Fix snake CVE #4837
Fix snake CVE #4837
Conversation
|
Note that the higher s3mock version requires Java 17, and tests/builds still fail due to cassandra issues |
…to fix ambiguous reference errors
|
Note: to run this with sbt, need to use this command: There are still some errors in Also |
… fix helm errors and warnings
| @@ -162,6 +162,7 @@ lazy val `hmda-platform` = (project in file("hmda")) | |||
| case "logback.xml" => MergeStrategy.concat | |||
| case "META-INF/MANIFEST.MF" => MergeStrategy.discard | |||
| case PathList("META-INF", xs@_*) => MergeStrategy.concat | |||
| case PathList("org", "bouncycastle", xs @_*) => MergeStrategy.first | |||
There was a problem hiding this comment.
Fixes merge strategy errors, added for all services
| @@ -18,7 +18,7 @@ class RealTimeConfig(val cmName: String, val ns: String) { | |||
| val factory = new SharedInformerFactory(client) | |||
| val informer = factory.sharedIndexInformerFor((params: CallGeneratorParams) => { | |||
| api.listNamespacedConfigMapCall( | |||
| ns, null, null, null, s"metadata.name=$cmName", null, null, params.resourceVersion, null, params.timeoutSeconds, params.watch, null) | |||
| ns, null, null, null, s"metadata.name=$cmName", null, null, params.resourceVersion, null, null, params.timeoutSeconds, params.watch, null) | |||
There was a problem hiding this comment.
Due to the kubernetes client-java dependency upgrade, this method now has another parameter, so I added a null parameter value here
There was a problem hiding this comment.
Deleted since it was not used and relied on S3Mock dependency, which I removed to avoid some big dependency version issues
| @@ -17,7 +17,7 @@ import io.lettuce.core.{ ClientOptions, RedisClient } | |||
| import monix.eval.Task | |||
| import slick.basic.DatabaseConfig | |||
| import slick.jdbc.JdbcProfile | |||
| import ch.megard.akka.http.cors.scaladsl.CorsDirectives._ | |||
| import ch.megard.akka.http.cors.scaladsl.CorsDirectives.cors | |||
There was a problem hiding this comment.
All the cors related changes in these files fix the "ambiguous reference errors" from the new akka dependency version.
| @@ -160,38 +160,6 @@ spec: | |||
| key: aws-region | |||
| - name: BROWSER_LOG_LEVEL | |||
| value: {{.Values.databrowser.loglevel}} | |||
| - name: DATABROWSER_PG_TABLE_2017 | |||
There was a problem hiding this comment.
Removed because when I tried to deploy data-browser in hmda dev with a helm command I ran into errors related to missing mlartable tables in the configmap
| //package hmda.publication.lar.publication |
There was a problem hiding this comment.
Commenting out these tests that rely on S3Mock, which is removed in this PR. Leaving the test files here so we can look into re-implementing them without S3Mock somehow in the future.
| lazy val slick = "com.typesafe.slick" %% "slick" % Version.slick | ||
| lazy val slickHikariCP = "com.typesafe.slick" %% "slick-hikaricp" % Version.slick | ||
| lazy val alpakkaSlick = "com.lightbend.akka" %% "akka-stream-alpakka-slick" % Version.alpakka | ||
| lazy val postgres = "org.postgresql" % "postgresql" % Version.postgres | ||
| lazy val h2 = "com.h2database" % "h2" % Version.h2 % Test | ||
| lazy val testContainers = "org.testcontainers" % "testcontainers" % Version.testContainers % "test" | ||
| lazy val s3Mock = "com.adobe.testing" % "s3mock" % "2.1.19" % Test |
There was a problem hiding this comment.
Moving the version numbers into Version.scala
| @@ -37,6 +40,6 @@ object Version { | |||
| val scalacheckShapeless = "1.2.5" | |||
| val diffx = "0.4.0" | |||
| val log4j = "2.15.0" | |||
| val kubernetesApi = "15.0.1" | |||
| val kubernetesApi = "21.0.0-legacy" | |||
There was a problem hiding this comment.
Upgrading this past version 17 will fix the snake.yaml cve issue. I'm using 21.0.0-legacy version here because we would need to make significant code changes if we used the 21.0.0 version, since that version makes a method we rely on private instead of public.
| addSbtPlugin("org.scoverage" % "sbt-scoverage" % "2.0.10") | ||
| addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1") |
There was a problem hiding this comment.
Allows us to generate dependency graphs for our services
| //package hmda.calculator.scheduler |
There was a problem hiding this comment.
Another test that is commented out because it relies on S3Mock
|
Confirmed with @Michaeldremy that the Cypress DEV tests looked good |
Updates Kubernetes api client-java version to 21.0.0-legacy, which fixes CVE issue related to snake.yaml. I chose the
21.0.0-legacyversion because we would need to make significant code changes if we used the21.0.0version, since that version makes a method we rely on private instead of public.Compiles and passes unit tests for hmda-platform and check-digit services, working on testing other services.