nextflow-io / nextflow

A DSL for data-driven computational pipelines
http://nextflow.io
Apache License 2.0

Upgrade libraries on 23.10.1 #5001

Closed arnaualcazar closed 2 weeks ago

arnaualcazar commented 1 month ago

Some libraries found in version 23.10.1 do have vulnerabilities. They need to be updated to the following min version:

| Affected library | Severity | Min version needed |
| --- | --- | --- |
| org.pf4j/pf4j | High | 3.10.0 |
| ch.qos.logback/logback-classic | High | 1.4.14 |
| ch.qos.logback/logback-core | High | 1.4.14 |
| io.projectreactor.netty:reactor-netty-http | High | 1.1.13 |
| io.projectreactor.netty/reactor-netty-core | High | 1.1.13 |
| io.netty:netty-codec-http2 | High | 4.1.100.Final |
| org.apache.commons/commons-compress | High | 1.26.0 |
| com.squareup.okio:okio | High | 3.4.0 |
| com.google.guava/guava | High | 32.0.0-jre |
| io.netty:netty-codec-http2 | High | 4.1.100.Final |
| org.eclipse.jgit/org.eclipse.jgit | High | 6.6.1.202309021850-r |
| io.grpc/grpc-protobuf | High | 1.53.0 |

arnaualcazar commented 1 month ago

In the merged fix, I see that io.netty:netty-codec-http2 is in version 4.1.86.Final, which has a high severity vulnerability. Weren't you able to upgrade it?

pditommaso commented 1 month ago

Likely these are deps in the Azure plugin. @bentsherman any clue?

bentsherman commented 1 month ago

It is not a direct dependency of Nextflow or any core plugin, so it must be a transitive dep. I assumed it would be fixed by upgrading the other packages but I guess not.

What's that gradle command to view the whole dependency tree?

bentsherman commented 1 month ago

It is a dependency of the azure blob SDK. It is already up to date on 24.04, so you just need to backport this commit: https://github.com/nextflow-io/nextflow/commit/1bcbaf0d838303a3724eb587efa1124c32ecce8d

bentsherman commented 1 month ago

@arnaualcazar was that the only remaining vulnerability?

arnaualcazar commented 1 month ago

I have performed a more in-depth analysis. Adding the pending High and Critical vulnerabilities along with the paths where they are found.

| Affected library | Severity | Min version needed | Filepath |
| --- | --- | --- | --- |
| io.projectreactor.netty:reactor-netty-http | High | 1.1.13 | .nextflow/plugins/nf-azure-1.3.3-patch1/lib/reactor-netty-core-1.0.28.jar |
| io.netty:netty-codec-http2 | High | 4.1.100.Final | .nextflow/plugins/nf-azure-1.3.3-patch1/lib/reactor-netty-http-1.0.28.jar |
| com.squareup.okio:okio | High | 3.4.0 | .nextflow/plugins/nf-azure-1.3.3-patch1/lib/okio-1.15.0.jar |
| com.google.guava/guava | High | 32.0.0-jre | .nextflow/plugins/nf-google-1.8.3-patch1/lib/guava-31.1-jre.jar |
| io.netty:netty-codec-http2 | High | 4.1.100.Final | .nextflow/plugins/nf-amazon-2.1.4-patch1/lib/netty-codec-http2-4.1.86.Final.jar |
| io.grpc/grpc-protobuf | High | 1.53.0 | .nextflow/plugins/nf-google-1.8.3-patch1/lib/grpc-protobuf-1.52.1.jar |

arnaualcazar commented 2 weeks ago

Will we have these vulnerabilities patched for the new platform release?

pditommaso commented 2 weeks ago

@arnaualcazar can you please check whether the dependencies provided by #5057 solve the problem? I'm reporting them below for your convenience.

build/libs/nextflow-23.10.3-RC1-all
├── Capsule.class
├── JavaEWAH-1.2.3.jar
├── MavenCapsule.class
├── NextflowLoader.class
├── activation-1.1.1.jar
├── animal-sniffer-annotations-1.23.jar
├── annotations-2.25.69.jar
├── annotations-4.1.1.4.jar
├── apache-client-2.25.69.jar
├── api-common-2.19.0.jar
├── auth-2.25.69.jar
├── auto-value-annotations-1.10.4.jar
├── aws-core-2.25.69.jar
├── aws-java-sdk-batch-1.12.429.jar
├── aws-java-sdk-codecommit-1.12.429.jar
├── aws-java-sdk-core-1.12.429.jar
├── aws-java-sdk-ec2-1.12.429.jar
├── aws-java-sdk-ecs-1.12.429.jar
├── aws-java-sdk-iam-1.12.429.jar
├── aws-java-sdk-kms-1.12.429.jar
├── aws-java-sdk-logs-1.12.429.jar
├── aws-java-sdk-s3-1.12.429.jar
├── aws-java-sdk-ses-1.12.429.jar
├── aws-java-sdk-sts-1.12.429.jar
├── aws-json-protocol-2.25.69.jar
├── bcpkix-jdk15on-1.67.jar
├── bcprov-jdk15on-1.67.jar
├── checker-qual-3.33.0.jar
├── checker-qual-3.39.0.jar
├── checksums-2.25.69.jar
├── checksums-spi-2.25.69.jar
├── commons-codec-1.15.jar
├── commons-codec-1.16.0.jar
├── commons-compress-1.26.0.jar
├── commons-io-2.11.0.jar
├── commons-io-2.15.1.jar
├── commons-lang-2.6.jar
├── commons-lang3-3.14.0.jar
├── conscrypt-openjdk-uber-2.5.2.jar
├── endpoints-spi-2.25.69.jar
├── error_prone_annotations-2.18.0.jar
├── error_prone_annotations-2.22.0.jar
├── eventstream-1.0.1.jar
├── failsafe-3.1.0.jar
├── failureaccess-1.0.1.jar
├── fastdoubleparser-0.8.0.jar
├── gax-2.36.0.jar
├── gax-grpc-2.36.0.jar
├── gax-httpjson-2.36.0.jar
├── google-api-client-1.35.1.jar
├── google-api-services-lifesciences-v2beta-rev20210527-1.31.5.jar
├── google-api-services-storage-v1-rev20220705-1.32.1.jar
├── google-auth-library-credentials-1.20.0.jar
├── google-auth-library-oauth2-http-1.20.0.jar
├── google-cloud-batch-0.29.0.jar
├── google-cloud-core-2.8.0.jar
├── google-cloud-core-grpc-2.6.0.jar
├── google-cloud-core-http-2.8.0.jar
├── google-cloud-logging-3.8.0.jar
├── google-cloud-nio-0.124.8.jar
├── google-cloud-storage-2.9.3.jar
├── google-http-client-1.43.3.jar
├── google-http-client-apache-v2-1.42.0.jar
├── google-http-client-appengine-1.42.0.jar
├── google-http-client-gson-1.43.3.jar
├── google-http-client-jackson2-1.42.0.jar
├── google-oauth-client-1.34.1.jar
├── gpars-1.2.1.jar
├── grengine-3.0.0.jar
├── groovy-3.0.19.jar
├── groovy-json-3.0.19.jar
├── groovy-nio-3.0.19.jar
├── groovy-templates-3.0.19.jar
├── groovy-xml-3.0.19.jar
├── groovy-yaml-3.0.19.jar
├── grpc-alts-1.58.0.jar
├── grpc-api-1.58.0.jar
├── grpc-auth-1.58.0.jar
├── grpc-context-1.58.0.jar
├── grpc-core-1.58.0.jar
├── grpc-google-common-protos-2.27.0.jar
├── grpc-google-iam-v1-1.22.0.jar
├── grpc-googleapis-1.58.0.jar
├── grpc-grpclb-1.58.0.jar
├── grpc-inprocess-1.58.0.jar
├── grpc-netty-shaded-1.58.0.jar
├── grpc-protobuf-1.58.0.jar
├── grpc-protobuf-lite-1.58.0.jar
├── grpc-services-1.58.0.jar
├── grpc-stub-1.58.0.jar
├── grpc-util-1.58.0.jar
├── grpc-xds-1.58.0.jar
├── gson-2.10.1.jar
├── guava-32.0.0-jre.jar
├── guava-32.1.2-jre.jar
├── http-auth-2.25.69.jar
├── http-auth-aws-2.25.69.jar
├── http-auth-spi-2.25.69.jar
├── http-client-spi-2.25.69.jar
├── httpclient-4.5.13.jar
├── httpclient-4.5.14.jar
├── httpcore-4.4.13.jar
├── httpcore-4.4.16.jar
├── identity-spi-2.25.69.jar
├── ion-java-1.0.2.jar
├── ivy-2.5.2.jar
├── j2objc-annotations-2.8.jar
├── jackson-annotations-2.14.2.jar
├── jackson-annotations-2.15.0.jar
├── jackson-core-2.14.2.jar
├── jackson-core-2.15.0.jar
├── jackson-databind-2.14.2.jar
├── jackson-databind-2.15.0.jar
├── jackson-dataformat-cbor-2.14.2.jar
├── jackson-dataformat-yaml-2.14.2.jar
├── jackson-dataformat-yaml-2.15.0.jar
├── java-semver-0.9.0.jar
├── javax.activation-api-1.2.0.jar
├── javax.annotation-api-1.3.2.jar
├── javax.inject-1.jar
├── jaxb-api-2.3.1.jar
├── jcl-over-slf4j-2.0.7.jar
├── jcommander-1.35.jar
├── jline-2.9.jar
├── jmespath-java-1.12.429.jar
├── joda-time-2.8.1.jar
├── json-utils-2.25.69.jar
├── jsoup-1.15.4.jar
├── jsr166y-1.7.0.jar
├── jsr305-3.0.2.jar
├── jul-to-slf4j-2.0.7.jar
├── kryo-2.24.0.jar
├── leveldb-0.12.jar
├── leveldb-api-0.12.jar
├── listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
├── log4j-over-slf4j-2.0.7.jar
├── logback-classic-1.4.14.jar
├── logback-core-1.4.14.jar
├── mail-1.4.7.jar
├── metrics-spi-2.25.69.jar
├── multiverse-core-0.7.0.jar
├── netty-buffer-4.1.108.Final.jar
├── netty-codec-4.1.108.Final.jar
├── netty-codec-http-4.1.108.Final.jar
├── netty-codec-http2-4.1.108.Final.jar
├── netty-common-4.1.108.Final.jar
├── netty-handler-4.1.108.Final.jar
├── netty-nio-client-2.25.69.jar
├── netty-resolver-4.1.108.Final.jar
├── netty-transport-4.1.108.Final.jar
├── netty-transport-classes-epoll-4.1.108.Final.jar
├── netty-transport-native-unix-common-4.1.108.Final.jar
├── nextflow-23.10.3-RC1.jar
├── nf-amazon-2.1.4-patch1.jar
├── nf-commons-23.10.3-RC1.jar
├── nf-google-1.8.3-patch1.jar
├── nf-httpfs-23.10.3-RC1.jar
├── nf-tower-1.6.3-patch1.jar
├── nf-wave-1.0.1-patch1.jar
├── objenesis-2.1.jar
├── opencensus-api-0.31.1.jar
├── opencensus-contrib-http-util-0.31.1.jar
├── opencensus-proto-0.2.0.jar
├── org.eclipse.jgit-6.6.1.202309021850-r.jar
├── perfmark-api-0.26.0.jar
├── pf4j-3.10.0.jar
├── pf4j-update-2.3.0.jar
├── profiles-2.25.69.jar
├── proto-google-cloud-batch-v1-0.29.0.jar
├── proto-google-cloud-batch-v1alpha-0.29.0.jar
├── proto-google-cloud-logging-v2-0.97.0.jar
├── proto-google-common-protos-2.27.0.jar
├── proto-google-iam-v1-1.22.0.jar
├── protobuf-java-3.24.4.jar
├── protobuf-java-util-3.24.4.jar
├── protocol-core-2.25.69.jar
├── re2j-1.7.jar
├── reactive-streams-1.0.4.jar
├── regions-2.25.69.jar
├── sdk-core-2.25.69.jar
├── slf4j-api-2.0.7.jar
├── snakeyaml-2.0.jar
├── sso-2.25.69.jar
├── ssooidc-2.25.69.jar
├── third-party-jackson-core-2.25.69.jar
├── threetenbp-1.6.8.jar
├── utils-2.25.69.jar
├── wave-api-0.6.0.jar
└── wave-utils-0.7.9.jar
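One way to check a jar listing like the one above against the minimum versions from the issue's table, as an added example that is not code from the Nextflow project or from anyone in this thread. The version comparator is a simplified stand-in for Maven's ordering (an assumption), and the two sample listings are constructed from jar names quoted in this thread.

```python
import re

# Minimum fixed versions from the issue's table, keyed by artifact name as it
# appears in the jar filename (the groupId, e.g. "io.netty:", is dropped).
MIN_VERSIONS = {
    "pf4j": "3.10.0", "logback-classic": "1.4.14", "logback-core": "1.4.14",
    "reactor-netty-http": "1.1.13", "reactor-netty-core": "1.1.13",
    "netty-codec-http2": "4.1.100.Final", "commons-compress": "1.26.0",
    "okio": "3.4.0", "guava": "32.0.0-jre",
    "org.eclipse.jgit": "6.6.1.202309021850-r", "grpc-protobuf": "1.53.0",
}

# <artifact>-<version>.jar: the version starts at the first "-<digit>" boundary.
JAR_RE = re.compile(r"(?P<name>[\w.\-]+?)-(?P<version>\d[\w.\-]*)\.jar$")

def version_key(version):
    """Split on '.' and '-'; numeric parts compare numerically and a qualifier
    ('Final', 'jre', 'r') sorts below a number in the same position. Assumption:
    a simplification of Maven's ComparableVersion, enough for these versions."""
    return tuple((1, int(t), "") if t.isdigit() else (0, 0, t.lower())
                 for t in re.split(r"[.-]", version))

def audit_listing(listing, minimums=MIN_VERSIONS):
    """Classify each tracked artifact in a tree-style jar listing as 'ok'
    (>= minimum), 'vulnerable' (< minimum) or 'missing'. Missing is reported,
    not passed: plugin jars (nf-azure, ...) live under .nextflow/plugins, not in
    this bundle, so absence proves nothing. Every copy of a duplicated jar is checked."""
    seen = {name: [] for name in minimums}
    for line in listing.splitlines():
        m = JAR_RE.search(line)
        if m and m.group("name") in seen:
            seen[m.group("name")].append(m.group("version"))
    result = {"ok": [], "vulnerable": [], "missing": []}
    for name, versions in seen.items():
        if not versions:
            result["missing"].append(name)
        for v in versions:
            ok = version_key(v) >= version_key(minimums[name])
            result["ok" if ok else "vulnerable"].append(f"{name}-{v}")
    return result

# Constructed samples: jars named in the second table (pre-fix plugin dirs) and
# lines copied from the 23.10.3-RC1 listing above (post-fix).
BEFORE = "okio-1.15.0.jar\nguava-31.1-jre.jar\nnetty-codec-http2-4.1.86.Final.jar\ngrpc-protobuf-1.52.1.jar"
AFTER = """├── grpc-protobuf-1.58.0.jar
├── guava-32.0.0-jre.jar
├── guava-32.1.2-jre.jar
├── netty-codec-http2-4.1.108.Final.jar
├── org.eclipse.jgit-6.6.1.202309021850-r.jar
└── pf4j-3.10.0.jar"""
```

`audit_listing(BEFORE)` flags all four pre-fix jars, while `audit_listing(AFTER)` flags none and lists the plugin-only artifacts (okio, reactor-netty-*) as missing rather than fixed, which is why the plugin directories under .nextflow/plugins still need their own check.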
arnaualcazar commented 2 weeks ago

Yes, all of them are solved now. Thanks!

pditommaso commented 2 weeks ago

Released https://github.com/nextflow-io/nextflow/releases/tag/v23.10.3