chore: Merge branch 'main' into feat/airflow-opa

siegfriedweber · siegfriedweber · commit 61d0304fa305 · 2025-01-29T16:43:25.000+01:00
diff --git a/.scripts/upload_new_jmx_exporter_version.sh b/.scripts/upload_new_jmx_exporter_version.sh
@@ -23,28 +23,20 @@ fi
 
 # deletes the temp directory
 function cleanup {
-    rm -rf "$WORK_DIR"
+  rm -rf "$WORK_DIR"
 }
 
 # register the cleanup function to be called on the EXIT signal
 trap cleanup EXIT
 
 cd "$WORK_DIR" || exit
 
-src_file=jmx_prometheus-$VERSION-src.tar.gz
-
 # JMX Exporter does not currently publish signatures or SBOMs (as of 2023-07-24, latest version at this point 0.19.0)
 echo "Downloading JMX Exporter"
-# JMX Exporter provides no offficial source tarballs, download from Git
-git clone https://github.com/prometheus/jmx_exporter "jmx_prometheus-${VERSION}" "--branch=${VERSION}" --depth=1
-
-echo "Archiving JMX Exporter"
-git -C "jmx_prometheus-${VERSION}" archive "${VERSION}" --format=tar.gz --prefix="jmx_prometheus-${VERSION}-src/" > "${src_file}"
-sha256sum "${src_file}" | cut --delimiter=' ' --field=1 > "${src_file}.sha256"
+curl --fail -LOs "https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/$VERSION/jmx_prometheus_javaagent-$VERSION.jar"
 
 echo "Uploading to Nexus"
-curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
-curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "${src_file}.sha256" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
+curl --fail -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "jmx_prometheus_javaagent-$VERSION.jar" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'
 
 echo "Successfully uploaded new version of JMX Exporter ($VERSION) to Nexus"
 echo "https://repo.stackable.tech/service/rest/repository/browse/packages/jmx-exporter/"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,7 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
+- druid: Fix CVE-2023-34455 in Druid `30.0.0` by deleting a dependency ([#935]).
 - hadoop: Fix the JMX exporter configuration for metrics suffixed with
   `_total`, `_info` and `_created` ([#962]).
 
@@ -32,6 +33,7 @@ All notable changes to this project will be documented in this file.
 [#943]: https://github.com/stackabletech/docker-images/pull/943
 [#958]: https://github.com/stackabletech/docker-images/pull/958
 [#959]: https://github.com/stackabletech/docker-images/pull/959
+[#935]: https://github.com/stackabletech/docker-images/pull/935
 [#962]: https://github.com/stackabletech/docker-images/pull/962
 [#978]: https://github.com/stackabletech/docker-images/pull/978
 [#980]: https://github.com/stackabletech/docker-images/pull/980
diff --git a/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch b/druid/stackable/patches/30.0.0/10-cve-2023-34455-rm-snappy.patch
@@ -0,0 +1,36 @@
+Fix CVE-2023-34455
+see https://github.com/stackabletech/vulnerabilities/issues/558
+
+At the end of build process, Druid downloads dependencies directly from a remote
+Maven repository ignoring existing patches that have been applyed locally.
+These dependencies include all transitive dependencies too.
+The hadoop client depends on a vulnerable version of the snappy library which
+is then also downloaded even though a newer version is already on the system.
+
+This patch removes the vulnerable jars.
+
+diff --git a/distribution/pom.xml b/distribution/pom.xml
+index d5918710ef..2d5bfc6ab4 100644
+--- a/distribution/pom.xml
++++ b/distribution/pom.xml
+@@ -259,6 +259,20 @@
+                                     </arguments>
+                                 </configuration>
+                             </execution>
++                            <execution>
++                                <id>fix-cve-2023-34455-remove-snappy</id>
++                                <phase>package</phase>
++                                <goals>
++                                    <goal>exec</goal>
++                                </goals>
++                                <configuration>
++                                  <executable>/usr/bin/rm</executable>
++                                    <arguments>
++                                      <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-api/3.3.6/snappy-java-1.1.8.2.jar</argument>
++                                      <argument>${project.build.directory}/hadoop-dependencies/hadoop-client-runtime/3.3.6/snappy-java-1.1.8.2.jar</argument>
++                                    </arguments>
++                                </configuration>
++                            </execution>
+                         </executions>
+                     </plugin>
+                     <plugin>
