Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix spring jar medium security vulnerabilities #24307

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix spring jar medium security vulnerabilities #24307

wants to merge 1 commit into from

Conversation

ShahimSharafudeen
Copy link

@ShahimSharafudeen ShahimSharafudeen commented Dec 30, 2024
edited
Loading

Description

Fixing OSS CVEs for medium transitive vulnerabilities in the benchto-driver jar originating from Spring JARs

Motivation and Context

CVEs
CVE-2022-22950
WS-2016-7112
CVE-2022-22968
CVE-2024-38808
CVE-2023-20861
CVE-2023-20863
CVE-2024-38820

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.


== RELEASE NOTES ==
Security Changes
* Fix `CVE-2022-22950 <https://www.mend.io/vulnerability-database/CVE-2022-22950>`_. :pr:`24307`
* Fix `WS-2016-7112 <https://www.mend.io/vulnerability-database/WS-2016-7112>`_. :pr:`24307`
* Fix `CVE-2022-22968 <https://www.mend.io/vulnerability-database/CVE-2022-22968>`_. :pr:`24307`
* Fix `CVE-2024-38808 <https://www.mend.io/vulnerability-database/CVE-2024-38808>`_. :pr:`24307`
* Fix `CVE-2023-20861 <https://www.mend.io/vulnerability-database/CVE-2023-20861>`_. :pr:`24307`
* Fix `CVE-2023-20863 <https://www.mend.io/vulnerability-database/CVE-2023-20863>`_. :pr:`24307`
* Fix `CVE-2024-38820 <https://www.mend.io/vulnerability-database/CVE-2024-38820>`_. :pr:`24307`

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Dec 30, 2024
@prestodb-ci prestodb-ci requested review from a team, anandamideShakyan and sh-shamsan and removed request for a team December 30, 2024 11:27
@ShahimSharafudeen ShahimSharafudeen marked this pull request as ready for review December 30, 2024 17:14
@ShahimSharafudeen ShahimSharafudeen requested a review from a team as a code owner December 30, 2024 17:14
imjalpreet
imjalpreet reviewed Jan 2, 2025
View reviewed changes
presto-benchto-benchmarks/pom.xml
@@ -51,6 +51,10 @@
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
</exclusion>
<exclusion>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion, we should avoid excluding dependencies. Instead, we can enforce using a CVE-free version of this dependency through Dependency Management.

It is possible this dependency might be required when running benchto which is not detected in our CI pipeline.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@steveburnett
Copy link
Contributor

Thanks for the release note! Could you add a short phrase explaining what work you did here to address these CVEs? Maybe something like (I borrowed your commit message for this example, please rephrase as you think correct):

* Fix spring jar medium security vulnerabilities in response to (CVE_1 link). :pr:`24307`
* Fix spring jar medium security vulnerabilities in response to (CVE_2 link). :pr:`24307`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjalpreet imjalpreet imjalpreet left review comments

@ZacBlanco ZacBlanco ZacBlanco left review comments

@anandamideShakyan anandamideShakyan anandamideShakyan approved these changes

@sh-shamsan sh-shamsan Awaiting requested review from sh-shamsan sh-shamsan was automatically assigned from prestodb/ibm-reviewers

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
from:IBM PR from IBM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@ShahimSharafudeen @steveburnett @ZacBlanco @imjalpreet @anandamideShakyan @prestodb-ci