fix(CVE): upgrade spring & refactor to fix CVEs from GCP Marketplace (#…

…74) * fix(CVE): upgrade spring & refactor to fix CVEs from GCP Marketplace * fix(CVE): upgrade musl version
armory-io · Jul 7, 2023 · 28d08e6 · 28d08e6 · github-actions · Jul 7, 2023
1 parent a6ac1d4
commit 28d08e6
Show file tree

Hide file tree

Showing 18 changed files with 42 additions and 23 deletions.
diff --git a/Dockerfile.slim b/Dockerfile.slim
@@ -25,7 +25,7 @@ RUN apk add --update --upgrade \
 RUN apk update \
     && apk upgrade \
     && rm -rf /var/cache/apk/* \
-    && apk add musl=1.2.3-r4 \
+    && apk add musl=1.2.3-r5 \
     && apk add krb5-libs=1.20.1-r0
 
 # Google cloud SDK with anthos removed for CVE and because we don't need it

diff --git a/build.gradle b/build.gradle
@@ -54,6 +54,9 @@ subprojects {
     annotationProcessor "org.projectlombok:lombok"
     testAnnotationProcessor platform("io.spinnaker.kork:kork-bom:$korkVersion")
     testAnnotationProcessor "org.projectlombok:lombok"
+
+    api(platform("org.springframework.boot:spring-boot-dependencies:2.7.11"))
+    api(platform("org.springframework.cloud:spring-cloud-dependencies:2021.0.3"))
   }
 
   publishing {
@@ -102,15 +105,15 @@ subprojects {
         force group: 'org.apache.commons', name: 'commons-compress', version: '1.+' // Remove CVE-2019-12402, upgrade commons-compress dependency
         force group: 'org.apache.commons', name: 'commons-lang3', version: '3.9'
         force group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: '9.0.41' // Remove CVE-2020-13934, CVE-2020-9484
-        force group: 'org.codehaus.groovy', name: 'groovy-all', version: '2.5.10' // Avoid duplicate groovy versions 2.5.7 and 2.5.10
         force group: 'org.codehaus.plexus', name: 'plexus-utils', version: '3.3.+' // Remove CVEs SONATYPE-2015-0173 and SONATYPE-2016-0398, upgrade plexus-utils dependency
         force group: 'org.hibernate.validator', name: 'hibernate-validator', version: '6.1.+' // Remove CVE-2019-10219, upgrade hibernate-validator depende      force group: 'org.testng', name: 'testng', version: '7.1.+' // Remove CVE SONATYPE-2019-0115, upgrade testng dependency
         force group: 'org.javassist', name: 'javassist', version: '3.19.0-GA'
         force group: 'org.jboss.logging', name: 'jboss-logging', version: '3.4.+' // Remove CVE-2017-2595, upgrade jboss-logging
-        force group: 'org.springframework.security', name: 'spring-security-core', version: '5.2.6.RELEASE' // Remove CVE-2020-5407
         force group: 'org.springframework.security', name: 'spring-security-crypto', version: '5.2.4.RELEASE' // Remove CVE-2020-5408
         force group: 'org.testng', name: 'testng', version: '7.1.+' // Remove CVE SONATYPE-2019-0115, upgrade testng dependency
-        force group: 'org.yaml', name: 'snakeyaml', version: '1.26' // Remove CVE-2017-18640
+        force group: 'org.yaml', name: 'snakeyaml', version: '2.0' // CVE-2022-1471
+        force group: 'org.apache.ivy', name: 'ivy', version: '2.5.1' // CVE-2022-37865
+        force group: 'org.spockframework', name:'spock-core', version:'2.0-groovy-3.0'
 
