ramackri commented on PR #1006: URL: https://github.com/apache/ranger/pull/1006#issuecomment-4671769692
> Security Analysis Summary
>
> No Critical Security Vulnerabilities Identified ✓
>
> This PR focuses on fixing CI infrastructure and dependency packaging issues for plugin Docker containers. The changes are primarily operational and dependency management—not introducing new attack surfaces.
>
> Key Security Findings:
>
> 1. Dependency Additions (Knox & Ozone plugins)
>    - Added packages: Jersey/JAX-RS, HK2 injection framework, Jackson, Woodstox
>    - Risk Level: ✓ Low — These are standard libraries used for REST client communication in the auditserver functionality, already present in other plugin assemblies (HDFS, Hive)
>    - No new vulnerabilities: The dependencies are explicitly managed and part of Apache's standard ecosystem
> 2. Version Upgrades
>    - Knox: 2.0.0 → 2.1.0
>      - Risk Level: ✓ Low — Upgrade improves security by adding JDK 17 compatibility fixes (KNOX-2923)
>      - Includes internal security fixes for SSL certificate generation
>    - Ozone Runner: 20230615-1 → 20241022-jdk17-1
>      - Risk Level: ✓ Low — Newer container image with updated JDK 17 and bug fixes
> 3. JDK 17 Module Exports (knox-jdk17-env.sh)
>    - Analysis: The PR adds module exports via --add-exports and --add-opens flags:
>
>      ```bash
>      --add-exports=java.base/sun.security.x509=ALL-UNNAMED
>      --add-exports=java.base/sun.security.pkcs=ALL-UNNAMED
>      ```
>
>    - Risk Level: ✓ Acceptable — These are temporary workarounds for Knox's internal API dependencies (well-documented in KNOX-3210/KNOX-2923)
>    - Best Practice: This is a known pattern for managing JDK internals. However, this should be treated as a technical debt item tracked for future Knox versions that don't rely on internal APIs.
> 4. Shell Script Changes
>    - Cache optimization (download-archives.sh, extractOzoneIfNeeded()):
>      - Risk Level: ✓ Low — Removes redundant extraction; improves CI efficiency
>      - No authentication or secrets handling involved
>    - SCM leader wait (ranger-ozone-setup.sh):
>      - Risk Level: ✓ Low — Adds timeout-based waiting mechanism; well-guarded against hanging
> 5. Dockerfile Changes
>    - Added OZONE_OPTS=-XX:-UseContainerSupport to handle JDK 17 cgroup metrics issues
>    - Risk Level: ✓ Low — Standard JVM tuning flag, no security implication
> 6. Dependency Scoping
>    - All new dependencies are properly scoped (compile/runtime, not test)
>    - Assembly files correctly whitelist packages; no overly permissive includes
>
> Potential Considerations (Non-Critical):
>
> - Module Export Breadth: The use of ALL-UNNAMED is broad but necessary for compatibility. This is a known limitation with JDK modules.
> - Implicit Javax→Jakarta Migration: Jersey 2.47/HK2 2.6.1 pull jakarta.inject while code still uses javax.inject. The PR correctly includes both—this is a known pattern during the Java EE → Jakarta EE transition and poses no security risk.

cc >> @mneethiraj @kumaab

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
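
The "Module Export Breadth" point in the comment above can be checked mechanically when reviewing a JVM options file. The following is an added example, not part of the comment or of the Ranger or Knox code: it lists every `--add-exports`/`--add-opens` override and counts those granted to `ALL-UNNAMED`. The function names, the `SAMPLE_OPTS` variable and the `--add-opens` sample line are constructed for illustration; only the two `--add-exports` values come from the comment.

```shell
#!/usr/bin/env bash
# Added example: inventory JPMS encapsulation overrides in JVM options text.

# Constructed sample. The two --add-exports values are quoted in the comment;
# the variable name, -Xmx value and --add-opens line are made up.
SAMPLE_OPTS='export KNOX_OPTS_EXAMPLE="-Xmx512m
  --add-exports=java.base/sun.security.x509=ALL-UNNAMED
  --add-exports=java.base/sun.security.pkcs=ALL-UNNAMED
  --add-opens java.base/java.lang=ALL-UNNAMED"'

# Read options text on stdin and print one line per override:
#   "<flag> <module>/<package> <target>"
list_module_overrides() {
  # Split into one token per line, join the space-separated form
  # (--add-opens a/b=c) into the = form, then split the three fields.
  tr -s ' \t"' '\n\n\n' \
    | awk '
        pending != "" { print pending "=" $0; pending = ""; next }
        /^--add-(exports|opens)$/ { pending = $0; next }
        /^--add-(exports|opens)=/ { print }
      ' \
    | sed -E 's/^--(add-[a-z]+)=([^=]+)=(.*)$/\1 \2 \3/'
}

# Count overrides whose target list includes ALL-UNNAMED, i.e. the package is
# exposed to every class loaded from the classpath.
count_all_unnamed() {
  list_module_overrides \
    | awk '$3 ~ /(^|,)ALL-UNNAMED(,|$)/ { n++ } END { print n + 0 }'
}

# Count --add-opens entries, which also permit deep reflection into the
# package's non-public members (broader than --add-exports).
count_opens() {
  list_module_overrides | awk '$1 == "add-opens" { n++ } END { print n + 0 }'
}

# Show the inventory for the constructed sample.
printf '%s\n' "$SAMPLE_OPTS" | list_module_overrides
```

Run against the real options file in review, the listing gives a concrete inventory to attach to the technical-debt item the comment recommends tracking.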
