[fix][sec] Suppress already covered CVE-2023-2976 in clickhouse-jdbc-0.4.6-all.jar and canal.client-1.1.5.jar
#20792
Conversation
|
@tisonkun thank you for looking into this 🙏🏼 FYI, there is another one lined up for canal.client-1.1.5. jar (refer below photo).
|
|
@tisonkun Sorry, merged |
|
No sorry. You are doing things right :D |
| @@ -181,6 +181,16 @@ | |||
| <sha1>fa9a1ccda7d78edb51a3a33d3493566092786a30</sha1> | |||
| <cve>CVE-2021-25263</cve> | |||
| </suppress> | |||
| <suppress> | |||
| <notes><![CDATA[ | |||
| file name: clickhouse-jdbc-0.4.6-all.jar | |||
There was a problem hiding this comment.
Error: One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
Error:
Error: canal.client-1.1.5.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(7.1)
Error: clickhouse-jdbc-0.4.6-all.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(7.1)
It seems this patch doesn't suppress the false positive.
There was a problem hiding this comment.
Will check again, thanks
There was a problem hiding this comment.
So currently canal client passes. but clickhouse doesn't.
What I can't seem to figure out why 🤔🤔🤔
Checksum I used.
https://repo1.maven.org/maven2/com/clickhouse/clickhouse-jdbc/0.4.6/clickhouse-jdbc-0.4.6-all.jar.sha1
There was a problem hiding this comment.
@tisonkun May I ask you for another Github workflow trigger? Because while verifying this PR locally, OWASP check that I ran locally failed on
clickhouse-jdbc-0.4.6-all.jarandcanal.client-1.1.5.jar
yesterday, but today we are failing a bunch.
FYI, command used,
mvn -B -ntp verify -PskipDocker,skip-all,owasp-dependency-check -Dcheckstyle.skip=true -DskipTests
-pl '!pulsar-sql,!distribution/server,!distribution/io,!distribution/offloaders,!pulsar-sql/presto-distribution,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs,!pulsar-io/jdbc/openmldb'[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337(9.8)
[ERROR] avro-1.8.2.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(7.1)
[ERROR] clickhouse-jdbc-0.4.6-all.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2023-2976(7.1)
.... omitted some (JooHyukKim)
There was a problem hiding this comment.
I'll trigger one. But generally you can test in your personal fork and that should be the same.
There was a problem hiding this comment.
@tisonkun Right. I keep forgetting 🫣. Thank you still~
There was a problem hiding this comment.
Phew, took longer than I thought, to figure out why still not worked.
Verified in : https://github.com/JooHyukKim/pulsar/pull/21
JooHyukKim
changed the title
clickhouse-jdbc-0.4.6-all.jarclickhouse-jdbc-0.4.6-all.jar and canal.client-1.1.5.jar
|
@lhotari May I ask if you intentionally triggered this action? Ran into it while debugging on this PR. I am asking this because I assumed there might, or will be bigger fix that covers this PR also. In which case this PR can just be omitted. |
|
/pulsarbot rerun-failure-checks |
|
/pulsarbot rerun-failure-checks |
|
Note that current changes cover both
/cc @tisonkun 👍🏻 |
|
/pulsarbot rerun-failure-checks |
|
Filed #20839 and it got fixed. No more blocker 👍🏻 |
|
Merging... |
Fixes workflows that fails with
Motivation
The OWASP dependency check failed. Link: https://github.com/apache/pulsar/actions/runs/5521854569/jobs/10090413638?pr=20782
The PR already addressed #20699 the CVE-2023-2976. And Pulsar currently uses Guava 32.1.1 version
Modifications
Documentation
docdoc-requireddoc-not-neededdoc-completeMatching PR in forked repository
PR in forked repository: https://github.com/JooHyukKim/pulsar/pull/21