[ https://issues.apache.org/jira/browse/IGNITE-15241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542992#comment-17542992 ]
Alexey Kukushkin commented on IGNITE-15241: ------------------------------------------- The [H2's PR 2227|https://github.com/h2database/h2database/pull/2227] really makes it impossible to upgrade to a newer H2 version where all the vulnerabilities are addressed. I see the following options to address the problem: # None of the vulnerabilities is really applicable to H2 in Apache Ignite due to specifics of how Ignite uses H2. See the impact analysis in the description of this JIRA. This can be used as a justification for appropriate team (DevOps, security) in the organization to add the H2 modules used by Ignite to the list of exceptions of the security vulnerabilities scanner. # H2 module shading: rename the H2 module group or name and replace the default H2 with the new one. This could be done manually or using the [Apache Maven Shade Plugin|https://maven.apache.org/plugins/maven-shade-plugin/]. There is not guarantee that specific security vulnerabilities scanner will not detect such a trick but most likely it will not and the scan would be clean. # [Calcite-based SQL Engine|https://ignite.apache.org/docs/latest/SQL/sql-calcite] was added in Ignite 2.13. This is an alternative to H2 and H2 could be excluded if the Calcite-based engine is configured. The Calcite engine is in beta in release 2.13 and the community wants to announce it as production ready in release 2.14 or 2.15. However, there is no guarantee about that and the release dates are not known at the moment of writing this comment. However, some application development teams may consider trying the Calcite engine and it may prove to be stable enough for them, allowing to get rid of the H2 dependency. > Ignite H2 Security Vulnerabilities > ---------------------------------- > > Key: IGNITE-15241 > URL: https://issues.apache.org/jira/browse/IGNITE-15241 > Project: Ignite > Issue Type: Bug > Components: sql > Affects Versions: 2.13 > Reporter: Alexey Kukushkin > Assignee: Alexey Kukushkin > Priority: Major > Labels: cggg > Attachments: Ignite-H2-Vulnerabilities.png > > Original Estimate: 80h > Remaining Estimate: 80h > > Upgrade H2 dependency of the ignite-indexing module to the latest version > 1.4.200. > Apache Ignite SQL (module {{ignite-indexing}}) depends on H2 database version > 1.4.197. Black Duck SCA detects these [security > vulnerabilities|https://www.cvedetails.com/product/45580/H2database-H2.html?vendor_id=17893] > in H2: > !Ignite-H2-Vulnerabilities.png! > We did preliminary real impact analysis considering how Ignite uses H2: > * [CVE-2018-14335|https://www.cvedetails.com/cve/CVE-2018-14335/] > This vulnerability is not applicable to H2 in Ignite since Ignite does not > store data in H2 and thus there can be no H2 backups in Ignite. > * [CVE-2018-10054|https://www.cvedetails.com/cve/CVE-2018-10054/] > This vulnerability is not applicable to H2 in Ignite since Ignite does not > support the {{CREATE ALIAS}} statement > * [CVE-2021-23463|https://www.cvedetails.com/cve/CVE-2021-23463/] > This vulnerability is not applicable to H2 in Ignite since Ignite uses H2 > version 1.4.197 and the vulnerability is applicable to H2 version 1.4.198 and > up to 2.0.202. > * [CVE-2022-23221|https://www.cvedetails.com/cve/CVE-2022-23221/] > This vulnerability is not applicable to H2 in Ignite since Ignite runs H2 > in embedded mode. H2 cannot be externally exposed in embedded mode. The > vulnerability could be exploited on the local machine where Ignite is > running. However, this limits the severity a lot. > * [CVE-2021-42392|https://www.cvedetails.com/cve/CVE-2021-42392/] > This vulnerability is not applicable to H2 in Ignite since Ignite does not > use and does not expose the {{org.h2.util.JdbcUtils.getConnection}} method. > > We realize all those vulnerabilities are not applicable to H2 in Apache > Ignite. However, our security policies are very formal and require somehow > addressing the security vulnerabilities anyway. > We believe there are lots of other enterprises having the same issue. For > example, there is another issue IGNITE-14381 referencing the same problem. > The latest H2 1.4.200 has no vulnerabilities. -- This message was sent by Atlassian Jira (v8.20.7#820007)