apache / pinot

Apache Pinot - A realtime distributed OLAP datastore
https://pinot.apache.org/
Apache License 2.0

CVEs detected in dependencies of pinot-java-client and pinot-common #12341

Open robertzych opened 5 months ago

robertzych commented 5 months ago

Using pinot-java-client 1.0.0-hotfix and pinot-common 1.0.0 and scanning the dependencies with Anchore, the following CVEs were detected:

CVE-2022-39135+org.apache.calcite.avatica.avatica-core-1.20.0.jar   vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-core-1.20.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2022-39135+org.apache.calcite.calcite-linq4j-1.30.0.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-linq4j-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams   vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)
CVE-2022-41881+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams   vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2022-41881 - https://nvd.nist.gov/vuln/detail/CVE-2022-41881)
CVE-2019-20444+com.typesafe.netty.netty-reactive-streams-2.0.4.jar  vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-20444 - https://nvd.nist.gov/vuln/detail/CVE-2019-20444)
CVE-2019-20445+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams   vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-20445 - https://nvd.nist.gov/vuln/detail/CVE-2019-20445)
CVE-2015-2156+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams    vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2015-2156 - https://nvd.nist.gov/vuln/detail/CVE-2015-2156)
CVE-2019-16869+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams   vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-16869 - https://nvd.nist.gov/vuln/detail/CVE-2019-16869)
CVE-2023-26464+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar    vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2023-26464 - https://nvd.nist.gov/vuln/detail/CVE-2023-26464)
CVE-2022-39135+org.apache.calcite.calcite-core-1.30.0.jar   vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-core-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2019-17571+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar    vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2019-17571 - https://nvd.nist.gov/vuln/detail/CVE-2019-17571)
CVE-2019-20444+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams   vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-20444 - https://nvd.nist.gov/vuln/detail/CVE-2019-20444)
CVE-2022-41881+com.typesafe.netty.netty-reactive-streams-2.0.4.jar  vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2022-41881 - https://nvd.nist.gov/vuln/detail/CVE-2022-41881)
CVE-2022-23302+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar    vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2022-23302 - https://nvd.nist.gov/vuln/detail/CVE-2022-23302)
CVE-2021-37137+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams   vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2021-37137 - https://nvd.nist.gov/vuln/detail/CVE-2021-37137)
CVE-2023-2976+com.google.guava.guava-32.0.0-jre.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.guava-32.0.0-jre.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)
CVE-2019-16869+com.typesafe.netty.netty-reactive-streams-2.0.4.jar  vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-16869 - https://nvd.nist.gov/vuln/detail/CVE-2019-16869)
CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar  vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)
CVE-2022-39135+org.apache.calcite.calcite-babel-1.30.0.jar  vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-babel-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2021-37137+com.typesafe.netty.netty-reactive-streams-2.0.4.jar  vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2021-37137 - https://nvd.nist.gov/vuln/detail/CVE-2021-37137)
CVE-2023-2976+com.google.guava.failureaccess-1.0.1.jar  vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.failureaccess-1.0.1.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)
CVE-2015-2156+com.typesafe.netty.netty-reactive-streams-2.0.4.jar   vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2015-2156 - https://nvd.nist.gov/vuln/detail/CVE-2015-2156)
CVE-2019-20445+com.typesafe.netty.netty-reactive-streams-2.0.4.jar  vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-20445 - https://nvd.nist.gov/vuln/detail/CVE-2019-20445)
CVE-2022-39135+org.apache.calcite.avatica.avatica-metrics-1.20.0.jar    vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-metrics-1.20.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
snleee commented 5 months ago

I think that the following dependency needs to be updated.

@robertzych Does your tool (Anchore) provide the versions that need to be bumped to?

robertzych commented 5 months ago

No, the scan results don't include the versions to upgrade to. I'm in the process of upgrading calcite-core to 1.32.0 and should have updated scan results later today.

robertzych commented 5 months ago

The dependencies of calcite-core 1.32.0 also have CVEs.

robertzych commented 5 months ago

The only dependency that had to be whitelisted was avatica-core 1.24.0, as it couldn't be excluded without introducing a regression. Its CVE (CVE-2022-39135) doesn't apply.

Here are the upgrades and exclusions I had to make to address all of the other CVEs:

      <dependency>
        <groupId>org.apache.pinot</groupId>
        <artifactId>pinot-java-client</artifactId>
        <version>1.0.0-hotfix</version>
        <exclusions>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-metrics</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-core</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-1.2-api-2.17</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.typesafe.netty</groupId>
            <artifactId>netty-reactive-streams</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.calcite</groupId>
            <artifactId>calcite-babel</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-1.2-api</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.1.3-jre</version>
        <exclusions>
          <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>failureaccess</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>org.apache.calcite</groupId>
        <artifactId>calcite-core</artifactId>
        <version>1.36.0</version>
        <exclusions>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-metrics</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-core</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>org.apache.helix</groupId>
        <artifactId>helix-core</artifactId>
        <version>1.3.0</version>
      </dependency>
      <dependency>
        <groupId>org.apache.calcite.avatica</groupId>
        <artifactId>avatica-core</artifactId>
        <version>1.24.0</version>
        <exclusions>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-metrics</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>2.4.10</version>
      </dependency>
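The scan output pasted at the top of this issue and the whitelisting decision in the comment above are the two things a reviewer of this thread has to reason about: the Anchore report repeats the same finding once per jar and once per module inside the jar, and the accepted finding (avatica-core 1.24.0, CVE-2022-39135) should not quietly cover a different version of the same artifact. The following script is an added example, not code from Pinot, Anchore or this issue's participants. It parses lines in exactly the format shown in the report, deduplicates findings per (CVE, artifact, version), and applies a version-pinned allowlist. The sample report is built from lines copied out of the issue plus one constructed line for avatica-core 1.24.0; the allowlist key layout and the function names are my own assumptions.

```python
"""Parse Anchore-style dependency scan lines, deduplicate findings per
(CVE, artifact, version) and apply a version-pinned allowlist.
Added example; the line format follows the scan output pasted in the issue."""
import re
from dataclasses import dataclass

# One report line:
# "<CVE>+<jar>[:<module>]  vulnerabilities package <SEVERITY> Vulnerability found
#  in non-os package type (<type>) - <path> (<CVE> - <url>)"
LINE_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\+(?P<jar>\S+)\s+vulnerabilities package\s+"
    r"(?P<severity>\w+)\s+Vulnerability found in non-os package type "
    r"\((?P<pkg_type>\w+)\) - (?P<path>\S+) \((?P<cve2>CVE-\d{4}-\d+) - (?P<url>\S+)\)$"
)
# The scanner fuses "groupId.artifactId-version". Split at the LAST '-' that is
# followed by a digit so "guava-32.0.0-jre" and "log4j-1.2-api-2.17.1" split right.
NAME_RE = re.compile(r"^(?P<artifact>.+)-(?P<version>\d.*)$")

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "NEGLIGIBLE": 0, "UNKNOWN": 0}


@dataclass(frozen=True)
class Finding:
    cve: str
    artifact: str   # fused groupId.artifactId, as the scanner prints it
    version: str
    severity: str


def parse_finding(line):
    """Return a Finding for one report line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m or m["cve"] != m["cve2"]:
        return None
    jar = m["jar"].split(":", 1)[0]        # drop the ":module" suffix
    if jar.endswith(".jar"):
        jar = jar[:-4]
    nm = NAME_RE.match(jar)
    if not nm:
        return None
    return Finding(m["cve"], nm["artifact"], nm["version"], m["severity"].upper())


def parse_report(text):
    """Parse every line, skipping blanks, unparseable lines and duplicates."""
    seen, out = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_finding(line)
        if f is None or f in seen:
            continue
        seen.add(f)
        out.append(f)
    return out


def triage(findings, allowlist):
    """Split findings into (open, accepted). allowlist maps
    (cve, artifact, version) -> justification. The version is part of the
    key so an accepted risk does not carry over to another build."""
    open_, accepted = [], []
    for f in findings:
        key = (f.cve, f.artifact, f.version)
        if key in allowlist:
            accepted.append((f, allowlist[key]))
        else:
            open_.append(f)
    open_.sort(key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), f.artifact, f.cve))
    return open_, accepted


# Constructed sample: five lines copied from the issue (two are the same netty
# finding reported once per jar and once per module) plus one constructed line
# for avatica-core 1.24.0, the artifact the issue says was whitelisted.
SAMPLE_REPORT = """
CVE-2022-39135+org.apache.calcite.avatica.avatica-core-1.20.0.jar   vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-core-1.20.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams   vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)
CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar  vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)
CVE-2023-2976+com.google.guava.guava-32.0.0-jre.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.guava-32.0.0-jre.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)
CVE-2023-26464+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar    vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2023-26464 - https://nvd.nist.gov/vuln/detail/CVE-2023-26464)
CVE-2022-39135+org.apache.calcite.avatica.avatica-core-1.24.0.jar   vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-core-1.24.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
"""

# Accepted risk recorded with its justification; pinned to the exact version.
ALLOWLIST = {
    ("CVE-2022-39135", "org.apache.calcite.avatica.avatica-core", "1.24.0"):
        "Avatica server-side issue; not reachable from this client (per issue thread)",
}

FINDINGS = parse_report(SAMPLE_REPORT)

if __name__ == "__main__":
    still_open, accepted = triage(FINDINGS, ALLOWLIST)
    for f in still_open:
        print(f"OPEN     {f.severity:8} {f.cve} {f.artifact}:{f.version}")
    for f, why in accepted:
        print(f"ACCEPTED {f.severity:8} {f.cve} {f.artifact}:{f.version}  ({why})")
```

Because the allowlist key carries the version, the avatica-core 1.20.0 finding from the original scan stays open even though the 1.24.0 finding for the same CVE is accepted; after the next upgrade the entry simply stops matching and has to be re-justified.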
snleee commented 5 months ago

@robertzych Would you help with filing a PR for the above changes? By the way, I think that we should bump one library per PR to make the rollback process easy if any issue happens due to the library version upgrade.

robertzych commented 5 months ago

@snleee Of the dependencies that I upgraded, all but calcite-core haven't been upgraded yet. I have created a PR to upgrade calcite-core to the latest version (1.36.0), but because it also contains transitive dependencies that contain CVEs, exclusions/whitelisting will still be required.

hpvd commented 1 week ago

Just a question: shouldn't the already running dependabot find most of the updates needed and update a good part of them automatically?

hpvd commented 1 week ago

If we need a tool which at least tells us which version we need to upgrade to, Trivy may be a good choice: https://github.com/aquasecurity/trivy

It is used e.g. on artifacthub.io and provides results like this (also for repositories):


see: https://artifacthub.io/packages/helm/apache/pulsar?modal=security-report