Closed planetf1 closed 5 years ago
Also my own scan: https://sonarcloud.io/dashboard?id=planetf1_egeria
Reviewing red CVEs...
Dependency org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13 located at Module org.odpi.egeria:gaian-ranger-plugin:jar:0.3-SNAPSHOT
Routes for this inclusion are:
[INFO] +- org.apache.hadoop:hadoop-core:jar:1.2.1:compile
This is declared as a runtime dependency, so I will need to test whether it is actually needed at runtime.
The next one is:
Dependency org.apache.derby:derby:jar:10.8.3.0 located at Module org.odpi.egeria:virtualizer:jar:0.3-SNAPSHOT
derby-10.8.3.0.jar located at open-metadata-resources/open-metadata-demos/virtual-data-connector/virtualizer/target/virtualizer-0.3-SNAPSHOT.jar/BOOT-INF/lib
Dependency org.apache.derby:derby:jar:10.8.3.1 located at Module org.odpi.egeria:gaian-impersonation:jar:0.3-SNAPSHOT
Dependency org.apache.derby:derby:jar:10.8.3.1 located at Module org.odpi.egeria:gaian-ranger-plugin:jar:0.3-SNAPSHOT
derby.jar located at open-metadata-implementation/adapters/target/GAIANDB_V2.1.8_20160523.zip/lib
derby.jar located at open-metadata-implementation/adapters/target/lib
This is because Gaian is using a very old version of Derby. Gaian would need to be upgraded to work with current Derby levels. It is tricky to take an immediate-term action other than to warn against using it in any production environment.
Dependency org.apache.hadoop:hadoop-core:jar:1.2.1 located at Module org.odpi.egeria:gaian-ranger-plugin:jar:0.3-SNAPSHOT
Dependency org.apache.zookeeper:zookeeper:jar:3.4.6 located at Module org.odpi.egeria:gaian-ranger-plugin:jar:0.3-SNAPSHOT
Dependency io.netty:netty:jar:3.7.0.Final located at Module org.odpi.egeria:gaian-ranger-plugin:jar:0.3-SNAPSHOT
Dependency commons-httpclient:commons-httpclient:jar:3.0.1 located at Module org.odpi.egeria:gaian-ranger-plugin:jar:0.3-SNAPSHOT
Dependency tomcat:jasper-runtime:jar:5.5.12 located at Module org.odpi.egeria:gaian-ranger-plugin:jar:0.3-SNAPSHOT
Summary
With Ranger master, their main build has gone up to:
- hadoop-core: not present (just hadoop-common 2.7.1)
- jackson-mapper: no change, still pulled in by org.apache.ranger:ranger-plugins-common
- gaian: n/a
- zookeeper: no change, still pulled in via the plugin library
- netty: no change, still pulled in
- httpclient: upgraded to 3.1, still pulled in
- jasper-runtime: up to 5.5.23, doesn't seem to be pulled in via Ranger
Ranger sample code does directly depend on hadoop-common, as well as ranger-plugins-common & ranger-plugins-audit
Trying to rebuild with fewer dependencies. Many things need the common Ranger plugin library:
String rangerURL = RangerConfiguration.getInstance().get("ranger.plugin.gaian.policy.rest.url");
during initialization needs org.apache.hadoop.conf.Configuration.
This can only be found in hadoop-core, so we can't reduce dependencies at all.
There are additional dependencies in
Next I will try creating a PR (do not merge) to test the effect of using the latest version of all additional dependencies in this module.
CLM run complete. Output at https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/reports/odpi-egeria/10a2047ddbd3461eabce41d1c70c3d1c (restricted). Marked as unstable due to warnings (so the status above is not a concern).
Followed up via email with the Ranger security team to see if dependencies can be reduced and/or to capture info on mitigating CVEs (levels 7-9 only).
Dependencies are refreshed. Will open a new security-specific issue.
See https://sonar.odpi.org/dashboard?id=org.odpi.egeria%3Aegeria