Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/04/08 15:10:32 UTC
[GitHub] [druid] bolkedebruin opened a new pull request #9649: Document possible vulnerabilities for the druid-ranger-security
bolkedebruin opened a new pull request #9649: Document possible vulnerabilities for the druid-ranger-security
URL: https://github.com/apache/druid/pull/9649
In certain configurations the ranger plugin can expose vulnerabilities due
to some of its dependencies having CVEs.
@ccaominh @himanshug I have chosen to document rather than exclude. For log4j it seems not to be a full drop-in replacement. In both it will only manifest itself in certain configurations which are non-default.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9649: Document possible vulnerabilities for the druid-ranger-security
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9649: Document possible vulnerabilities for the druid-ranger-security
URL: https://github.com/apache/druid/pull/9649#issuecomment-611121176
LGTM, can you verify that the build gets fixed?
[GitHub] [druid] bolkedebruin commented on issue #9649: Document possible vulnerabilities for the druid-ranger-security
Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on issue #9649: Document possible vulnerabilities for the druid-ranger-security
URL: https://github.com/apache/druid/pull/9649#issuecomment-611121850
I did a `mvn clean && mvn install -DskipTests=true -Dtar -T 8` and a `mvn dependency-check:check` both passed locally.
[GitHub] [druid] himanshug commented on a change in pull request #9649: Document possible vulnerabilities for the druid-ranger-security
Posted by GitBox <gi...@apache.org>.
himanshug commented on a change in pull request #9649: Document possible vulnerabilities for the druid-ranger-security
URL: https://github.com/apache/druid/pull/9649#discussion_r405730466
##########
File path: owasp-dependency-check-suppressions.xml
##########
@@ -187,4 +187,36 @@
<packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
<vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
</suppress>
+ <suppress>
+ <!--
+ ~ TODO: Fix when Apache Ranger 2.1 is released
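Review bot: the new `<suppress>` block opens with a free-form TODO comment ("Fix when Apache Ranger 2.1 is released") but nothing in it makes the suppression lapse on its own; unlike the preceding node-sass entry, which is scoped to one `<vulnerabilityName>`, the visible lines of this entry show no scoping element yet, so please make sure the entry pins the specific CVE(s) or `<vulnerabilityName>` rather than the whole `packageUrl`. Since this silences a scanner finding instead of fixing it, give the element the `until="YYYY-MM-DDZ"` attribute that dependency-check suppressions support so the build fails again once the date passes, and put the tracking issue number next to the TODO so whoever hits that failure knows what to do.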
Review comment:
Can you create a GitHub issue for this?
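One way to keep TODO-style suppressions like the one under review from silently outliving their reason, as an added example that is not part of the Druid PR or of dependency-check itself: a small Python audit of an owasp-dependency-check-suppressions.xml that flags entries with no expiry, an already-passed expiry, no CVE/CPE/vulnerabilityName scope, or a TODO that cites no tracking issue. The sample XML is constructed for the example (the node-sass entry mirrors the hunk's context lines; the Ranger and log4j entries and the "#1234" issue reference are placeholders); the `suppress`, `until`, `packageUrl`, `cve`, `cpe`, `vulnerabilityName`, `cvssBelow` and `notes` names are those of the dependency-check suppression schema.

```python
"""Audit an OWASP dependency-check suppressions file for open-ended entries.

Added example, not code from the Druid PR or from dependency-check. It parses
<suppress> elements and reports entries that (a) name no CVE/CPE/vulnerability
and so silence every finding for the package, (b) carry no until= expiry,
(c) have already expired, or (d) explain themselves with a TODO that cites no
tracking issue. The sample file below is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample. The node-sass entry mirrors the hunk context; the Ranger
# and log4j entries and the "#1234" issue reference are placeholders.
SAMPLE_SUPPRESSIONS = r"""
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2020-12-31Z">
    <notes>build-time tooling only, not shipped in the distribution</notes>
    <packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
    <vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
  </suppress>
  <suppress>
    <!-- TODO: Fix when Apache Ranger 2.1 is released -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.ranger/.*$</packageUrl>
  </suppress>
  <suppress until="2020-01-01Z">
    <!-- false-positive CPE match, tracked in #1234 -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/.*$</packageUrl>
    <cpe>cpe:/a:apache:log4j</cpe>
  </suppress>
</suppressions>
"""

# Elements that narrow a suppression to specific findings rather than the whole package.
SCOPING_ELEMENTS = {"cve", "cpe", "vulnerabilityName", "cvssBelow"}
ISSUE_REF = re.compile(r"#\d+|https?://\S+/issues/\d+")


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text):
    """Return one dict per <suppress> element, keeping XML comments as rationale."""
    # insert_comments=True makes the builder keep <!-- --> nodes (tag is ET.Comment),
    # which is where the PR's TODO lives; plain ET.fromstring would drop them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    entries = []
    for el in root:
        if el.tag is ET.Comment or _local_name(el.tag) != "suppress":
            continue
        entry = {"until": el.get("until"), "packageUrl": None, "scope": [], "rationale": []}
        for child in el:
            text = (child.text or "").strip()
            if child.tag is ET.Comment:
                entry["rationale"].append(text)
                continue
            name = _local_name(child.tag)
            if name == "notes":
                entry["rationale"].append(text)
            elif name == "packageUrl":
                entry["packageUrl"] = text
            elif name in SCOPING_ELEMENTS:
                entry["scope"].append((name, text))
        entries.append(entry)
    return entries


def audit(entries, today):
    """Return (label, problem) pairs for suppressions that should not stay as they are."""
    findings = []
    for index, entry in enumerate(entries, start=1):
        label = entry["packageUrl"] or "entry %d" % index
        if not entry["scope"]:
            findings.append((label, "no cve/cpe/vulnerabilityName: suppresses every finding for the package"))
        if entry["until"] is None:
            findings.append((label, "no until= expiry, so the suppression never lapses"))
        else:
            expiry = date.fromisoformat(entry["until"][:10])  # schema value looks like 2020-12-31Z
            if expiry < today:
                findings.append((label, "expired on %s, re-check or remove" % expiry.isoformat()))
        rationale = " ".join(entry["rationale"])
        if "TODO" in rationale and not ISSUE_REF.search(rationale):
            findings.append((label, "TODO without a tracking issue reference"))
    return findings


def audit_sample(today=date(2020, 4, 8)):
    """Run the audit over the constructed sample, by default as of the PR's date."""
    return audit(parse_suppressions(SAMPLE_SUPPRESSIONS), today)


if __name__ == "__main__":
    for label, problem in audit_sample():
        print("%s: %s" % (label, problem))
```

Run against the constructed sample as of 2020-04-08 it reports nothing for the scoped, dated node-sass entry, three problems for the Ranger entry (unscoped, no expiry, TODO with no issue reference) and one for the log4j entry (expired). Pointing `parse_suppressions` at a real file and wiring the audit into CI next to `mvn dependency-check:check` is the natural next step; the point is that a suppression with an `until` date fails loudly on its own, whereas a TODO comment only helps if someone re-reads the file.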
[GitHub] [druid] himanshug commented on issue #9649: Document possible vulnerabilities for the druid-ranger-security
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9649: Document possible vulnerabilities for the druid-ranger-security
URL: https://github.com/apache/druid/pull/9649#issuecomment-611337438
sgtm, but I will let @ccaominh approve this as he is more familiar with the specifics.
[GitHub] [druid] ccaominh merged pull request #9649: Document possible vulnerabilities for the druid-ranger-security
Posted by GitBox <gi...@apache.org>.
ccaominh merged pull request #9649: Document possible vulnerabilities for the druid-ranger-security
URL: https://github.com/apache/druid/pull/9649
[GitHub] [druid] bolkedebruin commented on a change in pull request #9649: Document possible vulnerabilities for the druid-ranger-security
Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on a change in pull request #9649: Document possible vulnerabilities for the druid-ranger-security
URL: https://github.com/apache/druid/pull/9649#discussion_r405733421
##########
File path: owasp-dependency-check-suppressions.xml
##########
@@ -187,4 +187,36 @@
<packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
<vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
</suppress>
+ <suppress>
+ <!--
+ ~ TODO: Fix when Apache Ranger 2.1 is released
Review comment:
Done