From 3c7dec56ca274ea411e0aee780e42f84627c55a3 Mon Sep 17 00:00:00 2001 From: Jan Werner <105367074+janjwerner-confluent@users.noreply.github.com> Date: Tue, 12 Dec 2023 17:27:57 -0500 Subject: [PATCH] update kubernetes java client to 19.0.0 and docker-java to 3.3.4 (#15449) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update of direct dependencies: * kubernetes java-client to 19.0.0 * docker-java-bom to 3.3.4 In order to update transitive dependencies: * okio to 3.6.0 * bcjava to 1.76 To address CVES: - CVE-2023-3635 in okio - CVE-2023-33201 in bcjava --------- Co-authored-by: Xavier Léauté --- extensions-core/kubernetes-extensions/pom.xml | 39 +++-- .../k8s/discovery/DefaultK8sApiClient.java | 6 +- extensions-core/protobuf-extensions/pom.xml | 14 ++ licenses.yaml | 163 +++++++++++------- owasp-dependency-check-suppressions.xml | 15 +- pom.xml | 23 +-- 6 files changed, 144 insertions(+), 116 deletions(-) diff --git a/extensions-core/kubernetes-extensions/pom.xml b/extensions-core/kubernetes-extensions/pom.xml index 895fb9f219e5..304a5af0a7a9 100644 --- a/extensions-core/kubernetes-extensions/pom.xml +++ b/extensions-core/kubernetes-extensions/pom.xml @@ -35,9 +35,22 @@ - 11.0.4 + 19.0.0 + + + + + + com.squareup.okhttp3 + okhttp + 4.12.0 + + + + org.apache.druid @@ -80,18 +93,6 @@ test - - - org.bouncycastle - bcprov-jdk15on - runtime - - - org.bouncycastle - bcprov-ext-jdk15on - runtime - - com.google.code.findbugs @@ -137,6 +138,18 @@ + + + + org.apache.maven.plugins + maven-dependency-plugin + + + io.kubernetes:client-java-api-fluent:jar:19.0.0 + + + + org.jacoco diff --git a/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java b/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java index e17f8360e506..ab2c3b20952c 100644 
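Review bot: The okhttp pin added in the first hunk of this pom carries a literal `4.12.0`, and the maven-dependency-plugin entry added in the hunk at line 137 repeats the client version as a literal in `io.kubernetes:client-java-api-fluent:jar:19.0.0`, while the line changed at the top of the first hunk (`11.0.4` → `19.0.0`) appears to be the single version property the rest of the pom keys off (element names are stripped in this rendering, so that is inferred). The protobuf-extensions pom in the same patch does it the other way, declaring `3.6.0` once as `okio.version` and referencing `${okio.version}`. Referencing the client property as `io.kubernetes:client-java-api-fluent:jar:${<client-version-property>}` and giving okhttp a property of its own keeps the next client bump to one edit and stops the plugin entry from silently going stale. A one-line XML comment above the okhttp pin and above the plugin entry saying why each exists (the okio/okhttp CVE-2023-3635 motivation from the commit message, and why the fluent artifact needs listing there) would let a later maintainer know when they can be removed.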
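Review bot: The two explicit `runtime` declarations of `org.bouncycastle:bcprov-jdk15on` and `bcprov-ext-jdk15on` are removed in the hunk at line 80 with nothing declared in their place, so the Bouncy Castle build this extension ships is now whatever client-java 19.0.0 brings in transitively; the licenses.yaml hunk in this patch records that as the `jdk18on` artifacts at 1.76, which is the CVE-2023-33201 fix the commit message claims. That fix then holds only as long as the transitive version does, and a later kubernetes-client bump or another dependency that pulls an older `jdk15on`/`jdk18on` artifact would regress it without any change to this pom. If the root pom's dependencyManagement does not already pin `bcprov-jdk18on` (and the `ext`, `bcpkix`, `bcutil` siblings) at 1.76 — its hunks are not all visible here — consider pinning them there, and leave a short comment in this pom noting that Bouncy Castle is intentionally inherited from the client rather than declared directly.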
--- a/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java +++ b/extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java @@ -65,7 +65,7 @@ public DefaultK8sApiClient(ApiClient realK8sClient, @Json ObjectMapper jsonMappe public void patchPod(String podName, String podNamespace, String jsonPatchStr) { try { - coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null); + coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null, null); } catch (ApiException ex) { throw new RE(ex, "Failed to patch pod[%s/%s], code[%d], error[%s].", podNamespace, podName, ex.getCode(), ex.getResponseBody()); @@ -80,7 +80,7 @@ public DiscoveryDruidNodeList listPods( ) { try { - V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null); + V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null, null); Preconditions.checkState(podList != null, "WTH: NULL podList"); Map allNodes = new HashMap(); @@ -114,7 +114,7 @@ public WatchResult watchPods(String namespace, String labelSelector, String last Watch.createWatch( realK8sClient, coreV1Api.listNamespacedPodCall(namespace, null, true, null, null, - labelSelector, null, lastKnownResourceVersion, null, 0, true, null + labelSelector, null, lastKnownResourceVersion, null, null, 0, true, null ), new TypeReference>() { diff --git a/extensions-core/protobuf-extensions/pom.xml b/extensions-core/protobuf-extensions/pom.xml index ad0d4396ebd3..091b6b133efb 100644 --- a/extensions-core/protobuf-extensions/pom.xml +++ b/extensions-core/protobuf-extensions/pom.xml @@ -36,6 +36,7 @@ 2.11.0 + 3.6.0 @@ -45,6 +46,19 @@ + + + + + com.squareup.okio + okio + ${okio.version} + + + + + org.apache.druid 
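Review bot: Each of the three call sites in this file (`patchNamespacedPod` in this hunk, `listNamespacedPod` in the hunk at line 80 and `listNamespacedPodCall` in the hunk at line 114) grows by one positional `null`, and the new argument lands at the end of the argument list in the list call but in the middle of it in the watch call, so a reader cannot tell from the diff which option was added or that both list-style calls are passing the same option. The calls now carry 8 and 12 untyped positional arguments, and the change is correct only if the new slot is the option introduced between 11.0.4 and 19.0.0 (it looks like a `fieldValidation` slot for the patch call and a `sendInitialEvents` slot for the two list calls, but confirm against the 19.0.0 signatures rather than taking this note's word for it). Annotating the null slots with the parameter name, e.g. `/* fieldValidation */ null, /* force */ null`, or at least a one-line comment above each call naming the option the added `null` stands for, would let the next client bump be reviewed without re-deriving the generated signature. The enclosing methods start and end outside these hunks.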
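Review bot: The okio 3.6.0 override is placed in protobuf-extensions' own pom (an `okio.version` property and a managed entry referencing `${okio.version}`), so it governs only this module; kubernetes-extensions gets its okio through the okhttp 4.12.0 pin in its own pom, and any other module that resolves okio transitively keeps whatever version its tree yields and stays in the CVE-2023-3635 affected range if that version is old. The version-agnostic okio suppression added to owasp-dependency-check-suppressions.xml in this same patch would then hide exactly that case. Unless the root pom (not fully visible here) already manages okio, managing it once there is the safer shape, with a one-line comment recording the CVE that motivates the pin so the override is not removed later as redundant.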
diff --git a/licenses.yaml b/licenses.yaml index 4a863e16f159..3eba322b089d 100644 --- a/licenses.yaml +++ b/licenses.yaml 
@@ -843,63 +843,58 @@ libraries: --- -name: kubernetes official java client +name: kubernetes fabric java client license_category: binary -module: extensions/druid-kubernetes-extensions +module: extensions-contrib/kubernetes-overlord-extensions license_name: Apache License version 2.0 -version: 11.0.4 +version: 6.7.2 libraries: - - io.kubernetes: client-java + - io.fabric8: kubernetes-client --- -name: kubernetes official java client api +name: kubernetes official java client license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 11.0.4 +version: 19.0.0 libraries: + - io.kubernetes: client-java - io.kubernetes: client-java-api - ---- - -name: kubernetes official java client extended -license_category: binary -module: extensions/druid-kubernetes-extensions -license_name: Apache License version 2.0 -version: 11.0.4 -libraries: - io.kubernetes: client-java-extended + - io.kubernetes: client-java-api-fluent + - io.kubernetes: client-java-proto --- -name: kubernetes fabric java client +name: Swagger +version: 1.6.2 license_category: binary -module: extensions-contrib/kubernetes-overlord-extensions +module: extensions/druid-avro-extensions license_name: Apache License version 2.0 -version: 6.7.2 libraries: - - io.fabric8: kubernetes-client + - io.swagger: swagger-core + - io.swagger: swagger-models --- -name: io.prometheus simpleclient_common +name: org.apache.commons commons-collections4 license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 0.9.0 +version: 4.4 libraries: - - io.prometheus: simpleclient_common + - org.apache.commons: commons-collections4 --- -name: org.apache.commons commons-collections4 +name: io.sundr builder-annotations license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 4.4 +version: 0.22.0 libraries: - - org.apache.commons: commons-collections4 
+ - io.sundr: builder-annotations --- @@ -927,7 +922,7 @@ name: io.swagger swagger-annotations license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 1.6.2 +version: 1.6.11 libraries: - io.swagger: swagger-annotations @@ -937,22 +932,23 @@ name: io.swagger swagger-annotations license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 2.8.6 +version: 1.6.2 libraries: - - com.google.code.gson: gson + - io.swagger: swagger-annotations --- -name: io.prometheus simpleclient_httpserver +name: io.swagger swagger-annotations license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 0.9.0 +version: 2.8.6 libraries: - - io.prometheus: simpleclient_httpserver + - com.google.code.gson: gson --- + name: org.bitbucket.b_c jose4j license_category: binary module: extensions/druid-kubernetes-extensions 
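Review bot: After the hunk at line 937 the entry whose `name:` line sits just above the hunk start (not visible here) ends up with `version: 1.6.2` and library `io.swagger: swagger-annotations`, while the entry that follows is renamed to `io.swagger swagger-annotations` but keeps `version: 2.8.6` and library `com.google.code.gson: gson`; the names and the version/library pairs look swapped relative to each other. It also leaves swagger-annotations recorded twice for extensions/druid-kubernetes-extensions, at 1.6.11 in the hunk at line 927 and at 1.6.2 here, which makes the license check's outcome depend on which entry it matches first. The likely intent is one gson entry at 2.8.6 with its original name and a single swagger-annotations entry at whichever version the dependency tree actually resolves; please reconcile the two hunks against `mvn dependency:tree` output for the module.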
@@ -971,35 +967,54 @@ version: 2.2.1 libraries: - org.joda: joda-convert + --- name: com.squareup.okhttp3 okhttp license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 3.14.9 +version: 4.12.0 libraries: - com.squareup.okhttp3: okhttp + - com.squareup.okhttp3: logging-interceptor --- -name: io.prometheus simpleclient +name: com.squareup.okhttp3 okhttp logging-interceptor license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 0.9.0 +version: 4.11.0 libraries: - - io.prometheus: simpleclient + - com.squareup.okhttp3: logging-interceptor --- -name: io.kubernetes client-java-proto +name: com.squareup.okio okio license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 11.0.4 +version: 3.6.0 libraries: - - io.kubernetes: client-java-proto + - com.squareup.okio: okio + - com.squareup.okio: okio-jvm + +--- + +name: io.prometheus simpleclient +license_category: binary +module: extensions/druid-kubernetes-extensions +license_name: Apache License version 2.0 +version: 0.16.0 +libraries: + - io.prometheus: simpleclient + - io.prometheus: simpleclient_common + - io.prometheus: simpleclient_httpserver + - io.prometheus: simpleclient_tracer_common + - io.prometheus: simpleclient_tracer_otel + - io.prometheus: simpleclient_tracer_otel_agent + --- 
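Review bot: `com.squareup.okhttp3: logging-interceptor` is now listed twice in this hunk with different versions — appended to the okhttp entry at 4.12.0, and again in the following entry (renamed `com.squareup.okhttp3 okhttp logging-interceptor`) at 4.11.0 — so one of the two is wrong and the duplicate makes the license check's result depend on which entry matches first. The kubernetes-extensions pom in this patch pins only okhttp itself at 4.12.0, so logging-interceptor's resolved version is not visible here; keep the single entry that matches the resolved version and drop the other. The same pattern of one artifact under two entries also appears in the hunk at line 1017 for the kotlin artifacts.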
@@ -1017,70 +1032,76 @@ name: com.flipkart.zjsonpatch zjsonpatch license_category: binary module: extensions/druid-kubernetes-extensions license_name: Apache License version 2.0 -version: 0.4.11 +version: 0.4.14 libraries: - com.flipkart.zjsonpatch: zjsonpatch --- - -name: org.bouncycastle bcprov-jdk15on +name: org.bouncycastle bcprov-jdk18on license_category: binary module: extensions/druid-kubernetes-extensions license_name: MIT License -version: "1.70" +version: "1.76" libraries: - - org.bouncycastle: bcprov-jdk15on - + - org.bouncycastle: bcprov-jdk18on + - org.bouncycastle: bcprov-ext-jdk18on + - org.bouncycastle: bcpkix-jdk18on + - org.bouncycastle: bcutil-jdk18on --- -name: org.bouncycastle bcprov-ext-jdk15on + +name: com.github.vladimir-bukhtoyarov bucket4j-core license_category: binary module: extensions/druid-kubernetes-extensions -license_name: MIT License -version: "1.70" +license_name: Apache License version 2.0 +version: 7.6.0 libraries: - - org.bouncycastle: bcprov-ext-jdk15on + - com.github.vladimir-bukhtoyarov: bucket4j-core --- -name: org.bouncycastle bcpkix-jdk15on +name: Jetbrains Annotations license_category: binary module: extensions/druid-kubernetes-extensions -license_name: MIT License -version: "1.70" +module: extensions/kubernetes-extensions +license_name: Apache License version 2.0 +version: 13.0 libraries: - - org.bouncycastle: bcpkix-jdk15on + - org.jetbrains: annotations + --- -name: org.bouncycastle bcutil-jdk15on +name: Jetbrains kotlin-stdlib license_category: binary -module: extensions/druid-kubernetes-extensions -license_name: MIT License -version: "1.70" +module: extensions/kubernetes-extensions +license_name: Apache License version 2.0 +version: 1.6.10 libraries: - - org.bouncycastle: bcutil-jdk15on + - org.jetbrains.kotlin: kotlin-stdlib --- -name: com.squareup.okhttp3 logging-interceptor +name: Jetbrains kotlin-stdlib common license_category: binary -module: extensions/druid-kubernetes-extensions +module: 
extensions/kubernetes-extensions license_name: Apache License version 2.0 -version: 3.14.9 +version: 1.9.10 libraries: - - com.squareup.okhttp3: logging-interceptor + - org.jetbrains.kotlin: kotlin-stdlib-common --- - -name: com.github.vladimir-bukhtoyarov bucket4j-core +name: Jetbrains jdk7 jdk 8 license_category: binary -module: extensions/druid-kubernetes-extensions +module: extensions/kubernetes-extensions license_name: Apache License version 2.0 -version: 4.10.0 +version: 1.8.21 libraries: - - com.github.vladimir-bukhtoyarov: bucket4j-core + - org.jetbrains.kotlin: kotlin-stdlib + - org.jetbrains.kotlin: kotlin-stdlib-common + - org.jetbrains.kotlin: kotlin-stdlib-jdk7 + - org.jetbrains.kotlin: kotlin-stdlib-jdk8 --- @@ -4097,6 +4118,16 @@ libraries: --- +name: org.elasticsearch securesm +license_category: binary +version: 2.1.9 +module: druid-ranger-security +license_name: Creative Commons CC0 +libraries: + - org.hdrhistogram: HdrHistogram + +--- + name: Apache Lucene license_category: binary version: 8.4.0 diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml index f9c3146e3588..4d68252dcf49 100644 --- a/owasp-dependency-check-suppressions.xml +++ b/owasp-dependency-check-suppressions.xml @@ -440,9 +440,10 @@ CVE-2021-4277 + ^pkg:maven/com\.squareup\.okio/okio@..*$ CVE-2023-3635 @@ -460,18 +461,6 @@ CVE-2023-5072 - - - - CVE-2023-44981 - @@ -1113,7 +1094,7 @@ com.github.docker-java docker-java-bom - 3.2.13 + 3.3.4 import pom
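Review bot: The `Jetbrains Annotations` entry in the hunk at line 1017 ends up with two `module:` keys — the context line `module: extensions/druid-kubernetes-extensions` is kept and `module: extensions/kubernetes-extensions` is added directly under it — which is a duplicate key in one YAML mapping and is either rejected or resolved last-wins depending on the loader. The added path `extensions/kubernetes-extensions` (used here and in the two kotlin entries that follow) also differs from the `extensions/druid-kubernetes-extensions` every neighbouring entry uses, so the license check may not associate these entries with the module at all. The kotlin entries additionally record `kotlin-stdlib` at both 1.6.10 and 1.8.21 and `kotlin-stdlib-common` at both 1.9.10 and 1.8.21; the checker needs one entry per artifact at the resolved version. Remove the extra `module:` line, align the path with the existing convention, and reconcile the kotlin versions against the actual dependency tree.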
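Review bot: The entry added in the hunk at line 4097 is named `org.elasticsearch securesm` but lists `org.hdrhistogram: HdrHistogram` as its only library, so the name and the artifact do not match, and the combination with `license_name: Creative Commons CC0` and `module: druid-ranger-security` reads as if it was adapted from a neighbouring entry. If HdrHistogram is the artifact being recorded, name the entry accordingly (`name: org.hdrhistogram HdrHistogram`) and verify the module and license against what druid-ranger-security actually pulls in; if securesm was intended, the library line is the wrong one. The key order (`version:` before `module:`) also differs from the surrounding entries, which is cosmetic but makes the file harder to scan.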
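Review bot: The suppression `^pkg:maven/com\.squareup\.okio/okio@..*$` added for CVE-2023-3635 in the hunk at line 440 is version-agnostic, yet this same patch moves okio to 3.6.0 specifically to close that CVE; if 3.6.0 is outside the affected range the scanner stops reporting it without any suppression, and if some module still resolves an older okio this entry hides the one finding that matters. Prefer dropping it, or if a residual false positive remains (for example a different artifact the scanner mis-attributes to okio), scope the regex to that artifact and the fixed version instead of `@..*`, and record the reason in the suppression's notes so the next person knows when it can be removed. Dependency-check also accepts an `until` date on a suppression, which suits a temporary entry better than an open-ended one. The element names are stripped in this rendering, so the exact wrapping element is inferred from the `CVE-2021-4277` context line.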