Merge remote-tracking branch 'origin/main' into feature/superset-opa-integration

labrenbe · labrenbe · commit 01e89507839c · 2025-01-31T18:52:17.000+01:00
diff --git a/.scripts/upload_new_jmx_exporter_version.sh b/.scripts/upload_new_jmx_exporter_version.sh
@@ -23,29 +23,28 @@ fi
 
 # deletes the temp directory
 function cleanup {
-    rm -rf "$WORK_DIR"
+  rm -rf "$WORK_DIR"
 }
 
 # register the cleanup function to be called on the EXIT signal
 trap cleanup EXIT
 
 cd "$WORK_DIR" || exit
 
-src_file=jmx_prometheus-$VERSION-src.tar.gz
+JAR_FILE="jmx_prometheus_javaagent-$VERSION.jar"
+SUM_FILE="$JAR_FILE.sha256"
 
-# JMX Exporter does not currently publish signatures or SBOMs (as of 2023-07-24, latest version at this point 0.19.0)
 echo "Downloading JMX Exporter"
-# JMX Exporter provides no offficial source tarballs, download from Git
-git clone https://github.com/prometheus/jmx_exporter "jmx_prometheus-${VERSION}" "--branch=${VERSION}" --depth=1
+curl --fail -LOs "https://github.com/prometheus/jmx_exporter/releases/download/$VERSION/$JAR_FILE"
+curl --fail -LOs "https://github.com/prometheus/jmx_exporter/releases/download/$VERSION/$SUM_FILE"
 
-echo "Archiving JMX Exporter"
-git -C "jmx_prometheus-${VERSION}" archive "${VERSION}" --format=tar.gz --prefix="jmx_prometheus-${VERSION}-src/" > "${src_file}"
-sha256sum "${src_file}" | cut --delimiter=' ' --field=1 > "${src_file}.sha256"
+# Check that sha256 sum matches before uploading
+sha256sum --check --status "$SUM_FILE" && echo "SHA256 Sum matches"
 
 echo "Uploading to Nexus"
-curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
-curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}.sha256" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "$JAR_FILE" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "$SUM_FILE" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
 
-echo "Successfully uploaded new version of JMX Exporter ($VERSION) to Nexus"
+echo "Successfully uploaded new version of the JMX Exporter ($VERSION) Jar to Nexus"
 echo "https://repo.stackable.tech/service/rest/repository/browse/packages/jmx-exporter/"
-echo "https://github.com/prometheus/jmx_exporter/releases/tag/parent-$VERSION"
+echo "https://github.com/prometheus/jmx_exporter/releases/tag/$VERSION"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,7 +14,8 @@ All notable changes to this project will be documented in this file.
   util-linux-core contains a basic set of Linux utilities, including the
   command logger which allows to enter messages into the system log.
 - vector: Add version 0.43.1 ([#980]).
-- opa: Add version 1.0.0 ([#981])
+- opa: Add version 1.0.0 ([#981]).
+- statsd-exporter: Bump version to 0.28.0 ([#982]).
 
 ### Removed
 
@@ -24,6 +25,7 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
+- druid: Fix CVE-2023-34455 in Druid `30.0.0` by deleting a dependency ([#935]).
 - hadoop: Fix the JMX exporter configuration for metrics suffixed with
   `_total`, `_info` and `_created` ([#962]).
 
@@ -32,9 +34,11 @@ All notable changes to this project will be documented in this file.
 [#943]: https://github.com/stackabletech/docker-images/pull/943
 [#958]: https://github.com/stackabletech/docker-images/pull/958
 [#959]: https://github.com/stackabletech/docker-images/pull/959
+[#935]: https://github.com/stackabletech/docker-images/pull/935
 [#962]: https://github.com/stackabletech/docker-images/pull/962
 [#980]: https://github.com/stackabletech/docker-images/pull/980
 [#981]: https://github.com/stackabletech/docker-images/pull/981
+[#982]: https://github.com/stackabletech/docker-images/pull/982
 
 ## [24.11.1] - 2025-01-14
 
diff --git a/airflow/versions.py b/airflow/versions.py
@@ -3,23 +3,23 @@
         "product": "2.9.2",
         "python": "3.9",
         "git_sync": "v4.2.4",
-        "statsd_exporter": "0.27.1",
+        "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.43.1",
     },
     {
         "product": "2.9.3",
         "python": "3.9",
         "git_sync": "v4.2.4",
-        "statsd_exporter": "0.27.1",
+        "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.43.1",
     },
     {
         "product": "2.10.2",
         "python": "3.12",
         "git_sync": "v4.2.4",
-        "statsd_exporter": "0.27.1",
+        "statsd_exporter": "0.28.0",
         "tini": "0.19.0",
         "vector": "0.43.1",
     },
diff --git a/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch
@@ -0,0 +1,36 @@
+Fix CVE-2023-34455
+see https://github.com/stackabletech/vulnerabilities/issues/558
+
+At the end of build process, Druid downloads dependencies directly from a remote
+Maven repository ignoring existing patches that have been applyed locally.
+These dependencies include all transitive dependencies too.
+The hadoop client depends on a vulnerable version of the snappy library which
+is then also downloaded even though a newer version is already on the system.
+
+This patch removes the vulnerable jars.
+
+diff --git a/distribution/pom.xml b/distribution/pom.xml
+index d5918710ef..2d5bfc6ab4 100644
+--- a/distribution/pom.xml
++++ b/distribution/pom.xml
+@@ -259,6 +259,20 @@
+                                     </arguments>
+                                 </configuration>
+                             </execution>
++                            <execution>
++                                <id>fix-cve-2023-34455-remove-snappy</id>
++                                <phase>package</phase>
++                                <goals>
++                                    <goal>exec</goal>
++                                </goals>
++                                <configuration>
++                                  <executable>/usr/bin/rm</executable>
++                                    <arguments>
++                                      <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar</argument>
++                                      <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar</argument>
++                                    </arguments>
++                                </configuration>
++                            </execution>
+                         </executions>
+                     </plugin>
+                     <plugin>
diff --git a/statsd_exporter/versions.py b/statsd_exporter/versions.py
@@ -1,6 +1,6 @@
 versions = [
     {
-        "product": "0.27.1",
+        "product": "0.28.0",
         "stackable-base": "1.0.0",
     }
 ]
diff --git a/superset/versions.py b/superset/versions.py
@@ -3,7 +3,7 @@
         "product": "4.0.2",
         "python": "3.9",
         "vector": "0.43.1",
-        "statsd_exporter": "0.27.1",
+        "statsd_exporter": "0.28.0",
         "authlib": "1.2.1",  # https://github.com/dpgaspar/Flask-AppBuilder/blob/release/4.4.1/requirements/extra.txt#L7
     },
 ]

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`versions = [`
`2`	`2`	`{`
`3`		`- "product": "0.27.1",`
	`3`	`+ "product": "0.28.0",`
`4`	`4`	`"stackable-base": "1.0.0",`
`5`	`5`	`}`
`6`	`6`	`]`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"product": "4.0.2",`
`4`	`4`	`"python": "3.9",`
`5`	`5`	`"vector": "0.43.1",`
`6`		`- "statsd_exporter": "0.27.1",`
	`6`	`+ "statsd_exporter": "0.28.0",`
`7`	`7`	`"authlib": "1.2.1", # https://github.com/dpgaspar/Flask-AppBuilder/blob/release/4.4.1/requirements/extra.txt#L7`
`8`	`8`	`},`
`9`	`9`	`]`