Whitesource security issue failing due to no used nmslib deps #662

Closed
jmazanec15 opened this issue Dec 9, 2022 · 5 comments
Comments

@jmazanec15
Member

jmazanec15 commented Dec 9, 2022

The Whitesource check in CI is failing with dependency vulnerability issues from nmslib. https://github.com/opensearch-project/k-NN/pull/661/checks?check_run_id=10001548361. We do not use these dependencies. Will need to create an issue/PR upstream to fix.

#661

@jmazanec15
Member Author

Tracking libs that need to get updated in nmslib:

  1. httpclient-4.4.1.jar - /jni/external/nmslib/query_server/java_client/pom.xml (WS-2017-3734 (Medium) detected in httpclient-4.4.1.jar - autoclosed #671, CVE-2020-13956 (Medium) detected in httpclient-4.4.1.jar - autoclosed #670 )
  2. jquery-3.2.1.js - /jni/external/nmslib/docs/_static/jquery-3.2.1.js (CVE-2019-11358 (Medium) detected in multiple libraries - autoclosed #669, CVE-2020-11022 (Medium) detected in multiple libraries - autoclosed #667, CVE-2020-11023 (Medium) detected in multiple libraries - autoclosed #664 )
  3. jquery-3.2.0.js - /jni/external/nmslib/docs/_static/jquery-3.2.0.js (CVE-2019-11358 (Medium) detected in multiple libraries - autoclosed #669 CVE-2020-11022 (Medium) detected in multiple libraries - autoclosed #667, CVE-2020-11023 (Medium) detected in multiple libraries - autoclosed #664 )
  4. jquery-3.2.1.min.js - /jni/external/nmslib/docs/api.html (CVE-2019-11358 (Medium) detected in multiple libraries - autoclosed #669, CVE-2020-11022 (Medium) detected in multiple libraries - autoclosed #667, CVE-2020-11023 (Medium) detected in multiple libraries - autoclosed #664 )
  5. libthrift-0.11.0.jar - /jni/external/nmslib/query_server/java_client/pom.xml ( CVE-2019-0205 (High) detected in libthrift-0.11.0.jar - autoclosed #668, CVE-2018-1320 (High) detected in libthrift-0.11.0.jar - autoclosed #665 )
  6. commons-codec-1.9.jar - /jni/external/nmslib/query_server/java_client/pom.xml ( WS-2019-0379 (Medium) detected in commons-codec-1.9.jar - autoclosed #666 )

Will create an issue over there to fix. For this plugin, we do not use any of these dependencies. They are just inherited b/c of the submodule dependency we take on nmslib.

@jmazanec15
Member Author

jmazanec15 commented Dec 13, 2022

Fixes:
jquery - upgrade to 3.5.0
httpclient - upgrade to 4.5.13
libthrift - upgrade to 0.16.0 (see #670 )
commons-codec - upgrade to 1.13

@jmazanec15
Member Author

httpclient - upgrade to 4.5.13

This will be taken care of by upgrading libthrift

@jmazanec15
Member Author

commons-codec - upgrade to 1.13

This will be taken care of by upgrading libthrift

@naveentatikonda
Member

Closing this issue as all the above-mentioned libraries have been updated and the Whitesource check is succeeding.
