Bump commons-compress transitively to fix high vulnerability #106
Conversation
I think this change is low-risk, at least as far as Ophan's avro-logger is concerned. That's because avro-logger uses kinesis checkpointing - so even if this new release were to fail and throw exceptions, you could just re-deploy the old version of avro-logger and it would pick up again from the last successful kinesis checkpoint.
build.sbt (outdated)
@@ -16,12 +16,13 @@ lazy val core = project.settings( | |||
name := "marley", | |||
Compile / scalacOptions ++= Seq("-release:11", "-Ymacro-annotations"), | |||
libraryDependencies ++= Seq( | |||
"org.apache.avro" % "avro" % "1.11.3", | |||
"org.apache.avro" % "avro" % "1.11.3" exclude("org.apache.commons", "commons-compress"), |
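Review bot: the `exclude("org.apache.commons", "commons-compress")` added to the avro line does more than this PR needs. Because build.sbt also declares commons-compress directly (second hunk below), sbt's default conflict resolution already keeps the higher of the two requested versions, so the exclude only changes the outcome when a later avro release asks for a version higher than the pinned one, and in that case it silently keeps the older pinned version. Suggest leaving the line as `"org.apache.avro" % "avro" % "1.11.3",` and relying on the direct dependency, so that an avro release carrying a fixed commons-compress is picked up without a further build change.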
The avro library was upgraded to use commons-compress version 1.26.0 with apache/avro#2758, merged in February 2024 - but unfortunately not released yet.
I'm not sure if the exclude is necessary - without it, sbt will still automatically select the latest of the two commons-compress library versions, either the one we specify in this build.sbt, or the one that avro pulls in. The only difference with exclude is that the version from avro will be ignored, even if it ends up being higher with a later release of avro?
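For readers weighing the two approaches discussed in the comment above, here is an added build.sbt sketch. It is not marley's own build file: the module coordinates and the avro version are taken from the diff in this PR, while the layout, the comments and the `dependencyOverrides` alternative (Option C) are this editor's additions and were not discussed in the thread.

```scala
// Added example, not marley's build.sbt. Module coordinates and the avro
// version come from the PR diff; the layout and Option C are illustrative.
lazy val core = project.settings(
  name := "marley",

  // Option C (assumption, not discussed in the thread): force the version of
  // the transitive dependency without listing it as a direct one. This pins
  // in both directions (higher requests from avro are overridden too), so it
  // also needs revisiting when avro moves on. Uncomment to use.
  // dependencyOverrides += "org.apache.commons" % "commons-compress" % "1.26.2",

  libraryDependencies ++= Seq(
    // Option B (the first revision of this PR): drop avro's own request for
    // commons-compress entirely. The version declared below is then the only
    // one in play, even if a later avro asks for a higher one. Use this line
    // in place of the plain avro line if that is the behaviour you want.
    // "org.apache.avro" % "avro" % "1.11.3" exclude("org.apache.commons", "commons-compress"),

    // Option A (what the PR settled on): keep avro as is and declare
    // commons-compress directly. sbt's default conflict resolution keeps the
    // highest version requested, so 1.26.2 wins over the older version that
    // avro 1.11.3 pulls in, and a future avro asking for something newer
    // would still win without a build change.
    "org.apache.avro" % "avro" % "1.11.3",
    "org.apache.commons" % "commons-compress" % "1.26.2"
  )
)
```

Whichever option is chosen, `sbt "core/evicted"` reports which commons-compress version was kept and which dependency requested the one that lost, and with `addDependencyTreePlugin` in project/plugins.sbt (sbt 1.4 or later), `sbt "core/dependencyTree"` prints the full resolved graph so you can confirm that no other path still brings in the vulnerable version.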
Ah ok, I'll amend
build.sbt (outdated)
"org.xerial.snappy" % "snappy-java" % "1.1.10.5", | ||
"org.parboiled" %% "parboiled" % "2.5.0", | ||
"org.scala-lang" % "scala-compiler" % scalaVersion.value % "provided", | ||
"org.scalatest" %% "scalatest" % "3.2.16" % Test, | ||
"org.scalatestplus" %% "scalacheck-1-17" % "3.2.16.0" % Test | ||
"org.scalatestplus" %% "scalacheck-1-17" % "3.2.16.0" % Test, | ||
"org.apache.commons" % "commons-compress" % "1.26.0" |
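Review bot: the new `"org.apache.commons" % "commons-compress" % "1.26.0"` entry carries no comment explaining why a library that marley never calls directly is now a declared dependency, or when it can go away. Add a short comment recording that it overrides the version avro 1.11.3 pulls in and can be removed once an avro release containing apache/avro#2758 is adopted; otherwise a later cleanup is likely either to delete it as unused or to leave it in place indefinitely. Also consider placing it next to the `avro` entry rather than after the Test-scoped scalatest lines, so compile-scope and test-scope dependencies stay grouped.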
Note that commons-compress is now up to 1.26.2, so we might as well use that!
"org.apache.commons" % "commons-compress" % "1.26.0" | |
"org.apache.commons" % "commons-compress" % "1.26.2" |
Why?
There is a high vulnerability introduced through version 1.24 of the commons-compress library. Info here: https://app.snyk.io/org/guardian-ophan/project/234d8861-20e1-4b9c-b41a-e7ed4f372d3e
Can be fixed by upgrading to 1.26.
The commons-compress dependency is introduced through org.apache.avro. The last release was in September 2023. This PR fixes it transitively while we wait for them to fix it on their side and release a patch.
What does this change?
Upgrades commons-compress transitively to 1.26.
How to test
How can we measure success?
Have we considered potential risks?
Images
Accessibility