[ROCK-1318] Fix disocvery vulnerabilities (#183)

* Do not build vulnerable drivers * Bump quartz transitive dependency from vulnerable 2.1.7 to 2.3.2 * Bump crossdata-jdbc4 version 2.14.4-1830fff -> 2.16.2-2e12375
Stratio · Feb 4, 2020 · 1ca9893 · 1ca9893
1 parent b9777b7
commit 1ca9893
Show file tree

Hide file tree

Showing 20 changed files with 21 additions and 12 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -32,7 +32,7 @@ ENV MAVEN_VERSION="3.2.5" \
     M2_HOME=/usr/lib/mvn
 
 # To generate local docker, comment mvn dependency:get and mv. Download jar in ./bin/lib/
-# http://qa.stratio.com/repository/releases/com/stratio/jdbc/stratio-crossdata-jdbc4/2.14.4-1830fff/stratio-crossdata-jdbc4-2.14.4-1830fff.jar
+# http://qa.stratio.com/repository/releases/com/stratio/crossdata/driver/stratio-crossdata-jdbc4/2.16.2-2e12375/stratio-crossdata-jdbc4-2.16.2-2e12375.jar
 RUN apk add --update wget && \
     cd /tmp && \
     wget "http://ftp.unicamp.br/pub/apache/maven/maven-3/$MAVEN_VERSION/binaries/apache-maven-$MAVEN_VERSION-bin.tar.gz" && \
@@ -42,9 +42,9 @@ RUN apk add --update wget && \
     mvn package -f /app/source/local-query-execution-factory/pom.xml && \
     mv /app/source/local-query-execution-factory/target/local-query-execution-factory-0.2.jar /app/source/bin/lib/local-query-execution-factory-0.2.jar && \
     mvn install:install-file -Dfile=/app/source/bin/lib/local-query-execution-factory-0.2.jar -DgroupId=com.stratio.metabase -DartifactId=local-query-execution-factory -Dversion=0.2 -Dpackaging=jar && \
-    mvn dependency:get -DgroupId=com.stratio.jdbc -DartifactId=stratio-crossdata-jdbc4 -Dversion=2.14.4-1830fff -DremoteRepositories=http://sodio.stratio.com/repository/public/ -Dtransitive=false && \
-    mv /root/.m2/repository/com/stratio/jdbc/stratio-crossdata-jdbc4/2.14.4-1830fff/stratio-crossdata-jdbc4-2.14.4-1830fff.jar /app/source/bin/lib/stratio-crossdata-jdbc4-2.14.4-1830fff.jar && \
-    mvn install:install-file -Dfile=/app/source/bin/lib/stratio-crossdata-jdbc4-2.14.4-1830fff.jar -DgroupId=com.stratio.jdbc -DartifactId=stratio-crossdata-jdbc4 -Dversion=2.14.4-1830fff -Dpackaging=jar
+    mvn dependency:get -DgroupId=com.stratio.crossdata.driver -DartifactId=stratio-crossdata-jdbc4 -Dversion=2.16.2-2e12375 -DremoteRepositories=http://sodio.stratio.com/repository/public/ -Dtransitive=false && \
+    mv /root/.m2/repository/com/stratio/crossdata/driver/stratio-crossdata-jdbc4/2.16.2-2e12375/stratio-crossdata-jdbc4-2.16.2-2e12375.jar /app/source/bin/lib/stratio-crossdata-jdbc4-2.16.2-2e12375.jar && \
+    mvn install:install-file -Dfile=/app/source/bin/lib/stratio-crossdata-jdbc4-2.16.2-2e12375.jar -DgroupId=com.stratio.crossdata.driver -DartifactId=stratio-crossdata-jdbc4 -Dversion=2.16.2-2e12375 -Dpackaging=jar
 
 # lein:    backend dependencies and building
 ADD https://raw.github.com/technomancy/leiningen/stable/bin/lein /usr/local/bin/lein

diff --git a/bin/install_dependencies.sh b/bin/install_dependencies.sh
@@ -3,5 +3,5 @@ mvn package -f ./local-query-execution-factory/pom.xml
 cp ./local-query-execution-factory/target/local-query-execution-factory-0.2.jar ./bin/lib/local-query-execution-factory-0.2.jar
 mvn install:install-file -Dfile=./bin/lib/local-query-execution-factory-0.2.jar -DgroupId=com.stratio.metabase -DartifactId=local-query-execution-factory -Dversion=0.2 -Dpackaging=jar
 
-mvn dependency:copy -Dartifact=com.stratio.jdbc:stratio-crossdata-jdbc4:2.14.4-1830fff -DoutputDirectory=./bin/lib/
-mvn install:install-file -Dfile=./bin/lib/stratio-crossdata-jdbc4-2.14.4-1830fff.jar -DgroupId=com.stratio.jdbc -DartifactId=stratio-crossdata-jdbc4 -Dversion=2.14.4-1830fff -Dpackaging=jar
+mvn dependency:copy -Dartifact=com.stratio.crossdata.driver:stratio-crossdata-jdbc4:2.16.2-2e12375 -DoutputDirectory=./bin/lib/
+mvn install:install-file -Dfile=./bin/lib/stratio-crossdata-jdbc4-2.16.2-2e12375.jar -DgroupId=com.stratio.crossdata.driver -DartifactId=stratio-crossdata-jdbc4 -Dversion=2.16.2-2e12375 -Dpackaging=jar
diff --git a/modules/drivers/crossdata/project.clj b/modules/drivers/crossdata/project.clj
@@ -2,7 +2,7 @@
   :min-lein-version "2.5.0"
 
   :dependencies
-  [[com.stratio.jdbc/stratio-crossdata-jdbc4 "2.14.4-1830fff"
+  [[com.stratio.crossdata.driver/stratio-crossdata-jdbc4 "2.16.2-2e12375"
     :exclusions [com.fasterxml.jackson.core/jackson-core]]]
 
   :profiles

diff --git a/modules/drivers/sparksql/project.clj → modules/drivers_nobuild/sparksql/project.clj b/modules/drivers/sparksql/project.clj → modules/drivers_nobuild/sparksql/project.clj
diff --git a/...s/sparksql/resources/metabase-plugin.yaml → ...d/sparksql/resources/metabase-plugin.yaml b/...s/sparksql/resources/metabase-plugin.yaml → ...d/sparksql/resources/metabase-plugin.yaml
diff --git a/...c/metabase/driver/FixedHiveConnection.clj → ...c/metabase/driver/FixedHiveConnection.clj b/...c/metabase/driver/FixedHiveConnection.clj → ...c/metabase/driver/FixedHiveConnection.clj
diff --git a/...l/src/metabase/driver/FixedHiveDriver.clj → ...l/src/metabase/driver/FixedHiveDriver.clj b/...l/src/metabase/driver/FixedHiveDriver.clj → ...l/src/metabase/driver/FixedHiveDriver.clj
diff --git a/...parksql/src/metabase/driver/hive_like.clj → ...parksql/src/metabase/driver/hive_like.clj b/...parksql/src/metabase/driver/hive_like.clj → ...parksql/src/metabase/driver/hive_like.clj
diff --git a/...sparksql/src/metabase/driver/sparksql.clj → ...sparksql/src/metabase/driver/sparksql.clj b/...sparksql/src/metabase/driver/sparksql.clj → ...sparksql/src/metabase/driver/sparksql.clj
diff --git a/...l/test/metabase/driver/hive_like_test.clj → ...l/test/metabase/driver/hive_like_test.clj b/...l/test/metabase/driver/hive_like_test.clj → ...l/test/metabase/driver/hive_like_test.clj
diff --git a/...ql/test/metabase/driver/sparksql_test.clj → ...ql/test/metabase/driver/sparksql_test.clj b/...ql/test/metabase/driver/sparksql_test.clj → ...ql/test/metabase/driver/sparksql_test.clj
diff --git a/...ksql/test/metabase/test/data/sparksql.clj → ...ksql/test/metabase/test/data/sparksql.clj b/...ksql/test/metabase/test/data/sparksql.clj → ...ksql/test/metabase/test/data/sparksql.clj
diff --git a/modules/drivers/sqlite/project.clj → modules/drivers_nobuild/sqlite/project.clj b/modules/drivers/sqlite/project.clj → modules/drivers_nobuild/sqlite/project.clj
diff --git a/...ers/sqlite/resources/metabase-plugin.yaml → ...ild/sqlite/resources/metabase-plugin.yaml b/...ers/sqlite/resources/metabase-plugin.yaml → ...ild/sqlite/resources/metabase-plugin.yaml
diff --git a/...ers/sqlite/src/metabase/driver/sqlite.clj → ...ild/sqlite/src/metabase/driver/sqlite.clj b/...ers/sqlite/src/metabase/driver/sqlite.clj → ...ild/sqlite/src/metabase/driver/sqlite.clj
diff --git a/...lite/test/metabase/driver/sqlite_test.clj → ...lite/test/metabase/driver/sqlite_test.clj b/...lite/test/metabase/driver/sqlite_test.clj → ...lite/test/metabase/driver/sqlite_test.clj
diff --git a/...sqlite/test/metabase/test/data/sqlite.clj → ...sqlite/test/metabase/test/data/sqlite.clj b/...sqlite/test/metabase/test/data/sqlite.clj → ...sqlite/test/metabase/test/data/sqlite.clj
diff --git a/pom.xml b/pom.xml
@@ -500,9 +500,9 @@
       <version>0.4.5</version>
     </dependency>
     <dependency>
-      <groupId>com.stratio.jdbc</groupId>
+      <groupId>com.stratio.crossdata.driver</groupId>
       <artifactId>stratio-crossdata-jdbc4</artifactId>
-      <version>2.14.4-1830fff</version>
+      <version>2.16.2-2e12375</version>
       <exclusions>
         <exclusion>
           <artifactId>clojure</artifactId>

diff --git a/project.clj b/project.clj
@@ -60,7 +60,11 @@
                  slingshot]]
    [clj-time "0.15.1"]                                                ; library for dealing with date/time
    [clojurewerkz/quartzite "2.1.0"                                    ; scheduling library
-    :exclusions [c3p0]]
+    :exclusions [c3p0
+                 ;; < STRATIO - upgrade quartz for fix vulnerabilities
+                 org.quartz-scheduler/quartz]]
+   [org.quartz-scheduler/quartz "2.3.2"]
+   ;; STRATIO >
    [colorize "0.1.1" :exclusions [org.clojure/clojure]]               ; string output with ANSI color codes (for logging)
    [com.cemerick/friend "0.2.3"                                       ; auth library
     :exclusions [commons-codec
@@ -114,7 +118,7 @@
    [org.tcrawley/dynapath "1.0.0"]                                    ; Dynamically add Jars (e.g. Oracle or Vertica) to classpath
    [org.yaml/snakeyaml "1.23"]                                        ; YAML parser (required by liquibase)
    [potemkin "0.4.5"]                                                 ; utility macros & fns
-   [com.stratio.jdbc/stratio-crossdata-jdbc4       "2.14.4-1830fff"
+   [com.stratio.crossdata.driver/stratio-crossdata-jdbc4       "2.16.2-2e12375"
                   :exclusions [org.clojure/clojure
                                org.bouncycastle/bcpkix-jdk15on
                                org.bouncycastle/bcprov-jdk15on

diff --git a/src/metabase/task.clj b/src/metabase/task.clj
@@ -94,7 +94,12 @@
     ;; get a connection from our application DB connection pool. Quartz will close it (i.e., return it to the pool)
     ;; when it's done
     (jdbc/get-connection (db/connection)))
-  (shutdown [_]))
+  (shutdown [_])
+  ;; <STRATIO - bumping quartz to fix vulnerabilities forces us to implement this method
+  ;; of the ConnectionProvider interface (in old quartz version it was not called)
+  (initialize [_])
+  ;; STRATIO >
+  )
 
 (when-not *compile-files*
   (System/setProperty "org.quartz.dataSource.db.connectionProvider.class" (.getName ConnectionProvider)))