fix vulnerabilties

hypertrace · Jun 28, 2023 · 032c0ab · 032c0ab
1 parent 058832e
commit 032c0ab
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 52 deletions.
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -30,7 +30,7 @@ jobs:
         with: 
           args: build dockerBuildImages
 
-      - name: Run Trivy vulnerability scanner for ingester
+      - name: Run Trivy vulnerability scanner for query service
         uses: hypertrace/github-actions/trivy-image-scan@main
         with:
           image: hypertrace/query-service

diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -8,4 +8,63 @@
     <cpe>cpe:/a:grpc:grpc</cpe>
     <cpe>cpe:/a:utils_project:utils</cpe>
   </suppress>
+
+  <!-- This is the final version, and its coming via transitive dep. -->
+  <suppress>
+    <notes><![CDATA[
+   file name: commons-httpclient-3.1.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/commons\-httpclient/commons\-httpclient@.*$</packageUrl>
+    <cpe>cpe:/a:apache:commons-httpclient</cpe>
+    <cpe>cpe:/a:apache:httpclient</cpe>
+    <cve>CVE-2012-5783</cve>
+  </suppress>
+
+  <!-- This is the final version -->
+  <suppress>
+    <notes><![CDATA[
+   file name: zookeeper-api-1.2.0.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.helix/zookeeper\-api@.*$</packageUrl>
+    <cpe>cpe:/a:apache:zookeeper</cpe>
+    <cpe>cpe:/a:apache:helix</cpe>
+  </suppress>
+
+  <!-- This is the final version -->
+  <suppress>
+    <notes><![CDATA[
+   file name: snakeyaml-1.33.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+    <cpe>cpe:/a:snakeyaml_project:snakeyaml</cpe>
+    <cve>CVE-2022-1471</cve>
+  </suppress>
+
+  <!-- Same vulnerability even in latest version -->
+  <suppress>
+    <notes><![CDATA[
+   file name: commons-compiler-3.1.8.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.janino/commons\-compiler@.*$</packageUrl>
+    <cpe>cpe:/a:janino_project:janino</cpe>
+  </suppress>
+
+  <!-- Same vulnerability even in latest version -->
+  <suppress>
+    <notes><![CDATA[
+   file name: janino-3.1.8.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.janino/janino@.*$</packageUrl>
+    <cpe>cpe:/a:janino_project:janino</cpe>
+    <cve>CVE-2023-33546</cve>
+  </suppress>
+
+  <!-- Disputed vulnerability -->
+  <suppress>
+    <notes><![CDATA[
+     file name: jackson-databind-2.14.2.jar
+     ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+    <cpe>cpe:/a:fasterxml:jackson-databind</cpe>
+  </suppress>
 </suppressions> 
diff --git a/query-service-api/build.gradle.kts b/query-service-api/build.gradle.kts
@@ -1,13 +1,8 @@
-import com.google.protobuf.gradle.generateProtoTasks
 import com.google.protobuf.gradle.id
-import com.google.protobuf.gradle.ofSourceSet
-import com.google.protobuf.gradle.plugins
-import com.google.protobuf.gradle.protobuf
-import com.google.protobuf.gradle.protoc
 
 plugins {
   `java-library`
-  id("com.google.protobuf") version "0.8.15"
+  id("com.google.protobuf") version "0.9.2"
   id("org.hypertrace.publish-plugin")
   id("org.hypertrace.jacoco-report-plugin")
 }
@@ -16,38 +11,18 @@ val generateLocalGoGrpcFiles = false
 
