Posted to commits@druid.apache.org by "janjwerner-confluent (via GitHub)" <gi...@apache.org> on 2023/11/30 17:15:28 UTC

[PR] update few minor dependencies to resolve CVEs (druid)

janjwerner-confluent opened a new pull request, #15464:
URL: https://github.com/apache/druid/pull/15464

   ### Description
   Update multiple dependencies to clear CVEs
   Update dropwizard-metrics to 4.2.22 to address https://github.com/advisories/GHSA-mm8h-8587-p46h in com.rabbitmq:amqp-client
   Update ant to 1.10.14 to resolve https://github.com/advisories/GHSA-f62v-xpxf-3v68 https://github.com/advisories/GHSA-4p6w-m9wc-c9c9 https://github.com/advisories/GHSA-q5r4-cfpx-h6fh https://github.com/advisories/GHSA-5v34-g2px-j4fw
   Update commons-compress to resolve https://github.com/advisories/GHSA-cgwf-w82q-5jrr
   Update jose4j to 0.9.3 to resolve https://github.com/advisories/GHSA-7g24-qg88-p43q https://github.com/advisories/GHSA-jgvc-jfgh-rjvv
   Update kotlin-stdlib to 1.4.21 to resolve https://github.com/advisories/GHSA-cqj8-47ch-rvvq
   
   
   This PR has:
   
   - [ ] been self-reviewed.
      - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
   - [ ] added documentation for new or modified features or behaviors.
   - [ ] a release note entry in the PR description.
   - [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
   - [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   - [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
   - [ ] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
   - [ ] added integration tests.
   - [ ] been tested in a test Druid cluster.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


Re: [PR] update few minor dependencies to resolve CVEs (druid)

Posted by "janjwerner-confluent (via GitHub)" <gi...@apache.org>.
janjwerner-confluent commented on code in PR #15464:
URL: https://github.com/apache/druid/pull/15464#discussion_r1412514413


##########
pom.xml:
##########
@@ -388,6 +388,21 @@
                 <artifactId>bcutil-jdk15on</artifactId>
                 <version>1.70</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.ant</groupId>
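Review bot: the new `org.apache.ant` declaration lands straight after the `bcutil-jdk15on` 1.70 entry with nothing distinguishing it from the direct dependencies around it, so a later reader of pom.xml cannot tell that this is a transitive pin that exists only to shadow a vulnerable version. Precede it with a comment naming the advisories and the dependency that drags the old ant in, along the lines of `<!-- transitive pin for GHSA-f62v-xpxf-3v68 et al.; pulled in by <direct dependency>; remove once it upgrades -->`, and group such pins in their own block rather than interleaving them with the managed direct dependencies. The hunk header announces 15 added lines but only `<dependency>` and the groupId are visible, so the `<version>` (1.10.14 per the description) and any `<scope>` or `<exclusions>` on this entry cannot be checked from what is shown.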

Review Comment:
   It would be worthwhile to separate sections of direct and transitive dependencies, as well as identify the dependencies that belong to specific modules. 
   Adding clarifications to the dependency specifications that were added.





Re: [PR] update few minor dependencies to resolve CVEs (druid)

Posted by "janjwerner-confluent (via GitHub)" <gi...@apache.org>.
janjwerner-confluent commented on code in PR #15464:
URL: https://github.com/apache/druid/pull/15464#discussion_r1412132754


##########
pom.xml:
##########
@@ -388,6 +388,21 @@
                 <artifactId>bcutil-jdk15on</artifactId>
                 <version>1.70</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.ant</groupId>

Review Comment:
   This isn't adding new deps, just pinning the versions to avoid vulnerable components. 





Re: [PR] update few minor dependencies to resolve CVEs (druid)

Posted by "xvrl (via GitHub)" <gi...@apache.org>.
xvrl commented on code in PR #15464:
URL: https://github.com/apache/druid/pull/15464#discussion_r1412484841


##########
pom.xml:
##########
@@ -388,6 +388,21 @@
                 <artifactId>bcutil-jdk15on</artifactId>
                 <version>1.70</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.ant</groupId>

Review Comment:
   can we add some comments to separate those dependency declarations from the ones we depend on directly? We should also note which dependencies pull in those affected versions. We'll want to remove them as soon as possible to avoid pinning to older versions whenever the direct dependencies upgrade or remove the affected ones.





Re: [PR] update few minor dependencies to resolve CVEs (druid)

Posted by "abhishekagarwal87 (via GitHub)" <gi...@apache.org>.
abhishekagarwal87 merged PR #15464:
URL: https://github.com/apache/druid/pull/15464




Re: [PR] update few minor dependencies to resolve CVEs (druid)

Posted by "cryptoe (via GitHub)" <gi...@apache.org>.
cryptoe commented on code in PR #15464:
URL: https://github.com/apache/druid/pull/15464#discussion_r1411859732


##########
pom.xml:
##########
@@ -388,6 +388,21 @@
                 <artifactId>bcutil-jdk15on</artifactId>
                 <version>1.70</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.ant</groupId>

Review Comment:
   What's the reasoning behind adding new deps?




