<?xml version="1.0" encoding="UTF-8"?>
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
<suppressions xmlns="">
<!-- druid-indexing-hadoop.jar is mistaken for hadoop -->
file name: org.apache.druid:druid-indexing-hadoop
<packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
<!-- druid-processing.jar is mistaken for org.processing:processing -->
file name: org.apache.druid:druid-processing
<packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-processing@.*$</packageUrl>
<!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
file name: openstack-swift
<packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl>
<!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
file name: openstack-keystone-1.9.3.jar
<packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
~ CVE-2021-27568:
~ dependency on hadoop 2.8.5 is blocking us from updating this dependency. Not a major concern since Druid
~ eats uncaught exceptions, and only displays them in logs. This issue also should only affect ingestion
~ jobs which can only be run by admin type users.
file name: json-smart-2.3.jar
<packageUrl regex="true">^pkg:maven/net\.minidev/json\-smart@.*$</packageUrl>
<!-- Not much for us to do as a user of the client lib, and no patch is available,
see -->
file name: client-java-10.0.1.jar
<packageUrl regex="true">^pkg:maven/io\.kubernetes/client\-java.*@10.0.1$</packageUrl>
<!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
~ TODO: Fix by updating hibernate-validator.
~ Note hibernate-validator:5.3.1 introduces a change that requires an EL implementation to be in the classpath:
~ For example, updating hibernate-validator causes hadoop ingestion tasks to fail:
~ Error: Unable to create injector, see the following errors:
~ 1) An exception was caught and reported. Message: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
~ at$
~ 2) No implementation for javax.validation.Validator was bound.
~ at org.apache.druid.guice.ConfigModule.configure(
~ 2 errors
~ at
~ at
~ at
~ at
~ at
~ at org.apache.druid.guice.GuiceInjectors.makeStartupInjector(
~ at org.apache.druid.indexer.HadoopDruidIndexerConfig.<clinit>(
~ at org.apache.druid.indexer.HadoopDruidIndexerMapper.setup(
~ at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.setup(
~ at org.apache.druid.indexer.DetermineHashedPartitionsJob$
~ at org.apache.hadoop.mapred.MapTask.runNewMapper(
~ at
~ at org.apache.hadoop.mapred.YarnChild$
~ at Method)
~ at
~ at
~ at org.apache.hadoop.mapred.YarnChild.main(
~ Caused by: javax.validation.ValidationException: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(
~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.<init>(
~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolator(
~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolatorConfiguredWithClassLoader(
~ at org.hibernate.validator.internal.engine.ConfigurationImpl.getMessageInterpolator(
~ at org.hibernate.validator.internal.engine.ValidatorFactoryImpl.<init>(
~ at org.hibernate.validator.HibernateValidator.buildValidatorFactory(
~ at org.hibernate.validator.internal.engine.ConfigurationImpl.buildValidatorFactory(
~ at javax.validation.Validation.buildDefaultValidatorFactory(
~ at org.apache.druid.guice.ConfigModule.configure(
~ at$RecordingBinder.install(
~ at
~ at$
~ at
~ ... 14 more
~ Caused by: java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory;
~ at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(
~ ... 27 more
file name: hibernate-validator-5.2.5.Final.jar
<packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
<!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop -->
file name: jackson-mapper-asl-1.9.13.jar
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@1.9.13$</packageUrl>
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-mapper-asl:1.9.13 since it is via curator-x-discovery -->
<!-- TODO: Fix by updating to use netty 4 -->
file name: netty-3.10.6.Final.jar
<packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.6.Final$</packageUrl>
<!-- TODO: Fix by upgrading hadoop-auth version -->
file name: nimbus-jose-jwt-4.41.1.jar
<packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@4.41.1$</packageUrl>
<!-- This CVE is a false positive. The CVE is not for apacheds-i18n -->
file name: apacheds-i18n-2.0.0-M15.jar
<packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-i18n@.*$</packageUrl>
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of in extensions-contrib/cassandra-storage -->
file name: libthrift-0.6.1.jar
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.6.1$</packageUrl>
<!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of in extensions-contrib/cassandra-storage -->
file name: snakeyaml-1.6.jar
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0)
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@2.4.0$</packageUrl>
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-annotations:2.4.0 since it is via htrace-core4 -->
file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@2.4.0$</packageUrl>
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-core:2.4.0 since it is via htrace-core4 -->
~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change
~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well.
file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.4.0$</packageUrl>
<cve>CVE-2018-14721</cve> <!-- cvss of 10.0 -->
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-databind:2.4.0 since it is via htrace-core4 -->
~ TODO: Fix by updating parquet version in extensions-core/parquet-extensions.
file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-{core,databind}:2.9.10)
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-.*@2.9.10$</packageUrl>
<cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-{core,databind}:2.9.10 since it is via parquet transitive dependencies -->
file name: node-sass:4.13.1
The vulnerability is fixed in 4.13.1:
But the dependency check plugin thinks it's still broken because the affected/fixed versions have not been updated on
Sonatype OSS Index:
<packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
<vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
Druid is not a native app, so the vulnerability flagged is a false positive.
<packageUrl regex="true">^pkg:maven/com\.google\.oauth-client/google\-oauth\-client@.*$</packageUrl>
~ TODO: Fix when Apache Ranger 2.1 is released
file name: kafka_2.11-2.0.0.jar
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka_2.11@2.0.0$</packageUrl>
~ TODO: Fix when Apache Ranger 2.1 is released
- transitive dep from apache-ranger, upgrading to 2.1.0 adds other CVEs, staying at ranger 2.0.0 for now
file name: kafka-clients-2.0.0.jar
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka-clients@2.0.0$</packageUrl>
~ TODO: Fix when Apache Ranger is released with updated log4j
file name: log4j-1.2.17.jar
<packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
- TODO: The latest version of ambari-metrics-common is, released in July 2018.
file name: ambari-metrics-common- (shaded: io.netty:netty:3.10.5.Final)
<packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
- TODO: The latest version of ambari-metrics-common is, released in July 2018.
file name: ambari-metrics-common- (shaded: org.apache.hadoop:hadoop-annotations:2.6.0)
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
file name: hadoop-*-2.8.5.jar
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@.*$</packageUrl>
<!-- The CVE is not applicable to kafka-clients. -->
file name: kafka-clients-2.8.0.jar
<suppress until="2021-05-30">
<!-- Suppress this until is resolved. -->
This vulnerability should be fixed soon and the suppression should be removed.
<!-- (avro, parquet, integration-tests) we don't allow velocity templates to be uploaded by untrusted users -->
file name: velocity-engine-core-2.2.jar:
<!-- (ranger, ambari, and aliyun-oss) these vulnerabilities are legit, but their latest releases still use the vulnerable jackson version -->
file name: jackson-xc-1.9.x.jar or jackson-jaxrs-1.9.x.jar
<packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson-(xc|jaxrs)@1.9.*$</packageUrl>
<!-- Transitive dependency from apache-ranger, latest ranger version 2.1.0 still uses solr 7.7.1-->
file name: solr-solrj-7.7.1.jar
<packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr-solrj@7.7.1$</packageUrl>
<!-- Transitive dependency from aliyun-sdk-oss, there is currently no newer version of jdom2 as well-->
file name: jdom2-2.0.6.jar
<packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@2.0.6$</packageUrl>
<!-- Upgrading to libthrift-0.14.2 adds many tomcat CVEs, suppress and stay at 0.13.0 for now-->
file name: libthrift-0.13.0.jar
<packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@0.13.0$</packageUrl>