Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update of dependencies to comply with Whitesource security scan #333

Closed
PiotrWu opened this issue May 23, 2022 · 6 comments · Fixed by #334
Closed

Update of dependencies to comply with Whitesource security scan #333

PiotrWu opened this issue May 23, 2022 · 6 comments · Fixed by #334

Comments

@PiotrWu
Copy link

PiotrWu commented May 23, 2022
edited
Loading

At our company we're using Whitesource software for detection of the security issues. Unfortunately the newest version (2.11.1) of aws-xray-recorder-sdk-core doesn't comply with our policy. Some libraries have serious vulnerabilities and some are just old (joda-time is 7 years old). Below is the list of libraries that were rejected in a security scan.
Most if not all of these problematic dependencies come from aws-java-sdk-core library which should also be updated.

image

aws-xray-recorder-sdk-core-2.11.1.jar 
└---aws-java-sdk-xray-1.11.903.jar 
       └---aws-java-sdk-core-1.11.903.jar 
                └---ion-java-1.0.2.jar - **_reject old libraries_**
                └---jackson-databind-2.6.7.4.jar - **_reject high vulnerable libraries_**
                        └---jackson-annotations-2.6.0.jar - **_reject old libraries_**
                        └---jackson-core-2.6.7.jar - **_reject old libraries_**
                └---jackson-dataformat-cbor-2.6.7.jar - **_reject high vulnerable libraries_**
                └---joda-time-2.8.1.jar - **_reject old libraries_**

Please consider this request as without these changes it becomes impossible to use xray.
@wangzlei
Copy link
Contributor

Thanks for raising this question, we are working on upgrade the aws-java-sdk-core to the latest version 1.12.

@NathanielRN NathanielRN mentioned this issue May 25, 2022
Merged
@SebastianCelejewski
Copy link

As far as I can see in https://github.com/aws/aws-sdk-java/blob/master/pom.xml AWS Java SDK 1.12.228 still uses Joda Time 2.8.1 which is not accepted by WhiteSource (library version released on 15 Jun 2015).

@NathanielRN
Copy link
Contributor

@SebastianCelejewski Unfortunately it looks like the AWS Java SDK team doesn't have any plans to remove Joda Time like they did for Jackson. They need to maintain backwards compatibility with Java 6 and that's why they can't remove it. See aws/aws-sdk-java#1580.

As always, ADOT (AWS Distro for OTel) Java has full GA support by the X-Ray team, so it is a great alternative to the X-Ray Java SDK with a superset of features.

@PiotrWu
Copy link
Author

PiotrWu commented Jun 1, 2022

@NathanielRN joda-time by itself is fine, it's just this obsolete version what is the problem. If they could update it to some more recent version it would be fine. I see that the last version is 2.10.14 from March 2022. It's still version 2 so probably there aren't any breaking changes.

@NathanielRN
Copy link
Contributor

@PiotrWu Do you think we can continue the conversation on that GitHub issue there in that case? Since without a newer AWS Java SDK, we can’t unblock the issue here on X-Ray side, unless we used V2 somehow but that would be a bigger feature request for the X-Ray SDK here.

@PiotrWu
Copy link
Author

PiotrWu commented Jun 1, 2022

@NathanielRN sure.

@PiotrWu PiotrWu mentioned this issue Jun 6, 2022
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Upgrade AWS Java SDK to 1.12.228 NathanielRN/aws-xray-sdk-java
4 participants
@SebastianCelejewski @NathanielRN @PiotrWu @wangzlei