
[fix][sec] Upgrade dependency-check-maven and remove javax.el #19764

Merged
merged 6 commits into from
Mar 20, 2023

Conversation

poorbarcode
Contributor

@poorbarcode poorbarcode commented Mar 9, 2023

Motivation

See the report of the OWASP dependency check : https://github.com/apache/pulsar/actions/runs/4362250208/jobs/7632389328

Error:  Failed to execute goal org.owasp:dependency-check-maven:8.0.1:aggregate (default) on project pulsar: 
Error:  
Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
Error:  
Error:  aws-json-protocol-2.10.56.jar: CVE-2022-45688(7.5)
Error:  google-http-client-gson-1.41.0.jar: CVE-2022-45688(7.5)
Error:  jackson-core-2.13.4.jar: CVE-2022-45688(7.5)
Error:  jackson-jaxrs-json-provider-2.13.4.jar: CVE-2022-45688(7.5)
Error:  jackson-module-jsonSchema-2.13.4.jar: CVE-2022-45688(7.5)
Error:  jakarta.json-api-2.0.1.jar: CVE-2022-45688(7.5)
Error:  javax.el-3.0.0.jar: CVE-2021-28170(7.5)
Error:  jjwt-api-0.11.1.jar: CVE-2022-45688(7.5)
Error:  json-utils-2.17.128.jar: CVE-2022-45688(7.5)
Error:  pom.xml: CVE-2022-34917(7.5), CVE-2023-25194(8.8)
Error:  
Error:  See the dependency-check report for more details.
Error:  -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
Error:  
Error:  After correcting the problems, you can resume the build with the command
Error:    mvn <args> -rf :pulsar
Error: Process completed with exit code 1.

Modifications

  • [CVE-2022-45688] is a mistake in the project dependency-check-maven, so upgrade dependency-check-maven to version 8.1.2.
  • CVE-2020-26939: unify the version of project BC to 1.69.
  • CVE-2021-28170: remove the lib javax.el.
  • [CVE-2022-34917] & [CVE-2023-25194] are wrong reports; it seems to treat pulsar-io-kafka-connect-adaptor as a lib of Kafka, so remove these two checks:
    pulsar-io-kafka-connect-adaptor-3.0.0-SNAPSHOT.jar (pkg:maven/org.apache.pulsar/pulsar-io-kafka-connect-adaptor@3.0.0-SNAPSHOT, cpe:2.3:a:apache:kafka:3.0.0:snapshot:*:*:*:*:*:*, cpe:2.3:a:apache:pulsar:3.0.0:snapshot:*:*:*:*:*:*) : CVE-2023-25194, CVE-2022-34917

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:
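The last bullet of the Modifications section describes a false positive: dependency-check derives the CPE `cpe:2.3:a:apache:kafka` from the artifact name `pulsar-io-kafka-connect-adaptor` and then attributes two Kafka CVEs to it. The standard way to silence such a misidentification without hiding real findings is a dependency-check suppression file that pins the suppression to the exact package URL and only to the wrongly inferred CPE. The file below is an added example written for this page, not the file from the PR; the path `src/owasp-dependency-check-suppressions.xml`, the note text and the regex are assumptions, while the package URL and the CPE vendor/product come from the finding quoted in the PR description.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the PR): suppress only the CPE that dependency-check
     inferred wrongly, scoped to one artifact, so that any real Pulsar CVE attached
     to cpe:/a:apache:pulsar would still fail the build. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
            pulsar-io-kafka-connect-adaptor is a Pulsar IO connector, not Apache Kafka itself.
            dependency-check matches the "kafka" token in the artifact id to cpe:/a:apache:kafka
            and reports Kafka CVEs (e.g. CVE-2022-34917, CVE-2023-25194) against it.
            Suppressing the CPE (rather than the individual CVE ids) also covers future
            Kafka CVEs that would be misattributed the same way.
        ]]></notes>
        <!-- Match every version of this one artifact; regex="true" is required for the ^...$ form. -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.pulsar/pulsar\-io\-kafka\-connect\-adaptor@.*$</packageUrl>
        <!-- The wrongly inferred product; the cpe:/a:apache:pulsar identification is left intact. -->
        <cpe>cpe:/a:apache:kafka</cpe>
    </suppress>
</suppressions>
```

The file is wired into the Maven plugin through `<suppressionFiles><suppressionFile>src/owasp-dependency-check-suppressions.xml</suppressionFile></suppressionFiles>` in the `org.owasp:dependency-check-maven` plugin configuration (the same block that sets the `failBuildOnCVSS` threshold of 7.0 visible in the quoted log). Suppressing by CPE rather than by `<cve>` is the design choice worth noting: a per-CVE suppression would have to be extended every time a new Kafka advisory is published, whereas the CPE suppression removes the root cause of the misidentification. Conversely, CVE-2022-45688 from the same log is not suppressed here, because the PR addresses it by upgrading the plugin itself; a suppression would only mask the scanner defect.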

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Mar 9, 2023
@poorbarcode poorbarcode changed the title [cleanup] [broker] cleanup the lib which may lead to the OWASP Dependency Check faul [fix] [broker] security: upgrade dependency-check-maven and jakarta.el to get rid of CVE-2021-28170 and others Mar 9, 2023
@poorbarcode poorbarcode changed the title [fix] [broker] security: upgrade dependency-check-maven and jakarta.el to get rid of CVE-2021-28170 and others [fix] [broker] security: upgrade dependency-check-maven and remove javax.el to get rid of CVE-2021-28170 and others Mar 9, 2023
@tisonkun tisonkun requested review from lhotari and tisonkun March 10, 2023 01:58
@poorbarcode
Contributor Author

/pulsarbot rerun-failure-checks

@tisonkun tisonkun changed the title [fix] [broker] security: upgrade dependency-check-maven and remove javax.el to get rid of CVE-2021-28170 and others [fix][sec] Upgrade dependency-check-maven and remove javax.el Mar 11, 2023
@dlg99 dlg99 merged commit c4abe7b into apache:master Mar 20, 2023
@poorbarcode poorbarcode deleted the cleanup/pom_bouncycastle branch March 21, 2023 14:49