Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix low sonatype findings #17017

Merged
merged 15 commits into from
Sep 16, 2024
Merged

Fix low sonatype findings #17017

merged 15 commits into from
Sep 16, 2024

Conversation

nozjkoitop
Copy link
Contributor

Fixed vulnerabilities

  • CVE-2021-26291 : Apache Maven is vulnerable to Man-in-the-Middle (MitM) attacks. Various
    functions across several files, mentioned below, allow for custom repositories to use the
    insecure HTTP protocol. An attacker can exploit this as part of a Man-in-the-Middle (MitM)
    attack, taking over or impersonating a repository using the insecure HTTP protocol.
    Unsuspecting users may then have the compromised repository defined as a dependency in
    their Project Object Model (pom) file and download potentially malicious files from it.

Was fixed by removing outdated tesla-aether library containing vulnerable maven-settings (v3.1.1) package, pull-deps utility updated to use maven resolver instead.

  • sonatype-2020-0244 : The joni package is vulnerable to Man-in-the-Middle (MitM) attacks.
    This project downloads dependencies over HTTP due to an insecure repository configuration
    within the .pom file. Consequently, a MitM could intercept requests to the specified
    repository and replace the requested dependencies with malicious versions, which can execute
    arbitrary code from the application that was built with them.

Was fixed by upgrading joni package to recommended 2.1.34 version

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 9, 2024
View reviewed changes
services/src/test/java/org/apache/druid/cli/PullDependenciesTest.java
Comment on lines +431 to +433
RemoteRepository testRepository = new RemoteRepository.Builder("test", "default", "http://example.com")
.setProxy(proxy)
.build();

Check notice

Code scanning / CodeQL

Unread local variable Note test

Variable 'RemoteRepository testRepository' is never read.
@abhishekagarwal87
Copy link
Contributor

Nice. Have you compared the distribution tars before and after the change to verify that the dist is getting built as expected?

@abhishekagarwal87
Copy link
Contributor

Tested it myself and things look good. Downloading the extension works too just fine.

@abhishekagarwal87 abhishekagarwal87 merged commit 6aad9b0 into apache:master Sep 16, 2024
91 checks passed
pranavbhole pushed a commit to pranavbhole/druid that referenced this pull request Sep 17, 2024
@nozjkoitop @pranavbhole
Fix low sonatype findings (apache#17017)
ed91daa 
Fixed vulnerabilities
CVE-2021-26291 : Apache Maven is vulnerable to Man-in-the-Middle (MitM) attacks. Various
functions across several files, mentioned below, allow for custom repositories to use the
insecure HTTP protocol. An attacker can exploit this as part of a Man-in-the-Middle (MitM)
attack, taking over or impersonating a repository using the insecure HTTP protocol.
Unsuspecting users may then have the compromised repository defined as a dependency in
their Project Object Model (pom) file and download potentially malicious files from it.
Was fixed by removing outdated tesla-aether library containing vulnerable maven-settings (v3.1.1) package, pull-deps utility updated to use maven resolver instead.

sonatype-2020-0244 : The joni package is vulnerable to Man-in-the-Middle (MitM) attacks.
This project downloads dependencies over HTTP due to an insecure repository configuration
within the .pom file. Consequently, a MitM could intercept requests to the specified
repository and replace the requested dependencies with malicious versions, which can execute
arbitrary code from the application that was built with them.
Was fixed by upgrading joni package to recommended 2.1.34 version
@adarshsanjeev adarshsanjeev added this to the 32.0.0 milestone Jan 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abhishekagarwal87 abhishekagarwal87 abhishekagarwal87 approved these changes

Assignees
No one assigned
Labels
Area - Dependencies Area - Ingestion
Projects
None yet
Milestone
32.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@nozjkoitop @abhishekagarwal87 @adarshsanjeev