This is an automated email from the ASF dual-hosted git repository. ccaominh pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new 176b715 Ignore CVEs from htrace and ambari transitive deps (#10353)
176b715 is described below
commit 176b7156249fdcd2a148c9d825f1f828df44709a
Author: Chi Cao Minh <chi.caom...@imply.io>
AuthorDate: Fri Sep 4 15:22:26 2020 -0700
Ignore CVEs from htrace and ambari transitive deps (#10353)
* Ignore CVEs from htrace and ambari transitive deps
htrace CVEs are suppressed for now as addressing them requires updating the hadoop version. ambari CVEs are suppressed for now since ambari is updated to the latest version and is no longer actively maintained.
* Fix compilation issue from ambari upgrade
* Add missing test coverage
---
extensions-contrib/ambari-metrics-emitter/pom.xml | 2 +-
.../ambari/metrics/AmbariMetricsEmitter.java | 18 +++++++
.../ambari/metrics/AmbariMetricsEmitterTest.java | 4 ++
owasp-dependency-check-suppressions.xml | 60 ++++++++++++++++++++--
4 files changed, 79 insertions(+), 5 deletions(-)
diff --git a/extensions-contrib/ambari-metrics-emitter/pom.xml b/extensions-contrib/ambari-metrics-emitter/pom.xml
index 27b4b67..7e48add 100644
--- a/extensions-contrib/ambari-metrics-emitter/pom.xml
+++ b/extensions-contrib/ambari-metrics-emitter/pom.xml
@@ -51,7 +51,7 @@
 <dependency>
 <groupId>org.apache.ambari</groupId>
 <artifactId>ambari-metrics-common</artifactId>
- <version>2.6.1.0.0</version>
+ <version>2.7.0.0.0</version>
 <exclusions>
 <exclusion>
 <groupId>org.codehaus.jackson</groupId>
diff --git a/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java b/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
index 6b4bbd5..905b6cf 100644
--- a/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
+++ b/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
@@ -185,6 +185,24 @@ public class AmbariMetricsEmitter extends AbstractTimelineMetricsSink implements
 return config.getHostname();
 }
 
+ @Override
+ protected boolean isHostInMemoryAggregationEnabled()
+ {
+ return false;
+ }
+
+ @Override
+ protected int getHostInMemoryAggregationPort()
+ {
+ return 0; // since host in-memory aggregation is disabled, this return value is unimportant
+ }
+
+ @Override
+ protected String getHostInMemoryAggregationProtocol()
+ {
+ return ""; // since host in-memory aggregation is disabled, this return value is unimportant
+ }
+
 private class ConsumerRunnable implements Runnable
 {
 @Override
diff --git a/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java b/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
index 9903554..9a01413 100644
--- a/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
+++ b/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
@@ -66,5 +66,9 @@ public class AmbariMetricsEmitterTest
 Assert.assertEquals("hostname", emitter.getHostname());
 Assert.assertNull(emitter.getZookeeperQuorum());
 Assert.assertEquals(Collections.singleton("hostname"), emitter.getConfiguredCollectorHosts());
+
+ Assert.assertFalse(emitter.isHostInMemoryAggregationEnabled());
+ Assert.assertEquals(0, emitter.getHostInMemoryAggregationPort());
+ Assert.assertEquals("", emitter.getHostInMemoryAggregationProtocol());
 }
 }
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 304606e..998e5c6 100644
--- a/owasp-dependency-check-suppressions.xml
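Review bot: The three new overrides hardcode host in-memory aggregation as disabled without a Javadoc saying why, and the two inline comments assert that the port and protocol are unimportant without saying what guarantees that. Suggest a Javadoc on isHostInMemoryAggregationEnabled(), e.g. `/** Host in-memory aggregation is never used by this emitter; getHostInMemoryAggregationPort() and getHostInMemoryAggregationProtocol() return placeholders that must only be reached while this returns false. */`, and pointing the two `// since host in-memory aggregation is disabled …` comments at it instead of repeating the reasoning. If the 2.7.0.0.0 sink reads the port or protocol independently of this flag (not visible here), `0` and `""` would be used to build an endpoint rather than failing clearly, so that is worth confirming against AbstractTimelineMetricsSink. The enclosing class AmbariMetricsEmitter starts and ends outside the hunk.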
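Review bot: The last two added assertions pin `0` and `""` for the aggregation port and protocol, values the emitter's own comments describe as unimportant placeholders, so the test now breaks on a cosmetic change while checking nothing the emitter depends on. Either keep only `Assert.assertFalse(emitter.isHostInMemoryAggregationEnabled());` or add a comment above the three lines stating that the placeholder values are deliberately part of the tested contract. The enclosing test method starts outside the hunk.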
+++ b/owasp-dependency-check-suppressions.xml
@@ -147,7 +147,7 @@
 <cve>CVE-2019-17195</cve>
 </suppress>
 <suppress>
- <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage -->
+ <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
 <notes><![CDATA[
 file name: libthrift-0.6.1.jar
 ]]></notes>
@@ -157,6 +157,28 @@
 <cve>CVE-2019-0205</cve>
 </suppress>
 <suppress>
+ <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
+ <notes><![CDATA[
+ file name: snakeyaml-1.6.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
+ <cve>CVE-2017-18640</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-annotations:2.4.0)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@2.4.0$</packageUrl>
+ <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-annotations:2.4.0 since it is via htrace-core4 -->
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@2.4.0$</packageUrl>
+ <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-core:2.4.0 since it is via htrace-core4 -->
+ </suppress>
+ <suppress>
 <!--
 ~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change
 ~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well.
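Review bot: The two new htrace-core4 entries suppress every finding (`<cvssBelow>10</cvssBelow>`) for the shaded jackson-annotations and jackson-core 2.4.0, but unlike the snakeyaml entry directly above them they carry no TODO recording what would let them be removed; the commit message says this needs a hadoop update, and that belongs in the file where the next reviewer will look. Suggest adding `<!-- TODO: Fix by updating the hadoop version that brings in htrace-core4 -->` before the `<notes>` of each of the two blanket entries. A cvssBelow=10 suppression also hides any CVE reported against these coordinates in the future, not just the ones known today, so a `until` date on those two `<suppress>` elements would force periodic re-review rather than leaving them open-ended.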
@@ -173,10 +195,10 @@
 ~ TODO: Fix by updating parquet version in extensions-core/parquet-extensions.
 -->
 <notes><![CDATA[
- file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.9.10)
+ file name: parquet-jackson-1.11.0.jar (shaded: com.fasterxml.jackson.core:jackson-{core,databind}:2.9.10)
 ]]></notes>
- <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.9.10$</packageUrl>
- <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-databind:2.9.0 since it is via parquet transitive dependencies -->
+ <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-.*@2.9.10$</packageUrl>
+ <cvssBelow>10</cvssBelow> <!-- suppress all CVEs for jackson-{core,databind}:2.9.0 since it is via parquet transitive dependencies -->
 </suppress>
 <suppress>
 <notes><![CDATA[
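Review bot: The new comment on the `<cvssBelow>` line says `jackson-{core,databind}:2.9.0` while the packageUrl and the notes line say 2.9.10, so the comment contradicts the entry it documents (the removed line had the same mismatch, but this change rewrites it and could have fixed it): `<!-- suppress all CVEs for jackson-{core,databind}:2.9.10 since it is via parquet transitive dependencies -->`. The widened pattern `jackson\-.*@2.9.10$` also matches every `com.fasterxml.jackson.core` artifact at 2.9.10, not only the two named in the notes, so the suppression is broader than it claims; if only core and databind are shaded into parquet-jackson, `jackson\-(core|databind)@2.9.10$` keeps it as narrow as the notes say. The enclosing `<suppress>` element starts outside the hunk.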
@@ -229,4 +251,34 @@
 <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
 <cve>CVE-2019-17571</cve>
 </suppress>
+ <suppress>
+ <!--
+ - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+ -->
+ <notes><![CDATA[
+ file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: io.netty:netty:3.10.5.Final)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
+ <cve>CVE-2019-16869</cve>
+ <cve>CVE-2019-20444</cve>
+ <cve>CVE-2019-20445</cve>
+ </suppress>
+ <suppress>
+ <!--
+ - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, released in July 2018.
+ -->
+ <notes><![CDATA[
+ file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: org.apache.hadoop:hadoop-annotations:2.6.0)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
+ <cve>CVE-2015-1776</cve>
+ <cve>CVE-2016-3086</cve>
+ <cve>CVE-2016-5393</cve>
+ <cve>CVE-2016-6811</cve>
+ <cve>CVE-2017-3162</cve>
+ <cve>CVE-2018-11768</cve>
+ <cve>CVE-2018-1296</cve>
+ <cve>CVE-2018-8009</cve>
+ <cve>CVE-2018-8029</cve>
+ </suppress>
 </suppressions>
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@druid.apache.org
For additional commands, e-mail: commits-h...@druid.apache.org
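Review bot: The hadoop-annotations entry matches `hadoop\-annotations@.*$`, i.e. any version, while the netty entry beside it and every other entry in the file pin the version; a later dependency that pulls a different hadoop-annotations carrying one of these nine CVEs would be suppressed without anyone noticing. Suggest pinning it to the version the notes name, `<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@2.6.0$</packageUrl>`. Both new comments also misspell "latest" as "lastest", and since they record that ambari-metrics-common has not been released since July 2018, an `until` date on these two `<suppress>` elements would make the decision to keep shipping the vulnerable netty and hadoop-annotations classes come back for review instead of standing indefinitely.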