RedHatInsights / ubi-hive

GNU Affero General Public License v3.0

Vulnerabilities in Quay don't match dependencies #77

Closed ian-j-abbott-accenture closed 4 months ago

ian-j-abbott-accenture commented 6 months ago

My team has been using the ubi-hive image in the Quay cloudservices repository here: https://quay.io/repository/cloudservices/ubi-hive?tab=info

The Quay Security Scanner is reporting numerous high and critical vulnerabilities in the ubi-hive image: https://quay.io/repository/cloudservices/ubi-hive/manifest/sha256:5375bbb76d0a7cf5219427c76eb5d9c1da9b97025e3a60c29ad3ac4b54053458?tab=vulnerabilities

Upon investigating a few of these, I'm not sure what's causing them. For example, many of the vulnerabilities are caused by the 2.4.0 version of jackson-databind introduced by the following lines in the dockerfile:

RUN \
    curl -L https://downloads.apache.org/hadoop/core/hadoop-${HADOOP_VERSION}/hadoop-${HADOOP_VERSION}.tar.gz | tar -zxf - -C ${HADOOP_HOME} --strip 1 && \
    curl -L https://repo1.maven.org/maven2/org/apache/hive/hive-standalone-metastore/${METASTORE_VERSION}/hive-standalone-metastore-${METASTORE_VERSION}-bin.tar.gz | tar -zxf - -C ${METASTORE_HOME} --strip 1

I took a look at the versions of hadoop and hive-standalone-metastore specified in the ubi-hive dockerfile (3.3.6 and 3.1.3 respectively) and I couldn't find any reference to that version of jackson.

Hadoop lists 2.12.7.1 in their dependency analysis here: https://hadoop.apache.org/docs/stable/hadoop-mapreduce-client/hadoop-mapreduce-client-core/dependency-analysis.html

hive-standalone-metastore also has jackson 2.12.0 in their 3.1.3 release pom file.

Other vulnerabilities in the scan also claim outdated dependencies that don't seem accurate.

Can anyone shed some light on this? Are the vulnerabilities false positives? Do we know why they are being flagged? I'm noticing this same issue in a few of our other Quay scans, and I'm hoping to be able to give our security team an explanation.

maskarb commented 5 months ago

@ian-j-abbott-accenture This seems like something that needs to be raised with Quay. I have no explanation around what Quay has identified in that security scan. To your point, I can't find any reference to jackson-databind 2.4.0 anywhere in Hadoop or Hive-metastore. If you search either of the downloads: https://downloads.apache.org/hadoop/core/hadoop-3.3.6/hadoop-3.3.6.tar.gz or https://repo1.maven.org/maven2/org/apache/hive/hive-standalone-metastore/3.1.3/hive-standalone-metastore-3.1.3-src.tar.gz, I can only find jackson-databind-2.12.0.jar (in metastore) and jackson-databind-2.12.7.1.jar (in hadoop common).

ian-j-abbott-accenture commented 5 months ago

After more digging, I'm pretty sure the jackson-databind 2.4.0 reference comes from a shaded dependency brought in with the htrace-core-3.1.0-incubating.jar that gets brought in as part of hadoop-yarn. I don't believe it's ever used by hive-metastore, but since it gets brought in with the Hadoop binary download in the dockerfile, it's getting picked up by the security scan.
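An added example, not code from the ubi-hive project or from either commenter: it reproduces the kind of check the last comment describes by walking every jar and reading the Maven metadata (META-INF/maven/&lt;groupId&gt;/&lt;artifactId&gt;/pom.properties) that a shade plugin normally leaves inside a bundling jar, which is what image scanners are assumed here to key on. The two jars are constructed in a temporary directory to mirror the thread: a plain jackson-databind 2.12.7.1 jar and an htrace-core-3.1.0-incubating jar that carries a shaded jackson-databind 2.4.0.

```python
import tempfile
import zipfile
from pathlib import Path

JACKSON = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"

def parse_pom_properties(text: str) -> dict[str, str]:
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def scan_jar(jar_path: Path) -> list[tuple[str, str, str]]:
    """(groupId, artifactId, version) for every pom.properties in the jar, shaded copies included."""
    found = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 5 and parts[:2] == ["META-INF", "maven"] and parts[4] == "pom.properties":
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                found.append((parts[2], parts[3], props.get("version", "?")))
    return found

def find_artifact(root: Path, artifact: str) -> dict[str, list[str]]:
    """Map each jar under root to the versions of `artifact` it embeds."""
    hits = {}
    for jar in sorted(root.rglob("*.jar")):
        versions = [v for _group, a, v in scan_jar(jar) if a == artifact]
        if versions:
            hits[jar.name] = versions
    return hits

def build_sample_tree(root: Path) -> None:
    """Constructed sample: a plain jackson-databind jar next to a shaded htrace jar."""
    with zipfile.ZipFile(root / "jackson-databind-2.12.7.1.jar", "w") as zf:
        zf.writestr(JACKSON, "artifactId=jackson-databind\nversion=2.12.7.1\n")
    with zipfile.ZipFile(root / "htrace-core-3.1.0-incubating.jar", "w") as zf:
        zf.writestr("META-INF/maven/org.apache.htrace/htrace-core/pom.properties",
                    "artifactId=htrace-core\nversion=3.1.0-incubating\n")
        # Shaded copy: classes relocated under org.apache.htrace, Maven metadata kept.
        zf.writestr(JACKSON, "artifactId=jackson-databind\nversion=2.4.0\n")

def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        return find_artifact(Path(d), "jackson-databind")
```

Pointing `find_artifact` at an unpacked Hadoop or Hive tarball instead of the sample tree shows which jar a flagged version actually lives in, which is the evidence a security team needs before treating a finding as a false positive or as unreachable shaded code.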