Closed prathyush90 closed 1 month ago
Hi! Thank you for using Datadog.
java-dogstatsd-client is not affected by this vulnerability, because it never calls the vulnerable posix_spawn function.
If you are using Java 8 or later, you can use a newer version of jnr-unixsocket in your build by following the instructions here. Or, if you are not using unix sockets at all, the same page has instructions on removing the dependency entirely. Both approaches should help to avoid the Snyk warning.
Hi @vickenty, I tried a newer version of jnr-unixsocket; it didn't work, but when I removed it completely it worked.
I have a query regarding unix sockets. In our code we do not use unix sockets, and for Datadog it is using the DatadogMeterRegistry class, which in turn calls HttpUrlConnectionSender. Is it safe for me to remove the socket dependency?
The DatadogMeterRegistry class comes from micrometer, which is a different library and not related to java-dogstatsd-client in any way.
Please see if your code is using the NonBlockingStatsDClientBuilder class, which is the entry point for java-dogstatsd-client. It can be configured to use unix sockets by calling the .port(0) method on the builder, or by setting one of the DD_DOGSTATSD_PORT or DD_DOGSTATSD_URL environment variables. If the port value is zero, or the URL starts with unix://, then you are using unix sockets.
If there are no places that use NonBlockingStatsDClientBuilder, then it is likely that you are not using java-dogstatsd-client in your application and could perhaps remove the entire dependency.
In my organization, we use Snyk as a security measure and Datadog for collecting events. We have encountered a Snyk issue due to the jnr-posix library used by the java-dogstatsd-client. The details of the issue can be found in the following link:
https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422
We have attempted to upgrade jnr-posix (tried 3.1.19 and 18), but the issue persists. Could you please assist us in finding a solution to this problem? If no solution exists, can I exclude this module in the dependency? Does Datadog depend on this