cedardevs / onestop

OneStop is a data discovery system being built by CIRES researchers on a grant from the NOAA National Centers for Environmental Information. We welcome contributions from the community!
GNU General Public License v2.0

Deal with it - H2 CVE #817

Open dneufeldcu opened 5 years ago

dneufeldcu commented 5 years ago

Context: H2 was used as authz support for ICAM based metadata upload.

We have two options:

zebdelk commented 5 years ago

Possibly related note: I had trouble deploying api-metadata to a tomcat container with the context path /onestop/admin because of the way liquibase and spring tried to resolve the URLs for the migration files, and the way that tomcat handles paths (it creates a directory named onestop#admin, and the # does not appear to play nicely as a URL component. At least I believe that was the issue).

So that's something to keep an eye on as we work on removing the h2 owasp problem.

dneufeldcu commented 5 years ago

Postgres driver also has CVEs; we don't know what to do!

Plan to explore some other in-memory options, otherwise we plan to just remove h2.

zebdelk commented 5 years ago

Finished PR #849 to change the H2 dependency. This issue is being left open until we revisit the ICAM security and verify everything is working again (deliberately dropped for the 2.1 release).