
Remediate CVEs found in datahub-gms image

Open RobertSLane opened this issue 3 years ago • 2 comments

This PR updates/removes dependencies responsible for some of the HIGH CVEs mentioned in the following issues: https://github.com/datahub-project/datahub/issues/4750 https://github.com/datahub-project/datahub/issues/4804

It does not fully resolve all of the CVEs but is a step in the right direction.

RobertSLane, Jun 24 '22 09:06

Unit Test Results (build & test)

88 tests   -301    88 passed   -299    25s duration  -9m 52s
13 suites  -79      0 skipped  ±0
13 files   -79      0 failed   -2

Results for commit 79a1d1cb. ± Comparison against base commit 13d57344.

This pull request removes 301 tests.
com.datahub.authentication.authenticator.AuthenticatorChainTest ‑ testAuthenticateFailure
com.datahub.authentication.authenticator.AuthenticatorChainTest ‑ testAuthenticateSuccess
com.datahub.authentication.authenticator.AuthenticatorChainTest ‑ testAuthenticateThrows
com.datahub.authentication.authenticator.DataHubSystemAuthenticatorTest ‑ testAuthenticateFailureMismatchingCredentials
com.datahub.authentication.authenticator.DataHubSystemAuthenticatorTest ‑ testAuthenticateFailureMissingAuthorizationHeader
com.datahub.authentication.authenticator.DataHubSystemAuthenticatorTest ‑ testAuthenticateFailureMissingBasicCredentials
com.datahub.authentication.authenticator.DataHubSystemAuthenticatorTest ‑ testAuthenticateSuccessDelegatedActor
com.datahub.authentication.authenticator.DataHubSystemAuthenticatorTest ‑ testAuthenticateSuccessNoDelegatedActor
com.datahub.authentication.authenticator.DataHubSystemAuthenticatorTest ‑ testInit
com.datahub.authentication.authenticator.DataHubTokenAuthenticatorTest ‑ testAuthenticateFailureInvalidToken
…

This comment has been updated with latest results.

github-actions[bot], Jun 24 '22 17:06

@RobertSLane: we would prefer to handle this as part of the Java 11 upgrade here. Can you check if the CVEs you care about are addressed there?

shirshanka, Jul 05 '22 16:07

Jackson, OpenTelemetry, and other versions updated in the main branch. Closing this one; feel free to reopen with Neo4j updates if in a good state. Thanks!

david-leifker, Dec 05 '22 23:12