fix(hive): CVE-2023-34455

[razvan]

Description

Part of: https://github.com/stackabletech/vulnerabilities/issues/862

Tests

🟢 CI: https://testing.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/hive-operator-it-custom/5/
* the failed test worked locally

Trivy

CVE no longer found in image.
scan.json

[NickLarsenNZ]

LGTM

[razvan]

Merged main and moved changelog entries up to the Unreleased section.

[lfrancke]

Instead of relying on getting a newer dependency "by accident" we'd need to actually properly depend on the new version.

[razvan]

Instead of relying on getting a newer dependency "by accident" we'd need to actually properly depend on the new version.

A newer version is already configured in the parent pom.xml.

Here we exclude the vulnerable version that is coming with hadoop-common.

[lfrancke]

But if we have a newer version in the parent we don't need to exclude it here, do we?
I'm sorry for the late response :(

[razvan]

But if we have a newer version in the parent we don't need to exclude it here, do we?

It's been a while so I had to start from the beginning.

Currently, without this patch, the vulnerable snappy jar is indeed not part of the image (at list not as a stand-alone jar file). It is listed in the CycloneDX output, that's why the vulnerability is reported.

Proof:

$ docker run -ti --entrypoint bash --rm docker.stackable.tech/stackable/hive:4.0.0-stackable24.11.1
...
$ find /stackable/hadoop/ -name '*snappy*'
/stackable/hadoop/share/hadoop/common/lib/snappy-java-1.1.10.4.jar
/stackable/hadoop/share/hadoop/hdfs/lib/snappy-java-1.1.10.4.jar
$ find /stackable/hive-metastore/ -name '*snappy*'
$
$ grep snappy /stackable/hive-metastore/apache-hive-metastore-4.0.0.cdx.json
      "group" : "org.xerial.snappy",
      "name" : "snappy-java",
      "description" : "snappy-java: A fast compression/decompression library",
      "purl" : "pkg:maven/org.xerial.snappy/[email protected]?type=jar",
          "url" : "https://github.com/xerial/snappy-java"
          "url" : "https://github.com/xerial/snappy-java"
      "bom-ref" : "pkg:maven/org.xerial.snappy/[email protected]?type=jar"
        "pkg:maven/org.xerial.snappy/[email protected]?type=jar"
        "pkg:maven/org.xerial.snappy/[email protected]?type=jar",
      "ref" : "pkg:maven/org.xerial.snappy/[email protected]?type=jar",

This patch removes it from the CycloneDX file too. The confusion arises from the fact that the Cyclone report is generated from the original Hive pom.xml but we actually copy the Hadoop binaries that we build ourselves.

Now I think that a better approach would be to classify the vulnerability as a false positive in SecObserve and close this PR.

WDYT?

[lfrancke]

Okay. Understood. In that case I'm fine with either option. I just wanted to understand.

We can merge this PR (maybe with an extended comment on why we exclude it) or close it in SecObserve.

Please continue as you see fit.
@dervoeti FYI

[dervoeti]

Now I think that a better approach would be to classify the vulnerability as a false positive in SecObserve and close this PR.

Sounds good to me.

I also checked the image and did not find the affected Snappy version anywhere, I even checked whether it's included in any other "fat" JAR, which was not the case. The vulnerability should go away completely once we generate our own version of Hadoop and depend on that in Hive's pom.xml, which will hopefully happen soon-ish.

[razvan]

The CVE has been assesst as "false positive".