Posted to notifications@skywalking.apache.org by ha...@apache.org on 2021/06/16 04:14:59 UTC

[skywalking] branch master updated: Upgrade OAP dependencies (#7119)

This is an automated email from the ASF dual-hosted git repository.

hanahmily pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new 669fe15  Upgrade OAP dependencies (#7119)
669fe15 is described below

commit 669fe1593c8cd3591652c13d1088c72d2c45ab89
Author: Gao Hongtao <ha...@gmail.com>
AuthorDate: Wed Jun 16 12:14:39 2021 +0800

    Upgrade OAP dependencies (#7119)
    
    * Introduce trivy to scan images
    
    Signed-off-by: Gao Hongtao <ha...@gmail.com>
    
    * Fix CVE
    
    Signed-off-by: Gao Hongtao <ha...@gmail.com>
    
    * Update licenses
    
    Signed-off-by: Gao Hongtao <ha...@gmail.com>
    
    * Remove log4j 1.x
    
    Signed-off-by: Gao Hongtao <ha...@gmail.com>
    
    * Update CHANGES.md
    
    Signed-off-by: Gao Hongtao <ha...@gmail.com>
    
    * Update LICENSE refer to webapp
    
    Signed-off-by: Gao Hongtao <ha...@gmail.com>
    
    Co-authored-by: 吴晟 Wu Sheng <wu...@foxmail.com>
---
 CHANGES.md                                         | 20 ++++++++++++++++
 apm-webapp/pom.xml                                 | 27 ++++++++++++++++++++--
 dist-material/release-docs/LICENSE                 | 11 ++++-----
 docker/oap/Dockerfile.oap                          | 18 ++++++++++++++-
 docker/ui/Dockerfile.ui                            |  4 ++--
 oap-server/pom.xml                                 | 12 ++++++++--
 .../cluster-consul-plugin/pom.xml                  |  2 +-
 .../known-oap-backend-dependencies-es7.txt         | 21 ++++++++---------
 .../known-oap-backend-dependencies.txt             | 21 ++++++++---------
 9 files changed, 100 insertions(+), 36 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 670deab..4f58e17 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -14,6 +14,26 @@ Release Notes.
 * Disable Spring sleuth meter analyzer by default.
 * Use MAL to calculate JVM metrics, remove OAL dependency.
 * Only count 5xx as error in Envoy ALS receiver.
+* Upgrade apollo core caused by CVE-2020-15170.
+* Upgrade kubernetes client caused by CVE-2020-28052.
+* Upgrade Elasticsearch 7 client caused by CVE-2020-7014.
+* Upgrade jackson related libs caused by CVE-2018-11307, CVE-2018-14718~CVE-2018-14721, CVE-2018-19360~CVE-2018-19362,
+   CVE-2019-14379, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
+   CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548,
+   CVE-2018-12022, CVE-2018-12023, CVE-2019-12086, CVE-2019-14439, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968,
+   CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060,
+   CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-25649, CVE-2020-35490,
+   CVE-2020-35491, CVE-2020-35728 and CVE-2020-36179~CVE-2020-36190.
+* Exclude log4j 1.x caused by CVE-2019-17571.
+* Upgrade log4j 2.x caused by CVE-2020-9488.
+* Upgrade nacos libs caused by CVE-2021-29441 and CVE-2021-29442.
+* Upgrade netty caused by CVE-2019-20444, CVE-2019-20445, CVE-2019-16869, CVE-2020-11612, CVE-2021-21290, CVE-2021-21295 
+   and CVE-2021-21409.
+* Upgrade consul client caused by CVE-2018-1000844, CVE-2018-1000850.
+* Upgrade zookeeper caused by CVE-2019-0201. 
+* Upgrade snake yaml caused by CVE-2017-18640.
+* Upgrade embed tomcat caused by CVE-2020-13935.
+
 
 #### UI
 
diff --git a/apm-webapp/pom.xml b/apm-webapp/pom.xml
index 16eb9d5..b2dade8 100644
--- a/apm-webapp/pom.xml
+++ b/apm-webapp/pom.xml
@@ -30,14 +30,17 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <spring.boot.version>1.5.11.RELEASE</spring.boot.version>
+        <spring.boot.version>1.5.22.RELEASE</spring.boot.version>
         <log4j.version>2.6.2</log4j.version>
         <gson.version>2.8.2</gson.version>
         <apache-httpclient.version>4.5.3</apache-httpclient.version>
         <spring-cloud-dependencies.version>Edgware.SR1</spring-cloud-dependencies.version>
         <frontend-maven-plugin.version>1.11.0</frontend-maven-plugin.version>
         <logback-classic.version>1.2.3</logback-classic.version>
-        <jackson-version>2.9.10</jackson-version>
+        <jackson-version>2.12.2</jackson-version>
+        <yaml.version>1.28</yaml.version>
+        <netty.version>4.1.65.Final</netty.version>
+        <tomcat.version>8.5.66</tomcat.version>
 
         <ui.path>${project.parent.basedir}/skywalking-ui</ui.path>
     </properties>
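Review bot: `<log4j.version>2.6.2</log4j.version>` is left untouched two lines below the spring.boot bump, while the CHANGES entry in this same commit says log4j 2.x was upgraded for CVE-2020-9488, a fix that landed well after 2.6.2; if this property still feeds a log4j2 dependency in this pom (the `<dependencies>` section is outside the hunk), the webapp is not covered by that entry. Consider raising it to the log4j2 version this commit's release LICENSE lists, `<log4j.version>2.14.1</log4j.version>`, or removing the property if nothing references it. Separately, 1.5.22.RELEASE is the final release of the Spring Boot 1.5 line, which is end-of-life; the bump closes the CVEs named in CHANGES but later advisories against 1.5.x will not get a fix, which is worth stating next to the property, e.g. `<!-- Spring Boot 1.5.x is EOL; 1.5.22 is its last release -->`.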
@@ -102,6 +105,26 @@
             <version>${logback-classic.version}</version>
         </dependency>
         <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>${yaml.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler</artifactId>
+            <version>${netty.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>${tomcat.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-websocket</artifactId>
+            <version>${tomcat.version}</version>
+        </dependency>
+        <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <version>${spring.boot.version}</version>
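Review bot: The four new entries (snakeyaml, netty-handler, tomcat-embed-core, tomcat-embed-websocket) are declared as direct, default-scope dependencies whose only purpose, judging by the commit message, is to override versions that Spring Boot 1.5.x pulls in transitively. That does override through nearest-wins resolution, but it also puts each artifact on the classpath unconditionally and pins only the named artifact: other netty modules reached through netty-handler or Spring are resolved separately and can still land at an older version, and the same is true of the remaining tomcat-embed artifacts. Managing these versions in a `<dependencyManagement>` block instead applies the pin to every transitive path without adding a dependency, and importing the `io.netty:netty-bom` there covers all netty modules in one place. Whichever form is kept, a one-line comment above each entry naming the CVE it was pinned for (the ids are in CHANGES.md in this commit, e.g. `<!-- pinned for CVE-2017-18640 -->` on snakeyaml) stops a later cleanup from dropping it as an unused dependency.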
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index 9749066..8336e69 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -251,7 +251,7 @@ The text of each license is the standard Apache 2.0 license.
     Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
     Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0
     Spring Framework 4.3.14.RELEASE: https://github.com/spring-projects/spring-framework, Apache 2.0
-    Spring Boot 1.5.10: https://spring.io/, Apache 2.0
+    Spring Boot 1.5.22.RELEASE: https://spring.io/, Apache 2.0
     Spring Cloud Config 1.4.1: https://github.com/spring-cloud/spring-cloud-config, Apache-2.0
     Spring Cloud Netflix Zuul 1.3.0: https://github.com/spring-cloud/spring-cloud-netflix, Apache 2.0
     Apache: commons-logging 1.1.3: https://github.com/apache/commons-logging, Apache 2.0
@@ -263,7 +263,6 @@ The text of each license is the standard Apache 2.0 license.
     Apache: commons-beanutils 1.9.4: https://github.com/apache/commons-beanutils, Apache 2.0
     Apache: lucene 7.3.1, 8.3.0: https://github.com/apache/lucene-solr/tree/master/lucene, Apache 2.0
     Apache: httpasyncclient 4.1.2, 4.1.4: https://github.com/apache/httpasyncclient/tree/4.1.2, Apache 2.0
-    Apache: log4j 1.2.17: http://logging.apache.org/log4j/1.2/, Apache 2.0
     Apache: log4j2 2.14.1: https://github.com/apache/logging-log4j2, Apache 2.0
     Apache: zookeeper 3.5.7: https://github.com/apache/zookeeper, Apache 2.0
     Apache: commons-collections 3.2.2: https://github.com/apache/commons-collections, Apache 2.0
@@ -271,7 +270,7 @@ The text of each license is the standard Apache 2.0 license.
     Apache: commons-io 2.4: https://github.com/apache/commons-io, Apache 2.0
     Apache: commons-compress 1.20: https://github.com/apache/commons-compress, Apache 2.0
     Apache: commons-collections4 4.4: https://mvnrepository.com/artifact/org.apache.commons/commons-collections4, Apache 2.0
-    Apache: tomcat 8.5.27: https://github.com/apache/tomcat/tree/trunk, Apache 2.0
+    Apache: tomcat 8.5.66: https://github.com/apache/tomcat/tree/trunk, Apache 2.0
     Apache: freemarker 2.3.28: https://github.com/apache/freemarker, Apache 2.0
     netty 4.1.65: https://github.com/netty/netty/blob/4.1/LICENSE.txt, Apache 2.0
     annotations 13.0: http://www.jetbrains.org, Apache 2.0
@@ -310,8 +309,8 @@ The text of each license is the standard Apache 2.0 license.
     kubernetes-client 12.0.1: https://github.com/kubernetes-client/java, Apache 2.0
     proto files from istio/istio: https://github.com/istio/istio  Apache 2.0
     proto files from istio/api: https://github.com/istio/api      Apache 2.0
-    nacos 1.3.1: https://github.com/alibaba/nacos, Apache 2.0
-    consul-client 1.2.6: https://github.com/rickfast/consul-client, Apache 2.0
+    nacos 1.4.2: https://github.com/alibaba/nacos, Apache 2.0
+    consul-client 1.4.2: https://github.com/rickfast/consul-client, Apache 2.0
     okhttp 3.14.9: https://github.com/square/okhttp, Apache 2.0
     prometheus client_java(simpleclient) 0.6.0: https://github.com/prometheus/client_java, Apache 2.0
     proto files from istio/istio: https://github.com/istio/istio  Apache 2.0
@@ -324,7 +323,7 @@ The text of each license is the standard Apache 2.0 license.
     json-flatter 0.6.0: https://github.com/wnameless/json-flattener  Apache 2.0
     Apache: commons-text 1.4: https://github.com/apache/commons-text Apache 2.0
     sundrio 0.9.2: https://github.com/sundrio/sundrio Apache 2.0
-    Ctripcorp: apollo 1.4.0: https://github.com/ctripcorp/apollo Apache 2.0
+    Ctripcorp: apollo 1.8.0: https://github.com/ctripcorp/apollo Apache 2.0
     etcd4j 2.18.0: https://github.com/jurmous/etcd4j Apache 2.0
     javaassist 3.25.0-GA: https://github.com/jboss-javassist/javassist Apache 2.0
     jackson-module-afterburner 2.12.2: https://github.com/FasterXML/jackson-modules-base, Apache 2.0
diff --git a/docker/oap/Dockerfile.oap b/docker/oap/Dockerfile.oap
index 430c805..d496477 100644
--- a/docker/oap/Dockerfile.oap
+++ b/docker/oap/Dockerfile.oap
@@ -16,7 +16,23 @@
 
 ARG BASE_IMAGE='adoptopenjdk/openjdk8:alpine'
 
-FROM apache/skywalking-base:8.1.0-es6 AS cli
+FROM golang:1.14 AS cli
+
+ARG COMMIT_HASH=9f267876493943716434fdaa30047a14c0b5b2d9
+ARG CLI_CODE=${COMMIT_HASH}.tar.gz
+ARG CLI_CODE_URL=https://github.com/apache/skywalking-cli/archive/${CLI_CODE}
+
+ENV CGO_ENABLED=0
+ENV GO111MODULE=on
+
+WORKDIR /cli
+
+ADD ${CLI_CODE_URL} .
+RUN tar -xf ${CLI_CODE} --strip 1
+RUN rm ${CLI_CODE}
+
+RUN mkdir -p /skywalking/bin/
+RUN make linux && mv bin/swctl-latest-linux-amd64 /skywalking/bin/swctl
 
 FROM $BASE_IMAGE
 
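Review bot: The new `cli` stage takes its toolchain and source from mutable or unverified locations: `FROM golang:1.14` is a floating tag, so the build picks up whatever the registry serves for it on the day, and `ADD ${CLI_CODE_URL} .` downloads the archive with no checksum check. The full commit hash in `COMMIT_HASH` does pin the source content, which is good, but the toolchain is not pinned at all, and the same applies to `FROM adoptopenjdk/openjdk8:alpine` in docker/ui/Dockerfile.ui in this commit, which replaces a fixed `8u181` tag. Pin both images by digest (`FROM golang:1.14@sha256:<digest-placeholder>`) so the image trivy scanned is the image that gets rebuilt, and verify the archive before extracting it, e.g. `RUN echo "<expected-sha256-placeholder>  ${CLI_CODE}" | sha256sum -c`. Minor: the `tar`, `rm` and `mkdir` lines after `ADD` could be a single `RUN`; `rm` in its own layer does not reclaim space, though this only affects the throwaway builder stage.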
diff --git a/docker/ui/Dockerfile.ui b/docker/ui/Dockerfile.ui
index a52a148..5cb566c 100644
--- a/docker/ui/Dockerfile.ui
+++ b/docker/ui/Dockerfile.ui
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM openjdk:8u181-jdk-stretch
+FROM adoptopenjdk/openjdk8:alpine
 
 ENV DIST_NAME=apache-skywalking-apm-bin \
     JAVA_OPTS=" -Xms256M " \
@@ -37,4 +37,4 @@ COPY logback.xml webapp/
 
 EXPOSE 8080
 
-ENTRYPOINT ["bash", "docker-entrypoint.sh"]
\ No newline at end of file
+ENTRYPOINT ["sh", "docker-entrypoint.sh"]
\ No newline at end of file
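Review bot: Switching the entrypoint from `bash` to `sh` on the new Alpine base means docker-entrypoint.sh now runs under busybox ash, and the script is not part of this diff, so nothing here shows it is POSIX-clean; bash-only constructs in it (arrays, `declare`, process substitution `<( )`) would fail only at container start, not at build time. Worth running the script through `shellcheck -s sh` or `checkbashisms` in CI, or installing bash in the image and keeping `bash` if the script depends on it. The missing trailing newline on the ENTRYPOINT line is carried over from the old file; adding one avoids the `\ No newline at end of file` churn in future diffs.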
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index c1bcf04..e659f5c 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -79,8 +79,8 @@
         <commons-lang3.version>3.7</commons-lang3.version>
         <commons-text.version>1.4</commons-text.version>
         <simpleclient.version>0.6.0</simpleclient.version>
-        <apollo.version>1.4.0</apollo.version>
-        <nacos.version>1.3.1</nacos.version>
+        <apollo.version>1.8.0</apollo.version>
+        <nacos.version>1.4.2</nacos.version>
         <maven-docker-plugin.version>0.30.0</maven-docker-plugin.version>
         <curator.version>4.3.0</curator.version>
         <curator-test.version>2.12.0</curator-test.version>
@@ -484,6 +484,10 @@
                         <groupId>org.slf4j</groupId>
                         <artifactId>slf4j-api</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>log4j</groupId>
+                        <artifactId>log4j</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
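Review bot: The `log4j:log4j` exclusion here, and the identical one in the next hunk (the dependency ending in `<scope>test</scope>`), removes log4j 1.x only from the two dependencies they are attached to, whose coordinates sit above the hunk and are not visible here; any other artifact that pulls `log4j:log4j` transitively, now or after a future bump, reintroduces it silently, and the only guard is the known-dependencies list check. A build-time ban is more robust: a maven-enforcer `bannedDependencies` rule listing `log4j:log4j` fails the build at the point of reintroduction, with the reason taken from CHANGES.md in this commit. In either case a short comment on each exclusion, `<!-- log4j 1.x excluded: CVE-2019-17571 -->`, records why it is there so it is not removed as noise later.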
@@ -495,6 +499,10 @@
                         <groupId>com.google.guava</groupId>
                         <artifactId>guava</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>log4j</groupId>
+                        <artifactId>log4j</artifactId>
+                    </exclusion>
                 </exclusions>
                 <scope>test</scope>
             </dependency>
diff --git a/oap-server/server-cluster-plugin/cluster-consul-plugin/pom.xml b/oap-server/server-cluster-plugin/cluster-consul-plugin/pom.xml
index 2abf9fb..3d47a2a 100644
--- a/oap-server/server-cluster-plugin/cluster-consul-plugin/pom.xml
+++ b/oap-server/server-cluster-plugin/cluster-consul-plugin/pom.xml
@@ -41,7 +41,7 @@
         <dependency>
             <groupId>com.orbitz.consul</groupId>
             <artifactId>consul-client</artifactId>
-            <version>1.2.6</version>
+            <version>1.4.2</version>
             <exclusions>
                 <exclusion>
                     <groupId>com.google.guava</groupId>
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 589af09..9db7b2f 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -5,8 +5,8 @@ animal-sniffer-annotations-1.18.jar
 annotations-13.0.jar
 antlr4-runtime-4.7.1.jar
 aopalliance-1.0.jar
-apollo-client-1.4.0.jar
-apollo-core-1.4.0.jar
+apollo-client-1.8.0.jar
+apollo-core-1.8.0.jar
 audience-annotations-0.5.0.jar
 bcpkix-jdk15on-1.68.jar
 bcprov-ext-jdk15on-1.68.jar
@@ -25,8 +25,8 @@ commons-lang3-3.7.jar
 commons-pool-1.5.4.jar
 commons-text-1.4.jar
 compiler-0.9.6.jar
-consul-client-1.2.6.jar
-converter-jackson-2.3.0.jar
+consul-client-1.4.2.jar
+converter-jackson-2.5.0.jar
 converter-moshi-2.5.0.jar
 curator-client-4.3.0.jar
 curator-framework-4.3.0.jar
@@ -72,8 +72,8 @@ jackson-databind-2.12.2.jar
 jackson-dataformat-cbor-2.10.4.jar
 jackson-dataformat-smile-2.10.4.jar
 jackson-dataformat-yaml-2.10.4.jar
-jackson-datatype-guava-2.9.5.jar
-jackson-datatype-jdk8-2.9.5.jar
+jackson-datatype-guava-2.9.10.jar
+jackson-datatype-jdk8-2.9.10.jar
 jackson-module-afterburner-2.12.2.jar
 jackson-module-kotlin-2.8.8.jar
 java-dataloader-2.0.2.jar
@@ -99,7 +99,6 @@ kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 lang-mustache-client-7.10.2.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-1.2.17.jar
 log4j-api-2.14.1.jar
 log4j-core-2.14.1.jar
 log4j-over-slf4j-1.7.30.jar
@@ -125,9 +124,9 @@ minimal-json-0.9.5.jar
 moshi-1.5.0.jar
 msgpack-core-0.8.16.jar
 mvel2-2.4.8.Final.jar
-nacos-api-1.3.1.jar
-nacos-client-1.3.1.jar
-nacos-common-1.3.1.jar
+nacos-api-1.4.2.jar
+nacos-client-1.4.2.jar
+nacos-common-1.4.2.jar
 netty-buffer-4.1.65.Final.jar
 netty-codec-4.1.65.Final.jar
 netty-codec-dns-4.1.65.Final.jar
@@ -154,7 +153,7 @@ protobuf-java-util-3.12.4.jar
 rank-eval-client-7.10.2.jar
 reactive-streams-1.0.2.jar
 reflectasm-1.11.7.jar
-retrofit-2.3.0.jar
+retrofit-2.5.0.jar
 s2-geometry-library-java-1.0.0.jar
 simpleclient-0.6.0.jar
 simpleclient_common-0.6.0.jar
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index b146e09..db5c307 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -5,8 +5,8 @@ animal-sniffer-annotations-1.18.jar
 annotations-13.0.jar
 antlr4-runtime-4.7.1.jar
 aopalliance-1.0.jar
-apollo-client-1.4.0.jar
-apollo-core-1.4.0.jar
+apollo-client-1.8.0.jar
+apollo-core-1.8.0.jar
 audience-annotations-0.5.0.jar
 bcpkix-jdk15on-1.68.jar
 bcprov-ext-jdk15on-1.68.jar
@@ -24,8 +24,8 @@ commons-io-2.6.jar
 commons-lang3-3.7.jar
 commons-pool-1.5.4.jar
 commons-text-1.4.jar
-consul-client-1.2.6.jar
-converter-jackson-2.3.0.jar
+consul-client-1.4.2.jar
+converter-jackson-2.5.0.jar
 converter-moshi-2.5.0.jar
 curator-client-4.3.0.jar
 curator-framework-4.3.0.jar
@@ -70,8 +70,8 @@ jackson-databind-2.12.2.jar
 jackson-dataformat-cbor-2.8.10.jar
 jackson-dataformat-smile-2.8.10.jar
 jackson-dataformat-yaml-2.8.10.jar
-jackson-datatype-guava-2.9.5.jar
-jackson-datatype-jdk8-2.9.5.jar
+jackson-datatype-guava-2.9.10.jar
+jackson-datatype-jdk8-2.9.10.jar
 jackson-module-afterburner-2.12.2.jar
 jackson-module-kotlin-2.8.8.jar
 java-dataloader-2.0.2.jar
@@ -96,7 +96,6 @@ kafka-clients-2.4.1.jar
 kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-1.2.17.jar
 log4j-api-2.14.1.jar
 log4j-core-2.14.1.jar
 log4j-over-slf4j-1.7.30.jar
@@ -122,9 +121,9 @@ minimal-json-0.9.5.jar
 moshi-1.5.0.jar
 msgpack-core-0.8.16.jar
 mvel2-2.4.8.Final.jar
-nacos-api-1.3.1.jar
-nacos-client-1.3.1.jar
-nacos-common-1.3.1.jar
+nacos-api-1.4.2.jar
+nacos-client-1.4.2.jar
+nacos-common-1.4.2.jar
 netty-buffer-4.1.65.Final.jar
 netty-codec-4.1.65.Final.jar
 netty-codec-dns-4.1.65.Final.jar
@@ -151,7 +150,7 @@ protobuf-java-util-3.12.4.jar
 rank-eval-client-6.3.2.jar
 reactive-streams-1.0.2.jar
 reflectasm-1.11.7.jar
-retrofit-2.3.0.jar
+retrofit-2.5.0.jar
 simpleclient-0.6.0.jar
 simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar