Open robertzych opened 5 months ago
I think that the following dependency needs to be updated.
@robertzych Does your tool (Anchore) provide the versions that need to be bumped to?
No, the scan results don't include the versions to upgrade to. I'm in the process of upgrading calcite-core to 1.32.0 and should have updated scan results later today.
The dependencies of calcite-core 1.32.0 also have CVEs.
The only dependency that had to be whitelisted was avatica-core 1.24.0, as it couldn't be excluded without introducing a regression. Its CVE (CVE-2022-39135) doesn't apply.
Here are the upgrades and exclusions I made to address all of the other CVEs:
<dependency>
  <groupId>org.apache.pinot</groupId>
  <artifactId>pinot-java-client</artifactId>
  <version>1.0.0-hotfix</version>
  <exclusions>
    <exclusion>
      <groupId>org.apache.calcite.avatica</groupId>
      <artifactId>avatica-metrics</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.calcite.avatica</groupId>
      <artifactId>avatica-core</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-1.2-api-2.17</artifactId>
    </exclusion>
    <exclusion>
      <groupId>com.typesafe.netty</groupId>
      <artifactId>netty-reactive-streams</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.calcite</groupId>
      <artifactId>calcite-babel</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-1.2-api</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>32.1.3-jre</version>
  <exclusions>
    <exclusion>
      <groupId>com.google.guava</groupId>
      <artifactId>failureaccess</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.apache.calcite</groupId>
  <artifactId>calcite-core</artifactId>
  <version>1.36.0</version>
  <exclusions>
    <exclusion>
      <groupId>org.apache.calcite.avatica</groupId>
      <artifactId>avatica-metrics</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.calcite.avatica</groupId>
      <artifactId>avatica-core</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.apache.helix</groupId>
  <artifactId>helix-core</artifactId>
  <version>1.3.0</version>
</dependency>
<dependency>
  <groupId>org.apache.calcite.avatica</groupId>
  <artifactId>avatica-core</artifactId>
  <version>1.24.0</version>
  <exclusions>
    <exclusion>
      <groupId>org.apache.calcite.avatica</groupId>
      <artifactId>avatica-metrics</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>net.minidev</groupId>
  <artifactId>json-smart</artifactId>
  <version>2.4.10</version>
</dependency>
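Pins and exclusions like the ones above only help if they actually win dependency mediation, and Maven's nearest-wins resolution can silently leave an excluded artifact or an older version in the build. The following script is an added example, not code from the Pinot project or from the poster: it reads a POM fragment (reusing a subset of the coordinates listed above) and a constructed sample of `mvn dependency:tree` output, then reports any excluded artifact that is still resolved and any artifact resolved to a version older than the declared one. The tree output, the `org.example:app` root and the `1.23.0` avatica-metrics version are constructed for the demo; the version comparator is a simplified approximation of Maven's ordering.

```python
"""Check a resolved Maven dependency tree against the version pins and
exclusions declared in a POM fragment (added example, not project code)."""
import re
import xml.etree.ElementTree as ET

# POM fragment reusing coordinates from the thread (trimmed to three entries).
POM_FRAGMENT = """<dependencies>
  <dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>32.1.3-jre</version>
  </dependency>
  <dependency>
    <groupId>org.apache.calcite</groupId>
    <artifactId>calcite-core</artifactId>
    <version>1.36.0</version>
    <exclusions>
      <exclusion>
        <groupId>org.apache.calcite.avatica</groupId>
        <artifactId>avatica-metrics</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>net.minidev</groupId>
    <artifactId>json-smart</artifactId>
    <version>2.4.10</version>
  </dependency>
</dependencies>"""

# Constructed sample of `mvn dependency:tree` output (not real project output).
# It deliberately shows one exclusion that did not take effect and one pin
# that lost to an older version pulled in elsewhere.
TREE_OUTPUT = """[INFO] org.example:app:jar:1.0
[INFO] +- com.google.guava:guava:jar:32.1.3-jre:compile
[INFO] +- org.apache.calcite:calcite-core:jar:1.36.0:compile
[INFO] |  \\- org.apache.calcite.avatica:avatica-metrics:jar:1.23.0:compile
[INFO] \\- net.minidev:json-smart:jar:2.4.8:compile
"""

# groupId:artifactId:type[:classifier]:version:scope
_COORD = re.compile(r"([^:\s]+):([^:\s]+):[^:\s]+:(?:[^:\s]+:)?([^:\s]+):(\w+)")


def parse_pom(xml_text):
    """Return ({(group, artifact): version}, {(group, artifact) excluded})."""
    root = ET.fromstring(xml_text)
    pins, excluded = {}, set()
    for dep in root.findall("dependency"):
        key = (dep.findtext("groupId"), dep.findtext("artifactId"))
        pins[key] = dep.findtext("version")
        for exc in dep.findall("exclusions/exclusion"):
            excluded.add((exc.findtext("groupId"), exc.findtext("artifactId")))
    return pins, excluded


def parse_tree(text):
    """Return [(group, artifact, version)] for every resolved artifact line;
    the root project line has no scope field and is skipped."""
    deps = []
    for line in text.splitlines():
        body = re.sub(r"^\[INFO\]\s*[|+\\\- ]*", "", line)  # strip tree art
        m = _COORD.fullmatch(body)
        if m:
            deps.append((m.group(1), m.group(2), m.group(3)))
    return deps


def version_key(v):
    """Simplified ordering: numeric parts compare as ints, qualifiers as
    strings. Maven's real rules (SNAPSHOT, rc, ...) are richer than this."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v)]


def check_tree(pom_xml, tree_text):
    """Return findings: excluded artifacts that are still resolved, and
    artifacts resolved to something older than the version the POM pins."""
    pins, excluded = parse_pom(pom_xml)
    findings = []
    for group, artifact, version in parse_tree(tree_text):
        key = (group, artifact)
        if key in excluded:
            findings.append(("still-present", f"{group}:{artifact}:{version}"))
        elif key in pins and version_key(version) < version_key(pins[key]):
            findings.append(("older-than-pin", f"{group}:{artifact}:{version} < {pins[key]}"))
    return findings


if __name__ == "__main__":
    for kind, detail in check_tree(POM_FRAGMENT, TREE_OUTPUT):
        print(f"{kind}: {detail}")
```

Run it with the real tree by piping `mvn dependency:tree` output into `check_tree` in place of the constructed sample; a non-empty findings list is the signal that a whitelist entry or version bump in the POM is not what the build actually ships.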
@robertzych Would you help on filing pr for the above changes? By the way, I think that we should bump up one library per PR to make the rollback process easy if any issue happens due to the library version upgrade.
@snleee Of the dependencies that I upgraded, all but calcite-core haven't been upgraded yet. I have created a PR to upgrade calcite-core to the latest version (1.36.0), but because it also contains transitive dependencies that contain CVEs, exclusions/whitelisting will still be required.
Just a question: shouldn't the already running dependabot find most of the updates needed and update a good part of them automatically?
If we need a tool which tells us at least which version we need to upgrade to, Trivy may be a good choice: https://github.com/aquasecurity/trivy
It is used e.g. on artifacthub.io and provides results like this (also for repositories),
see: https://artifacthub.io/packages/helm/apache/pulsar?modal=security-report
In using
pinot-java-client : 1.0.0-hotfix
and pinot-common : 1.0.0
and scanning the dependencies with Anchore the following CVEs were detected: