This is an automated email from the ASF dual-hosted git repository.
yqm pushed a commit to branch 35.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/35.0.0 by this push:
new 2985582be84 Resolve CVE (#18620)
2985582be84 is described below
commit 2985582be84a282d0c8392fe96cc6f2ea291eae4
Author: Cece Mei <[email protected]>
AuthorDate: Thu Oct 16 14:28:14 2025 -0700
Resolve CVE (#18620)
* cve
* license
* cve
* cve2
* dependency
---
.github/scripts/setup_generate_license.sh | 8 +++--
distribution/bin/check-licenses.py | 2 ++
extensions-contrib/druid-ranger-security/pom.xml | 31 +++++++++++++-------
licenses.yaml | 37 +++++++++++++++++++-----
owasp-dependency-check-suppressions.xml | 14 +++++++++
pom.xml | 12 ++++----
web-console/package-lock.json | 2 +-
web-console/package.json | 2 +-
8 files changed, 81 insertions(+), 27 deletions(-)
diff --git a/.github/scripts/setup_generate_license.sh
b/.github/scripts/setup_generate_license.sh
index 85a6a5aaa7a..e7095e1dfa2 100755
--- a/.github/scripts/setup_generate_license.sh
+++ b/.github/scripts/setup_generate_license.sh
@@ -17,10 +17,14 @@
set -e
-sudo apt-get update && sudo apt-get install python3 -y
+if [ "$(uname)" = "Linux" ]; then
+ # github action runs on ubuntu, we might need to install python3 and pip3
+ sudo apt-get update && sudo apt-get install python3 -y
+ sudo apt install python3-pip
+fi
+
# creating python virtual env
python3 -m venv ~/.python3venv
source ~/.python3venv/bin/activate
-sudo apt install python3-pip
pip3 install wheel # install wheel first explicitly
pip3 install --upgrade pyyaml
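Review bot: The relocated `sudo apt install python3-pip` still runs without `-y`, so on a runner where the package is absent apt waits for confirmation and, with `set -e` in force, the script aborts; the line above it already uses the non-interactive form. Fold the two into one call, `sudo apt-get update && sudo apt-get install -y python3 python3-pip`, which also avoids the `apt` CLI that warns when used from scripts. The `uname = Linux` guard only establishes the kernel, not that apt exists, so a non-Debian Linux host would still fail inside the branch; testing `command -v apt-get` first would make the intent explicit.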
diff --git a/distribution/bin/check-licenses.py
b/distribution/bin/check-licenses.py
index 5795cd1f959..23d99a68f6e 100755
--- a/distribution/bin/check-licenses.py
+++ b/distribution/bin/check-licenses.py
@@ -443,6 +443,8 @@ def check_licenses(license_yaml, dependency_reports_root):
print_log_to_stderr("")
if len(mismatched_licenses) > 0 or len(missing_licenses) > 0:
+ print_log_to_stderr("Mismatched licenses:
{}".format(mismatched_licenses))
+ print_log_to_stderr("Missing licenses: {}".format(missing_licenses))
sys.exit(1)
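Review bot: The two new stderr lines format each list with Python's repr, so a long mismatch set lands on a single line and is hard to read or grep in CI logs; one entry per line is friendlier, e.g. `print_log_to_stderr("Mismatched licenses:\n{}".format("\n".join(map(str, mismatched_licenses))))` and likewise for the missing set — assuming the entries are strings or have a useful `__str__`, which is not visible here. check_licenses continues outside the hunk, and the first added statement is wrapped across two lines in this rendering but is one line in the file.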
diff --git a/extensions-contrib/druid-ranger-security/pom.xml
b/extensions-contrib/druid-ranger-security/pom.xml
index ef22dd25e24..dd5cddc0833 100644
--- a/extensions-contrib/druid-ranger-security/pom.xml
+++ b/extensions-contrib/druid-ranger-security/pom.xml
@@ -166,18 +166,9 @@
</dependency>
<dependency>
<groupId>org.apache.ranger</groupId>
- <artifactId>ranger-plugins-audit</artifactId>
+ <artifactId>ranger-audit-dest-es</artifactId>
<version>${apache.ranger.version}</version>
<exclusions>
- <exclusion>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-common</artifactId>
- </exclusion>
- <!-- removing the complete bundle sdk to be replaced with only
logs-sdk -->
- <exclusion>
- <groupId>com.amazonaws</groupId>
- <artifactId>aws-java-sdk-bundle</artifactId>
- </exclusion>
<exclusion>
<groupId>org.elasticsearch</groupId>
<artifactId>*</artifactId>
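Review bot: The `hadoop-common` and `aws-java-sdk-bundle` exclusions are dropped from this dependency as it changes from `ranger-plugins-audit` to `ranger-audit-dest-es`, and reappear only on the new `ranger-audit-dest-hdfs` dependency in the next hunk. If `ranger-audit-dest-es` still reaches `ranger-plugins-audit` transitively (the comment later in this file describes that artifact as the source of the bundle SDK), hadoop-common and the bundle SDK can return through this path; verify with `mvn dependency:tree -pl extensions-contrib/druid-ranger-security` and keep the exclusions on both artifacts if so. It also reads oddly that the Elasticsearch audit destination keeps the `org.elasticsearch:*` exclusion; a one-line comment stating why would help the next reader.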
@@ -193,6 +184,23 @@
</exclusions>
<scope>compile</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-audit-dest-hdfs</artifactId>
+ <version>${apache.ranger.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ </exclusion>
+ <!-- removing the complete bundle sdk to be replaced with only
logs-sdk -->
+ <exclusion>
+ <groupId>com.amazonaws</groupId>
+ <artifactId>aws-java-sdk-bundle</artifactId>
+ </exclusion>
+ </exclusions>
+ <scope>compile</scope>
+ </dependency>
<!-- This is a transitive dependency of ranger-plugins-audit
added here to replace bloated bundle sdk, remove this if /when
apache ranger replaces bundle-skd with logs-sdk -->
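Review bot: The comment closing this hunk still says "This is a transitive dependency of ranger-plugins-audit", but after this change no `ranger-plugins-audit` dependency is declared in the file, so it no longer explains where the SDK comes from; update it to name the artifact that actually pulls it, e.g. `<!-- Transitive dependency of ranger-audit-dest-hdfs/-es, declared here to replace the bloated bundle SDK; remove when Apache Ranger switches to logs-sdk -->` (which also fixes "bundle-skd"). The same naming drift appears in the licenses.yaml hunk of this commit: the new entry is named `ranger-plugins-audit-dest-es` and lists `org.apache.ranger: ranger-plugins-audit`, while the artifact declared here is `ranger-audit-dest-es`. Whether the license checker keys on the entry name or on the libraries list is not visible in this diff, but the two files should agree on the artifact id.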
@@ -259,7 +267,8 @@
<configuration>
<usedDependencies>
<!-- These are needed for scope: compile -->
-
<dependency>org.apache.ranger:ranger-plugins-audit</dependency>
+
<dependency>org.apache.ranger:ranger-audit-dest-es</dependency>
+
<dependency>org.apache.ranger:ranger-audit-dest-hdfs</dependency>
</usedDependencies>
<!-- this is due to replacement of aws-bundle-sdk with
aws-logs-sdk -->
<ignoredDependencies>
diff --git a/licenses.yaml b/licenses.yaml
index 8b25dfb2f9d..4e5d201edb7 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -1016,6 +1016,15 @@ version: 2.2.1
libraries:
- org.joda: joda-convert
+---
+
+name: org.jooq joou-java-6
+license_category: binary
+module: java-core
+license_name: Apache License version 2.0
+version: 0.9.4
+libraries:
+ - org.jooq: joou-java-6
---
@@ -1303,12 +1312,16 @@ name: Netty
license_category: binary
module: java-core
license_name: Apache License version 2.0
-version: 4.1.122.Final
+version: 4.2.6.Final
libraries:
- io.netty: netty-buffer
- io.netty: netty-codec
+ - io.netty: netty-codec-base
+ - io.netty: netty-codec-compression
- io.netty: netty-codec-dns
- io.netty: netty-codec-http
+ - io.netty: netty-codec-marshalling
+ - io.netty: netty-codec-protobuf
- io.netty: netty-codec-socks
- io.netty: netty-common
- io.netty: netty-handler
@@ -1688,7 +1701,7 @@ name: Apache Calcite Avatica
license_category: binary
module: java-core
license_name: Apache License version 2.0
-version: 1.26.0
+version: 1.27.0
libraries:
- org.apache.calcite.avatica: avatica-core
- org.apache.calcite.avatica: avatica-metrics
@@ -3603,7 +3616,7 @@ name: ICU4J
license_category: binary
module: java-core
license_name: Unicode/ICU License
-version: 73.2
+version: 77.1
copyright: International Business Machines Corporation and others
license_file_path: licenses/bin/icu4j.ICU
libraries:
@@ -4449,7 +4462,7 @@ name: Netty
license_category: binary
module: extensions/druid-azure-extensions
license_name: Apache License version 2.0
-version: 2.0.72.Final
+version: 2.0.73.Final
libraries:
- io.netty: netty-tcnative-boringssl-static
- io.netty: netty-tcnative-classes
@@ -4680,9 +4693,19 @@ notice: |
---
-name: org.apache.ranger ranger-plugins-audit
+name: org.apache.ranger ranger-plugins-audit-dest-es
license_category: binary
-version: 2.4.0
+version: 2.7.0
+module: druid-ranger-security
+license_name: Apache License version 2.0
+libraries:
+ - org.apache.ranger: ranger-plugins-audit
+
+---
+
+name: org.apache.ranger ranger-plugins-audit-dest-hdfs
+license_category: binary
+version: 2.7.0
module: druid-ranger-security
license_name: Apache License version 2.0
libraries:
@@ -4692,7 +4715,7 @@ libraries:
name: org.apache.ranger ranger-plugins-common
license_category: binary
-version: 2.4.0
+version: 2.7.0
module: druid-ranger-security
license_name: Apache License version 2.0
libraries:
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index cee6e4d276c..133f4cd90df 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -259,6 +259,17 @@
<cve>CVE-2022-24823</cve> <!-- We don't decode user HTTP requests nor
forward them to remote systems, we also don't support for java 6 or lower -
https://github.com/advisories/GHSA-269q-hmxg-m83q -->
<cve>CVE-2022-41881</cve>
<cve>CVE-2023-34462</cve> <!-- Suppressed since netty requests in Druid
are internal, and not user-facing -->
+ <cve>CVE-2025-55163</cve> <!-- Netty 3.x not affected; HTTP/2 issues only
in 4.x -->
+ <cve>CVE-2025-58056</cve>
+ <cve>CVE-2025-58057</cve> <!-- Netty 3.x not affected; compression issue
only in 4.x -->
+ </suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: icu4j-77.1.jar
+ ]]></notes>
+ <packageUrl
regex="true">^pkg:maven/com\.ibm\.icu/[email protected]$</packageUrl>
+ <cve>CVE-2025-5222</cve> <!-- False positive:
https://github.com/dependency-check/DependencyCheck/issues/7860 -->
</suppress>
<suppress>
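Review bot: `CVE-2025-58056` is the only entry in this block without a rationale comment, while every neighbour states why the finding does not apply; add one in the same form, `<cve>CVE-2025-58056</cve> <!-- [reason this does not apply to the pinned Netty 3.x] -->`, rather than leaving a silent suppression. The three new Netty entries are justified as "4.x only", which is sound only if this `<suppress>`'s `packageUrl` (outside the hunk) is scoped to the netty 3.x artifact; if it is a broad `io.netty` regex, the same lines would also hide those CVEs on the 4.2.6 line this commit moves to, so please confirm the scope. The new icu4j block is a good model to follow: pinning `@77.1$` means the suppression stops matching on the next upgrade instead of lingering.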
@@ -423,6 +434,9 @@
<cve>CVE-2023-39410</cve> <!-- This seems to be a legitimate
vulnerability. But there is no fix as of yet in Hadoop repo -->
<cve>CVE-2023-44487</cve> <!-- Occurs in the version of Hadoop used by
Jetty, but it hasn't been fixed by Hadoop yet-->
<cve>CVE-2023-36478</cve> <!-- Occurs in the version of Hadoop used by
Jetty, but it hasn't been fixed by Hadoop yet-->
+ <cve>CVE-2025-48734</cve> <!-- Since Druid 35, Hadoop is no longer
supported. -->
+ <cve>CVE-2023-52428</cve> <!-- Since Druid 35, Hadoop is no longer
supported. -->
+ <cve>CVE-2024-13009</cve> <!-- Since Druid 35, Hadoop is no longer
supported. -->
</suppress>
<suppress>
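Review bot: The rationale "Since Druid 35, Hadoop is no longer supported" on the three added entries explains the product state but not the exposure: the flagged jars are evidently still on the classpath (otherwise there would be nothing to suppress), and if Hadoop is truly unsupported the stronger fix is to drop the dependency so the findings disappear rather than muting them. If the suppression must stay for now, give it a review date with the suppress element's `until` attribute, `<suppress until="YYYY-MM-DD">` (placeholder date), and name the artifact each CVE is reported against, as the existing entries just above do when they attribute findings to the Jetty pulled in by Hadoop. The enclosing `<suppress>` starts outside the hunk.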
diff --git a/pom.xml b/pom.xml
index 5bb165cd047..d552a80b553 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,10 +78,10 @@
<apache.kafka.version>3.9.1</apache.kafka.version>
<!-- when updating apache ranger, verify the usage of aws-bundle-sdk
vs aws-logs-sdk
and update as needed in extensions-core/druid-ranger-security/pm.xml
-->
- <apache.ranger.version>2.4.0</apache.ranger.version>
+ <apache.ranger.version>2.7.0</apache.ranger.version>
<gson.version>2.12.0</gson.version>
<scala.library.version>2.13.14</scala.library.version>
- <avatica.version>1.26.0</avatica.version>
+ <avatica.version>1.27.0</avatica.version>
<avro.version>1.11.4</avro.version>
<!--
The base calcite parser was copied into the project; when updating
Calcite run dev/upgrade-calcite-parser to adopt upstream changes
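Review bot: The guidance comment directly above the changed `apache.ranger.version` line points at `extensions-core/druid-ranger-security/pm.xml`, but the module this commit edits lives at `extensions-contrib/druid-ranger-security/pom.xml`; since the bump to 2.7.0 is exactly the case the comment asks to be verified, this is the moment to correct the path and filename, `and update as needed in extensions-contrib/druid-ranger-security/pom.xml`. It would also help to record in that comment or the commit message that the aws-bundle-sdk vs aws-logs-sdk check was done for 2.7.0, which the ranger module changes in this commit suggest but do not state.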
@@ -107,7 +107,7 @@
<mysql.version>8.2.0</mysql.version>
<mariadb.version>2.7.3</mariadb.version>
<netty3.version>3.10.6.Final</netty3.version>
- <netty4.version>4.1.122.Final</netty4.version>
+ <netty4.version>4.2.6.Final</netty4.version>
<postgresql.version>42.7.2</postgresql.version>
<protobuf.version>3.25.8</protobuf.version>
<resilience4j.version>1.3.1</resilience4j.version>
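Review bot: `netty4.version` moves from the 4.1 line to 4.2.6.Final, a new release line rather than a patch bump; licenses.yaml in this same commit shows the artifact set changing (netty-codec-base, -compression, -marshalling and -protobuf appear), so any `<exclusion>` or dependencyManagement entry elsewhere that names a netty-codec artifact may no longer cover the split modules. A short comment on the property, `<!-- 4.2.x: module layout differs from 4.1, re-check netty exclusions after bumping -->`, would save the next person the surprise. Whether such exclusions exist is not visible in this diff.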
@@ -595,7 +595,7 @@
<dependency>
<groupId>com.ibm.icu</groupId>
<artifactId>icu4j</artifactId>
- <version>73.2</version>
+ <version>77.1</version>
</dependency>
<dependency>
<groupId>org.mozilla</groupId>
@@ -1846,8 +1846,10 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
- <version>7.4.4</version>
+ <version>12.1.0</version>
<configuration>
+ <nvdApiKey>${nvdApiKey}</nvdApiKey>
+ <ossIndexServerId>ossindex-credentials</ossIndexServerId>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>true</skipProvidedScope>
<skipSystemScope>true</skipSystemScope> <!-- avoid error
when processing jdk.tools:jdk.tools:jar:1.8:system -->
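Review bot: `<nvdApiKey>${nvdApiKey}</nvdApiKey>` relies on a property not declared anywhere in this hunk; if it is undefined, Maven leaves the literal text `${nvdApiKey}` in place and the plugin would present that as the API key, which most likely ends in an authorisation error rather than a graceful unauthenticated fallback. Either declare an empty default in `<properties>` and have developers pass `-DnvdApiKey=…`, or, more consistently with the `ossIndexServerId` line added beside it, reference a `<server>` in settings.xml via `nvdApiServerId` so the key never appears on the command line or in CI logs. A comment noting that the 7.4.4 to 12.1.0 jump is what makes the NVD API key necessary would tie the two changes together for readers.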
diff --git a/web-console/package-lock.json b/web-console/package-lock.json
index 791f30851b8..ce94d19618d 100644
--- a/web-console/package-lock.json
+++ b/web-console/package-lock.json
@@ -18,7 +18,7 @@
"@fontsource/open-sans": "^5.0.30",
"@internationalized/date": "^3.5.6",
"ace-builds": "~1.5.3",
- "axios": "^1.7.7",
+ "axios": "^1.12.0",
"chronoshift": "^1.2.1",
"classnames": "^2.2.6",
"copy-to-clipboard": "^3.3.3",
diff --git a/web-console/package.json b/web-console/package.json
index 97008f824ae..c0065257ec3 100644
--- a/web-console/package.json
+++ b/web-console/package.json
@@ -60,7 +60,7 @@
"@fontsource/open-sans": "^5.0.30",
"@internationalized/date": "^3.5.6",
"ace-builds": "~1.5.3",
- "axios": "^1.7.7",
+ "axios": "^1.12.0",
"chronoshift": "^1.2.1",
"classnames": "^2.2.6",
"copy-to-clipboard": "^3.3.3",