Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix for CVE-2976 + add CVE checker #624

Merged
merged 2 commits into from
Sep 15, 2023
Merged

Conversation

okhasawn
Copy link
Contributor

Description

This PR will fix the remaining base branch CVE which requires an update to checkstyle's version, and also add a plugin that can be ran using this command:
./gradlew java-client:dependencyCheckAnalyze
This plugin checks all dependencies in Gradle and will let you know of any CVE's that exist.

An example run before the fix:

Checking for updates and analyzing dependencies for vulnerabilities
Generating report for project java-client
Found 3 vulnerabilities in project java-client


One or more dependencies were identified with known vulnerabilities in java-client:

guava-31.0.1-jre.jar (pkg:maven/com.google.guava/[email protected], cpe:2.3:a:google:guava:31.0.1:*:*:*:*:*:*:*) : CVE-2023-2976, CVE-2020-8908
jackson-databind-2.15.2.jar (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.15.2:*:*:*:*:*:*:*) : CVE-2023-35116

After the fix:

Checking for updates and analyzing dependencies for vulnerabilities
Generating report for project java-client
Found 1 vulnerabilities in project java-client


One or more dependencies were identified with known vulnerabilities in java-client:

jackson-databind-2.15.2.jar (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.15.2:*:*:*:*:*:*:*) : CVE-2023-35116

Issues Resolved

CVE-2976

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

dblock
dblock previously approved these changes Sep 15, 2023
Copy link
Member

@dblock dblock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add this to CHANGELOG, e.g. "Fix: CVE-..."

Signed-off-by: Omar Khasawneh <[email protected]>
@okhasawn
Copy link
Contributor Author

Let's add this to CHANGELOG, e.g. "Fix: CVE-..."

Thanks dblock, I just updated changelog.

Copy link
Collaborator

@VachaShah VachaShah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @okhasawn!

@reta reta merged commit d09bb4e into opensearch-project:main Sep 15, 2023
@reta reta added the backport 2.x Backport to 2.x branch label Sep 15, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-624-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d09bb4eea03b4dd71232c84df8e7ffaa448b8faf
# Push it to GitHub
git push --set-upstream origin backport/backport-624-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-624-to-2.x.

reta pushed a commit to reta/opensearch-java that referenced this pull request Sep 15, 2023
* Fix for CVE-2976 + add CVE checker

Signed-off-by: Omar Khasawneh <[email protected]>

* Updated Changelog

Signed-off-by: Omar Khasawneh <[email protected]>

---------

Signed-off-by: Omar Khasawneh <[email protected]>
(cherry picked from commit d09bb4e)
VachaShah pushed a commit that referenced this pull request Sep 15, 2023
* Fix for CVE-2976 + add CVE checker

Signed-off-by: Omar Khasawneh <[email protected]>

* Updated Changelog

Signed-off-by: Omar Khasawneh <[email protected]>

---------

Signed-off-by: Omar Khasawneh <[email protected]>
(cherry picked from commit d09bb4e)

Co-authored-by: Omar Khasawneh <[email protected]>
@BrendonFaleiro BrendonFaleiro mentioned this pull request Jun 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x Backport to 2.x branch
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants