Suppress Calcite CVE #13119
Merged
Suppress Calcite CVE #13119
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kfaraz
reviewed
Sep 21, 2022
| <suppress> | ||
| <!-- avatica-server-1.17.0.jar --> | ||
| <notes><
There was a problem hiding this comment.
The vulnerability is in calcite-core. Does it need to be suppressed for avatica-server too?
There was a problem hiding this comment.
I believe calcite is used by avatica server too, wouldn't it need to be suppressed separately?
There was a problem hiding this comment.
I don't think so. Could you try running the security check without the extra suppression?
There was a problem hiding this comment.
the failure is being reported for avatica-server as well.
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or add the path to dotnet core in the configuration.
[ERROR] ----------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.0.4:aggregate (default-cli) on project druid:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] avatica-server-1.17.0.jar: CVE-2022-39135(9.8)
[ERROR] calcite-core-1.21.0.jar: CVE-2022-39135(9.8)
[ERROR]
[ERROR] See the dependency-check report for more details.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
kfaraz
reviewed
Sep 21, 2022
abhishekagarwal87
approved these changes
Sep 23, 2022
liam-verta
pushed a commit
to VertaAI/druid
that referenced
this pull request
Sep 27, 2022
* Suppress Calcite CVE * Update comment
liam-verta
pushed a commit
to VertaAI/druid
that referenced
this pull request
Sep 28, 2022
* Suppress Calcite CVE * Update comment
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The vulnerability is in a builtin function in Calcite, EXTRACT_VALUE, which is not exposed in the Druid console, so druid should be unaffected.
This PR has: