Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PPP-4582] Use of Vulnerable Component: Components/oauth_client_library_for_java #5676

Merged
merged 1 commit into from
Sep 17, 2024
Merged

[PPP-4582] Use of Vulnerable Component: Components/oauth_client_library_for_java #5676

merged 1 commit into from
Sep 17, 2024

Conversation

singletonc
Copy link
Contributor

@singletonc singletonc commented Aug 2, 2024
edited
Loading

@singletonc
[PPP-4582] Use of Vulnerable Component: Components/oauth_client_libra…
1cab268 
…ry_for_java

Remove unused plugins with vulnerabilities from assembly:
    - pentaho-googledrive-vfs
    - pdi-google-analytics-plugin
@hitachivantarasonarqube HitachiVantaraSonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@buildguy
Copy link
Collaborator

buildguy commented Aug 2, 2024

👍 Frogbot scanned this pull request and found that it did not add vulnerable dependencies.

Note:

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

@buildguy
Copy link
Collaborator

buildguy commented Aug 2, 2024

✅ Build finished in 13m 52s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
assemblies/pentaho-solutions

❗ No tests found!

ℹ️ This is an automatic message

@singletonc singletonc mentioned this pull request Aug 5, 2024
Closed
@singletonc singletonc mentioned this pull request Sep 10, 2024
Closed
singletonc pushed a commit to singletonc/pentaho-hadoop-shims that referenced this pull request Sep 10, 2024
@angel-ramoscardona @singletonc
[PPP-4582] Use of Vulnerable Component: Components/oauth_client_libra…
972346f 
…ry_for_java

PR Set for https://hv-eng.atlassian.net/browse/PPP-4582:
- pentaho/pdi-plugins-ee#1290
- pentaho/pentaho-platform#5676
-

Updated the gcs-connector versions to 3.0.2 where possible; it doesn't include gooogle-oauth-client at all.
- I had to add gcsio for apache driver so that it can be used in GcsConf for import com.google.cloud.hadoop.gcsio.GoogleCloudStorageFileSystem;

Dataproc1421 is stuck on Hadoop 2, so, we have to go with hadoop2-2.2.24 version, which has vulnerabilities pertaining to Hadoop 2.

All remaining instances of google oauth (including that from gcs-connector:jar:hadoop2-2.2.24 → google-oauth-client:jar:1.34.1) are now on 1.33.3+, whose indirect vulnerabilities pertain to guava, which is managed in its own dependency block.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

I didn't see guava being pulled in on oauth anywhere, but I have excluded it in related, gateway-cloud-bindings dependencies to be sure that oauth doesn't pull it in and it is only ever intentionally added by us elsewhere.
@singletonc singletonc mentioned this pull request Sep 10, 2024
Merged
@singletonc singletonc marked this pull request as ready for review September 12, 2024 22:43
@singletonc singletonc requested a review from a team as a code owner September 12, 2024 22:43
@rmansoor rmansoor merged commit 3fac5a9 into pentaho:master Sep 17, 2024
2 checks passed
singletonc pushed a commit to singletonc/pentaho-hadoop-shims that referenced this pull request Oct 8, 2024
@angel-ramoscardona @singletonc
[PPP-4582] Use of Vulnerable Component: Components/oauth_client_libra…
8414fc6 
…ry_for_java

PR Set for https://hv-eng.atlassian.net/browse/PPP-4582:
- pentaho/pdi-plugins-ee#1290
- pentaho/pentaho-platform#5676
-

Updated the gcs-connector versions to 3.0.2 where possible; it doesn't include gooogle-oauth-client at all.
- I had to add gcsio for apache driver so that it can be used in GcsConf for import com.google.cloud.hadoop.gcsio.GoogleCloudStorageFileSystem;

Dataproc1421 is stuck on Hadoop 2, so, we have to go with hadoop2-2.2.24 version, which has vulnerabilities pertaining to Hadoop 2.

All remaining instances of google oauth (including that from gcs-connector:jar:hadoop2-2.2.24 → google-oauth-client:jar:1.34.1) are now on 1.33.3+, whose indirect vulnerabilities pertain to guava, which is managed in its own dependency block.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

I didn't see guava being pulled in on oauth anywhere, but I have excluded it in related, gateway-cloud-bindings dependencies to be sure that oauth doesn't pull it in and it is only ever intentionally added by us elsewhere.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rmansoor rmansoor rmansoor approved these changes

@NJtwentyone NJtwentyone NJtwentyone approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@singletonc @buildguy @rmansoor @NJtwentyone