Destinations - vulnerability patching for libraries #44620

Open
wants to merge 10 commits into
base: master
2 changes: 1 addition & 1 deletion airbyte-cdk/bulk/core/base/build.gradle
Expand Up @@ -37,7 +37,7 @@ dependencies {
implementation 'org.bouncycastle:bctls-jdk18on:1.77'

runtimeOnly 'com.google.guava:guava:33.2.0-jre'
runtimeOnly 'org.apache.commons:commons-compress:1.26.1'
runtimeOnly 'org.apache.commons:commons-compress:1.27.0'

testFixturesApi 'org.jetbrains.kotlin:kotlin-test-junit'
testFixturesApi 'org.jetbrains.kotlin:kotlin-reflect'
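Review bot: the commons-compress bump to 1.27.0 on the `runtimeOnly` line agrees with the three other commons-compress pins in this PR, but it is a fourth hard-coded copy of a version that deps.toml already owns under the `apache-commons` alias; referencing the catalog entry here would make the next security bump a single edit. Also worth a glance while in this file: it pins `org.bouncycastle:bctls-jdk18on:1.77` whereas core/build.gradle pins the `jdk15on` line at 1.68. The two lines ship the same `org.bouncycastle` packages under different artifact ids, so Gradle will not conflict-resolve them, and if both reach one runtime classpath which class loads depends on classloader order.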
8 changes: 4 additions & 4 deletions airbyte-cdk/java/airbyte-cdk/core/build.gradle
Expand Up @@ -42,12 +42,12 @@ dependencies {
implementation 'net.i2p.crypto:eddsa:0.3.0'
implementation 'org.apache.httpcomponents:httpcore:4.4.16'
implementation 'org.apache.logging.log4j:log4j-layout-template-json:2.17.2'
implementation 'org.apache.sshd:sshd-mina:2.11.0'
implementation 'org.apache.sshd:sshd-mina:2.13.0'
// bouncycastle is pinned to version-match the transitive dependency from kubernetes client-java
// because a version conflict causes "parameter object not a ECParameterSpec" on ssh tunnel initiation
implementation 'org.bouncycastle:bcpkix-jdk15on:1.66'
implementation 'org.bouncycastle:bcprov-jdk15on:1.66'
implementation 'org.bouncycastle:bctls-jdk15on:1.66'
implementation 'org.bouncycastle:bcpkix-jdk15on:1.68'
implementation 'org.bouncycastle:bcprov-jdk15on:1.68'
implementation 'org.bouncycastle:bctls-jdk15on:1.68'

testFixturesApi 'org.testcontainers:testcontainers:1.19.0'
testFixturesApi 'org.testcontainers:jdbc:1.19.0'
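Review bot: the comment directly above the BouncyCastle lines says 1.66 was chosen to version-match the transitive dependency from kubernetes client-java, because a mismatch produced "parameter object not a ECParameterSpec" on SSH tunnel initiation; moving all three artifacts to 1.68 without touching that comment leaves no record that the match was re-checked. Please confirm the kubernetes client-java version in use now resolves BouncyCastle 1.68 (or update the comment to say why the pin no longer needs to match). Since sshd-mina also moves from 2.11.0 to 2.13.0 in the same hunk, the SSH-tunnel integration tests are the relevant check for both bumps together.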
2 changes: 1 addition & 1 deletion airbyte-cdk/java/airbyte-cdk/dependencies/build.gradle
Expand Up @@ -20,7 +20,7 @@ dependencies {
api 'commons-io:commons-io:2.15.1'
api ('io.airbyte.airbyte-protocol:protocol-models:0.11.0') { exclude group: 'com.google.api-client', module: 'google-api-client' }
api 'javax.annotation:javax.annotation-api:1.3.2'
api 'org.apache.commons:commons-compress:1.25.0'
api 'org.apache.commons:commons-compress:1.27.0'
api 'org.apache.commons:commons-lang3:3.14.0'
api 'org.apache.logging.log4j:log4j-api:2.21.1'
api 'org.apache.logging.log4j:log4j-core:2.21.1'
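Review bot: commons-compress is `api` scope in this module, so 1.27.0 now reaches the compile classpath of everything that depends on `dependencies`; that is the intended effect for a vulnerability patch, but it also means any module still carrying an older commons-compress pin will be silently lifted by Gradle's highest-version conflict resolution, so the buildSrc and deps.toml pins in this PR must stay in lockstep with this line (they do, at 1.27.0). Replacing the literal with the `apache-commons` catalog entry would enforce that lockstep instead of relying on four files being edited together.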
4 changes: 2 additions & 2 deletions airbyte-cdk/java/airbyte-cdk/s3-destinations/build.gradle
Expand Up @@ -28,11 +28,11 @@ dependencies {
api 'org.apache.commons:commons-csv:1.10.0'
api 'org.apache.commons:commons-text:1.11.0'
api ('org.apache.hadoop:hadoop-aws:3.3.6') { exclude group: 'com.amazonaws', module: 'aws-java-sdk-bundle' }
api ('org.apache.hadoop:hadoop-common:3.3.6') {
api ('org.apache.hadoop:hadoop-common:3.4.0') {
exclude group: 'org.apache.zookeeper'
exclude group: 'org.apache.hadoop', module: 'hadoop-yarn-common'
}
api ('org.apache.hadoop:hadoop-mapreduce-client-core:3.3.6') {
api ('org.apache.hadoop:hadoop-mapreduce-client-core:3.4.0') {
exclude group: 'org.apache.zookeeper'
exclude group: 'org.apache.hadoop', module: 'hadoop-yarn-common'
}
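Review bot: hadoop-common and hadoop-mapreduce-client-core move to 3.4.0, but the `hadoop-aws` line just above stays at 3.3.6. Hadoop modules are released as one version set and hadoop-aws is compiled against the hadoop-common of its own release, so a mixed 3.3.6/3.4.0 classpath surfaces as NoSuchMethodError or NoClassDefFoundError in the S3A filesystem path at runtime rather than as a build failure. Bump hadoop-aws to 3.4.0 in the same change (keeping its `aws-java-sdk-bundle` exclusion), and note that destination-s3's own build.gradle in this PR only moves hadoop-common to 3.3.4, so the connector and this CDK module now disagree on the Hadoop line.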
Expand Up @@ -32,7 +32,7 @@ application {

dependencies {

implementation 'com.amazonaws:aws-java-sdk-s3:1.11.978'
implementation 'com.amazonaws:aws-java-sdk-s3:1.12.261'
// TODO: Verify no aws sdk code is pulled by this dependency causing classpath conflicts
// https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc20-jdbc10-driver-differences.html
implementation 'com.amazon.redshift:redshift-jdbc42:2.1.0.26'
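Review bot: the thread on the destination-s3 file says the SDK was moved to 1.12.770 for the redshift destination as well, but this hunk still reads 1.12.261, so the rendered diff does not match the described state; please confirm the head commit before merge. Independently, the TODO left in place about aws sdk classes being pulled in by redshift-jdbc42 is exactly what an SDK bump should settle: run the `dependencyInsight` task for the `com.amazonaws` group on this module's runtime classpath and either delete the TODO or add the exclusion it asks for.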
6 changes: 3 additions & 3 deletions airbyte-integrations/connectors/destination-s3/build.gradle
Expand Up @@ -27,12 +27,12 @@ application {
dependencies {

// csv
implementation 'com.amazonaws:aws-java-sdk-s3:1.11.978'
implementation 'com.amazonaws:aws-java-sdk-s3:1.12.261'
Contributor
How did you get 12.261? That was released over 2 years ago according to https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-s3
Last version is 12.770

Contributor Author
Updated the version to 12.770

Contributor
There are other places where we're still using 261, I think

Contributor Author
Updated the version to 12.770 for the redshift destination also

implementation 'org.apache.commons:commons-csv:1.4'
implementation 'com.github.alexmojaki:s3-stream-upload:2.2.2'

// parquet
implementation ('org.apache.hadoop:hadoop-common:3.3.3') {
implementation ('org.apache.hadoop:hadoop-common:3.3.4') {
exclude group: 'org.slf4j', module: 'slf4j-log4j12'
exclude group: 'org.slf4j', module: 'slf4j-reload4j'
exclude group: 'org.apache.zookeeper'
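Review bot: as with the redshift hunk, the thread above says this line was updated to 1.12.770, yet the hunk still shows 1.12.261, the version the reviewer points out is two years old; the rendered diff should be re-checked against the head commit. Separately, hadoop-common here goes only to 3.3.4 while the CDK s3-destinations module moves to 3.4.0 in this same PR; if this connector consumes that CDK module, Gradle's highest-version conflict resolution selects 3.4.0 at runtime regardless, and the 3.3.4 pin becomes a misleading record of what actually ships. Pick one Hadoop line for both files.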
Expand All @@ -47,6 +47,6 @@ dependencies {
implementation ('com.github.airbytehq:json-avro-converter:1.1.3') { exclude group: 'ch.qos.logback', module: 'logback-classic'}
implementation group: 'com.hadoop.gplcompression', name: 'hadoop-lzo', version: '0.4.20'
testImplementation 'org.apache.commons:commons-lang3:3.11'
testImplementation 'org.xerial.snappy:snappy-java:1.1.8.4'
testImplementation 'org.xerial.snappy:snappy-java:1.1.10.4'
testImplementation "org.mockito:mockito-inline:4.1.0"
}
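Review bot: the snappy-java bump is `testImplementation` scope only, so it changes nothing in the shipped connector; if snappy-java reaches the runtime classpath transitively (hadoop-common is the likely route in this module), the runtime version is whatever that transitive resolves to, not 1.1.10.4. If this line is meant as a vulnerability patch, add a runtime-visible pin or a `constraints` entry for `org.xerial.snappy:snappy-java` and confirm with `dependencyInsight` which version `runtimeClasspath` actually resolves.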
Expand Up @@ -14,7 +14,7 @@ application {
}

dependencies {
implementation 'org.postgresql:postgresql:42.6.0'
implementation 'org.postgresql:postgresql:42.7.2'
Contributor
Does the vulnerability list source-cockroachdb too ? It should filter on certified destinations i thought

Contributor Author
I have removed the change for source-cockroachdb


testImplementation 'org.testcontainers:cockroachdb:1.19.4'
}
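Review bot: per the thread, the source-cockroachdb change was removed because this patching effort is scoped to certified destinations, yet the postgresql 42.6.0 to 42.7.2 hunk is still rendered here; either the removal commit is not pushed or the page is stale, so confirm the file is absent from the final diff before merge. If it does stay, the `testcontainers:cockroachdb:1.19.4` pin below is unaffected by the driver bump, so no further change is needed in this file.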
2 changes: 1 addition & 1 deletion buildSrc/src/main/groovy/airbyte-java-connector.gradle
Expand Up @@ -99,7 +99,7 @@ class AirbyteJavaConnectorExtension {

implementation "com.google.guava:guava:31.1-jre"
implementation "commons-io:commons-io:2.7"
implementation "org.apache.commons:commons-compress:1.20"
implementation "org.apache.commons:commons-compress:1.27.0"
implementation "org.apache.commons:commons-lang3:3.11"
implementation "org.slf4j:slf4j-api:2.0.9"
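Review bot: `airbyte-java-connector.gradle` injects these versions into every Java connector, so this commons-compress 1.27.0 line is the one that matters for connectors that do not pin their own; it duplicates the `apache-commons` entry in deps.toml, which buildSrc could read instead of carrying its own literal. The neighbouring pins in this block (guava 31.1-jre, commons-io 2.7, commons-lang3 3.11) are older than what the CDK modules in this PR pin (guava 33.2.0-jre, commons-io 2.15.1, commons-lang3 3.14.0), so a connector ends up on the higher version wherever a CDK module is on its classpath and on these older ones where it is not; worth aligning in a follow-up so the resolved versions are predictable.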

2 changes: 1 addition & 1 deletion deps.toml
Expand Up @@ -23,7 +23,7 @@ mockito-version = "5.11.0"

[libraries]
airbyte-protocol = { module = "io.airbyte.airbyte-protocol:protocol-models", version.ref = "airbyte-protocol" }
apache-commons = { module = "org.apache.commons:commons-compress", version = "1.20" }
apache-commons = { module = "org.apache.commons:commons-compress", version = "1.27.0" }
apache-commons-lang = { module = "org.apache.commons:commons-lang3", version = "3.11" }
appender-log4j2 = { module = "com.therealvan:appender-log4j2", version = "3.6.0" }
assertj-core = { module = "org.assertj:assertj-core", version = "3.21.0" }
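Review bot: this catalog entry is the natural single source for the commons-compress version, yet the same 1.27.0 literal is hard-coded in three other files in this PR (bulk/core/base, java/airbyte-cdk/dependencies, buildSrc); point those at the `libs.apache.commons` accessor so the next advisory is a one-line change here. Minor: the alias `apache-commons` names only the group and hides that it is commons-compress, and `apache-commons-lang` beneath it still sits at 3.11 while dependencies/build.gradle pins commons-lang3 3.14.0; a more specific alias name and an aligned lang3 version would remove two sources of confusion at once.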