diff --git a/extensions-core/kubernetes-extensions/pom.xml b/extensions-core/kubernetes-extensions/pom.xml index 895fb9f219e5..304a5af0a7a9 100644 --- a/extensions-core/kubernetes-extensions/pom.xml +++ b/extensions-core/kubernetes-extensions/pom.xml @@ -35,9 +35,22 @@ </parent> <properties> - <kubernetes.client.version>11.0.4</kubernetes.client.version> + <kubernetes.client.version>19.0.0</kubernetes.client.version> </properties> + + <dependencyManagement> + <dependencies> + <!-- This is an indirect dependency of io.kubernetes.client-java + update to address vulnerability in transitive dependency okio used by okhttp --> + <dependency> + <groupId>com.squareup.okhttp3</groupId> + <artifactId>okhttp</artifactId> + <version>4.12.0</version> + </dependency> + </dependencies> + </dependencyManagement> + <dependencies> <dependency> <groupId>org.apache.druid</groupId> @@ -80,18 +93,6 @@ <scope>test</scope> </dependency> - <!-- Version override to address CVE-2020-28052 --> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcprov-jdk15on</artifactId> - <scope>runtime</scope> - </dependency> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcprov-ext-jdk15on</artifactId> - <scope>runtime</scope> - </dependency> - <!-- others --> <dependency> <groupId>com.google.code.findbugs</groupId> @@ -137,6 +138,18 @@ </dependencies> <build> + <pluginManagement> + <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-dependency-plugin</artifactId> + <configuration> + <!-- analyze incorrectly flags this dependency as missing when omitted, and unused when declared --> + <ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:19.0.0</ignoredDependencies> + </configuration> + </plugin> + </plugins> + </pluginManagement> <plugins> <plugin> <groupId>org.jacoco</groupId> 
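Review bot: The new dependencyManagement entry pins okhttp to 4.12.0 while its own comment says the aim is the vulnerable transitive okio, so the remediation rests on whichever okio version okhttp 4.12.0 happens to declare and nothing in this pom enforces it. The protobuf-extensions pom in this same change manages okio directly through an `okio.version` property set to 3.6.0, and the licenses.yaml hunks record okio 3.6.0 for this module, so the same explicit entry here would make the fix verifiable rather than implied: `<groupId>com.squareup.okio</groupId>`, `<artifactId>okio</artifactId>`, `<version>3.6.0</version>`. The hard-coded 4.12.0 would also read better as a property next to kubernetes.client.version.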
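Review bot: Dropping the bcprov-jdk15on and bcprov-ext-jdk15on runtime overrides removes the only explicit statement of which BouncyCastle version this module ships, and the comment tying them to CVE-2020-28052 goes with them. The licenses.yaml hunk for this module now records bcprov-jdk18on 1.76, which presumably arrives transitively through client-java 19.0.0, but with the root pom.xml in this same change also deleting its managed 1.70 entries there is no longer a version floor anywhere, so a later dependency bump that drags in an older jdk15on artifact would not be caught by the build. Consider keeping a dependencyManagement entry for the jdk18on artifacts, or at least a comment naming the transitive source, so the upgrade stays deliberate.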
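Review bot: The ignoredDependencies value hard-codes `io.kubernetes:client-java-api-fluent:jar:19.0.0` even though this pom now defines kubernetes.client.version for exactly that number; on the next client bump the exclusion silently stops matching and dependency:analyze fails again. Use `<ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:${kubernetes.client.version}</ignoredDependencies>`, or omit the version segment if the plugin's pattern syntax allows it. The comment explaining why the dependency is ignored is useful; a short note on what causes the analyze false positive would help whoever later tries to remove the exclusion.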
diff --git a/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java b/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java
index e17f8360e506..ab2c3b20952c 100644
--- a/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java
+++ b/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java
@@ -65,7 +65,7 @@ public DefaultK8sApiClient(ApiClient realK8sClient, @Json ObjectMapper jsonMappe
 public void patchPod(String podName, String podNamespace, String jsonPatchStr)
 {
 try {
- coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null);
+ coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null, null);
 }
 catch (ApiException ex) {
 throw new RE(ex, "Failed to patch pod[%s/%s], code[%d], error[%s].", podNamespace, podName, ex.getCode(), ex.getResponseBody());
@@ -80,7 +80,7 @@ public DiscoveryDruidNodeList listPods(
 )
 {
 try {
- V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null);
+ V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null, null);
 Preconditions.checkState(podList != null, "WTH: NULL podList");
 Map<String, DiscoveryDruidNode> allNodes = new HashMap();
@@ -114,7 +114,7 @@ public WatchResult watchPods(String namespace, String labelSelector, String last
 Watch.createWatch(
 realK8sClient,
 coreV1Api.listNamespacedPodCall(namespace, null, true, null, null,
- labelSelector, null, lastKnownResourceVersion, null, 0, true, null
+ labelSelector, null, lastKnownResourceVersion, null, null, 0, true, null
 ),
 new TypeReference<Watch.Response<V1Pod>>()
 {
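Review bot: Each of the three calls gains one more positional `null`, and with eight to twelve untyped arguments in a row the call sites no longer tell a reader which parameter the new slot is or why null is the right value there; the same applies to the listNamespacedPod and listNamespacedPodCall hunks below this one. A one-line comment per call naming the inserted parameter would make the next client upgrade reviewable, e.g. above the patch call `// client-java 19: name, namespace, body, pretty, dryRun, fieldManager, fieldValidation, force` — assuming the added slot is the field-validation option and the list calls gained sendInitialEvents, which should be confirmed against the 19.0.0 signatures. The enclosing methods patchPod, listPods and watchPods all start or end outside these hunks.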
diff --git a/extensions-core/protobuf-extensions/pom.xml b/extensions-core/protobuf-extensions/pom.xml index ad0d4396ebd3..091b6b133efb 100644 --- a/extensions-core/protobuf-extensions/pom.xml +++ b/extensions-core/protobuf-extensions/pom.xml @@ -36,6 +36,7 @@ <properties> <commons-io.version>2.11.0</commons-io.version> + <okio.version>3.6.0</okio.version> </properties> <repositories> @@ -45,6 +46,19 @@ </repository> </repositories> + <dependencyManagement> + <dependencies> + <!-- This is an indirect dependency of kafka-protobuf-provider + update to address vulnerability in transitive dependency okio --> + <dependency> + <groupId>com.squareup.okio</groupId> + <artifactId>okio</artifactId> + <version>${okio.version}</version> + </dependency> + </dependencies> + </dependencyManagement> + + <dependencies> <dependency> <groupId>org.apache.druid</groupId> diff --git a/licenses.yaml b/licenses.yaml index 4a863e16f159..3eba322b089d 100644 --- a/licenses.yaml +++ b/licenses.yaml 
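Review bot: Forcing okio to 3.6.0 under kafka-protobuf-provider is a major-version jump on a transitive dependency this module never calls directly, so the only thing that proves the provider still works against it is a test that exercises the protobuf-provider path at runtime, and the hunk adds or references none. The licenses.yaml change lists both okio and okio-jvm for 3.6.0, which suggests the artifact layout differs from the line the provider was compiled against, so it is worth confirming that the classes the provider loads still resolve. Naming the CVE in the comment (the suppression file in this change cites CVE-2023-3635 for okio) would tie the override to its reason, e.g. `<!-- okio 3.6.0 managed to address CVE-2023-3635 in the okio pulled in by kafka-protobuf-provider -->`.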
@@ -843,63 +843,58 @@ libraries: --- -name: kubernetes official java client +name: kubernetes fabric java client license_category: binary -module: extensions/druid-kubernetes-extensions +module: extensions-contrib/kubernetes-overlord-extensions license_name: Apache License version 2.0 -version: 11.0.4 +version: 6.7.2 libraries: - - io.kubernetes: client-java + - io.fabric8: kubernetes-client --- -name: kubernetes official java client api +name: kubernetes official java client license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 11.0.4 +version: 19.0.0 libraries: + - io.kubernetes: client-java - io.kubernetes: client-java-api - ---- - -name: kubernetes official java client extended -license_category: binary -module: extensions/druid-kubernetes-extensions -license_name: Apache License version 2.0 -version: 11.0.4 -libraries: - io.kubernetes: client-java-extended + - io.kubernetes: client-java-api-fluent + - io.kubernetes: client-java-proto --- -name: kubernetes fabric java client +name: Swagger +version: 1.6.2 license_category: binary -module: extensions-contrib/kubernetes-overlord-extensions +module: extensions/druid-avro-extensions license_name: Apache License version 2.0 -version: 6.7.2 libraries: - - io.fabric8: kubernetes-client + - io.swagger: swagger-core + - io.swagger: swagger-models --- -name: io.prometheus simpleclient_common +name: org.apache.commons commons-collections4 license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 0.9.0 +version: 4.4 libraries: - - io.prometheus: simpleclient_common + - org.apache.commons: commons-collections4 --- -name: org.apache.commons commons-collections4 +name: io.sundr builder-annotations license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 4.4 +version: 0.22.0 libraries: - - org.apache.commons: commons-collections4 
+ - io.sundr: builder-annotations --- @@ -927,7 +922,7 @@ name: io.swagger swagger-annotations license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 1.6.2 +version: 1.6.11 libraries: - io.swagger: swagger-annotations @@ -937,22 +932,23 @@ name: io.swagger swagger-annotations license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 2.8.6 +version: 1.6.2 libraries: - - com.google.code.gson: gson + - io.swagger: swagger-annotations --- -name: io.prometheus simpleclient_httpserver +name: io.swagger swagger-annotations license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 0.9.0 +version: 2.8.6 libraries: - - io.prometheus: simpleclient_httpserver + - com.google.code.gson: gson --- + name: org.bitbucket.b_c jose4j license_category: binary module: extensions/druid-kubernetes-extensions 
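Review bot: After this hunk `io.swagger swagger-annotations` for extensions/druid-kubernetes-extensions is recorded at 1.6.11, but the next hunk (@@ -937) relabels the former gson entry as a second `io.swagger swagger-annotations` entry at 1.6.2 for the same module, so the manifest now claims two versions of one artifact. Only one can be what the build resolves, and whatever consumes this file will either accept the duplicate silently or fail on it. Keep the entry that matches the resolved version and delete the other.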
@@ -971,35 +967,54 @@ version: 2.2.1 libraries: - org.joda: joda-convert + --- name: com.squareup.okhttp3 okhttp license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 3.14.9 +version: 4.12.0 libraries: - com.squareup.okhttp3: okhttp + - com.squareup.okhttp3: logging-interceptor --- -name: io.prometheus simpleclient +name: com.squareup.okhttp3 okhttp logging-interceptor license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 0.9.0 +version: 4.11.0 libraries: - - io.prometheus: simpleclient + - com.squareup.okhttp3: logging-interceptor --- -name: io.kubernetes client-java-proto +name: com.squareup.okio okio license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 11.0.4 +version: 3.6.0 libraries: - - io.kubernetes: client-java-proto + - com.squareup.okio: okio + - com.squareup.okio: okio-jvm + +--- + +name: io.prometheus simpleclient +license_category: binary +module: extensions/druid-kubernetes-extensions +license_name: Apache License version 2.0 +version: 0.16.0 +libraries: + - io.prometheus: simpleclient + - io.prometheus: simpleclient_common + - io.prometheus: simpleclient_httpserver + - io.prometheus: simpleclient_tracer_common + - io.prometheus: simpleclient_tracer_otel + - io.prometheus: simpleclient_tracer_otel_agent + --- 
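Review bot: `com.squareup.okhttp3: logging-interceptor` is now listed twice for extensions/druid-kubernetes-extensions, once under the okhttp 4.12.0 entry and once in its own entry at 4.11.0. The kubernetes-extensions pom only manages okhttp to 4.12.0, so the interceptor presumably stays at whatever client-java declares; if that is 4.11.0 it does not belong under the 4.12.0 entry, and two artifacts from the same release line now drift apart. Either remove it from the okhttp entry or manage logging-interceptor alongside okhttp in the pom so both versions move together.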
@@ -1017,70 +1032,76 @@ name: com.flipkart.zjsonpatch zjsonpatch license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 0.4.11 +version: 0.4.14 libraries: - com.flipkart.zjsonpatch: zjsonpatch --- - -name: org.bouncycastle bcprov-jdk15on +name: org.bouncycastle bcprov-jdk18on license_category: binary module: extensions/druid-kubernetes-extensions license_name: MIT License -version: "1.70" +version: "1.76" libraries: - - org.bouncycastle: bcprov-jdk15on - + - org.bouncycastle: bcprov-jdk18on + - org.bouncycastle: bcprov-ext-jdk18on + - org.bouncycastle: bcpkix-jdk18on + - org.bouncycastle: bcutil-jdk18on --- -name: org.bouncycastle bcprov-ext-jdk15on + +name: com.github.vladimir-bukhtoyarov bucket4j-core license_category: binary module: extensions/druid-kubernetes-extensions -license_name: MIT License -version: "1.70" +license_name: Apache License version 2.0 +version: 7.6.0 libraries: - - org.bouncycastle: bcprov-ext-jdk15on + - com.github.vladimir-bukhtoyarov: bucket4j-core --- -name: org.bouncycastle bcpkix-jdk15on +name: Jetbrains Annotations license_category: binary module: extensions/druid-kubernetes-extensions -license_name: MIT License -version: "1.70" +module: extensions/kubernetes-extensions +license_name: Apache License version 2.0 +version: 13.0 libraries: - - org.bouncycastle: bcpkix-jdk15on + - org.jetbrains: annotations + --- -name: org.bouncycastle bcutil-jdk15on +name: Jetbrains kotlin-stdlib license_category: binary -module: extensions/druid-kubernetes-extensions -license_name: MIT License -version: "1.70" +module: extensions/kubernetes-extensions +license_name: Apache License version 2.0 +version: 1.6.10 libraries: - - org.bouncycastle: bcutil-jdk15on + - org.jetbrains.kotlin: kotlin-stdlib --- -name: com.squareup.okhttp3 logging-interceptor +name: Jetbrains kotlin-stdlib common license_category: binary -module: extensions/druid-kubernetes-extensions +module: 
extensions/kubernetes-extensions license_name: Apache License version 2.0 -version: 3.14.9 +version: 1.9.10 libraries: - - com.squareup.okhttp3: logging-interceptor + - org.jetbrains.kotlin: kotlin-stdlib-common --- - -name: com.github.vladimir-bukhtoyarov bucket4j-core +name: Jetbrains jdk7 jdk 8 license_category: binary -module: extensions/druid-kubernetes-extensions +module: extensions/kubernetes-extensions license_name: Apache License version 2.0 -version: 4.10.0 +version: 1.8.21 libraries: - - com.github.vladimir-bukhtoyarov: bucket4j-core + - org.jetbrains.kotlin: kotlin-stdlib + - org.jetbrains.kotlin: kotlin-stdlib-common + - org.jetbrains.kotlin: kotlin-stdlib-jdk7 + - org.jetbrains.kotlin: kotlin-stdlib-jdk8 --- @@ -4097,6 +4118,16 @@ libraries: --- +name: org.elasticsearch securesm +license_category: binary +version: 2.1.9 +module: druid-ranger-security +license_name: Creative Commons CC0 +libraries: + - org.hdrhistogram: HdrHistogram + +--- + name: Apache Lucene license_category: binary version: 8.4.0 diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml index f9c3146e3588..4d68252dcf49 100644 --- a/owasp-dependency-check-suppressions.xml +++ b/owasp-dependency-check-suppressions.xml @@ -440,9 +440,10 @@ <cve>CVE-2021-4277</cve> </suppress> +<!-- the remaining uses of vulnerable okio are in contrib-extensions --> <suppress> <notes><![CDATA[ - file name: okio-1.17.2.jar, okio-1.15.0.jar okio 2.8.0 + file name: okio-1.17.2.jar, okio-1.15.0.jar ]]></notes> <packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@..*$</packageUrl> <cve>CVE-2023-3635</cve> <!-- Suppressed since okio requests in Druid are internal, and not user-facing --> 
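Review bot: The `Jetbrains Annotations` entry ends up with two `module:` keys — the context line `module: extensions/druid-kubernetes-extensions` is kept and `+module: extensions/kubernetes-extensions` is added under it — which is a duplicate mapping key in YAML and will be parsed as one value or rejected depending on the loader. The new Jetbrains entries also overlap: kotlin-stdlib at 1.6.10, kotlin-stdlib-common at 1.9.10, and a `Jetbrains jdk7 jdk 8` entry at 1.8.21 that lists kotlin-stdlib and kotlin-stdlib-common again, so three versions are recorded for the same artifacts. The new module string `extensions/kubernetes-extensions` also differs from the `extensions/druid-kubernetes-extensions` used by every other entry for this module. Reduce these to the single version the build resolves and one module string.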
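Review bot: The new entry is named `org.elasticsearch securesm` with `Creative Commons CC0`, but its libraries list contains only `org.hdrhistogram: HdrHistogram`, so either the name and license or the library line is wrong, and the audit record for whichever artifact is actually shipped is missing. The `module: druid-ranger-security` value also lacks the `extensions/` prefix the surrounding entries use. Please make the name, license and library line describe the same artifact.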
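Review bot: The notes no longer mention okio 2.8.0, but the packageUrl regex `^pkg:maven/com\.squareup\.okio/okio@..*$` still matches every okio version, so CVE-2023-3635 stays suppressed for the 3.6.0 builds this change introduces and for any future regression, and the scanner can no longer confirm that the upgrade did its job. Tighten it to the versions the notes actually claim, e.g. `<packageUrl regex="true">^pkg:maven/com\.squareup\.okio/okio@1\..*$</packageUrl>`, so a reintroduced old okio is flagged again. The added comment about contrib-extensions is helpful; naming which contrib modules still carry the old okio would make the suppression's scope checkable.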
@@ -460,18 +461,6 @@ <cve>CVE-2023-5072</cve> </suppress> - <!-- - ~ CVE-2023-44981 seems to affect Zookeeper servers. While we ship with a previous version of the Zookeeper, Druid only - ~ only uses the client classes of the Zookeeper. We do use the older version in the quickstart & example docker file, - ~ however in production it is recomended to use your own Zookeeper server with the CVE patched up, which the Druid's - ~ older ZK library is still compatible with. - --> - <suppress> - <notes><![CDATA[ - file name: zookeeper-3.8.3.jar - ]]></notes> - <cve>CVE-2023-44981</cve> - </suppress> <!-- ~ Hostname verification is disabled by default in Netty 4.x, therefore the version that Druid is using gets flagged, diff --git a/pom.xml b/pom.xml index f2144a630ee0..938c8d77d4b9 100644 --- a/pom.xml +++ b/pom.xml @@ -369,26 +369,7 @@ <artifactId>snakeyaml</artifactId> <version>1.33</version> </dependency> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcprov-jdk15on</artifactId> - <version>1.70</version> - </dependency> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcprov-ext-jdk15on</artifactId> - <version>1.70</version> - </dependency> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcpkix-jdk15on</artifactId> - <version>1.70</version> - </dependency> - <dependency> - <groupId>org.bouncycastle</groupId> - <artifactId>bcutil-jdk15on</artifactId> - <version>1.70</version> - </dependency> + <!-- transitive dependency of testng this would be resolved by updating testng to 7.8.0 --> @@ -1113,7 +1094,7 @@ <dependency> <groupId>com.github.docker-java</groupId> <artifactId>docker-java-bom</artifactId> - <version>3.2.13</version> + <version>3.3.4</version> <scope>import</scope> <type>pom</type> </dependency>