Posted to commits@druid.apache.org by cw...@apache.org on 2023/05/11 04:55:43 UTC
[druid] branch 26.0.0 updated: suppress some cves and fix javadoc build when using java 17 (#14241) (#14251)
This is an automated email from the ASF dual-hosted git repository.
cwylie pushed a commit to branch 26.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/26.0.0 by this push:
new 9f2f751e60 suppress some cves and fix javadoc build when using java 17 (#14241) (#14251)
9f2f751e60 is described below
commit 9f2f751e60c6cd4f20182ef99f2d70a4cbf48124
Author: Clint Wylie <cw...@apache.org>
AuthorDate: Wed May 10 21:55:34 2023 -0700
suppress some cves and fix javadoc build when using java 17 (#14241) (#14251)
---
.../query/movingaverage/BucketingAccumulator.java | 2 +-
owasp-dependency-check-suppressions.xml | 19 ++++++++++++++++++-
.../druid/java/util/common/guava/ConcatSequence.java | 2 +-
.../druid/java/util/common/guava/LimitedSequence.java | 2 +-
.../druid/java/util/common/guava/MergeSequence.java | 4 ++--
.../common/guava/ParallelMergeCombiningSequence.java | 2 +-
.../apache/druid/java/util/common/guava/Yielders.java | 2 +-
.../druid/query/scan/ScanQueryLimitRowIterator.java | 2 +-
8 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/extensions-contrib/moving-average-query/src/main/java/org/apache/druid/query/movingaverage/BucketingAccumulator.java b/extensions-contrib/moving-average-query/src/main/java/org/apache/druid/query/movingaverage/BucketingAccumulator.java
index a79e24bf3d..7179b9dcdc 100644
--- a/extensions-contrib/moving-average-query/src/main/java/org/apache/druid/query/movingaverage/BucketingAccumulator.java
+++ b/extensions-contrib/moving-average-query/src/main/java/org/apache/druid/query/movingaverage/BucketingAccumulator.java
@@ -55,7 +55,7 @@ public class BucketingAccumulator extends YieldingAccumulator<RowBucket, Row>
rows.add(in);
RowBucket nextBucket = new RowBucket(in.getTimestamp(), rows);
accumulated.setNextBucket(nextBucket);
- yield();
+ this.yield();
} else {
// still on the same day
rows = accumulated.getRows();
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index c5e8efea71..47ac67c9f7 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -247,6 +247,7 @@
<cve>CVE-2022-40150</cve>
<cve>CVE-2022-45685</cve>
<cve>CVE-2022-45693</cve>
+ <cve>CVE-2023-1436</cve>
</suppress>
<suppress>
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
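Review bot: The added `<cve>CVE-2023-1436</cve>` carries no reason for the suppression, and the block's notes and selector sit above the hunk, so a later reader cannot tell whether it was judged a false positive, unreachable, or an accepted risk. The same applies to `CVE-2023-26464` in the `@@ -365` hunk and `CVE-2020-11612` in the `@@ -392` hunk. I would put a short comment before each new id, for example `<!-- not reachable: REASON; revisit when DEPENDENCY is upgraded -->` (placeholders), so the next audit of this file can re-check the decision rather than inherit it.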
@@ -256,6 +257,8 @@
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
<cve>CVE-2017-18640</cve>
<cve>CVE-2022-25857</cve>
+ <cve>CVE-2023-2251</cve>
+ <cve>CVE-2022-3064</cve>
</suppress>
<suppress>
<!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases -->
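Review bot: The two ids added here for snakeyaml 1.6 have no justification, while the same pair in the next hunk (`@@ -264`) is marked `<!-- false positive -->`; the two blocks should say the same thing. In that next hunk the comment sits directly after `CVE-2022-1471`, so it is also unclear whether it covers only the two new ids or the older entries as well. If the reasoning is that these advisories were filed against other YAML libraries and matched only on the name, say so in both places, e.g. `<!-- CVE-2023-2251, CVE-2022-3064: false positive, not reported against org.yaml:snakeyaml -->`.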
@@ -264,6 +267,9 @@
]]></notes>
<cve>CVE-2022-25857</cve>
<cve>CVE-2022-1471</cve>
+ <!-- false positive -->
+ <cve>CVE-2023-2251</cve>
+ <cve>CVE-2022-3064</cve>
</suppress>
<suppress>
<notes><![CDATA[
@@ -343,6 +349,7 @@
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka-clients@2.0.0$</packageUrl>
<cve>CVE-2019-12399</cve>
<cve>CVE-2018-17196</cve>
+ <cve>CVE-2023-25194</cve>
</suppress>
<suppress>
<notes><![CDATA[
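Review bot: `CVE-2023-25194` is suppressed for kafka-clients 2.0.0 with no statement of why it is not exploitable here, and the block's notes start above the hunk. This advisory is filed against Kafka itself and concerns SASL/JAAS client configuration, so whether it matters depends on whether the module pulling in this old client ever builds its Kafka properties from untrusted input. I would record that analysis next to the id, for example `<!-- CVE-2023-25194: client properties for this dependency come only from operator config, see ISSUE-LINK -->` (placeholder), and otherwise leave the finding unsuppressed until the client is upgraded.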
@@ -353,7 +360,7 @@
</suppress>
<suppress>
<!--
- ~ TODO: Fix when Apache Ranger is released with updated log4j
+ ~ ambari-metrics-emitter, druid-ranger-security
-->
<notes><![CDATA[
file name: log4j-1.2.17.jar
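Review bot: Replacing the `TODO: Fix when Apache Ranger is released with updated log4j` line with the module list drops the only record that this log4j-1.2.17 suppression is meant to be temporary. log4j 1.x no longer receives fixes, so the list of ids in this block can only grow (the `@@ -365` hunk adds another, assuming it belongs to this block). I would keep both pieces of information, e.g. `~ ambari-metrics-emitter, druid-ranger-security` followed by `~ TODO: remove once these extensions no longer ship log4j 1.x`. The `<suppress>` block continues past the end of the hunk.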
@@ -365,6 +372,7 @@
<cve>CVE-2022-23307</cve>
<cve>CVE-2022-23305</cve>
<cve>CVE-2022-23302</cve>
+ <cve>CVE-2023-26464</cve>
</suppress>
<suppress>
<notes><![CDATA[
@@ -392,6 +400,7 @@
<cve>CVE-2022-23305</cve>
<cve>CVE-2022-23302</cve>
<cve>CVE-2022-41881</cve>
+ <cve>CVE-2020-11612</cve>
</suppress>
<suppress>
<!--
@@ -789,4 +798,12 @@
<vulnerabilityName>1070209</vulnerabilityName>
<cve>CVE-2020-7774</cve>
</suppress>
+ <suppress>
+ <!-- druid-ranger-security -->
+ <notes><![CDATA[
+ file name: ranger-plugins-common-2.0.0.jar
+ ]]></notes>
+ <!-- seems not applicable to plugin -->
+ <cve>CVE-2022-45048</cve>
+ </suppress>
</suppressions>
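Review bot: The new `<suppress>` block has no selector: the jar name appears only inside `<notes>`, which is free text, so as written `CVE-2022-45048` would be suppressed for every dependency that reports it, not only ranger-plugins-common 2.0.0. Other blocks in this file (the snakeyaml and kafka-clients ones) scope themselves with `<packageUrl regex="true">…</packageUrl>`; adding one here, e.g. `<packageUrl regex="true">^pkg:maven/org\.apache\.ranger/ranger-plugins-common@2\.0\.0$</packageUrl>`, keeps the entry from hiding the finding if another Ranger artifact or version is added later. The comment `seems not applicable to plugin` also reads as a guess rather than a conclusion; it would help to state what was checked.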
diff --git a/processing/src/main/java/org/apache/druid/java/util/common/guava/ConcatSequence.java b/processing/src/main/java/org/apache/druid/java/util/common/guava/ConcatSequence.java
index 577b3d6bb2..ca1ff489ee 100644
--- a/processing/src/main/java/org/apache/druid/java/util/common/guava/ConcatSequence.java
+++ b/processing/src/main/java/org/apache/druid/java/util/common/guava/ConcatSequence.java
@@ -55,7 +55,7 @@ public class ConcatSequence<T> implements Sequence<T>
@Override
public Sequence<T> accumulate(Sequence<T> accumulated, Sequence<T> in)
{
- yield();
+ this.yield();
return in;
}
}
diff --git a/processing/src/main/java/org/apache/druid/java/util/common/guava/LimitedSequence.java b/processing/src/main/java/org/apache/druid/java/util/common/guava/LimitedSequence.java
index 3fcc834b1e..a8d886f3bd 100644
--- a/processing/src/main/java/org/apache/druid/java/util/common/guava/LimitedSequence.java
+++ b/processing/src/main/java/org/apache/druid/java/util/common/guava/LimitedSequence.java
@@ -132,7 +132,7 @@ final class LimitedSequence<T> extends YieldingSequenceBase<T>
interruptYield = false;
}
if (interruptYield) {
- yield();
+ this.yield();
}
return retVal;
diff --git a/processing/src/main/java/org/apache/druid/java/util/common/guava/MergeSequence.java b/processing/src/main/java/org/apache/druid/java/util/common/guava/MergeSequence.java
index 5b65442fff..ad35f418ff 100644
--- a/processing/src/main/java/org/apache/druid/java/util/common/guava/MergeSequence.java
+++ b/processing/src/main/java/org/apache/druid/java/util/common/guava/MergeSequence.java
@@ -55,7 +55,7 @@ public class MergeSequence<T> extends YieldingSequenceBase<T>
PriorityQueue<Yielder<T>> pQueue = new PriorityQueue<>(
32,
ordering.onResultOf(
- (Function<Yielder<T>, T>) input -> input.get()
+ (Function<Yielder<T>, T>) Yielder::get
)
);
@@ -70,7 +70,7 @@ public class MergeSequence<T> extends YieldingSequenceBase<T>
@Override
public T accumulate(T accumulated, T in)
{
- yield();
+ this.yield();
return in;
}
}
diff --git a/processing/src/main/java/org/apache/druid/java/util/common/guava/ParallelMergeCombiningSequence.java b/processing/src/main/java/org/apache/druid/java/util/common/guava/ParallelMergeCombiningSequence.java
index 9208767634..9c39c29d06 100644
--- a/processing/src/main/java/org/apache/druid/java/util/common/guava/ParallelMergeCombiningSequence.java
+++ b/processing/src/main/java/org/apache/druid/java/util/common/guava/ParallelMergeCombiningSequence.java
@@ -895,7 +895,7 @@ public class ParallelMergeCombiningSequence<T> extends YieldingSequenceBase<T>
accumulated.add(in);
count++;
if (count % batchSize == 0) {
- yield();
+ this.yield();
}
return accumulated;
}
diff --git a/processing/src/main/java/org/apache/druid/java/util/common/guava/Yielders.java b/processing/src/main/java/org/apache/druid/java/util/common/guava/Yielders.java
index f12d5d1718..fbd1db1052 100644
--- a/processing/src/main/java/org/apache/druid/java/util/common/guava/Yielders.java
+++ b/processing/src/main/java/org/apache/druid/java/util/common/guava/Yielders.java
@@ -36,7 +36,7 @@ public class Yielders
@Override
public T accumulate(T accumulated, T in)
{
- yield();
+ this.yield();
return in;
}
}
diff --git a/processing/src/main/java/org/apache/druid/query/scan/ScanQueryLimitRowIterator.java b/processing/src/main/java/org/apache/druid/query/scan/ScanQueryLimitRowIterator.java
index ee90ca17a3..68b311e83a 100644
--- a/processing/src/main/java/org/apache/druid/query/scan/ScanQueryLimitRowIterator.java
+++ b/processing/src/main/java/org/apache/druid/query/scan/ScanQueryLimitRowIterator.java
@@ -76,7 +76,7 @@ public class ScanQueryLimitRowIterator implements CloseableIterator<ScanResultVa
@Override
public ScanResultValue accumulate(ScanResultValue accumulated, ScanResultValue in)
{
- yield();
+ this.yield();
return in;
}
}