 protobuf {
   protoc {
-    artifact = "com.google.protobuf:protoc:3.19.2"
+    artifact = "com.google.protobuf:protoc:3.21.12"
   }
   plugins {
-    // Optional: an artifact spec for a protoc plugin, with "grpc" as
-    // the identifier, which can be referred to in the "plugins"
-    // container of the "generateProtoTasks" closure.
-    id("grpc_java") {
-      artifact = "io.grpc:protoc-gen-grpc-java:1.45.1"
-    }
-
-    if (generateLocalGoGrpcFiles) {
-      id("grpc_go") {
-        path = "<go-path>/bin/protoc-gen-go"
-      }
+    id("grpc") {
+      artifact = "io.grpc:protoc-gen-grpc-java:1.56.0"
     }
   }
   generateProtoTasks {
-    ofSourceSet("main").forEach {
-      it.plugins {
+    ofSourceSet("main").configureEach {
+      plugins {
         // Apply the "grpc" plugin whose spec is defined above, without options.
-        id("grpc_java")
-
-        if (generateLocalGoGrpcFiles) {
-          id("grpc_go")
-        }
-      }
-      it.builtins {
-        java
-
-        if (generateLocalGoGrpcFiles) {
-          id("go")
-        }
+        id("grpc")
       }
     }
   }
@@ -70,6 +45,11 @@ dependencies {
   api("io.grpc:grpc-protobuf")
   api("io.grpc:grpc-stub")
   api("javax.annotation:javax.annotation-api:1.3.2")
+  constraints {
+    implementation("com.google.guava:guava:32.0.1-jre") {
+      because("Multiple vulnerabilities")
+    }
+  }
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
   testImplementation("com.google.protobuf:protobuf-java-util:3.22.0")

diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
@@ -10,32 +10,32 @@ tasks.test {
 
 dependencies {
   constraints {
-    implementation("io.netty:netty:3.10.6.Final") {
-      because("https://snyk.io/vuln/SNYK-JAVA-IONETTY-30430")
-    }
-    implementation("io.netty:netty-common:4.1.94.Final") {
-      because("https://snyk.io/vuln/SNYK-JAVA-IONETTY-2812456")
-    }
-    implementation("org.apache.zookeeper:zookeeper:3.6.3") {
-      because("Multiple vulnerabilities")
-    }
-    implementation("io.netty:netty-transport-native-epoll:4.1.94.Final") {
-      because("Multiple vulnerabilities")
-    }
-    implementation("io.netty:netty-handler:4.1.94.Final") {
-      because("Multiple vulnerabilities")
-    }
     implementation("org.jetbrains.kotlin:kotlin-stdlib:1.6.0") {
       because(
         "Improper Locking [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385] " +
           "in org.jetbrains.kotlin:[email protected]"
       )
     }
-    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2") {
+    implementation("com.fasterxml.jackson.core:jackson-databind:2.14.2") {
       because("Multiple vulnerabilities")
     }
-    implementation("com.101tec:zkclient:0.11") {
-      because("Multiple vulnerabilities")
+    implementation("org.apache.calcite:calcite-babel:1.34.0") {
+      because("CVE-2022-39135")
+    }
+    implementation("org.apache.avro:avro:1.11.1") {
+      because("CVE-2021-43045")
+    }
+    implementation("org.apache.helix:helix-core:1.2.0") {
+      because("CVE-2022-47500")
+    }
+    implementation("org.webjars:swagger-ui:5.1.0") {
+      because("CVE-2019-16728,CVE-2020-26870")
+    }
+    implementation("net.minidev:json-smart:2.4.11") {
+      because("CVE-2023-1370")
+    }
+    implementation("org.xerial.snappy:snappy-java:1.1.10.1") {
+      because("CVE-2023-34453, CVE-2023-34454, CVE-2023-34455")
     }
   }
   api(project(":query-service-api"))
@@ -47,7 +47,7 @@ dependencies {
   implementation("org.hypertrace.core.attribute.service:attribute-projection-registry:0.14.26")
   implementation("org.hypertrace.core.attribute.service:caching-attribute-service-client:0.14.26")
   implementation("com.google.inject:guice:5.0.1")
-  implementation("org.apache.pinot:pinot-java-client:0.10.0") {
+  implementation("org.apache.pinot:pinot-java-client:0.12.1") {
     // We want to use log4j2 impl so exclude the log4j binding of slf4j
     exclude("org.slf4j", "slf4j-log4j12")
     exclude("log4j", "log4j")