Merge branch 'develop' into dependabot/maven/java/jackson.version-2.16.2

gchq · Mar 11, 2024 · 74fe9da · 74fe9da
2 parents 02741ea + b6edc6f
commit 74fe9da
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/NOTICES b/NOTICES
@@ -61,6 +61,10 @@ Apache Kerby (org.apache.kerby:*:2.0.3):
 
 - Apache License, Version 2.0
 
+XNIO (org.jboss.xnio:xnio-api:3.8.13.Final):
+
+- Apache License, Version 2.0
+
 Kotlin Stdlib (org.jetbrains.kotlin:*:1.6.20):
 
 - Apache License, Version 2.0

diff --git a/code-style/dependency-check-suppressions.xml b/code-style/dependency-check-suppressions.xml
@@ -224,4 +224,21 @@
         <packageUrl regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
         <cve>CVE-2024-21634</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        XNIO is a dependency for Hadoop, used by Kerby's kerb-admin module, which is a transitive dependency for Hadoop
+        authentication. At time of writing, there's no version of XNIO without this problem.
+
+        Since HDFS is not used, it doesn't seem like this should be needed as a dependency. We can look at removing this
+        from the classpath.
+
+        We're using Hadoop for our integration with Parquet, and for bulk import jobs on Spark. The Parquet integration
+        only talks to S3 in practice, although the Hadoop integration is designed for HDFS, which may be why this is a
+        dependency. Spark also seems to only use Hadoop authentication when talking to HDFS:
+
+        https://spark.apache.org/docs/latest/security.html#kerberos
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.jboss\.xnio/xnio\-api@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-5685</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/java/pom.xml b/java/pom.xml
@@ -92,6 +92,8 @@
         <json-smart.version>2.4.11</json-smart.version>
         <!-- Hadoop declares an old version of Kerby with vulnerabilities. Managed from 1.0.1. -->
         <kerby.version>2.0.3</kerby.version>
+        <!-- Hadoop declares an old version of XNIO with vulnerabilities. Managed from 3.8.8.Final. -->
+        <xnio.version>3.8.13.Final</xnio.version>
         <!-- Spark declares an old version of OkHttp with vulnerabilities. Managed from 4.10.0. -->
         <okhttp3.version>4.11.0</okhttp3.version>
         <!--
@@ -144,7 +146,7 @@
         <!-- Build module uses Jersey for communicating with GitHub API -->
         <jersey.version>2.38</jersey.version>
         <!-- Netty version is managed because S3, Athena and Arrow depend on it but use incompatible versions -->
-        <netty.version>4.1.94.Final</netty.version>
+        <netty.version>4.1.107.Final</netty.version>
         <!-- Jetty and Jakarta versions are managed because WireMock and Hadoop use different versions. -->
         <!-- We want to avoid mixing them but they should be compatible. -->
         <jetty.version>9.4.53.v20231009</jetty.version>
@@ -490,6 +492,11 @@
                 <artifactId>kerb-simplekdc</artifactId>
                 <version>${kerby.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.jboss.xnio</groupId>
+                <artifactId>xnio-api</artifactId>
+                <version>${xnio.version}</version>
+            </dependency>
             <dependency>
                 <groupId>com.squareup.okhttp3</groupId>
                 <artifactId>okhttp</artifactId>