spring-cloud / spring-cloud-sleuth

Distributed tracing for spring cloud
https://spring.io/projects/spring-cloud-sleuth
Apache License 2.0
1.78k stars 782 forks source link

Update guava and okhttp versions #2224

Closed usharik closed 9 months ago

usharik commented 2 years ago

Describe the bug There are plenty of well-known vulnerable third parties in Sleath. Why is it so and could that be fixed?

marcingrzejszczak commented 2 years ago

Excuse me but i don't understand what you are talking about. What vulnerable third parties?

usharik commented 2 years ago

At least this one https://mvnrepository.com/artifact/com.google.guava/guava/20.0

marcingrzejszczak commented 2 years ago

We're not using Guava and you have not properly created an issue report. I have no idea which libraries are you referring to, what are the vulnerable versions, where do you think we're setting these versions and how we're using those libraries. You're also not mentioning the version of Sleuth that you think is vulnerable.

usharik commented 2 years ago

@marcingrzejszczak you have it specified in the parent pom of the project

        <guava.version>20.0</guava.version>
marcingrzejszczak commented 2 years ago

Ah indeed we have it for the grpc module (we're actually forcing that version to align with brave). Can you provide the whole list of the dependencies you think we should update?

usharik commented 2 years ago

Here are all I manage to find. Hope that's going to be useful.

https://mvnrepository.com/artifact/com.google.guava/guava/20.0 https://mvnrepository.com/artifact/com.h2database/h2/1.4.200 https://mvnrepository.com/artifact/com.squareup.okhttp3/mockwebserver/4.8.0 https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.8.0 https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.9.0 https://mvnrepository.com/artifact/com.zaxxer/HikariCP/4.0.3 https://mvnrepository.com/artifact/io.github.openfeign/feign-core/11.8 https://mvnrepository.com/artifact/io.github.openfeign.form/feign-form-spring/3.8.0 https://mvnrepository.com/artifact/io.lettuce/lettuce-core/6.1.9.RELEASE https://mvnrepository.com/artifact/io.micrometer/micrometer-core/1.8.9 https://mvnrepository.com/artifact/io.projectreactor.netty/reactor-netty/1.0.22 https://mvnrepository.com/artifact/io.r2dbc/r2dbc-h2/0.8.5.RELEASE https://mvnrepository.com/artifact/io.zipkin.brave/brave-instrumentation-mongodb/5.13.9 https://mvnrepository.com/artifact/io.zipkin.brave/brave-instrumentation-spring-rabbit/5.13.9 https://mvnrepository.com/artifact/io.zipkin.zipkin2/zipkin/2.23.2 https://mvnrepository.com/artifact/net.ttddyy/datasource-proxy/1.7 https://mvnrepository.com/artifact/org.apache.activemq/activemq-client/5.16.5 https://mvnrepository.com/artifact/org.apache.commons/commons-dbcp2/2.8.0 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpasyncclient/4.1.5 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13 https://mvnrepository.com/artifact/org.apache.kafka/kafka-streams/3.0.1 https://mvnrepository.com/artifact/org.awaitility/awaitility/4.0.3 https://mvnrepository.com/artifact/org.jboss.forge.roaster/roaster-api/2.22.3.Final https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure/2.6.11 https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-parent/2.6.11 https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter/2.6.11 https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-config-server/3.1.4 https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-sleuth-autoconfigure/3.1.4 https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-sleuth-instrumentation/3.1.4 https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-starter-config/3.1.4 https://mvnrepository.com/artifact/org.springframework.integration/spring-integration-core/5.5.14 https://mvnrepository.com/artifact/org.springframework.kafka/spring-kafka/2.8.8 https://mvnrepository.com/artifact/org.springframework.security/spring-security-core/5.6.7 https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-client/5.6.7 https://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2/2.2.0.RELEASE https://mvnrepository.com/artifact/org.springframework.security.oauth.boot/spring-security-oauth2-autoconfigure/2.3.4.RELEASE https://mvnrepository.com/artifact/org.springframework.session/spring-session-data-redis/2.6.3 https://mvnrepository.com/artifact/org.springframework.vault/spring-vault-core/2.3.2

spencergibb commented 2 years ago

Is there anything in that list besides guava that is managed directly by sleuth? I think most are managed by spring boot or spring integration that aren't spring cloud projects

usharik commented 2 years ago

I see also version for this one in yor parent pom https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.9.0

spencergibb commented 2 years ago

Guava may need to wait until brave is updated because it breaks compatibility so often

usharik commented 2 years ago

Honestly, I'm very impressed.

Sleath as a tracing tool is brilliant but also the most loyal software compliance never going to approve a tool with so many vulnerabilities. Do you really never have such problems?

marcingrzejszczak commented 2 years ago

First of all we don't have any reported vulnerabilities and please stop repeating that because you haven't provided any proof for these statements. Also, nobody has reported any problems with the tool.

Second thing is that most of our dependencies are optional.

spencergibb commented 2 years ago

Security vulnerabilities are to be reported here https://spring.io/security-policy as was noted when you created this issue. There are many large projects using sleuth.

jonatan-ivanov commented 2 years ago

Do I understand correctly that the version (20.0) of Guava we use has one low level and one medium level vulnerabilities? The low level does not seem to be fixed (please correct me if I'm wrong), the feature is deprecated. The medium level is only exploitable if you serialize certain classes using Java or GWT serialization. I think there is a very high chance that this is not happening in Sleuth.

The version (4.9.0) of okhttp we use has one high level vulnerability that is only exploitable if you let unsanitized user input into your HTTP headers. Other than this is a bad practice, Sleuth does not do such thing. Also, it seems okhttp is an optional dependency so Sleuth will not bring it to you if you don't explicitly ask for it. When you do, you should be able easily define the patched version: 4.9.2.

Regardless of these, we should upgrade but the fix seems very simple if you are concerned.