Ignore CVEs from htrace and ambari transitive deps (#10353)
* Ignore CVEs from htrace and ambari transitive deps
htrace CVEs are suppressed for now as addressing them requires updating
the hadoop version.
ambari CVEs are suppressed for now since ambari is updated to the latest
version and is no longer actively maintained.
* Fix compilation issue from ambari upgrade
* Add missing test coverage
diff --git a/extensions-contrib/ambari-metrics-emitter/pom.xml b/extensions-contrib/ambari-metrics-emitter/pom.xml
index 27b4b67..7e48add 100644
--- a/extensions-contrib/ambari-metrics-emitter/pom.xml
+++ b/extensions-contrib/ambari-metrics-emitter/pom.xml
@@ -51,7 +51,7 @@
<dependency>
<groupId>org.apache.ambari</groupId>
<artifactId>ambari-metrics-common</artifactId>
- <version>2.6.1.0.0</version>
+ <version>2.7.0.0.0</version>
<exclusions>
<exclusion>
<groupId>org.codehaus.jackson</groupId>
diff --git a/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java b/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
index 6b4bbd5..905b6cf 100644
--- a/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
+++ b/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
@@ -185,6 +185,24 @@
return config.getHostname();
}
+ @Override
+ protected boolean isHostInMemoryAggregationEnabled()
+ {
+ return false;
+ }
+
+ @Override
+ protected int getHostInMemoryAggregationPort()
+ {
+ return 0; // since host in-memory aggregation is disabled, this return value is unimportant
+ }
+
+ @Override
+ protected String getHostInMemoryAggregationProtocol()
+ {
+ return ""; // since host in-memory aggregation is disabled, this return value is unimportant
+ }
+
private class ConsumerRunnable implements Runnable
{
@Override
diff --git a/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java b/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
index 9903554..9a01413 100644
--- a/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
+++ b/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
@@ -66,5 +66,9 @@
Assert.assertEquals("hostname", emitter.getHostname());
Assert.assertNull(emitter.getZookeeperQuorum());
Assert.assertEquals(Collections.singleton("hostname"), emitter.getConfiguredCollectorHosts());
+
+ Assert.assertFalse(emitter.isHostInMemoryAggregationEnabled());
+ Assert.assertEquals(0, emitter.getHostInMemoryAggregationPort());
+ Assert.assertEquals("", emitter.getHostInMemoryAggregationProtocol());
}
}
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 304606e..998e5c6 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -147,7 +147,7 @@
<cve>CVE-2019-17195</cve>
</suppress>
<suppress>
- <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage -->
+ <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
<notes><![CDATA[
file name: libthrift-0.6.1.jar
]]></notes>
@@ -157,6 +157,28 @@
<cve>CVE-2019-0205</cve>
</suppress>
<suppress>
+ <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
+ <notes><![CDATA[
+ file name: snakeyaml-1.6.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
+ <cve>CVE-2017-18640</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@2.4.0$</packageUrl>
+ <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-annotations:2.4.0 since it is via htrace-core4 -->
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@2.4.0$</packageUrl>
+ <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-core:2.4.0 since it is via htrace-core4 -->
+ </suppress>
+ <suppress>
<!--
~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change
~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well.
@@ -173,10 +195,10 @@
~ TODO: Fix by updating parquet version in extensions-core/parquet-extensions.
-->
<notes><![CDATA[
- file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.9.10)
+ file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-{core,databind}:2.9.10)
]]></notes>
- <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.9.10$</packageUrl>
- <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-databind:2.9.0 since it is via parquet transitive dependencies -->
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-.*@2.9.10$</packageUrl>
+ <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-{core,databind}:2.9.0 since it is via parquet transitive dependencies -->
</suppress>
<suppress>
<notes><![CDATA[
@@ -229,4 +251,34 @@
<packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
<cve>CVE-2019-17571</cve>
</suppress>
+ <suppress>
+ <!--
+ - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+ -->
+ <notes><![CDATA[
+ file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
+ <cve>CVE-2019-16869</cve>
+ <cve>CVE-2019-20444</cve>
+ <cve>CVE-2019-20445</cve>
+ </suppress>
+ <suppress>
+ <!--
+ - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+ -->
+ <notes><![CDATA[
+ file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
+ <cve>CVE-2015-1776</cve>
+ <cve>CVE-2016-3086</cve>
+ <cve>CVE-2016-5393</cve>
+ <cve>CVE-2016-6811</cve>
+ <cve>CVE-2017-3162</cve>
+ <cve>CVE-2018-11768</cve>
+ <cve>CVE-2018-1296</cve>
+ <cve>CVE-2018-8009</cve>
+ <cve>CVE-2018-8029</cve>
+ </suppress>
</suppressions>