       }
     }

diff --git a/gradle.properties b/gradle.properties
@@ -2,7 +2,7 @@ artifactory_user=
 artifactory_password=
 clouddriverVersion=5.78.2
 fiatVersion=1.27.1
-korkVersion=7.158.0
+korkVersion=7.169.1
 front50Version=2.24.0
 org.gradle.parallel=true
 spinnakerGradleVersion=8.25.0

diff --git a/halyard-cli/src/main/java/com/netflix/spinnaker/halyard/cli/ui/v1/AnsiFormatUtils.java b/halyard-cli/src/main/java/com/netflix/spinnaker/halyard/cli/ui/v1/AnsiFormatUtils.java
@@ -23,6 +23,7 @@
 import java.util.List;
 import java.util.Map;
 import org.yaml.snakeyaml.DumperOptions;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 import org.yaml.snakeyaml.representer.Representer;
@@ -55,7 +56,8 @@ private static Yaml getYamlParser() {
     options.setDefaultFlowStyle(DumperOptions.FlowStyle.BLOCK);
     options.setDefaultScalarStyle(DumperOptions.ScalarStyle.PLAIN);
 
-    return new Yaml(new SafeConstructor(), new Representer(), options);
+    return new Yaml(
+        new SafeConstructor(new LoaderOptions()), new Representer(new DumperOptions()), options);
   }
 
   private static ObjectMapper getObjectMapper() {

diff --git a/...d-config/src/main/java/com/netflix/spinnaker/halyard/config/config/v1/ResourceConfig.java b/...d-config/src/main/java/com/netflix/spinnaker/halyard/config/config/v1/ResourceConfig.java
@@ -28,6 +28,7 @@
 import org.springframework.scheduling.concurrent.ConcurrentTaskScheduler;
 import org.springframework.stereotype.Component;
 import org.yaml.snakeyaml.DumperOptions;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 import org.yaml.snakeyaml.representer.Representer;
@@ -102,7 +103,8 @@ Yaml yamlParser() {
     DumperOptions options = new DumperOptions();
     options.setDefaultFlowStyle(DumperOptions.FlowStyle.BLOCK);
     options.setDefaultScalarStyle(DumperOptions.ScalarStyle.PLAIN);
-    return new Yaml(new SafeConstructor(), new Representer(), options);
+    return new Yaml(
+        new SafeConstructor(new LoaderOptions()), new Representer(new DumperOptions()), options);
   }
 
   private String normalizePath(String path) {

diff --git a/.../main/java/com/netflix/spinnaker/halyard/config/services/v1/PersistentStorageService.java b/.../main/java/com/netflix/spinnaker/halyard/config/services/v1/PersistentStorageService.java
@@ -32,13 +32,14 @@
 import com.netflix.spinnaker.halyard.core.problem.v1.ProblemSet;
 import java.util.List;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
 @Component
 public class PersistentStorageService {
   @Autowired private LookupService lookupService;
 
-  @Autowired private DeploymentService deploymentService;
+  @Lazy @Autowired private DeploymentService deploymentService;
 
   @Autowired private ValidateService validateService;
 

diff --git a/...java/com/netflix/spinnaker/halyard/config/validate/v1/DeploymentEnvironmentValidator.java b/...java/com/netflix/spinnaker/halyard/config/validate/v1/DeploymentEnvironmentValidator.java
@@ -32,12 +32,13 @@
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
 @Component
 @Slf4j
 public class DeploymentEnvironmentValidator extends Validator<DeploymentEnvironment> {
-  @Autowired AccountService accountService;
+  @Lazy @Autowired AccountService accountService;
 
   @Autowired KubernetesAccountValidator kubernetesAccountValidator;
 

diff --git a/...java/com/netflix/spinnaker/halyard/config/validate/v1/persistentStorage/GCSValidator.java b/...java/com/netflix/spinnaker/halyard/config/validate/v1/persistentStorage/GCSValidator.java
@@ -33,12 +33,13 @@
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.scheduling.TaskScheduler;
 import org.springframework.stereotype.Component;
 
 @Component
 public class GCSValidator extends Validator<GcsPersistentStore> {
-  @Autowired private AccountService accountService;
+  @Lazy @Autowired private AccountService accountService;
 
