Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

snakeyaml cve fix #24099

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

snakeyaml cve fix #24099

wants to merge 1 commit into from
+128 −132

Conversation

nishithakbhaskaran
Copy link

@nishithakbhaskaran nishithakbhaskaran commented Nov 20, 2024
edited
Loading

Description

  • Upgrade snakeyaml version to 2.0

  • Presto Cassandra Tests were failing because the cassandra-server version 2.1.16-1 using sankeyaml 1.x as tranistiive dependency and if we update the version it will cause some methodNotFound Error. Inorder to overcome this we removed the cassandra-server from presto and cherrypicked the dockerised cassandra in tests as done in Use dockerized Cassandra in tests trinodb/trino#2377 . This approach will resolve the issue.

Motivation and Context

  • snakeyaml 1.x version which is coming as a transitive dependency introduces below High and Medium CVEs in Mend Scan.

CVE-2022-1471
CVE-2022-25857
CVE-2017-18640
CVE-2022-38752
CVE-2022-38751
CVE-2022-38750
CVE-2022-38749
CVE-2022-41854

  • Presto Cassandra Tests were failing because the cassandra-server version 2.1.16-1 using sankeyaml 1.x as tranistiive dependency and if we update the version it will cause some methodNotFound Error. Inorder to overcome this we removed the cassandra-server from presto and cherrypicked the dockerised cassandra in tests as done in Use dockerized Cassandra in tests trinodb/trino#2377 . This approach will resolve the issue.

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Fixes
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-1471 <https://nvd.nist.gov/vuln/detail/CVE-2022-1471>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-25857 <https://nvd.nist.gov/vuln/detail/cve-2022-25857>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2017-18640 <https://nvd.nist.gov/vuln/detail/cve-2017-18640>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-38752 <https://nvd.nist.gov/vuln/detail/CVE-2022-38752>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-38751 <https://nvd.nist.gov/vuln/detail/CVE-2022-38751>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-38750 <https://nvd.nist.gov/vuln/detail/CVE-2022-38750>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-38749 <https://nvd.nist.gov/vuln/detail/CVE-2022-38749>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-41854 <https://nvd.nist.gov/vuln/detail/CVE-2022-41854>`_. :pr:`24099`

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Nov 20, 2024
@prestodb-ci prestodb-ci requested a review from a team November 20, 2024 09:04
@nishithakbhaskaran nishithakbhaskaran marked this pull request as ready for review November 22, 2024 14:40
@nishithakbhaskaran nishithakbhaskaran requested a review from a team as a code owner November 22, 2024 14:40
@ethanyzhang ethanyzhang requested review from a team, psnv03 and pramodsatya and removed request for a team November 25, 2024 07:04
@nishithakbhaskaran nishithakbhaskaran marked this pull request as draft November 25, 2024 07:05
@nishithakbhaskaran nishithakbhaskaran marked this pull request as ready for review November 25, 2024 09:29
@nishithakbhaskaran
Copy link
Author

Presto Cassandra Tests were failing because the cassandra-server version 2.1.16-1 using sankeyaml 1.x as tranistiive dependency and if we update the version it will cause some methodNotFound Error. Inorder to overcome this we removed the cassandra-server from presto and cherrypicked the dockerised cassandra in tests as done in Trino . This approach will resolve the issue.

yingsu00
yingsu00 reviewed Nov 26, 2024
View reviewed changes
presto-cassandra/src/test/java/com/facebook/presto/cassandra/CassandraQueryRunner.java Show resolved Hide resolved
presto-cassandra/src/test/java/com/facebook/presto/cassandra/TestCassandraConnector.java Outdated
@@ -94,6 +93,8 @@ public class TestCassandraConnector
ImmutableSet.of(),
Optional.empty(),
ImmutableMap.of());

private CassandraServer server;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move this private member to the private section below.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated

presto-cassandra/src/test/resources/cu-cassandra.yaml
@@ -94,10 +94,10 @@ partitioner: org.apache.cassandra.dht.Murmur3Partitioner

# directories where Cassandra should store data on disk.
data_file_directories:
- ${data_directory}/data
- /var/lib/cassandra/data
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What would happen if /var/lib/cassandra does not exist?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the path in Cassandra container and when we start the Cassandra by default will write its data files there.

presto-cassandra/src/test/java/com/facebook/presto/cassandra/CassandraServer.java
@@ -123,27 +114,19 @@ private static String prepareCassandraYaml()
return yamlLocation.toAbsolutePath().toString();
}

public static synchronized CassandraSession getSession()
public CassandraSession getSession()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For line 109:

Since you removed data_directory from cu-cassandra.yaml, this is no longer needed. However we need to make sure the path you specified always exist and won't cause error on different platforms.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure I have removed the line. Also the path is inside cassandra docker container and it will be independent of the platforms, so I believe this won't cause issues. I have updated the cherrypick id in the description of the PR.

presto-cassandra/pom.xml
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.slf4j</groupId>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is this bring used?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This dependencyManagement section is to fix the Require upper bound dependencies error for slf4j while building the cassandra module.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain a little bit about why the error happens if this one was not added? Is org.testcontainers dependent on slf4j or something else?

Copy link
Author

@nishithakbhaskaran nishithakbhaskaran Nov 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes @yingsu00 .

slf4j comes as a transitive dependency in org.testcontainers. If we do not add this dependencymanagement tag
the following error will come.

Rule 0: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps.
.....
.....

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M2:enforce (default) on project presto-cassandra: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed.

Inorder to fix this I have added the slf4j version as dependencyManagement tag.

yingsu00
yingsu00 reviewed Nov 28, 2024
View reviewed changes
Copy link
Contributor

@yingsu00 yingsu00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the commit message, there should be an empty line after the commit tile.

@nishithakbhaskaran
Copy link
Author

In the commit message, there should be an empty line after the commit tile.

@yingsu00 Updated the commit message.Please verify

@nishithakbhaskaran @ebyhr
Fix snakeyaml CVEs
fcfb964 
snakeyaml 1.x version causing mend scan CVEs.

Cherry-pick of trinodb/trino#2377

Co-authored-by: Yuya Ebihara <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yingsu00 yingsu00 yingsu00 left review comments

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

@psnv03 psnv03 Awaiting requested review from psnv03 psnv03 was automatically assigned from prestodb/ibm-reviewers

@pramodsatya pramodsatya Awaiting requested review from pramodsatya pramodsatya was automatically assigned from prestodb/ibm-reviewers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
from:IBM PR from IBM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nishithakbhaskaran @yingsu00 @prestodb-ci