSelector, 0, null, null, null, null, null);
Preconditions.checkState(podList != null, "WTH: NULL podList");
Map<String, DiscoveryDruidNode> allNodes = new HashMap();
@@ -114,7 +114,7 @@ public class DefaultK8sApiClient implements K8sApiClient
Watch.createWatch(
realK8sClient,
coreV1Api.listNamespacedPodCall(namespace, null, true, null,
null,
- labelSelector, null,
lastKnownResourceVersion, null, 0, true, null
+ labelSelector, null,
lastKnownResourceVersion, null, null, 0, true, null
),
new TypeReference<Watch.Response<V1Pod>>()
{
diff --git a/extensions-core/protobuf-extensions/pom.xml
b/extensions-core/protobuf-extensions/pom.xml
index ad0d4396ebd..091b6b133ef 100644
--- a/extensions-core/protobuf-extensions/pom.xml
+++ b/extensions-core/protobuf-extensions/pom.xml
@@ -36,6 +36,7 @@
<properties>
<commons-io.version>2.11.0</commons-io.version>
+ <okio.version>3.6.0</okio.version>
</properties>
<repositories>
@@ -45,6 +46,19 @@
</repository>
</repositories>
+ <dependencyManagement>
+ <dependencies>
+ <!-- This is an indirect dependency of kafka-protobuf-provider
+ update to address vulnerability in transitive dependency okio -->
+ <dependency>
+ <groupId>com.squareup.okio</groupId>
+ <artifactId>okio</artifactId>
+ <version>${okio.version}</version>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
+
<dependencies>
<dependency>
<groupId>org.apache.druid</groupId>
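Review bot: The okio override is scoped to this module's dependencyManagement, while the same CVE-2023-3635 is handled in kubernetes-extensions by pinning okhttp instead, so the two modules can drift apart on okio the next time either pin moves. Managing `com.squareup.okio:okio` once in the root pom.xml dependencyManagement (with `okio.version` defined there) would cover both modules and any other extension that picks up okio transitively; the comment should also name the advisory, e.g. `<!-- CVE-2023-3635: kafka-protobuf-provider pulls in a vulnerable okio -->`. The two consecutive blank lines before `<dependencies>` are a whitespace nit.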
diff --git a/licenses.yaml b/licenses.yaml
index 4a863e16f15..3eba322b089 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -843,63 +843,58 @@ libraries:
---
-name: kubernetes official java client
+name: kubernetes fabric java client
license_category: binary
-module: extensions/druid-kubernetes-extensions
+module: extensions-contrib/kubernetes-overlord-extensions
license_name: Apache License version 2.0
-version: 11.0.4
+version: 6.7.2
libraries:
- - io.kubernetes: client-java
+ - io.fabric8: kubernetes-client
---
-name: kubernetes official java client api
+name: kubernetes official java client
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 11.0.4
+version: 19.0.0
libraries:
+ - io.kubernetes: client-java
- io.kubernetes: client-java-api
-
----
-
-name: kubernetes official java client extended
-license_category: binary
-module: extensions/druid-kubernetes-extensions
-license_name: Apache License version 2.0
-version: 11.0.4
-libraries:
- io.kubernetes: client-java-extended
+ - io.kubernetes: client-java-api-fluent
+ - io.kubernetes: client-java-proto
---
-name: kubernetes fabric java client
+name: Swagger
+version: 1.6.2
license_category: binary
-module: extensions-contrib/kubernetes-overlord-extensions
+module: extensions/druid-avro-extensions
license_name: Apache License version 2.0
-version: 6.7.2
libraries:
- - io.fabric8: kubernetes-client
+ - io.swagger: swagger-core
+ - io.swagger: swagger-models
---
-name: io.prometheus simpleclient_common
+name: org.apache.commons commons-collections4
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 0.9.0
+version: 4.4
libraries:
- - io.prometheus: simpleclient_common
+ - org.apache.commons: commons-collections4
---
-name: org.apache.commons commons-collections4
+name: io.sundr builder-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 4.4
+version: 0.22.0
libraries:
- - org.apache.commons: commons-collections4
+ - io.sundr: builder-annotations
---
@@ -927,7 +922,7 @@ name: io.swagger swagger-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 1.6.2
+version: 1.6.11
libraries:
- io.swagger: swagger-annotations
@@ -937,22 +932,23 @@ name: io.swagger swagger-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 2.8.6
+version: 1.6.2
libraries:
- - com.google.code.gson: gson
+ - io.swagger: swagger-annotations
---
-name: io.prometheus simpleclient_httpserver
+name: io.swagger swagger-annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 0.9.0
+version: 2.8.6
libraries:
- - io.prometheus: simpleclient_httpserver
+ - com.google.code.gson: gson
---
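Review bot: The second entry in this hunk keeps the name `io.swagger swagger-annotations` but lists `com.google.code.gson: gson` at 2.8.6, and the module now has three entries under that name (1.6.11 in the previous hunk, 1.6.2 and 2.8.6 here); the gson entry should be named `com.google.code.gson gson`, and unless swagger-annotations 1.6.2 and 1.6.11 are both really on the classpath one of the two swagger entries is stale. The same duplicate-with-different-version pattern recurs in the next hunk, where `logging-interceptor` is listed under okhttp 4.12.0 and again in its own entry at 4.11.0, and in the hunk after that, where `kotlin-stdlib` appears at 1.6.10 and 1.8.21 and `kotlin-stdlib-common` at 1.9.10 and 1.8.21. If this file is what the license tooling checks against the resolved artifacts, each artifact should appear once, at the version that actually resolves.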
+
name: org.bitbucket.b_c jose4j
license_category: binary
module: extensions/druid-kubernetes-extensions
@@ -971,35 +967,54 @@ version: 2.2.1
libraries:
- org.joda: joda-convert
+
---
name: com.squareup.okhttp3 okhttp
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 3.14.9
+version: 4.12.0
libraries:
- com.squareup.okhttp3: okhttp
+ - com.squareup.okhttp3: logging-interceptor
---
-name: io.prometheus simpleclient
+name: com.squareup.okhttp3 okhttp logging-interceptor
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 0.9.0
+version: 4.11.0
libraries:
- - io.prometheus: simpleclient
+ - com.squareup.okhttp3: logging-interceptor
---
-name: io.kubernetes client-java-proto
+name: com.squareup.okio okio
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 11.0.4
+version: 3.6.0
libraries:
- - io.kubernetes: client-java-proto
+ - com.squareup.okio: okio
+ - com.squareup.okio: okio-jvm
+
+---
+
+name: io.prometheus simpleclient
+license_category: binary
+module: extensions/druid-kubernetes-extensions
+license_name: Apache License version 2.0
+version: 0.16.0
+libraries:
+ - io.prometheus: simpleclient
+ - io.prometheus: simpleclient_common
+ - io.prometheus: simpleclient_httpserver
+ - io.prometheus: simpleclient_tracer_common
+ - io.prometheus: simpleclient_tracer_otel
+ - io.prometheus: simpleclient_tracer_otel_agent
+
---
@@ -1017,70 +1032,76 @@ name: com.flipkart.zjsonpatch zjsonpatch
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: Apache License version 2.0
-version: 0.4.11
+version: 0.4.14
libraries:
- com.flipkart.zjsonpatch: zjsonpatch
---
-
-name: org.bouncycastle bcprov-jdk15on
+name: org.bouncycastle bcprov-jdk18on
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
-version: "1.70"
+version: "1.76"
libraries:
- - org.bouncycastle: bcprov-jdk15on
-
+ - org.bouncycastle: bcprov-jdk18on
+ - org.bouncycastle: bcprov-ext-jdk18on
+ - org.bouncycastle: bcpkix-jdk18on
+ - org.bouncycastle: bcutil-jdk18on
---
-name: org.bouncycastle bcprov-ext-jdk15on
+
+name: com.github.vladimir-bukhtoyarov bucket4j-core
license_category: binary
module: extensions/druid-kubernetes-extensions
-license_name: MIT License
-version: "1.70"
+license_name: Apache License version 2.0
+version: 7.6.0
libraries:
- - org.bouncycastle: bcprov-ext-jdk15on
+ - com.github.vladimir-bukhtoyarov: bucket4j-core
---
-name: org.bouncycastle bcpkix-jdk15on
+name: Jetbrains Annotations
license_category: binary
module: extensions/druid-kubernetes-extensions
-license_name: MIT License
-version: "1.70"
+module: extensions/kubernetes-extensions
+license_name: Apache License version 2.0
+version: 13.0
libraries:
- - org.bouncycastle: bcpkix-jdk15on
+ - org.jetbrains: annotations
+
---
-name: org.bouncycastle bcutil-jdk15on
+name: Jetbrains kotlin-stdlib
license_category: binary
-module: extensions/druid-kubernetes-extensions
-license_name: MIT License
-version: "1.70"
+module: extensions/kubernetes-extensions
+license_name: Apache License version 2.0
+version: 1.6.10
libraries:
- - org.bouncycastle: bcutil-jdk15on
+ - org.jetbrains.kotlin: kotlin-stdlib
---
-name: com.squareup.okhttp3 logging-interceptor
+name: Jetbrains kotlin-stdlib common
license_category: binary
-module: extensions/druid-kubernetes-extensions
+module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
-version: 3.14.9
+version: 1.9.10
libraries:
- - com.squareup.okhttp3: logging-interceptor
+ - org.jetbrains.kotlin: kotlin-stdlib-common
---
-
-name: com.github.vladimir-bukhtoyarov bucket4j-core
+name: Jetbrains jdk7 jdk 8
license_category: binary
-module: extensions/druid-kubernetes-extensions
+module: extensions/kubernetes-extensions
license_name: Apache License version 2.0
-version: 4.10.0
+version: 1.8.21
libraries:
- - com.github.vladimir-bukhtoyarov: bucket4j-core
+ - org.jetbrains.kotlin: kotlin-stdlib
+ - org.jetbrains.kotlin: kotlin-stdlib-common
+ - org.jetbrains.kotlin: kotlin-stdlib-jdk7
+ - org.jetbrains.kotlin: kotlin-stdlib-jdk8
---
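Review bot: The `Jetbrains Annotations` entry now carries two `module:` keys (`extensions/druid-kubernetes-extensions` from the context line and the added `extensions/kubernetes-extensions`); duplicate mapping keys are not valid YAML, and loaders either reject the document or silently keep the last value. Drop one of them, and note that `extensions/kubernetes-extensions`, also used by the three kotlin entries below it, differs from the `extensions/druid-kubernetes-extensions` spelling used by every other entry for this module, so anything grouping by module would miss these four.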
@@ -4097,6 +4118,16 @@ libraries:
---
+name: org.elasticsearch securesm
+license_category: binary
+version: 2.1.9
+module: druid-ranger-security
+license_name: Creative Commons CC0
+libraries:
+ - org.hdrhistogram: HdrHistogram
+
+---
+
name: Apache Lucene
license_category: binary
version: 8.4.0
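Review bot: The new `org.elasticsearch securesm` entry lists `org.hdrhistogram: HdrHistogram` as its only library, with `Creative Commons CC0` and module `druid-ranger-security`, so the entry name and the artifact it records do not match; either the name should be `org.hdrhistogram HdrHistogram` or the library line is wrong, and the license should be re-checked against whichever artifact is meant. This entry is also unrelated to the kubernetes/docker-java update described in the commit message, so its origin deserves a line in the description.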
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index f9c3146e358..4d68252dcf4 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -440,9 +440,10 @@
<cve>CVE-2021-4277</cve>
</suppress>
+<!-- the remaining uses of vulnerable okio are in contrib-extensions -->
<suppress>
<notes><![CDATA[
- file name: okio-1.17.2.jar, okio-1.15.0.jar okio 2.8.0
+ file name: okio-1.17.2.jar, okio-1.15.0.jar
]]></notes>
<packageUrl
regex="true">^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl>
<cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are
internal, and not user-facing -->
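Review bot: The updated notes now list only okio 1.17.2 and 1.15.0, but the `packageUrl` regex `^pkg:maven/com\.squareup\.okio/okio@..*$` still matches every okio version, so CVE-2023-3635 would stay suppressed even if one of the modules fixed in this commit regressed to a vulnerable okio; narrowing it to the versions named in the notes, e.g. `okio@1\..*$`, keeps the suppression from masking that. The added comment `<!-- the remaining uses of vulnerable okio are in contrib-extensions -->` sits at column 0 while the surrounding elements are indented, and would be more useful inside the `<notes>` CDATA next to the file names it applies to. Separately, the following hunk removes the CVE-2023-44981 zookeeper suppression with no zookeeper change elsewhere in this diff and no mention in the description; if a newer zookeeper arrived in another commit, saying so would explain why the check no longer needs it.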
@@ -460,18 +461,6 @@
<cve>CVE-2023-5072</cve>
</suppress>
- <!--
- ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a
previous version of the Zookeeper, Druid only
- ~ only uses the client classes of the Zookeeper. We do use the older
version in the quickstart & example docker file,
- ~ however in production it is recomended to use your own Zookeeper server
with the CVE patched up, which the Druid's
- ~ older ZK library is still compatible with.
- -->
- <suppress>
- <notes><![CDATA[
- file name: zookeeper-3.8.3.jar
- ]]></notes>
- <cve>CVE-2023-44981</cve>
- </suppress>
<!--
~ Hostname verification is disabled by default in Netty 4.x, therefore the
version that Druid is using gets flagged,
diff --git a/pom.xml b/pom.xml
index f2144a630ee..938c8d77d4b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -369,26 +369,7 @@
<artifactId>snakeyaml</artifactId>
<version>1.33</version>
</dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
- <version>1.70</version>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-ext-jdk15on</artifactId>
- <version>1.70</version>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk15on</artifactId>
- <version>1.70</version>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcutil-jdk15on</artifactId>
- <version>1.70</version>
- </dependency>
+
<!-- transitive dependency of testng
this would be resolved by updating
testng to 7.8.0 -->
@@ -1113,7 +1094,7 @@
<dependency>
<groupId>com.github.docker-java</groupId>
<artifactId>docker-java-bom</artifactId>
- <version>3.2.13</version>
+ <version>3.3.4</version>
<scope>import</scope>
<type>pom</type>
</dependency>