   @Autowired private Registry registry;
 

diff --git a/...a/com/netflix/spinnaker/halyard/config/validate/v1/providers/aws/AwsAccountValidator.java b/...a/com/netflix/spinnaker/halyard/config/validate/v1/providers/aws/AwsAccountValidator.java
@@ -27,12 +27,13 @@
 import com.netflix.spinnaker.halyard.config.services.v1.ProviderService;
 import com.netflix.spinnaker.halyard.core.problem.v1.Problem.Severity;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
 @Component
 public class AwsAccountValidator extends Validator<AwsAccount> {
 
-  @Autowired ProviderService providerService;
+  @Lazy @Autowired ProviderService providerService;
 
   @Override
   public void validate(ConfigProblemSetBuilder p, AwsAccount awsAccount) {

diff --git a/...a/com/netflix/spinnaker/halyard/config/validate/v1/providers/ecs/EcsAccountValidator.java b/...a/com/netflix/spinnaker/halyard/config/validate/v1/providers/ecs/EcsAccountValidator.java
@@ -11,13 +11,14 @@
 import java.util.List;
 import java.util.Optional;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
 @Component
 public class EcsAccountValidator extends Validator<EcsAccount> {
-  @Autowired ProviderService providerService;
+  @Lazy @Autowired ProviderService providerService;
 
-  @Autowired AccountService accountService;
+  @Lazy @Autowired AccountService accountService;
 
   @Autowired ConfigService configService;
 

diff --git a/halyard-core/src/main/java/com/netflix/spinnaker/halyard/core/GlobalApplicationOptions.java b/halyard-core/src/main/java/com/netflix/spinnaker/halyard/core/GlobalApplicationOptions.java
@@ -26,6 +26,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 
@@ -52,7 +53,7 @@ public boolean isUseRemoteDaemon() {
 
   public static GlobalApplicationOptions getInstance() {
     if (GlobalApplicationOptions.options == null) {
-      Yaml yamlParser = new Yaml(new SafeConstructor());
+      Yaml yamlParser = new Yaml(new SafeConstructor(new LoaderOptions()));
       ObjectMapper objectMapper = new ObjectMapper();
 
       objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

diff --git a/...ore/src/main/java/com/netflix/spinnaker/halyard/core/registry/v1/GoogleProfileReader.java b/...ore/src/main/java/com/netflix/spinnaker/halyard/core/registry/v1/GoogleProfileReader.java
@@ -35,6 +35,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 import org.yaml.snakeyaml.Yaml;
 
@@ -44,9 +45,9 @@
 public class GoogleProfileReader implements ProfileReader {
   @Autowired String spinconfigBucket;
 
-  @Autowired Storage applicationDefaultGoogleStorage;
+  @Lazy @Autowired Storage applicationDefaultGoogleStorage;
 
-  @Autowired Storage unauthenticatedGoogleStorage;
+  @Lazy @Autowired Storage unauthenticatedGoogleStorage;
 
   @Autowired ObjectMapper relaxedObjectMapper;
 

diff --git a/...d-core/src/test/groovy/com/netflix/spinnaker/halyard/core/registry/v1/VersionsSpec.groovy b/...d-core/src/test/groovy/com/netflix/spinnaker/halyard/core/registry/v1/VersionsSpec.groovy
@@ -116,7 +116,7 @@ class VersionsSpec extends Specification {
 
     def "orderBySemVer throws an exception for invalid versions"() {
         when:
-        dev versions = ["1.0.0", badVersion]
+        def versions = ["1.0.0", badVersion]
         Collections.sort(versions, Versions.orderBySemVer())
 
         then:

diff --git a/...tflix/spinnaker/halyard/deploy/spinnaker/v1/service/SpinnakerMonitoringDaemonService.java b/...tflix/spinnaker/halyard/deploy/spinnaker/v1/service/SpinnakerMonitoringDaemonService.java
@@ -31,6 +31,7 @@
 import lombok.Data;
 import lombok.EqualsAndHashCode;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
 @EqualsAndHashCode(callSuper = true)
@@ -47,7 +48,7 @@ public abstract class SpinnakerMonitoringDaemonService
 
