Azure / azure-cosmosdb-java

Java Async SDK for SQL API of Azure Cosmos DB
MIT License

Remove dependency on commons-validator #140

Closed David-Noble-at-work closed 5 years ago

David-Noble-at-work commented 5 years ago

We have benchmark, sample, and test code that utilizes commons-validator:commons-validator:1.6. This dependency is brought into our build system here:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ azure-cosmosdb-commons ---
[INFO] com.microsoft.azure:azure-cosmosdb-commons:jar:2.4.5
[INFO] \- commons-validator:commons-validator:jar:1.6:compile
[INFO]    \- commons-beanutils:commons-beanutils:jar:1.9.2:compile

Notice that commons-validator depends on commons-beanutils:1.9.2 and that Snyk reports this version of commons-beanutils contains a security vulnerability:

High severity vulnerability found in commons-beanutils:commons-beanutils
  Description: Arbitrary Code Execution
  Info: https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077
  Introduced through: com.microsoft.azure:azure-cosmosdb-benchmark@2.4.5
  From: com.microsoft.azure:azure-cosmosdb-benchmark@2.4.5 > com.microsoft.azure:azure-cosmosdb@2.4.5 > com.microsoft.azure:azure-cosmosdb-commons@2.4.5 > commons-beanutils:commons-beanutils@1.9.2

A fix to this issue is under development but is not yet released:

https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077

We should update our dependencies as soon as the fix is available. Here is the full list of direct dependencies on commons-validator reported by maven.

 com.microsoft.azure:azure-cosmosdb-commons:jar:2.4.5
[INFO] \- commons-validator:commons-validator:jar:1.6:compile
[INFO]    \- commons-beanutils:commons-beanutils:jar:1.9.2:compile
com.microsoft.azure:azure-cosmosdb-commons-test-utils:jar:2.4.5
[INFO] \- com.microsoft.azure:azure-cosmosdb-commons:jar:2.4.5:compile
[INFO]    \- commons-validator:commons-validator:jar:1.6:compile
[INFO]       \- commons-beanutils:commons-beanutils:jar:1.9.2:compile
com.microsoft.azure:azure-cosmosdb-gateway:jar:2.4.5
[INFO] \- com.microsoft.azure:azure-cosmosdb-commons:jar:2.4.5:compile
[INFO]    \- commons-validator:commons-validator:jar:1.6:compile
[INFO]       \- commons-beanutils:commons-beanutils:jar:1.9.2:compile
com.microsoft.azure:azure-cosmosdb:jar:2.4.5
[INFO] \- com.microsoft.azure:azure-cosmosdb-commons:jar:2.4.5:compile
[INFO]    \- commons-validator:commons-validator:jar:1.6:compile
[INFO]       \- commons-beanutils:commons-beanutils:jar:1.9.2:compile
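
An added example, not code from this repository or thread: it parses `mvn dependency:tree` output in the layout quoted above, reports every chain that ends in a known-bad coordinate in the same `group:artifact@version > ...` form Snyk uses, and names the direct dependency that pulls it in. The sample tree and the vulnerable-version table are constructed here for illustration.

```python
import re

# Constructed sample laid out like the `mvn dependency:tree` output quoted in the issue
# (a second, unaffected branch is added so the walker has a sibling to skip).
SAMPLE_TREE = """\
[INFO] com.microsoft.azure:azure-cosmosdb-commons:jar:2.4.5
[INFO] +- commons-validator:commons-validator:jar:1.6:compile
[INFO] |  \\- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] \\- org.apache.commons:commons-collections4:jar:4.2:compile
"""

# Known-bad coordinates as (groupId:artifactId, version); 1.9.2 is the version the issue reports.
VULNERABLE = {("commons-beanutils:commons-beanutils", "1.9.2")}

# Each tree level is a 3-character cell: "+- ", "\- ", "|  " or "   ".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>\S+)$")


def parse_tree(text):
    """Yield (depth, groupId:artifactId, version) for every artifact line of the tree."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips the "--- maven-dependency-plugin ..." banner and blank lines
        parts = m.group("coord").split(":")
        # group:artifact:type:version (root) or group:artifact:type[:classifier]:version:scope
        version = parts[-1] if len(parts) == 4 else parts[-2]
        yield len(m.group("prefix")) // 3, f"{parts[0]}:{parts[1]}", version


def find_vulnerable_paths(text, vulnerable=VULNERABLE):
    """Return every root-to-leaf chain that ends in a vulnerable artifact, Snyk-style."""
    stack, hits = [], []
    for depth, ga, version in parse_tree(text):
        stack = stack[:depth] + [f"{ga}@{version}"]  # re-root the chain at this node's depth
        if (ga, version) in vulnerable:
            hits.append(" > ".join(stack))
    return hits


def direct_culprits(text, vulnerable=VULNERABLE):
    """Direct dependencies (depth 1) that pull in a vulnerable artifact: the candidates
    to drop outright, as this issue did, or to wrap in a Maven <exclusion>."""
    culprits = set()
    for path in find_vulnerable_paths(text, vulnerable):
        nodes = path.split(" > ")
        if len(nodes) > 1:
            culprits.add(nodes[1].split("@")[0])
    return sorted(culprits)


if __name__ == "__main__":
    for path in find_vulnerable_paths(SAMPLE_TREE):
        print("vulnerable path:", path)
    print("direct dependencies to review:", direct_culprits(SAMPLE_TREE))
```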

moderakh commented 5 years ago

I don't see any code using org.apache.commons.validator

$:~/github/azure/azure-cosmosdb-java$ grep "org.apache.commons.validator" -r .
$:~/github/azure/azure-cosmosdb-java$ 

Does any code use it? If not, maybe we can remove that instead.

David-Noble-at-work commented 5 years ago

Root cause: com.microsoft.azure.cosmosdb.internal.directconnectivity.EndpointMock was using commons-collections, not commons-collections4 which is what we use elsewhere. All is well after changing this EndpointMock import from:

import org.apache.commons.collections.map.HashedMap;

to:

import org.apache.commons.collections4.map.HashedMap;

I will port this change in my current working branch to PR #137.

David-Noble-at-work commented 5 years ago

The fix to this issue is now being tested in PR #137.