update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (#15449

) Update of direct dependencies: * kubernetes java-client to 19.0.0 * docker-java-bom to 3.3.4 In order to update transitive dependencies: * okio to 3.6.0 * bcjava to 1.76 To address CVES: - CVE-2023-3635 in okio - CVE-2023-33201 in bcjava --------- Co-authored-by: Xavier Léauté <[email protected]>
apache · Dec 12, 2023 · 3c7dec5 · 3c7dec5
1 parent debb6b4
commit 3c7dec5
Show file tree

Hide file tree

Showing 6 changed files with 144 additions and 116 deletions.
diff --git a/extensions-core/kubernetes-extensions/pom.xml b/extensions-core/kubernetes-extensions/pom.xml
@@ -35,9 +35,22 @@
   </parent>
 
   <properties>
-    <kubernetes.client.version>11.0.4</kubernetes.client.version>
+    <kubernetes.client.version>19.0.0</kubernetes.client.version>
   </properties>
 
+
+  <dependencyManagement>
+    <dependencies>
+      <!-- This is an indirect dependency of io.kubernetes.client-java
+      update to address vulnerability in transitive dependency okio used by okhttp -->
+      <dependency>
+          <groupId>com.squareup.okhttp3</groupId>
+          <artifactId>okhttp</artifactId>
+          <version>4.12.0</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>org.apache.druid</groupId>
@@ -80,18 +93,6 @@
       <scope>test</scope>
     </dependency>
 
-    <!-- Version override to address CVE-2020-28052 -->
-    <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcprov-jdk15on</artifactId>
-      <scope>runtime</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcprov-ext-jdk15on</artifactId>
-      <scope>runtime</scope>
-    </dependency>
-
     <!-- others -->
     <dependency>
       <groupId>com.google.code.findbugs</groupId>
@@ -137,6 +138,18 @@
   </dependencies>
 
   <build>
+    <pluginManagement>
+        <plugins>
+          <plugin>
+              <groupId>org.apache.maven.plugins</groupId>
+              <artifactId>maven-dependency-plugin</artifactId>
+              <configuration>
+              <!-- analyze incorrectly flags this dependency as missing when omitted, and unused when declared -->
+                <ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:19.0.0</ignoredDependencies>
+              </configuration>
+          </plugin>
+        </plugins>
+    </pluginManagement>
     <plugins>
       <plugin>
         <groupId>org.jacoco</groupId>

diff --git a/...bernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java b/...bernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java
@@ -65,7 +65,7 @@ public DefaultK8sApiClient(ApiClient realK8sClient, @Json ObjectMapper jsonMappe
   public void patchPod(String podName, String podNamespace, String jsonPatchStr)
   {
     try {
-      coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null);
+      coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null, null);
     }
     catch (ApiException ex) {
       throw new RE(ex, "Failed to patch pod[%s/%s], code[%d], error[%s].", podNamespace, podName, ex.getCode(), ex.getResponseBody());
@@ -80,7 +80,7 @@ public DiscoveryDruidNodeList listPods(
   )
   {
     try {
-      V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null);
+      V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null, null);
       Preconditions.checkState(podList != null, "WTH: NULL podList");
 
       Map<String, DiscoveryDruidNode> allNodes = new HashMap();
@@ -114,7 +114,7 @@ public WatchResult watchPods(String namespace, String labelSelector, String last
           Watch.createWatch(
               realK8sClient,
               coreV1Api.listNamespacedPodCall(namespace, null, true, null, null,
-                                              labelSelector, null, lastKnownResourceVersion, null, 0, true, null
+                                              labelSelector, null, lastKnownResourceVersion, null, null, 0, true, null
               ),
               new TypeReference<Watch.Response<V1Pod>>()
               {

diff --git a/extensions-core/protobuf-extensions/pom.xml b/extensions-core/protobuf-extensions/pom.xml
@@ -36,6 +36,7 @@
 
   <properties>
     <commons-io.version>2.11.0</commons-io.version>
+    <okio.version>3.6.0</okio.version>
   </properties>
 
   <repositories>
@@ -45,6 +46,19 @@
     </repository>
   </repositories>
 
+  <dependencyManagement>
+    <dependencies>
+      <!-- This is an indirect dependency of kafka-protobuf-provider
+      update to address vulnerability in transitive dependency okio  -->
+      <dependency>
+          <groupId>com.squareup.okio</groupId>
+          <artifactId>okio</artifactId>
+          <version>${okio.version}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+
   <dependencies>
     <dependency>
       <groupId>org.apache.druid</groupId>