   @Autowired MetricRegistryProfileFactoryBuilder metricRegistryProfileFactoryBuilder;
 
-  @Autowired List<SpinnakerService> services;
+  @Lazy @Autowired List<SpinnakerService> services;
 
   @Override
   public SpinnakerArtifact getArtifact() {

diff --git a/...ker/halyard/deploy/spinnaker/v1/service/distributed/google/GoogleConsulServerService.java b/...ker/halyard/deploy/spinnaker/v1/service/distributed/google/GoogleConsulServerService.java
@@ -30,14 +30,15 @@
 import lombok.EqualsAndHashCode;
 import lombok.experimental.Delegate;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
 @EqualsAndHashCode(callSuper = true)
 @Component
 @Data
 public class GoogleConsulServerService extends ConsulServerService
     implements GoogleDistributedService<ConsulApi> {
-  @Delegate @Autowired GoogleDistributedServiceDelegate googleDistributedServiceDelegate;
+  @Lazy @Delegate @Autowired GoogleDistributedServiceDelegate googleDistributedServiceDelegate;
 
   @Override
   public String getDefaultInstanceType() {

diff --git a/...aker/halyard/deploy/spinnaker/v1/service/distributed/google/GoogleVaultServerService.java b/...aker/halyard/deploy/spinnaker/v1/service/distributed/google/GoogleVaultServerService.java
@@ -29,14 +29,15 @@
 import lombok.EqualsAndHashCode;
 import lombok.experimental.Delegate;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
 @EqualsAndHashCode(callSuper = true)
 @Component
 @Data
 public class GoogleVaultServerService extends VaultServerService
     implements GoogleDistributedService<VaultServerService.Vault> {
-  @Delegate @Autowired GoogleDistributedServiceDelegate googleDistributedServiceDelegate;
+  @Lazy @Delegate @Autowired GoogleDistributedServiceDelegate googleDistributedServiceDelegate;
 
   @Override
   public String getDefaultInstanceType() {

diff --git a/...y/spinnaker/v1/service/distributed/kubernetes/v2/KubernetesV2MonitoringDaemonService.java b/...y/spinnaker/v1/service/distributed/kubernetes/v2/KubernetesV2MonitoringDaemonService.java
@@ -26,6 +26,7 @@
 import lombok.EqualsAndHashCode;
 import lombok.experimental.Delegate;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
 @Data
@@ -35,7 +36,7 @@ public class KubernetesV2MonitoringDaemonService extends SpinnakerMonitoringDaem
     implements KubernetesV2Service<SpinnakerMonitoringDaemonService.SpinnakerMonitoringDaemon> {
   final DeployPriority deployPriority = new DeployPriority(0);
 
-  @Delegate @Autowired KubernetesV2ServiceDelegate serviceDelegate;
+  @Lazy @Delegate @Autowired KubernetesV2ServiceDelegate serviceDelegate;
 
   @Override
   public boolean runsOnJvm() {

diff --git a/...aker/halyard/deploy/spinnaker/v1/service/distributed/kubernetes/v2/KubernetesV2Utils.java b/...aker/halyard/deploy/spinnaker/v1/service/distributed/kubernetes/v2/KubernetesV2Utils.java
@@ -44,6 +44,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 
@@ -178,12 +179,12 @@ public ResourceSpec createResourceSpec(
   }
 
   public String prettify(String input) {
-    Yaml yaml = new Yaml(new SafeConstructor());
+    Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
     return yaml.dump(yaml.load(input));
   }
 
   public Map<String, Object> parseManifest(String input) {
-    Yaml yaml = new Yaml(new SafeConstructor());
+    Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
     return mapper.convertValue(yaml.load(input), new TypeReference<Map<String, Object>>() {});
   }