
Bump commons-compress transitively to fix high vulnerability #106

Merged
merged 3 commits into from
Jun 26, 2024

Conversation

jonflynng
Contributor

@jonflynng jonflynng commented Jun 24, 2024

Why?

There is a high vulnerability introduced through version 1.24 of the commons-compress library. Info here: https://app.snyk.io/org/guardian-ophan/project/234d8861-20e1-4b9c-b41a-e7ed4f372d3e

Can fix by upgrading to 1.26.

The commons-compress dependency is introduced through org.apache.avro. The last release was in September 2023. This PR fixes it transitively while we wait for them to fix it on their side and release a patch.

What does this change?

Upgrades commons-compress transitively to 1.26.

How to test

How can we measure success?

Have we considered potential risks?

Images

Accessibility

@jonflynng jonflynng requested a review from a team as a code owner June 24, 2024 14:08
@jonflynng jonflynng requested a review from rtyley June 25, 2024 08:48
Member

@rtyley rtyley left a comment


I think this change is low-risk, at least as far as Ophan's avro-logger is concerned. That's because avro-logger uses kinesis checkpointing - so even if this new release were to fail and throw exceptions, you could just re-deploy the old version of avro-logger and it would pick up again from the last successful kinesis checkpoint.

build.sbt Outdated
@@ -16,12 +16,13 @@ lazy val core = project.settings(
name := "marley",
Compile / scalacOptions ++= Seq("-release:11", "-Ymacro-annotations"),
libraryDependencies ++= Seq(
"org.apache.avro" % "avro" % "1.11.3",
"org.apache.avro" % "avro" % "1.11.3" exclude("org.apache.commons", "commons-compress"),
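Review bot: the `exclude("org.apache.commons", "commons-compress")` added to the avro line removes avro's commons-compress edge from resolution entirely, which is not needed to get the fixed version selected and would also stop a later avro release's (possibly newer) commons-compress from ever being considered. Suggest keeping the plain `"org.apache.avro" % "avro" % "1.11.3"` line and relying on the direct commons-compress dependency, which sbt's highest-version conflict resolution will pick over the 1.24 that avro pulls in.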
Member


The avro library was upgraded to use commons-compress version 1.26.0 with apache/avro#2758, merged in February 2024 - but unfortunately not released yet.

I'm not sure if the exclude is necessary - without it, sbt will still automatically select the latest of the two commons-compress library versions, either the one we specify in this build.sbt, or the one that avro pulls in. The only difference with exclude is that the version from avro will be ignored, even if it ends up being higher with a later release of avro?
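As an added illustration of the eviction behaviour discussed above and of the transitive fix the PR description sets out (this is example configuration, not code from the marley project or from either commenter), the build.sbt fragment below shows the three ways the commons-compress version can be controlled. The project name and the avro and commons-compress versions are taken from this thread; the rest of the dependency list is assumed.

```scala
// build.sbt fragment (added example; the dependency list is assumed, not marley's)
lazy val core = project.settings(
  name := "marley",

  libraryDependencies ++= Seq(
    // avro 1.11.3 transitively pulls in the vulnerable commons-compress 1.24.
    // No exclude here: leaving avro's edge in place lets a future avro release
    // that ships a newer commons-compress win on its own.
    "org.apache.avro" % "avro" % "1.11.3",

    // Option 1: declare the fixed version as a direct dependency.
    // sbt's default conflict manager keeps the highest version it sees, so
    // 1.26.2 evicts avro's 1.24 without any exclude being necessary.
    // Kept next to the avro line so it is obvious why it exists.
    "org.apache.commons" % "commons-compress" % "1.26.2" // drop once avro releases on 1.26.x
  )

  // Option 2 (alternative to the direct dependency above): force the version on
  // every resolution path, whether or not it is the highest. This is the usual
  // "pin until upstream releases" mechanism when you do not want to depend on
  // the library directly.
  // dependencyOverrides += "org.apache.commons" % "commons-compress" % "1.26.2"

  // Option 3 (what the original hunk did): exclude("org.apache.commons",
  // "commons-compress") on the avro line. That removes avro's edge entirely,
  // so avro's version never takes part in eviction, even if a later avro
  // release brings something newer than what is declared directly.
)
```

After changing the build, `sbt "core/evicted"` reports which commons-compress version was selected and which candidates were evicted; with option 1 the 1.24 from avro should show as evicted in favour of 1.26.2. With option 3 nothing is reported for commons-compress at all, because the conflicting edge was never present, which is exactly the information loss the review comment above is pointing at.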

Contributor Author


Ah OK, I'll amend.

build.sbt Outdated
"org.xerial.snappy" % "snappy-java" % "1.1.10.5",
"org.parboiled" %% "parboiled" % "2.5.0",
"org.scala-lang" % "scala-compiler" % scalaVersion.value % "provided",
"org.scalatest" %% "scalatest" % "3.2.16" % Test,
"org.scalatestplus" %% "scalacheck-1-17" % "3.2.16.0" % Test
"org.scalatestplus" %% "scalacheck-1-17" % "3.2.16.0" % Test,
"org.apache.commons" % "commons-compress" % "1.26.0"
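Review bot: the new `"org.apache.commons" % "commons-compress" % "1.26.0"` entry is appended after the Test-scoped dependencies and carries no comment explaining why a direct dependency on a library this project does not use itself is present. Suggest moving it next to the avro line and annotating it, for example `"org.apache.commons" % "commons-compress" % "1.26.0" // overrides the vulnerable 1.24 pulled in by avro; remove once avro ships a release on 1.26.x`, so the pin gets cleaned up rather than silently kept forever. Also, 1.26.0 is not the latest 1.26.x patch release (1.26.2 is suggested in the review comment below), so bump to that while touching the line.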
Member


Note that commons-compress is now up to 1.26.2, so we might as well use that!

Suggested change
"org.apache.commons" % "commons-compress" % "1.26.0"
"org.apache.commons" % "commons-compress" % "1.26.2"

@jonflynng jonflynng merged commit e2ebb7d into main Jun 26, 2024
1 check passed