Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixing high severity CVEs in pinot-adls/pinot-orc/pinot-parquet #12571

Merged
merged 1 commit into from
Mar 6, 2024
Merged

Fixing high severity CVEs in pinot-adls/pinot-orc/pinot-parquet #12571

merged 1 commit into from
Mar 6, 2024

Conversation

xiangfu0
Copy link
Contributor

@xiangfu0 xiangfu0 commented Mar 6, 2024
edited
Loading

  1. Upgrade net.minidev:json-smart to version 2.5.0 to fix CVE-2023-1370
  2. Upgrade org.wildfly.openssl:wildfly-openssl to version 1.1.3.Final to fix CVE-2020-25644
  3. Upgrade org.wildfly.openssl:wildfly-openssl-java to version 1.1.3.Final to fix CVE-2020-25644
  4. Explicitly put com.google.protobuf:protobuf-java version 3.25.2 to pinot-orc pom file
  5. Explicitly put com.google.protobuf:protobuf-java version 3.25.2 to pinot-parquet pom file

@xiangfu0 xiangfu0 added dependencies Pull requests that update a dependency file cve labels Mar 6, 2024
@xiangfu0 xiangfu0 requested a review from gortiz March 6, 2024 10:38
gortiz
gortiz reviewed Mar 6, 2024
View reviewed changes
pinot-plugins/pinot-input-format/pinot-orc/pom.xml
@@ -70,5 +70,9 @@
<artifactId>xml-apis</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should set this in the dependency management section of the root pom. That way it will be enforced for any transitive dependency

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is defined in root pom. However the shading packages another version, so need to explicitly set it here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand why that is happening, but lets merge it as it is suggested here.

@codecov-commenter
Copy link

codecov-commenter commented Mar 6, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.57%. Comparing base (59551e4) to head (ea52904).
Report is 67 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff              @@
##             master   #12571      +/-   ##
============================================
- Coverage     61.75%   61.57%   -0.18%     
  Complexity      207      207              
============================================
  Files          2436     2451      +15     
  Lines        133233   133732     +499     
  Branches      20636    20704      +68     
============================================
+ Hits          82274    82347      +73     
- Misses        44911    45280     +369     
- Partials       6048     6105      +57
Flag Coverage Δ
custom-integration1 <0.01% <ø> (-0.01%) ⬇️
integration <0.01% <ø> (-0.01%) ⬇️
integration1 <0.01% <ø> (-0.01%) ⬇️
integration2 0.00% <ø> (ø)
java-11 27.64% <ø> (-34.07%) ⬇️
java-21 61.57% <ø> (-0.06%) ⬇️
skip-bytebuffers-false 61.56% <ø> (-0.19%) ⬇️
skip-bytebuffers-true 61.55% <ø> (+33.82%) ⬆️
temurin 61.57% <ø> (-0.18%) ⬇️
unittests 61.57% <ø> (-0.18%) ⬇️
unittests1 46.75% <ø> (-0.14%) ⬇️
unittests2 27.63% <ø> (-0.10%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@xiangfu0 xiangfu0 merged commit edebbab into apache:master Mar 6, 2024
21 checks passed
@xiangfu0 xiangfu0 deleted the upgrade-protobuf-java-version branch March 6, 2024 11:22
gviedma
gviedma reviewed Mar 7, 2024
View reviewed changes
pinot-plugins/pinot-file-system/pinot-adls/pom.xml
<dependency>
<groupId>org.wildfly.openssl</groupId>
<artifactId>wildfly-openssl</artifactId>
<version>${wildfly-openssl.version}</version>
Copy link
Contributor

@gviedma gviedma Mar 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@xiangfu0 We have noticed that by overriding the version within this module, this creates a discrepancy in versions relative to any shaded jars (1.0.7.Final in the shaded jar vs 1.1.3.Final here), breaking our internal build. This discrepancy is not ideal as it would be preferable to manage the dependencies centrally from the root pom's dependency management section as suggested by @gortiz This also opens up the door to folks that need to override dependency versions in their builds for compliance reasons.
Given the above, would it be possible to move the version settings to dependencyManagement in the root pom?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#12597

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gviedma gviedma gviedma left review comments

@gortiz gortiz gortiz approved these changes

Assignees
No one assigned
Labels
cve dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@xiangfu0 @codecov-commenter @gortiz @gviedma