Merge pull request #1976 from gchq/1975-dependency-check

Issue 1975 - Add dependency check suppression for xnio-api
gchq · Mar 11, 2024 · ff53198 · ff53198
2 parents d216bac + f279a1e
commit ff53198
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/NOTICES b/NOTICES
@@ -61,6 +61,10 @@ Apache Kerby (org.apache.kerby:*:2.0.3):
 
 - Apache License, Version 2.0
 
+XNIO (org.jboss.xnio:xnio-api:3.8.13.Final):
+
+- Apache License, Version 2.0
+
 Kotlin Stdlib (org.jetbrains.kotlin:*:1.6.20):
 
 - Apache License, Version 2.0

diff --git a/code-style/dependency-check-suppressions.xml b/code-style/dependency-check-suppressions.xml
@@ -224,4 +224,21 @@
         <packageUrl regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
         <cve>CVE-2024-21634</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        XNIO is a dependency for Hadoop, used by Kerby's kerb-admin module, which is a transitive dependency for Hadoop
+        authentication. At time of writing, there's no version of XNIO without this problem.
+
+        Since HDFS is not used, it doesn't seem like this should be needed as a dependency. We can look at removing this
+        from the classpath.
+
+        We're using Hadoop for our integration with Parquet, and for bulk import jobs on Spark. The Parquet integration
+        only talks to S3 in practice, although the Hadoop integration is designed for HDFS, which may be why this is a
+        dependency. Spark also seems to only use Hadoop authentication when talking to HDFS:
+
+        https://spark.apache.org/docs/latest/security.html#kerberos
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.jboss\.xnio/xnio\-api@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-5685</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/java/pom.xml b/java/pom.xml
@@ -92,6 +92,8 @@
         <json-smart.version>2.4.11</json-smart.version>
         <!-- Hadoop declares an old version of Kerby with vulnerabilities. Managed from 1.0.1. -->
         <kerby.version>2.0.3</kerby.version>
+        <!-- Hadoop declares an old version of XNIO with vulnerabilities. Managed from 3.8.8.Final. -->
+        <xnio.version>3.8.13.Final</xnio.version>
         <!-- Spark declares an old version of OkHttp with vulnerabilities. Managed from 4.10.0. -->
         <okhttp3.version>4.11.0</okhttp3.version>
         <!--
@@ -490,6 +492,11 @@
                 <artifactId>kerb-simplekdc</artifactId>
                 <version>${kerby.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.jboss.xnio</groupId>
+                <artifactId>xnio-api</artifactId>
+                <version>${xnio.version}</version>
+            </dependency>
             <dependency>
                 <groupId>com.squareup.okhttp3</groupId>
                 <artifactId>okhttp</artifactId>