Posted to commits@druid.apache.org by "tejaswini-imply (via GitHub)" <gi...@apache.org> on 2023/05/16 07:40:58 UTC

[GitHub] [druid] tejaswini-imply opened a new pull request, #14291: Suppress CVEs

tejaswini-imply opened a new pull request, #14291:
URL: https://github.com/apache/druid/pull/14291

   Security vulnerabilities check Cron job failure - https://github.com/apache/druid/actions/runs/4976066408/jobs/8903803838
   - CVE-2021-4277 -> `plexus-utils-3.0.24.jar, async-http-client-netty-utils-2.5.3.jar` are falsely flagged - https://github.com/jeremylong/DependencyCheck/issues/5213
   - CVE-2018-10237, CVE-2020-8908 -> reported for `guava-16.0.1.jar`; these seem legit and guava has to be upgraded to version `30.0-jre` or above
   - CVE-2019-10219, CVE-2019-14900, CVE-2020-10693 -> from dependencies of `hibernate-validator-5.3.6.Final.jar`
   - CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-43797, CVE-2022-24823 -> from dependencies of `netty-3.10.6.Final.jar`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


Re: [PR] Suppress CVEs (druid)

Posted by "abhishekagarwal87 (via GitHub)" <gi...@apache.org>.
abhishekagarwal87 commented on code in PR #14291:
URL: https://github.com/apache/druid/pull/14291#discussion_r1254259060


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -122,6 +122,8 @@
     https://github.com/FasterXML/jackson-databind/issues/3328
     -->
     <cve>CVE-2021-46877</cve>
+    <!-- according to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 -->
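Review bot: the new justification comment lands directly after `<cve>CVE-2021-46877</cve>`, whose own rationale is the jackson-databind issue 3328 link above it, while the `<cve>` element this comment is meant to cover is not in the quoted lines (the header `@@ -122,6 +122,8 @@` counts two added lines and only one is shown). Name the CVE id inside the comment text itself so that the suppression stays traceable to its reason as the list grows, and keep the capitalised "According" from the suggestion for consistency with the neighbouring comments.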

Review Comment:
   ```suggestion
       <!-- According to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 -->
   ```



##########
owasp-dependency-check-suppressions.xml:
##########
@@ -825,4 +844,31 @@
     <!-- applies to ranger-hive-plugin which afaict we do not use https://nvd.nist.gov/vuln/detail/CVE-2021-40331 -->
     <cve>CVE-2021-40331</cve>
   </suppress>
+
+  <!-- filed against random script set, doesn't apply to any Maven artifacts - https://github.com/jeremylong/DependencyCheck/issues/5213 -->
+  <suppress>
+    <notes><![CDATA[
+      file name: plexus-utils-3.0.24.jar
+      file name: async-http-client-netty-utils-2.5.3.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl>
+    <cve>CVE-2021-4277</cve>
+  </suppress>
+
+  <!--
+    ~ TODO: Update guava to any version after 29.0
+  -->
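Review bot: `<packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl>` suppresses CVE-2021-4277 for every Maven artifact, not only the two jars listed in `<notes>`; that is defensible only because the comment says the CVE applies to no Maven artifact at all, so either say that inside `<notes>` (the comment outside the element is easy to lose) or narrow the regex to the plexus-utils and async-http-client-netty-utils coordinates. The trailing `TODO: Update guava to any version after 29.0` is a dangling comment with no `<suppress>` behind it and disagrees with the PR description, which calls for `30.0-jre` or above; drop it as the reviewer asks and track the upgrade in an issue instead.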

Review Comment:
   let's remove this. 





Re: [PR] Suppress CVEs (druid)

Posted by "abhishekagarwal87 (via GitHub)" <gi...@apache.org>.
abhishekagarwal87 commented on code in PR #14291:
URL: https://github.com/apache/druid/pull/14291#discussion_r1250861763


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -826,6 +826,14 @@
     <cve>CVE-2022-26612</cve>
     <!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
     <cve>CVE-2023-25613</cve>
+    <cve>CVE-2023-2976</cve> <!-- this is from shaded guava dependency -->
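Review bot: `<!-- this is from shaded guava dependency -->` does not justify suppressing CVE-2023-2976 on its own: shading relocates the package name, but the vulnerable class still ships on the classpath, so the comment should record which artifact shades guava and why the affected code path is not reachable from it, and link the advisory as the CVE-2023-25613 entry above does.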

Review Comment:
   we need better reasoning here. Yes, they are shaded but it could still be a problem though? 



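Added example, not code from the Druid PR or from the dependency-check project: a small Python lint over a dependency-check suppressions file that flags the two hygiene problems raised in this thread, a `packageUrl` regex that matches every Maven coordinate and a `<suppress>` entry carrying no `<notes>` justification. The sample XML and the hadoop-client-runtime pattern in it are constructed for the demonstration.

```python
# Lint for an OWASP dependency-check suppressions file (added example, not Druid's code).
import re
import xml.etree.ElementTree as ET

# Namespace used by the dependency-check suppression schema.
NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"

# Constructed sample mirroring the shapes seen in the PR hunks.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[ file name: plexus-utils-3.0.24.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/.*/.*@.*$</packageUrl>
    <cve>CVE-2021-4277</cve>
  </suppress>
  <suppress>
    <packageUrl regex="true">^pkg:maven/org\\.apache\\.hadoop/hadoop\\-client\\-runtime@.*$</packageUrl>
    <cve>CVE-2023-2976</cve>
  </suppress>
</suppressions>
"""


def is_catch_all(pattern: str) -> bool:
    """True when the regex accepts a coordinate no real suppression would target."""
    probe = "pkg:maven/zzz.example/zzz-artifact@0.0.0"
    return re.fullmatch(pattern, probe) is not None


def lint(xml_text: str) -> list[str]:
    """Return one finding per hygiene problem, in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    for i, sup in enumerate(root.iter(NS + "suppress"), start=1):
        cves = [c.text.strip() for c in sup.iter(NS + "cve") if c.text]
        label = f"suppress#{i} ({', '.join(cves) or 'no cve'})"
        # A suppression without <notes> has no recorded reason; an XML comment
        # outside the element is not enough, since tooling never sees it.
        notes = sup.find(NS + "notes")
        if notes is None or not (notes.text or "").strip():
            findings.append(f"{label}: no <notes> justification")
        purl = sup.find(NS + "packageUrl")
        if purl is not None and purl.get("regex") == "true" and is_catch_all(purl.text.strip()):
            findings.append(f"{label}: packageUrl regex matches every Maven artifact")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```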


Re: [PR] Suppress CVEs (druid)

Posted by "tejaswini-imply (via GitHub)" <gi...@apache.org>.
tejaswini-imply commented on PR #14291:
URL: https://github.com/apache/druid/pull/14291#issuecomment-1623754376

   Thanks for the review @abhishekagarwal87. I have addressed your comments in the latest commit.




Re: [PR] Suppress CVEs (druid)

Posted by "abhishekagarwal87 (via GitHub)" <gi...@apache.org>.
abhishekagarwal87 merged PR #14291:
URL: https://github.com/apache/druid/pull/14291




Re: [PR] Suppress CVEs (druid)

Posted by "tejaswini-imply (via GitHub)" <gi...@apache.org>.
tejaswini-imply commented on code in PR #14291:
URL: https://github.com/apache/druid/pull/14291#discussion_r1251009770


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -826,6 +826,14 @@
     <cve>CVE-2022-26612</cve>
     <!-- this one seems to apply to backend server - https://nvd.nist.gov/vuln/detail/CVE-2023-25613 -->
     <cve>CVE-2023-25613</cve>
+    <cve>CVE-2023-2976</cve> <!-- this is from shaded guava dependency -->
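Review bot: the finding in the reply below, that `com.google.common.io.FileBackedOutputStream` (the class CVE-2023-2976 lives in) has no call site in the Hadoop repository, belongs in the suppression comment itself together with the name of the shaded artifact; the file outlives this thread, and the next reader of `<!-- this is from shaded guava dependency -->` will otherwise have to redo the analysis. Re-check the claim whenever the Hadoop dependency is bumped, since the suppression is keyed only on the CVE id.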

Review Comment:
   I have gone through the Hadoop repository and found no instance of usage of `com.google.common.io.FileBackedOutputStream` which is responsible for CVE-2023-2976. I'll update the description.


