Skip to content

Commit

Permalink
Update google client apis to latest version (#14414)
Browse files Browse the repository at this point in the history 
Currently Druid is using google apis client 1.26.0 version and google-oauth-client-1.26.0.jar in particular is bringing following CVEs CVE-2020-7692, CVE-2021-22573. Despite the CVEs being false positives, they're causing red security scans on Druid distribution. Hence updating the version to latest version with these CVE fixes.
  • Loading branch information
@tejaswini-imply
tejaswini-imply authored Sep 11, 2023
1 parent 2b7f2c5 commit dec6a0a
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 20 deletions.
4 changes: 2 additions & 2 deletions integration-tests-ex/cases/pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -188,13 +188,13 @@
<dependency>
<groupId>com.google.http-client</groupId>
<artifactId>google-http-client</artifactId>
<version>${com.google.apis.client.version}</version>
<version>${com.google.http.client.apis.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.google.http-client</groupId>
<artifactId>google-http-client-jackson2</artifactId>
<version>${com.google.apis.client.version}</version>
<version>${com.google.http.client.apis.version}</version>
<scope>provided</scope>
</dependency>
<!-- Tests can choose either the MySQL or MariaDB driver. -->
Expand Down
10 changes: 5 additions & 5 deletions licenses.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4422,7 +4422,7 @@ name: Google Cloud Storage JSON API
license_category: binary
module: extensions/druid-google-extensions
license_name: Apache License version 2.0
version: v1-rev20190523-1.26.0
version: v1-rev20230301-2.0.0
libraries:
- com.google.apis: google-api-services-storage

Expand All @@ -4432,7 +4432,7 @@ name: Google Compute Engine API
license_category: binary
module: extensions/gce-extensions
license_name: Apache License version 2.0
version: v1-rev20190523-1.26.0
version: v1-rev20230606-2.0.0
libraries:
- com.google.apis: google-api-services-compute

Expand All @@ -4442,7 +4442,7 @@ name: Google APIs Client Library For Java
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 1.32.1
version: 2.2.0
libraries:
- com.google.api-client: google-api-client

Expand All @@ -4452,7 +4452,7 @@ name: Google HTTP Client Library For Java
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 1.35.2
version: 1.42.3
libraries:
- com.google.http-client: google-http-client
- com.google.http-client: google-http-client-jackson2
Expand All @@ -4463,7 +4463,7 @@ name: Google OAuth Client Library For Java
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 1.22.0
version: 1.34.1
libraries:
- com.google.oauth-client: google-oauth-client

Expand Down
8 changes: 0 additions & 8 deletions owasp-dependency-check-suppressions.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -291,14 +291,6 @@
<packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
<vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Druid is not a native app, so the vulnerability flagged is a false positive.
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.google\.oauth-client/google\-oauth\-client@.*$</packageUrl>
<cve>CVE-2020-7692</cve>
<cve>CVE-2021-22573</cve>
</suppress>
<suppress>
<!--
~ TODO: Fix when Apache Ranger 2.1 is released
Expand Down
11 changes: 6 additions & 5 deletions pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,9 +120,10 @@
<!-- When upgrading ZK, edit docs and integration tests as well (integration-tests/docker-base/setup.sh) -->
<zookeeper.version>3.5.10</zookeeper.version>
<checkerframework.version>2.5.7</checkerframework.version>
<com.google.apis.client.version>1.26.0</com.google.apis.client.version>
<com.google.apis.compute.version>v1-rev20190607-${com.google.apis.client.version}</com.google.apis.compute.version>
<com.google.apis.storage.version>v1-rev20190523-${com.google.apis.client.version}</com.google.apis.storage.version>
<com.google.apis.client.version>2.2.0</com.google.apis.client.version>
<com.google.http.client.apis.version>1.42.3</com.google.http.client.apis.version>
<com.google.apis.compute.version>v1-rev20230606-2.0.0</com.google.apis.compute.version>
<com.google.apis.storage.version>v1-rev20230301-2.0.0</com.google.apis.storage.version>
<jdk.strong.encapsulation.argLine><!-- empty placeholder --></jdk.strong.encapsulation.argLine>
<repoOrgId>maven.org</repoOrgId>
<repoOrgName>Maven Central Repository</repoOrgName>
Expand Down Expand Up @@ -1170,12 +1171,12 @@
<dependency>
<groupId>com.google.http-client</groupId>
<artifactId>google-http-client</artifactId>
<version>${com.google.apis.client.version}</version>
<version>${com.google.http.client.apis.version}</version>
</dependency>
<dependency>
<groupId>com.google.http-client</groupId>
<artifactId>google-http-client-jackson2</artifactId>
<version>${com.google.apis.client.version}</version>
<version>${com.google.http.client.apis.version}</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
Expand Down

0 comments on commit dec6a0a

Please sign in to comment.