Posted to commits@druid.apache.org by "clintropolis (via GitHub)" <gi...@apache.org> on 2023/05/10 23:23:54 UTC

[GitHub] [druid] clintropolis opened a new pull request, #14252: suppress hadoop3 cve that seem not applicable to us

clintropolis opened a new pull request, #14252:
URL: https://github.com/apache/druid/pull/14252

   follow-up to #14241


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] clintropolis commented on a diff in pull request #14252: suppress hadoop3 cve that seem not applicable to us

Posted by "clintropolis (via GitHub)" <gi...@apache.org>.
clintropolis commented on code in PR #14252:
URL: https://github.com/apache/druid/pull/14252#discussion_r1190482559


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -806,4 +806,13 @@
     <!-- seems not applicable to plugin -->
     <cve>CVE-2022-45048</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.3.5.jar
+     ]]></notes>
+    <!-- this one is windows only? https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
+    <cve>CVE-2022-26612</cve>
+    <!-- this one seems to apply to backend server? https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
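Review bot: the new `<suppress>` block carries only `<notes>` and `<cve>` children and no matching element (`filePath`, `sha1`, `gav`, `packageUrl` or `cpe`), so dependency-check applies it to every dependency that reports CVE-2022-26612, not just hadoop-client-runtime-3.3.5.jar; the CDATA naming the jar is documentation only and does not scope the rule. Suggest adding a matcher beside the notes, for example `<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop-client-runtime@.*$</packageUrl>`, so a second library carrying the same CVE is still reported. Note also that the hunk header announces 13 lines but only 11 are shown, so the lines following the CVE-2023-25613 comment (including whatever closes this `<suppress>`) are not visible in this view and should be checked in the full diff.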

Review Comment:
   we are on the newest version unfortunately, 3.3.5 https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-client-runtime, so not an option either.





[GitHub] [druid] gianm commented on a diff in pull request #14252: suppress hadoop3 cve that seem not applicable to us

Posted by "gianm (via GitHub)" <gi...@apache.org>.
gianm commented on code in PR #14252:
URL: https://github.com/apache/druid/pull/14252#discussion_r1190481465


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -806,4 +806,13 @@
     <!-- seems not applicable to plugin -->
     <cve>CVE-2022-45048</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.3.5.jar
+     ]]></notes>
+    <!-- this one is windows only? https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
+    <cve>CVE-2022-26612</cve>
+    <!-- this one seems to apply to backend server? https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->

Review Comment:
   Could we upgrade the hadoop client?
   
   If we can't do any of this stuff, then I agree this appears to be about the backend server, which presumably we wouldn't be using in a client. So I think a suppression is OK. But it should be a last resort due to the severity. (Even if it's a false positive, suppressed high-sev false positives create a bunch of work for downstream consumers that run their own scans.)
   
   Ditch the "?" in the comment, though, once this analysis is complete. We need to be confident when suppressing things.



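As an added example (not code from the Druid project or from this PR), the following Python script lints a dependency-check suppressions file for the concerns raised in this review: a `<suppress>` entry with no scoping matcher (which silences the CVE for every dependency), an entry with no `<notes>` rationale, and a rationale still hedged with a question mark. The sample XML is constructed here and modelled on the hunk above; the `packageUrl` matcher in the second entry and the schema namespace are assumptions about how one would scope such an entry, not lines taken from the PR.

```python
"""Lint an OWASP dependency-check suppressions XML for risky entries.

Added example; the sample document below is constructed for illustration
and mirrors the shape of owasp-dependency-check-suppressions.xml entries.
"""
import xml.etree.ElementTree as ET

# Elements that restrict which dependency a <suppress> applies to. An entry
# without any of these suppresses its <cve> children for all dependencies.
MATCHERS = {"filePath", "sha1", "gav", "packageUrl", "cpe"}


def _name(tag):
    """Local element name with the namespace stripped; None for comment nodes."""
    if not isinstance(tag, str):
        return None
    return tag.rsplit("}", 1)[-1]


def lint_suppressions(xml_text):
    """Return one {'cves': [...], 'problems': [...]} dict per <suppress> entry.

    XML comments are kept while parsing, because in practice the reasoning
    often ends up in a comment next to the <cve> rather than in <notes>.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    results = []
    for sup in root.iter():
        if _name(sup.tag) != "suppress":
            continue
        child_names = {_name(c.tag) for c in sup}
        cves = [c.text.strip() for c in sup if _name(c.tag) == "cve" and c.text]
        comments = [c.text for c in sup if c.tag is ET.Comment and c.text]
        notes = " ".join((c.text or "").strip() for c in sup if _name(c.tag) == "notes")

        problems = []
        if not child_names & MATCHERS:
            problems.append("unscoped: no filePath/sha1/gav/packageUrl/cpe matcher, "
                            "so these CVEs are suppressed for every dependency")
        if not notes:
            problems.append("missing <notes> rationale")
        if "?" in notes or any("?" in c for c in comments):
            problems.append("hedged rationale ('?'): resolve the question before suppressing")
        results.append({"cves": cves, "problems": problems})
    return results


# Constructed sample: the first entry copies the shape of the PR hunk (notes hold
# only a file name, the reasoning is a hedged comment, no matcher); the second is
# the same suppression scoped to the hadoop-client-runtime artifact with a
# definite rationale. The namespace is the dependency-check suppression schema
# URL; the packageUrl value is an assumption about the artifact's coordinates.
SAMPLE = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
     file name: hadoop-client-runtime-3.3.5.jar
     ]]></notes>
    <!-- this one is windows only? https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
    <cve>CVE-2022-26612</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[
     hadoop-client-runtime-3.3.5.jar: CVE-2022-26612 was fixed in 3.2.3 and we ship 3.3.5
     ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop-client-runtime@.*$</packageUrl>
    <cve>CVE-2022-26612</cve>
  </suppress>
</suppressions>
"""

if __name__ == "__main__":
    for i, entry in enumerate(lint_suppressions(SAMPLE), 1):
        status = "OK" if not entry["problems"] else "; ".join(entry["problems"])
        print(f"suppress #{i} {entry['cves']}: {status}")
```

Run against a real suppressions file by reading it into `lint_suppressions`; an entry that reports "unscoped" is the case to fix first, since it hides the CVE in every artifact the scanner sees, not only the one named in the notes.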


[GitHub] [druid] clintropolis merged pull request #14252: suppress hadoop3 cve that seem not applicable to us

Posted by "clintropolis (via GitHub)" <gi...@apache.org>.
clintropolis merged PR #14252:
URL: https://github.com/apache/druid/pull/14252




[GitHub] [druid] clintropolis commented on a diff in pull request #14252: suppress hadoop3 cve that seem not applicable to us

Posted by "clintropolis (via GitHub)" <gi...@apache.org>.
clintropolis commented on code in PR #14252:
URL: https://github.com/apache/druid/pull/14252#discussion_r1190482807


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -806,4 +806,13 @@
     <!-- seems not applicable to plugin -->
     <cve>CVE-2022-45048</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.3.5.jar
+     ]]></notes>
+    <!-- this one is windows only? https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
+    <cve>CVE-2022-26612</cve>
+    <!-- this one seems to apply to backend server? https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->

Review Comment:
   >Ditch the "?" in the comment, though, once this analysis is complete. We need to be confident when suppressing things.
   
   heh, I'm not sure I'm ever fully confident when suppressing things, this stuff stresses me out





[GitHub] [druid] gianm commented on a diff in pull request #14252: suppress hadoop3 cve that seem not applicable to us

Posted by "gianm (via GitHub)" <gi...@apache.org>.
gianm commented on code in PR #14252:
URL: https://github.com/apache/druid/pull/14252#discussion_r1190474791


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -806,4 +806,13 @@
     <!-- seems not applicable to plugin -->
     <cve>CVE-2022-45048</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.3.5.jar
+     ]]></notes>
+    <!-- this one is windows only? https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
+    <cve>CVE-2022-26612</cve>
+    <!-- this one seems to apply to backend server? https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->

Review Comment:
   This one is for Apache Kerby. Can we instead exclude it (if we're not using it) or upgrade it to 2.0.3 (if we are using it transitively)?



##########
owasp-dependency-check-suppressions.xml:
##########
@@ -806,4 +806,13 @@
     <!-- seems not applicable to plugin -->
     <cve>CVE-2022-45048</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.3.5.jar
+     ]]></notes>
+    <!-- this one is windows only? https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
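Review bot: the rationale for CVE-2022-26612 lives in an XML comment ("this one is windows only?") while the `<notes>` CDATA records only the file name; `<notes>` is the element the suppression schema provides for documenting why an entry exists, so the reason belongs there, stated as a conclusion rather than a question, with the comment dropped once the entry is settled.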

Review Comment:
   This one says it was addressed in 3.2.3. Looks like we're using 3.3.5. I would think it's irrelevant just on that basis.





[GitHub] [druid] clintropolis commented on a diff in pull request #14252: suppress hadoop3 cve that seem not applicable to us

Posted by "clintropolis (via GitHub)" <gi...@apache.org>.
clintropolis commented on code in PR #14252:
URL: https://github.com/apache/druid/pull/14252#discussion_r1190475554


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -806,4 +806,13 @@
     <!-- seems not applicable to plugin -->
     <cve>CVE-2022-45048</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+     file name: hadoop-client-runtime-3.3.5.jar
+     ]]></notes>
+    <!-- this one is windows only? https://nvd.nist.gov/vuln/detail/CVE-2022-26612 -->
+    <cve>CVE-2022-26612</cve>
+    <!-- this one seems to apply to backend server? https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->

Review Comment:
   it's shaded inside the Hadoop client jar, so probably not?


