Closed planetf1 closed 3 years ago
The ranger gaian plugin has the following issues - which do not affect any other modules in egeria
apache-beanutils:common-beanutils:1.7.0
- CVE-2014-0114 (7)
common-beanutils:common-beanutils-core:1.8.0
- CVE-2014-0114 (7)
io.netty:netty:3.7.0.Final - CVE-2015-2156 (7)
- CVE-2014-0193 (5)
org.apache.hadoop:hadoop-common:2.9.2
- CVE-2018-8009 (8)
org.apache.kafka:kafka_2.11:1.0.0
- CVE-2018-17196 (8)
- CVE-2018-1288 (5)
org.apache.zookeeper:zookeeper:3.4.6
- CVE-2017-5637 (7)
- CVE-2018-8012 (7)
- CVE-2019-0201 (5)
org.codehaus.jackson:jackson-mapper-asl:1.9.13
- CVE-2017-7525 (9)
org.apache.httpcomponents:httpclient:4.5.2
- SONATYPE-2017-0359 (7)
This last one only also affects janus - but this will be addressed in https://github.com/odpi/egeria/issues/1828
These issues are transitive dependencies from pulling in Apache Ranger client code.
Possible mitigation strategies to consider:
The ranger (and to a lesser extent gaian) code is raising many security scan issues and liable to quite a number of CVEs
This is brought in through the current ranger code we use, and in particular the client libraries.
We either need to be able to get the client very thin, or more likely move the ranger code to it's own repo
We had also discussed the potential to move this into a Hadoop-oriented connector repository (and do the same with the Apache Atlas connector) -- that could be a reasonable compromise between proliferating too many repositories while still keeping logical units together?
(Apache Atlas relies on many of these same underlying libraries, so there should hopefully also be some synergies in addressing the CVEs in a common way across them.)
See also https://github.com/odpi/egeria/issues/2739 for a broader discussion (my notes) in terms of how we might manage repos.
Broadly in agreement though that for the hadoop case moving both items mentioned there would make sense
Also to add to the hadoop list -- the docker build for atlas/ranger
Starting work on this today ... in conjunction with #odpi/egeria-connector-hadoop-ecosystem#147
We should move
to our hadoop ecosystem repo
and setup appropriate build pipelines
Anything related to the helm charts can go to the samples repo
cc: @cmgrote
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.
I believe you are looking at this first. Please assign back/raise issue with any remaining tasks you need me to look at as part of the migration
Yes - I can do this ... :)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.
I propose to now remove our ranger/gaian related code from the egeria repo. This includes the ranger security connector, gaian, and docker containers.
They will be recreated in an alternative repo when we are ready to continue working for them, as we can retrieve from history.
Currently they are not functional or used, and are contributing to the cost of build performance, security issues etc
Review CLM reports for ranger-gaian plugin -- multiple issues reported
see https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/reports/odpi-egeria/5c16abc7c09d40c8a28358f959c68ef7