diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index b2690e28..e527ff77 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -30,7 +30,7 @@ jobs:
with:
args: build dockerBuildImages
- - name: Run Trivy vulnerability scanner for ingester
+ - name: Run Trivy vulnerability scanner for query service
uses: hypertrace/github-actions/trivy-image-scan@main
with:
image: hypertrace/query-service
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
index 204a52b4..0088b207 100644
--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -8,4 +8,63 @@
cpe:/a:grpc:grpc
cpe:/a:utils_project:utils
+
+
+
+
+ ^pkg:maven/commons\-httpclient/commons\-httpclient@.*$
+ cpe:/a:apache:commons-httpclient
+ cpe:/a:apache:httpclient
+ CVE-2012-5783
+
+
+
+
+
+ ^pkg:maven/org\.apache\.helix/zookeeper\-api@.*$
+ cpe:/a:apache:zookeeper
+ cpe:/a:apache:helix
+
+
+
+
+
+ ^pkg:maven/org\.yaml/snakeyaml@.*$
+ cpe:/a:snakeyaml_project:snakeyaml
+ CVE-2022-1471
+
+
+
+
+
+ ^pkg:maven/org\.codehaus\.janino/commons\-compiler@.*$
+ cpe:/a:janino_project:janino
+
+
+
+
+
+ ^pkg:maven/org\.codehaus\.janino/janino@.*$
+ cpe:/a:janino_project:janino
+ CVE-2023-33546
+
+
+
+
+
+ ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
+ cpe:/a:fasterxml:jackson-databind
+
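Review bot: Every suppression added here matches all versions of the artifact (`@.*$`) and carries no justification or expiry, so it also silences advisories that have not been published yet; the blanket jackson-databind CPE suppression and the suppression of CVE-2022-1471 for snakeyaml are the ones I would not merge without a reason on record. dependency-check supports a `<notes>` child and an `until` attribute on `<suppress>`, so each entry should state why the finding does not apply (for example, that only SafeConstructor/SafeLoader is used, or that the artifact is a provided-scope dependency) and be scoped to the currently resolved version rather than `.*`, with something like `until="<REVIEW-DATE>"` so it is revisited. The jackson-databind entry deserves particular care because the same commit lowers the jackson-databind constraint in query-service-impl/build.gradle.kts, so the scanner would no longer report a regression there.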
diff --git a/query-service-api/build.gradle.kts b/query-service-api/build.gradle.kts
index 94e80263..f95da4c1 100644
--- a/query-service-api/build.gradle.kts
+++ b/query-service-api/build.gradle.kts
@@ -1,13 +1,8 @@
-import com.google.protobuf.gradle.generateProtoTasks
import com.google.protobuf.gradle.id
-import com.google.protobuf.gradle.ofSourceSet
-import com.google.protobuf.gradle.plugins
-import com.google.protobuf.gradle.protobuf
-import com.google.protobuf.gradle.protoc
plugins {
`java-library`
- id("com.google.protobuf") version "0.8.15"
+ id("com.google.protobuf") version "0.9.2"
id("org.hypertrace.publish-plugin")
id("org.hypertrace.jacoco-report-plugin")
}
@@ -16,38 +11,18 @@ val generateLocalGoGrpcFiles = false
protobuf {
protoc {
- artifact = "com.google.protobuf:protoc:3.19.2"
+ artifact = "com.google.protobuf:protoc:3.21.12"
}
plugins {
- // Optional: an artifact spec for a protoc plugin, with "grpc" as
- // the identifier, which can be referred to in the "plugins"
- // container of the "generateProtoTasks" closure.
- id("grpc_java") {
- artifact = "io.grpc:protoc-gen-grpc-java:1.45.1"
- }
-
- if (generateLocalGoGrpcFiles) {
- id("grpc_go") {
- path = "/bin/protoc-gen-go"
- }
+ id("grpc") {
+ artifact = "io.grpc:protoc-gen-grpc-java:1.56.0"
}
}
generateProtoTasks {
- ofSourceSet("main").forEach {
- it.plugins {
+ ofSourceSet("main").configureEach {
+ plugins {
// Apply the "grpc" plugin whose spec is defined above, without options.
- id("grpc_java")
-
- if (generateLocalGoGrpcFiles) {
- id("grpc_go")
- }
- }
- it.builtins {
- java
-
- if (generateLocalGoGrpcFiles) {
- id("go")
- }
+ id("grpc")
}
}
}
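Review bot: `generateLocalGoGrpcFiles` (the context line `val generateLocalGoGrpcFiles = false`, declared before this hunk) is still defined but no longer read anywhere once the `grpc_go` plugin and `go` builtin branches are removed, so either delete the declaration or keep the Go generation path behind it; as written it is a misleading dead flag. The `builtins { java }` block is dropped too; with protobuf-gradle-plugin 0.9.x the Java builtin is, as far as I recall, applied by default for JVM projects, but that should be confirmed by checking that the generated Java sources still appear after `./gradlew :query-service-api:generateProto`. The `plugins {` block of the `protobuf` extension begins before this hunk and its closing brace is the hunk's last line.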
@@ -70,6 +45,11 @@ dependencies {
api("io.grpc:grpc-protobuf")
api("io.grpc:grpc-stub")
api("javax.annotation:javax.annotation-api:1.3.2")
+ constraints {
+ implementation("com.google.guava:guava:32.0.1-jre") {
+ because("Multiple vulnerabilities")
+ }
+ }
testImplementation("org.junit.jupiter:junit-jupiter:5.7.1")
testImplementation("com.google.protobuf:protobuf-java-util:3.22.0")
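Review bot: The new Guava constraint's `because("Multiple vulnerabilities")` does not say which advisories forced 32.0.1-jre, whereas the sibling constraints in query-service-impl/build.gradle.kts cite CVE ids; a future reader cannot tell when this floor may be relaxed. Presumably this targets CVE-2023-2976 (and the older CVE-2020-8908), so record it as `because("CVE-2023-2976, CVE-2020-8908")` or whichever advisories actually triggered it. The enclosing `dependencies {` block starts before this hunk and continues after it.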
diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
index 01fe78bd..a4e3c236 100644
--- a/query-service-impl/build.gradle.kts
+++ b/query-service-impl/build.gradle.kts
@@ -10,32 +10,32 @@ tasks.test {
dependencies {
constraints {
- implementation("io.netty:netty:3.10.6.Final") {
- because("https://snyk.io/vuln/SNYK-JAVA-IONETTY-30430")
- }
- implementation("io.netty:netty-common:4.1.94.Final") {
- because("https://snyk.io/vuln/SNYK-JAVA-IONETTY-2812456")
- }
- implementation("org.apache.zookeeper:zookeeper:3.6.3") {
- because("Multiple vulnerabilities")
- }
- implementation("io.netty:netty-transport-native-epoll:4.1.94.Final") {
- because("Multiple vulnerabilities")
- }
- implementation("io.netty:netty-handler:4.1.94.Final") {
- because("Multiple vulnerabilities")
- }
implementation("org.jetbrains.kotlin:kotlin-stdlib:1.6.0") {
because(
"Improper Locking [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385] " +
"in org.jetbrains.kotlin:kotlin-stdlib@1.4.10"
)
}
- implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2") {
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.14.2") {
because("Multiple vulnerabilities")
}
- implementation("com.101tec:zkclient:0.11") {
- because("Multiple vulnerabilities")
+ implementation("org.apache.calcite:calcite-babel:1.34.0") {
+ because("CVE-2022-39135")
+ }
+ implementation("org.apache.avro:avro:1.11.1") {
+ because("CVE-2021-43045")
+ }
+ implementation("org.apache.helix:helix-core:1.2.0") {
+ because("CVE-2022-47500")
+ }
+ implementation("org.webjars:swagger-ui:5.1.0") {
+ because("CVE-2019-16728,CVE-2020-26870")
+ }
+ implementation("net.minidev:json-smart:2.4.11") {
+ because("CVE-2023-1370")
+ }
+ implementation("org.xerial.snappy:snappy-java:1.1.10.1") {
+ because("CVE-2023-34453, CVE-2023-34454, CVE-2023-34455")
}
}
api(project(":query-service-api"))
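Review bot: The jackson-databind constraint moves backwards, from 2.15.2 to 2.14.2, while its `because("Multiple vulnerabilities")` text is unchanged and the same commit adds a blanket CPE suppression for jackson-databind in owasp-suppressions.xml, so whatever 2.15.2 was raised to fix would no longer be enforced or reported. Gradle treats this constraint as a lower bound that loses to a higher transitive version, so the real outcome depends on what pinot-java-client 0.12.1 and helix-core 1.2.0 pull in; if a newer databind breaks Pinot, say so in the `because(...)`, otherwise keep `implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2")`. The removed netty, zookeeper and zkclient floors presumably track the Pinot client bump, but nothing here shows the resolved versions, so confirm the netty artifacts still resolve to at least 4.1.94.Final with `./gradlew :query-service-impl:dependencyInsight --dependency io.netty --configuration runtimeClasspath`. The `dependencies {` block continues after this hunk.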
@@ -47,7 +47,7 @@ dependencies {
implementation("org.hypertrace.core.attribute.service:attribute-projection-registry:0.14.26")
implementation("org.hypertrace.core.attribute.service:caching-attribute-service-client:0.14.26")
implementation("com.google.inject:guice:5.0.1")
- implementation("org.apache.pinot:pinot-java-client:0.10.0") {
+ implementation("org.apache.pinot:pinot-java-client:0.12.1") {
// We want to use log4j2 impl so exclude the log4j binding of slf4j
exclude("org.slf4j", "slf4j-log4j12")
exclude("log4j", "log4j")