
CVEs detected in dependencies of pinot-java-client and pinot-common

Open robertzych opened this issue 1 year ago • 8 comments

When using pinot-java-client : 1.0.0-hotfix and pinot-common : 1.0.0 and scanning the dependencies with Anchore, the following CVEs were detected:

CVE-2022-39135+org.apache.calcite.avatica.avatica-core-1.20.0.jar	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-core-1.20.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2022-39135+org.apache.calcite.calcite-linq4j-1.30.0.jar	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-linq4j-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)
CVE-2022-41881+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2022-41881 - https://nvd.nist.gov/vuln/detail/CVE-2022-41881)
CVE-2019-20444+com.typesafe.netty.netty-reactive-streams-2.0.4.jar	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-20444 - https://nvd.nist.gov/vuln/detail/CVE-2019-20444)
CVE-2019-20445+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-20445 - https://nvd.nist.gov/vuln/detail/CVE-2019-20445)
CVE-2015-2156+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2015-2156 - https://nvd.nist.gov/vuln/detail/CVE-2015-2156)
CVE-2019-16869+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-16869 - https://nvd.nist.gov/vuln/detail/CVE-2019-16869)
CVE-2023-26464+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2023-26464 - https://nvd.nist.gov/vuln/detail/CVE-2023-26464)
CVE-2022-39135+org.apache.calcite.calcite-core-1.30.0.jar	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-core-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2019-17571+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2019-17571 - https://nvd.nist.gov/vuln/detail/CVE-2019-17571)
CVE-2019-20444+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-20444 - https://nvd.nist.gov/vuln/detail/CVE-2019-20444)
CVE-2022-41881+com.typesafe.netty.netty-reactive-streams-2.0.4.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2022-41881 - https://nvd.nist.gov/vuln/detail/CVE-2022-41881)
CVE-2022-23302+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2022-23302 - https://nvd.nist.gov/vuln/detail/CVE-2022-23302)
CVE-2021-37137+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2021-37137 - https://nvd.nist.gov/vuln/detail/CVE-2021-37137)
CVE-2023-2976+com.google.guava.guava-32.0.0-jre.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.guava-32.0.0-jre.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)
CVE-2019-16869+com.typesafe.netty.netty-reactive-streams-2.0.4.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-16869 - https://nvd.nist.gov/vuln/detail/CVE-2019-16869)
CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)
CVE-2022-39135+org.apache.calcite.calcite-babel-1.30.0.jar	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-babel-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2021-37137+com.typesafe.netty.netty-reactive-streams-2.0.4.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2021-37137 - https://nvd.nist.gov/vuln/detail/CVE-2021-37137)
CVE-2023-2976+com.google.guava.failureaccess-1.0.1.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.failureaccess-1.0.1.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)
CVE-2015-2156+com.typesafe.netty.netty-reactive-streams-2.0.4.jar	vulnerabilities	package	HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2015-2156 - https://nvd.nist.gov/vuln/detail/CVE-2015-2156)
CVE-2019-20445+com.typesafe.netty.netty-reactive-streams-2.0.4.jar	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-20445 - https://nvd.nist.gov/vuln/detail/CVE-2019-20445)
CVE-2022-39135+org.apache.calcite.avatica.avatica-metrics-1.20.0.jar	vulnerabilities	package	CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-metrics-1.20.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)

robertzych avatar Jan 30 '24 13:01 robertzych
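The scan output above lists one row per (CVE, jar path) pair, so the same jar appears many times, sometimes with and sometimes without a `:netty-reactive-streams` module suffix, and the list of artifacts that actually need a bump has to be recovered by hand. The following parser does that collapsing, as an added example that is not part of the issue, of Pinot or of Anchore: it reads the tab-separated rows exactly as quoted (the meaning of the four columns is an assumption inferred from those rows), groups them by jar, keeps the worst severity and the distinct CVE ids per jar, splits the Maven jar name into artifact and version, and renders the same kind of checklist the thread builds manually. The sample rows embedded in the block are copied from the scan output above; nothing else in it is from the page.

```python
"""Collapse raw Anchore vulnerability rows into a per-artifact upgrade worklist.

Added example for this issue thread; not Pinot or Anchore code. Row layout
(trigger id, gate, trigger, description; tab-separated) is inferred from the
scan output quoted in the issue and is an assumption.
"""
import re
from collections import defaultdict

# Used to pick the worst finding per jar (Anchore severity labels).
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NEGLIGIBLE": 0, "UNKNOWN": 0}

# Jar path inside the description, optionally followed by a ":<module>" suffix
# (the scan reports netty-reactive-streams both with and without it), then the CVE id.
JAR_RE = re.compile(r"/(?P<jar>[^/\s]+\.jar)(?::\S+)?\s+\((?P<cve>CVE-\d{4}-\d+)\b")

# Maven jars are <artifactId>-<version>.jar. Split at the rightmost "-<digit>" so an
# artifactId that contains digits (log4j-1.2-api) and a classifier (32.0.0-jre) survive.
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+)-(?P<version>\d+(?:\.\d+)*(?:-[A-Za-z][\w.]*)?)\.jar$")

# Rows copied from the scan output quoted in the issue (tabs written as \t).
SAMPLE_ROWS = [
    "CVE-2022-39135+org.apache.calcite.avatica.avatica-core-1.20.0.jar\tvulnerabilities\tpackage\tCRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-core-1.20.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)",
    "CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams\tvulnerabilities\tpackage\tHIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)",
    "CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar\tvulnerabilities\tpackage\tHIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)",
    "CVE-2019-20444+com.typesafe.netty.netty-reactive-streams-2.0.4.jar\tvulnerabilities\tpackage\tCRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-20444 - https://nvd.nist.gov/vuln/detail/CVE-2019-20444)",
    "CVE-2023-26464+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar\tvulnerabilities\tpackage\tHIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2023-26464 - https://nvd.nist.gov/vuln/detail/CVE-2023-26464)",
    "CVE-2019-17571+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar\tvulnerabilities\tpackage\tCRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2019-17571 - https://nvd.nist.gov/vuln/detail/CVE-2019-17571)",
    "CVE-2023-2976+com.google.guava.guava-32.0.0-jre.jar\tvulnerabilities\tpackage\tHIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.guava-32.0.0-jre.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)",
    "CVE-2023-2976+com.google.guava.failureaccess-1.0.1.jar\tvulnerabilities\tpackage\tHIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.failureaccess-1.0.1.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)",
    "CVE-2022-39135+org.apache.calcite.calcite-core-1.30.0.jar\tvulnerabilities\tpackage\tCRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-core-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)",
]


def parse_anchore_row(line):
    """Return {'cve', 'jar', 'severity'} for a vulnerabilities-gate row, else None."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 4 or parts[1] != "vulnerabilities":
        return None
    description = "\t".join(parts[3:])
    m = JAR_RE.search(description)
    if not m:
        return None
    # The description starts with the severity label, e.g. "CRITICAL Vulnerability found ..."
    severity = description.split(" ", 1)[0].upper()
    return {"cve": m.group("cve"), "jar": m.group("jar"), "severity": severity}


def split_artifact(jar):
    """Split 'group.artifactId-version.jar' into (group.artifactId, version)."""
    m = JAR_NAME_RE.match(jar)
    return (m.group("artifact"), m.group("version")) if m else (jar, "")


def build_worklist(lines):
    """Group findings by jar: {jar: {'worst': severity, 'cves': set, 'rows': int}}."""
    groups = defaultdict(lambda: {"worst": "UNKNOWN", "cves": set(), "rows": 0})
    for line in lines:
        finding = parse_anchore_row(line)
        if finding is None:
            continue  # header, other gates, or a row the regex does not recognise
        g = groups[finding["jar"]]
        g["rows"] += 1
        g["cves"].add(finding["cve"])
        if SEVERITY_RANK.get(finding["severity"], 0) > SEVERITY_RANK.get(g["worst"], 0):
            g["worst"] = finding["severity"]
    return dict(groups)


def distinct_cves(worklist):
    """All CVE ids across the worklist, deduplicated and sorted."""
    return sorted(set().union(*(g["cves"] for g in worklist.values())))


def render_checklist(worklist):
    """Markdown checklist, worst severity first, one line per jar to bump or exclude."""
    def order(item):
        jar, g = item
        return (-SEVERITY_RANK.get(g["worst"], 0), jar)

    lines = []
    for jar, g in sorted(worklist.items(), key=order):
        artifact, version = split_artifact(jar)
        cves = ", ".join(sorted(g["cves"]))
        lines.append(f"- [ ] {artifact} {version}  ({g['worst']}; {cves}; {g['rows']} finding(s))")
    return lines


if __name__ == "__main__":
    wl = build_worklist(SAMPLE_ROWS)
    total = sum(g["rows"] for g in wl.values())
    print(f"{total} findings -> {len(wl)} jars, {len(distinct_cves(wl))} distinct CVEs")
    print("\n".join(render_checklist(wl)))
```

Run on the full 24 rows from the issue (paste them into `SAMPLE_ROWS` or read them from a file) the same code yields the nine jars in the checklist that follows, which is the point: the number of rows a scanner emits says little about the size of the remediation, and the version it reports is the installed one, not the fixed one.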

I think that the following dependencies need to be updated.

  • [ ] typesafe.netty.netty-reactive-streams-2.0.4
  • [ ] org.apache.logging.log4j.log4j-1.2-api-2.17.1
  • [ ] org.apache.calcite.avatica.avatica-core-1.20.0
  • [ ] org.apache.calcite.avatica.avatica-metrics-1.20.0
  • [ ] org.apache.calcite.calcite-linq4j-1.30.0
  • [ ] org.apache.calcite.calcite-core-1.30.0
  • [ ] org.apache.calcite.calcite-babel-1.30.0
  • [ ] com.google.guava.guava-32.0.0-jre
  • [ ] com.google.guava.failureaccess-1.0.1

@robertzych Does your tool (Anchore) provide the versions that need to be bumped to?

snleee avatar Jan 30 '24 18:01 snleee

No, the scan results don't include the versions to upgrade to. I'm in the process of upgrading calcite-core to 1.32.0 and should have updated scan results later today.

robertzych avatar Jan 30 '24 18:01 robertzych

The dependencies of calcite-core 1.32.0 also have CVEs.

robertzych avatar Jan 31 '24 04:01 robertzych

The only dependency that had to be whitelisted was avatica-core 1.24.0 as it couldn't be excluded without introducing a regression. Its CVE (CVE-2022-39135) doesn't apply.

Here are the upgrades and exclusions I needed to address all of the other CVEs:

      <dependency>
        <groupId>org.apache.pinot</groupId>
        <artifactId>pinot-java-client</artifactId>
        <version>1.0.0-hotfix</version>
        <exclusions>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-metrics</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-core</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.typesafe.netty</groupId>
            <artifactId>netty-reactive-streams</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.calcite</groupId>
            <artifactId>calcite-babel</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-1.2-api</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.1.3-jre</version>
        <exclusions>
          <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>failureaccess</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>org.apache.calcite</groupId>
        <artifactId>calcite-core</artifactId>
        <version>1.36.0</version>
        <exclusions>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-metrics</artifactId>
          </exclusion>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-core</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>org.apache.helix</groupId>
        <artifactId>helix-core</artifactId>
        <version>1.3.0</version>
      </dependency>
      <dependency>
        <groupId>org.apache.calcite.avatica</groupId>
        <artifactId>avatica-core</artifactId>
        <version>1.24.0</version>
        <exclusions>
          <exclusion>
            <groupId>org.apache.calcite.avatica</groupId>
            <artifactId>avatica-metrics</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>2.4.10</version>
      </dependency>

robertzych avatar Feb 03 '24 00:02 robertzych

@robertzych Would you help with filing a PR for the above changes? By the way, I think that we should bump up one library per PR to make the rollback process easy if any issue happens due to the library version upgrade.

snleee avatar Feb 04 '24 00:02 snleee

@snleee Of the dependencies that I upgraded, all but calcite-core haven't been upgraded yet. I have created a PR to upgrade calcite-core to the latest version (1.36.0), but because it also contains transitive dependencies that contain CVEs, exclusions/whitelisting will still be required.

robertzych avatar Feb 04 '24 16:02 robertzych

Just a question: shouldn't the already running dependabot find most of the updates needed and update a good part of them automatically?

hpvd avatar Jun 21 '24 21:06 hpvd

If we need a tool which tells us which version we need to upgrade to at least, Trivy may be a good choice... https://github.com/aquasecurity/trivy

It is used e.g. on artifacthub.io and provides results like this (also for repositories):

[screenshot: 2024-06-21_23h07_02]

see: https://artifacthub.io/packages/helm/apache/pulsar?modal=security-report

hpvd avatar Jun 21 '24 21:06 hpvd