Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2022/04/14 18:22:24 UTC

[GitHub] [druid] jihoonson opened a new pull request, #12437: Suppress CVE-2021-43138

jihoonson opened a new pull request, #12437:
URL: https://github.com/apache/druid/pull/12437

   ### Description
   
   The Travis CI cron job flagged https://nvd.nist.gov/vuln/detail/CVE-2021-43138. This failure is a false alarm as the CVE is about the Async JavaScript library (https://github.com/caolan/async), not `async-http-client-netty-utils`. Even though we do use the Async library for the web console development, I think we can still suppress this CVE as the Async library is a [dev dependency](https://github.com/apache/druid/blob/master/web-console/package-lock.json#L6394-L6402).
   
   This PR also cleans up a stale suppression for netty-3.10.5.Final which we no longer use.
   
   
   This PR has:
   - [x] been self-reviewed.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] jihoonson commented on a diff in pull request #12437: Suppress CVE-2021-43138

Posted by GitBox <gi...@apache.org>.
jihoonson commented on code in PR #12437:
URL: https://github.com/apache/druid/pull/12437#discussion_r851544444


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -287,20 +287,6 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
-  <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-      -->
-    <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-  </suppress>
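Review bot: the entry deleted here did not cover a direct netty dependency; its notes say `file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)`, so "we no longer use netty 3.10.5.Final" only justifies the removal if ambari-metrics-common itself has left every module the scan covers. Confirm that with `mvn dependency:tree` (or an `aggregate` run, since `check` on the root project alone does not see a shaded jar that lives in a child module) before dropping the suppression, and say in the PR description which dependency change made it stale. The TODO in the deleted comment (artifact last released July 2018) argues for replacing the dependency, not for deleting its suppression while the jar is still shipped.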

Review Comment:
   > This PR also cleans up a stale suppression for netty-3.10.5.Final which we no longer use.





[GitHub] [druid] suneet-s merged pull request #12437: Suppress CVE-2021-43138

Posted by GitBox <gi...@apache.org>.
suneet-s merged PR #12437:
URL: https://github.com/apache/druid/pull/12437




[GitHub] [druid] jihoonson commented on a diff in pull request #12437: Suppress CVE-2021-43138

Posted by GitBox <gi...@apache.org>.
jihoonson commented on code in PR #12437:
URL: https://github.com/apache/druid/pull/12437#discussion_r852486219


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -287,20 +287,6 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
-  <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-      -->
-    <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-  </suppress>

Review Comment:
   I see what's going on. I was using the same `mvn dependency-check:check` command that we are running on Travis. [This command checks only the project dependencies](https://jeremylong.github.io/DependencyCheck/dependency-check-maven/plugin-info.html). The command @suneet-s ran was `mvn dependency-check:aggregate`, which checks the project dependencies as well as the dependencies of all child modules. This is why I missed the error about netty 3.10.5.Final in Ambari. I reverted my netty change.
   
   Looking at the GitHub history, we tried to change the command to `mvn dependency-check:aggregate` in https://github.com/apache/druid/pull/10883, but we reverted that change in https://github.com/apache/druid/pull/11709 because it was not correctly configured and was blocking our release. I think we should use `mvn dependency-check:aggregate` again with a proper configuration, such as [skipTestScope](https://jeremylong.github.io/DependencyCheck/dependency-check-maven/aggregate-mojo.html#skipTestScope) to skip tests. This should be done in a separate PR.





[GitHub] [druid] jihoonson commented on a diff in pull request #12437: Suppress CVE-2021-43138

Posted by GitBox <gi...@apache.org>.
jihoonson commented on code in PR #12437:
URL: https://github.com/apache/druid/pull/12437#discussion_r851544444


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -287,20 +287,6 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
-  <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-      -->
-    <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-  </suppress>

Review Comment:
   > This PR also cleans up a stale suppression for netty-3.10.5.Final which we no longer use.
   
   This part removed is what I mentioned in the PR description.
   
   > When I ran the dependency check job on top of this PR I still got some failures
   
   What was the failure you saw? I guess it was the jackson-bind that should be fixed in https://github.com/apache/druid/pull/12411?





[GitHub] [druid] suneet-s commented on a diff in pull request #12437: Suppress CVE-2021-43138

Posted by GitBox <gi...@apache.org>.
suneet-s commented on code in PR #12437:
URL: https://github.com/apache/druid/pull/12437#discussion_r851553622


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -287,20 +287,6 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
-  <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-      -->
-    <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-  </suppress>

Review Comment:
   ```
   [ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.0.3:aggregate (default-cli) on project druid: 
   [ERROR] 
   [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
   [ERROR] 
   [ERROR] ambari-metrics-common-2.7.0.0.0.jar/META-INF/maven/io.netty/netty/pom.xml: CVE-2019-16869, CVE-2021-37136, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444
   [ERROR] ambari-metrics-common-2.7.0.0.0.jar/META-INF/maven/org.apache.hadoop/hadoop-annotations/pom.xml: CVE-2022-26612
   [ERROR] hadoop-yarn-server-common-2.8.5.jar: CVE-2022-26612
   [ERROR] jackson-databind-2.10.5.1.jar: CVE-2020-36518
   [ERROR] jackson-xc-1.9.13.jar: CVE-2020-36518
   [ERROR] jedis-2.9.0.jar: CVE-2021-32626
   [ERROR] log4j-1.2.17.jar: CVE-2021-4104, CVE-2020-9493, CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
   [ERROR] pom.xml: CVE-2022-26612
   [ERROR] pac4j-core-3.8.3.jar: CVE-2021-44878
   [ERROR] parquet-jackson-1.12.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2020-36518
   [ERROR] solr-solrj-7.7.1.jar: CVE-2021-44548
   [ERROR] 
   [ERROR] See the dependency-check report for more details.
   ```



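The netty entry deleted in this PR looked stale under `mvn dependency-check:check` but was still needed under `aggregate`, as the two quoted runs show. The Python script below is added here as an illustration and is not part of Druid or dependency-check: it parses the `[ERROR]` finding lines of a run made without a candidate suppression and reports which suppression entries (matched by CVE id) that run proves are still needed; the sample outputs and the suppression file are constructed from the lines quoted in this thread.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples modelled on the two runs quoted in this thread, both made without the
# netty suppression: `check` sees only the root project's dependencies, `aggregate` sees all modules'.
_HEADER = ("[ERROR] One or more dependencies were identified with vulnerabilities "
           "that have a CVSS score greater than or equal to '7.0':\n[ERROR]\n")
CHECK_OUTPUT = _HEADER + "[ERROR] jackson-databind-2.10.5.1.jar: CVE-2020-36518\n"
AGGREGATE_OUTPUT = CHECK_OUTPUT + (
    "[ERROR] ambari-metrics-common-2.7.0.0.0.jar/META-INF/maven/io.netty/netty/pom.xml: "
    "CVE-2019-16869, CVE-2021-37136, CVE-2021-37137, CVE-2019-20445, CVE-2019-20444\n"
    "[ERROR] log4j-1.2.17.jar: CVE-2021-4104, CVE-2020-9493\n")
# Constructed suppression file; the netty entry mirrors the one deleted in the hunk.
SUPPRESSIONS = r"""<suppressions>
  <suppress>
    <notes><![CDATA[file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
    <cve>CVE-2019-16869</cve><cve>CVE-2019-20444</cve><cve>CVE-2019-20445</cve>
    <cve>CVE-2021-37136</cve><cve>CVE-2021-37137</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[file name: log4j-1.2.17.jar]]></notes>
    <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
    <cve>CVE-2019-17571</cve>
  </suppress>
</suppressions>"""
# One finding line looks like "[ERROR] <artifact path>: CVE-..., CVE-..."
FINDING_RE = re.compile(r"^\[ERROR\] (?P<path>\S+): (?P<cves>CVE-\d{4}-\d+(?:, CVE-\d{4}-\d+)*)\s*$")

def parse_findings(output):
    """Map each flagged artifact path to the set of CVE ids reported for it."""
    findings = {}
    for m in filter(None, map(FINDING_RE.match, output.splitlines())):
        findings.setdefault(m["path"], set()).update(m["cves"].split(", "))
    return findings

def parse_suppressions(xml_text):
    """Return (notes, cve set) per <suppress> entry; tag names are namespace-stripped."""
    local = lambda el: el.tag.split("}")[-1]
    entries = []
    for el in ET.fromstring(xml_text).iter():
        if local(el) == "suppress":
            notes = "".join((c.text or "") for c in el if local(c) == "notes").strip()
            entries.append((notes, {(c.text or "").strip() for c in el if local(c) == "cve"}))
    return entries

def still_needed(suppressions_xml, run_output):
    """Entries whose CVEs resurface in a run made without them: notes -> triggering paths."""
    findings = parse_findings(run_output)
    return {notes: sorted(p for p, found in findings.items() if found & cves)
            for notes, cves in parse_suppressions(suppressions_xml)
            if any(found & cves for found in findings.values())}
```

Matching on CVE ids is deliberately coarse, since the `[ERROR]` lines carry artifact paths rather than package URLs; the point is that the answer for the netty entry flips between the `check` and `aggregate` outputs.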


[GitHub] [druid] suneet-s commented on a diff in pull request #12437: Suppress CVE-2021-43138

Posted by GitBox <gi...@apache.org>.
suneet-s commented on code in PR #12437:
URL: https://github.com/apache/druid/pull/12437#discussion_r851461542


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -287,20 +287,6 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
-  <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-      -->
-    <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-  </suppress>

Review Comment:
   This change seems unrelated?
   
   When I ran the dependency check job on top of this PR, I still got some failures.





[GitHub] [druid] jihoonson commented on a diff in pull request #12437: Suppress CVE-2021-43138

Posted by GitBox <gi...@apache.org>.
jihoonson commented on code in PR #12437:
URL: https://github.com/apache/druid/pull/12437#discussion_r851592069


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -287,20 +287,6 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
-  <suppress>
-    <!--
-      - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
-      -->
-    <notes><![CDATA[
-    file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
-    <cve>CVE-2019-16869</cve>
-    <cve>CVE-2019-20444</cve>
-    <cve>CVE-2019-20445</cve>
-    <cve>CVE-2021-37136</cve>
-    <cve>CVE-2021-37137</cve>
-  </suppress>

Review Comment:
   Hmm, it's strange. This is what I see.
   
   ```
   $ mvn dependency-check:purge dependency-check:check
   ...
   [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
   [ERROR] 
   [ERROR] jackson-databind-2.10.5.1.jar: CVE-2020-36518
   [ERROR] 
   [ERROR] See the dependency-check report for more details.
   ```


