This is an automated email from the ASF dual-hosted git repository.

ccaominh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 176b715  Ignore CVEs from htrace and ambari transitive deps (#10353)
176b715 is described below

commit 176b7156249fdcd2a148c9d825f1f828df44709a
Author: Chi Cao Minh <chi.caom...@imply.io>
AuthorDate: Fri Sep 4 15:22:26 2020 -0700

    Ignore CVEs from htrace and ambari transitive deps (#10353)
    
    * Ignore CVEs from htrace and ambari transitive deps
    
    htrace CVEs are suppressed for now as addressing them requires updating
    the hadoop version.
    
    ambari CVEs are suppressed for now since ambari-metrics-common is already at its latest
    release (2.7.0.0.0) and the project is no longer actively maintained, so there is no fixed
    version to upgrade to.
    
    * Fix compilation issue from ambari upgrade
    
    * Add missing test coverage
---
 extensions-contrib/ambari-metrics-emitter/pom.xml  |  2 +-
 .../ambari/metrics/AmbariMetricsEmitter.java       | 18 +++++++
 .../ambari/metrics/AmbariMetricsEmitterTest.java   |  4 ++
 owasp-dependency-check-suppressions.xml            | 60 ++++++++++++++++++++--
 4 files changed, 79 insertions(+), 5 deletions(-)

diff --git a/extensions-contrib/ambari-metrics-emitter/pom.xml 
b/extensions-contrib/ambari-metrics-emitter/pom.xml
index 27b4b67..7e48add 100644
--- a/extensions-contrib/ambari-metrics-emitter/pom.xml
+++ b/extensions-contrib/ambari-metrics-emitter/pom.xml
@@ -51,7 +51,7 @@
     <dependency>
       <groupId>org.apache.ambari</groupId>
       <artifactId>ambari-metrics-common</artifactId>
-      <version>2.6.1.0.0</version>
+      <version>2.7.0.0.0</version>
       <exclusions>
         <exclusion>
           <groupId>org.codehaus.jackson</groupId>
diff --git 
a/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
 
b/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
index 6b4bbd5..905b6cf 100644
--- 
a/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
+++ 
b/extensions-contrib/ambari-metrics-emitter/src/main/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitter.java
@@ -185,6 +185,24 @@ public class AmbariMetricsEmitter extends 
AbstractTimelineMetricsSink implements
     return config.getHostname();
   }
 
+  @Override
+  protected boolean isHostInMemoryAggregationEnabled()
+  {
+    return false;
+  }
+
+  @Override
+  protected int getHostInMemoryAggregationPort()
+  {
+    return 0;  // since host in-memory aggregation is disabled, this return 
value is unimportant
+  }
+
+  @Override
+  protected String getHostInMemoryAggregationProtocol()
+  {
+    return "";  // since host in-memory aggregation is disabled, this return 
value is unimportant
+  }
+
   private class ConsumerRunnable implements Runnable
   {
     @Override
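Review bot: The 0 port and empty-string protocol returned by the two new overrides are only safe as long as the upstream AbstractTimelineMetricsSink consults isHostInMemoryAggregationEnabled() before using them, which this hunk cannot show; the inline comments say the values are unimportant but not why the feature is off. A Javadoc on isHostInMemoryAggregationEnabled such as `/** Host in-memory aggregation is always off: the emitter config appears to expose no setting for it (confirm), so metrics go straight to the configured collector hosts; the port/protocol overrides below are sentinels and must become real settings if this is ever made configurable. */` would record the decision. The enclosing class starts and ends outside the hunk.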
diff --git 
a/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
 
b/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
index 9903554..9a01413 100644
--- 
a/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
+++ 
b/extensions-contrib/ambari-metrics-emitter/src/test/java/org/apache/druid/emitter/ambari/metrics/AmbariMetricsEmitterTest.java
@@ -66,5 +66,9 @@ public class AmbariMetricsEmitterTest
     Assert.assertEquals("hostname", emitter.getHostname());
     Assert.assertNull(emitter.getZookeeperQuorum());
     Assert.assertEquals(Collections.singleton("hostname"), 
emitter.getConfiguredCollectorHosts());
+
+    Assert.assertFalse(emitter.isHostInMemoryAggregationEnabled());
+    Assert.assertEquals(0, emitter.getHostInMemoryAggregationPort());
+    Assert.assertEquals("", emitter.getHostInMemoryAggregationProtocol());
   }
 }
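Review bot: The two new assertEquals calls on the port and protocol turn values the production comment calls "unimportant" into a tested contract, so any later change of the sentinels fails this test without a behavioral reason. The assertFalse on isHostInMemoryAggregationEnabled() is the check that matters; either drop the other two or precede them with a comment such as `// sentinels; only meaningful while in-memory aggregation stays disabled` so the intent is clear to whoever touches them next.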
diff --git a/owasp-dependency-check-suppressions.xml 
b/owasp-dependency-check-suppressions.xml
index 304606e..998e5c6 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -147,7 +147,7 @@
     <cve>CVE-2019-17195</cve>
   </suppress>
   <suppress>
-      <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of 
com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage -->
+      <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of 
com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
       <notes><![CDATA[
    file name: libthrift-0.6.1.jar
    ]]></notes>
@@ -157,6 +157,28 @@
       <cve>CVE-2019-0205</cve>
   </suppress>
   <suppress>
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of 
com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
+    <notes><![CDATA[
+    file name: snakeyaml-1.6.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
+    <cve>CVE-2017-18640</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: htrace-core4-4.0.1-incubating.jar (shaded: 
com.fasterxml.jackson.core:jackson-annotations:2.4.0)
+   ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@2.4.0$</packageUrl>
+    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for 
jackson-annotations:2.4.0 since it is via htrace-core4 -->
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: htrace-core4-4.0.1-incubating.jar (shaded: 
com.fasterxml.jackson.core:jackson-core:2.4.0)
+   ]]></notes>
+    <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@2.4.0$</packageUrl>
+    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for jackson-core:2.4.0 
since it is via htrace-core4 -->
+  </suppress>
+  <suppress>
     <!--
       ~ TODO: Fix by updating hadoop-common used by 
extensions-core/parquet-extensions. Possibly need to change
       ~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well.
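Review bot: The two htrace-core4 entries use `<cvssBelow>10</cvssBelow>` keyed only on the packageUrl, so every CVE for any jackson-core or jackson-annotations 2.4.0 found anywhere in the build is silenced, not just the copy shaded into htrace-core4-4.0.1-incubating.jar, and unlike the neighbouring entries they carry no TODO and no expiry. Scoping each rule to the jar with `<filePath regex="true">.*htrace-core4-4\.0\.1-incubating\.jar$</filePath>` (if the shaded entry reports the outer jar as its path, which I believe it does) or its `<sha1>`, and giving the `<suppress>` element an `until="YYYY-MM-DD"` attribute, would make the suppression fail loudly once it goes stale instead of hiding a future direct jackson-core 2.4.0. A comment matching the others, `<!-- TODO: Fix by updating the hadoop version; htrace-core4 is pulled in transitively by hadoop -->`, would record the reason the commit message gives.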
@@ -173,10 +195,10 @@
       ~ TODO: Fix by updating parquet version in 
extensions-core/parquet-extensions.
       -->
     <notes><![CDATA[
-   file name: parquet-jackson-1.11.0.jar (shaded: 
com.fasterxml.jackson.core:jackson-databind:2.9.10)
+   file name: parquet-jackson-1.11.0.jar (shaded: 
com.fasterxml.jackson.core:jackson-{core,databind}:2.9.10)
    ]]></notes>
-    <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@2.9.10$</packageUrl>
-    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for 
jackson-databind:2.9.0 since it is via parquet transitive dependencies -->
+    <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-.*@2.9.10$</packageUrl>
+    <cvssBelow>10</cvssBelow>  <!-- suppress all CVEs for 
jackson-{core,databind}:2.9.0 since it is via parquet transitive dependencies 
-->
   </suppress>
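Review bot: The widened regex `jackson\-.*@2.9.10$` on the new packageUrl line now suppresses all CVEs for any com.fasterxml.jackson.core artifact at 2.9.10 found anywhere in the build, not only the copies shaded into parquet-jackson-1.11.0.jar, so a direct or other transitive jackson-databind 2.9.10 would be hidden too; adding `<filePath regex="true">.*parquet-jackson-1\.11\.0\.jar$</filePath>` alongside it would keep the scope to the parquet jar. The trailing comment still says `jackson-{core,databind}:2.9.0` while the notes and the regex say 2.9.10; it should read `2.9.10`. An `until="YYYY-MM-DD"` attribute on this `<suppress>` would also let the blanket rule expire rather than linger after parquet is upgraded.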
   <suppress>
      <notes><![CDATA[
@@ -229,4 +251,34 @@
     <packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
     <cve>CVE-2019-17571</cve>
   </suppress>
+  <suppress>
+     <!--
+       - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, 
released in July 2018.
+       -->
+     <notes><![CDATA[
+     file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: 
io.netty:netty:3.10.5.Final)
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/io\.netty/netty@3.10.5.Final$</packageUrl>
+     <cve>CVE-2019-16869</cve>
+     <cve>CVE-2019-20444</cve>
+     <cve>CVE-2019-20445</cve>
+  </suppress>
+  <suppress>
+       <!--
+         - TODO: The lastest version of ambari-metrics-common is 2.7.0.0.0, 
released in July 2018.
+         -->
+     <notes><![CDATA[
+     file name: ambari-metrics-common-2.7.0.0.0.jar (shaded: 
org.apache.hadoop:hadoop-annotations:2.6.0)
+     ]]></notes>
+     <packageUrl 
regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-annotations@.*$</packageUrl>
+     <cve>CVE-2015-1776</cve>
+     <cve>CVE-2016-3086</cve>
+     <cve>CVE-2016-5393</cve>
+     <cve>CVE-2016-6811</cve>
+     <cve>CVE-2017-3162</cve>
+     <cve>CVE-2018-11768</cve>
+     <cve>CVE-2018-1296</cve>
+     <cve>CVE-2018-8009</cve>
+     <cve>CVE-2018-8029</cve>
+  </suppress>
 </suppressions>
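Review bot: The hadoop-annotations rule matches `hadoop\-annotations@.*$`, every version, while its note and the stated rationale cover only the 2.6.0 copy shaded into ambari-metrics-common-2.7.0.0.0.jar; pinning it to `@2\.6\.0$` (or adding a `<filePath>` for the ambari jar) stops it from also covering Druid's own hadoop-annotations if that is ever flagged. Both new comments misspell "latest" as "lastest", and since the rationale is that no fixed ambari release exists, an `until="YYYY-MM-DD"` date on each new `<suppress>` would force a periodic re-check rather than a permanent silence. The netty 3.10.5.Final rule lists specific CVEs, which is the right shape; as far as I recall those three concern HTTP header parsing in netty's HTTP codec, so a comment stating whether the Ambari sink actually uses that codec would help the next reviewer judge exploitability.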

