Skip to content

Commit 92d6b85

Browse files
Joob1nclaude
andauthored
[BugFix][CVE] Remove vulnerable stale transitive dependencies and enforce bans (#76097)
Signed-off-by: Joob1n <1208247864@qq.com> Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
1 parent 4297e7d commit 92d6b85

5 files changed

Lines changed: 176 additions & 4 deletions

File tree

fe/build.gradle.kts

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -127,7 +127,14 @@ subprojects {
127127
implementation("com.qcloud.cos:hadoop-cos:3.3.0-8.3.2")
128128
implementation("com.qcloud:chdfs_hadoop_plugin_network:3.2")
129129
implementation("com.squareup.okhttp3:okhttp:4.10.0")
130+
// keep on the same train as okhttp (tencentcloud-sdk declares 3.12.x)
131+
implementation("com.squareup.okhttp3:logging-interceptor:4.10.0")
130132
implementation("com.squareup.okio:okio:3.4.0")
133+
// okhttp 4.10.0 drags in okio-jvm 3.0.0 (CVE-2023-3635); keep it aligned with okio
134+
implementation("com.squareup.okio:okio-jvm:3.4.0")
135+
// tencentcloud-sdk below 3.1.1471 drags in EOL okhttp 2.7.5 (via hadoop-cos)
136+
implementation("com.tencentcloudapi:tencentcloud-sdk-java-common:3.1.1471")
137+
implementation("com.tencentcloudapi:tencentcloud-sdk-java-kms:3.1.1471")
131138
implementation("com.starrocks:fe-testing:${project.version}")
132139
implementation("com.starrocks:hive-udf:${project.version}")
133140
implementation("com.starrocks:jprotobuf-starrocks:${project.ext["jprotobuf-starrocks.version"]}")
@@ -173,7 +180,8 @@ subprojects {
173180
implementation("org.apache.arrow:flight-sql-jdbc-driver:${project.ext["arrow.version"]}")
174181
implementation("org.apache.avro:avro:${project.ext["avro.version"]}")
175182
implementation("org.apache.commons:commons-dbcp2:2.9.0")
176-
implementation("org.apache.commons:commons-lang3:3.9")
183+
// 3.18.0 fixes CVE-2025-48924
184+
implementation("org.apache.commons:commons-lang3:3.18.0")
177185
implementation("org.apache.commons:commons-pool2:2.3")
178186
implementation("org.apache.groovy:groovy-groovysh:4.0.9")
179187
implementation("org.apache.hadoop:hadoop-aliyun:${project.ext["hadoop.version"]}")
@@ -258,6 +266,18 @@ subprojects {
258266
}
259267
}
260268

269+
// Mirror the Maven-side CVE exclusions/enforcer bans (see fe/pom.xml):
270+
// these artifacts must never appear on any FE classpath.
271+
configurations.all {
272+
// superseded by bcprov-jdk18on; 1.70 carries multiple open CVEs
273+
exclude(group = "org.bouncycastle", module = "bcprov-jdk15on")
274+
// EOL okhttp 2.x line (okhttp3 lives under com.squareup.okhttp3)
275+
exclude(group = "com.squareup.okhttp")
276+
// JSP engine, unused by FE; tomcat 9.0.93 carries CVE-2025-55754/CVE-2025-52434
277+
exclude(group = "org.apache.tomcat")
278+
exclude(group = "org.apache.tomcat.embed")
279+
}
280+
261281
// Resolve capability conflicts: at.yawk.lz4:lz4-java replaces org.lz4:lz4-java and org.lz4:lz4-pure-java
262282
configurations.all {
263283
resolutionStrategy.capabilitiesResolution {

fe/pom.xml

Lines changed: 80 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -53,7 +53,6 @@ under the License.
5353
<!-- jackson-annotations doesn't have 2.21.4 version released -->
5454
<jackson-annotations.version>2.21</jackson-annotations.version>
5555
<spark.version>3.5.7</spark.version>
56-
<tomcat.version>8.5.70</tomcat.version>
5756
<parquet.version>1.16.0</parquet.version>
5857
<orc.version>1.9.1</orc.version>
5958
<hadoop.version>3.4.3</hadoop.version>
@@ -262,10 +261,11 @@ under the License.
262261
</dependency>
263262

264263
<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
264+
<!-- 3.18.0 fixes CVE-2025-48924 (ClassUtils.getClass StackOverflow) -->
265265
<dependency>
266266
<groupId>org.apache.commons</groupId>
267267
<artifactId>commons-lang3</artifactId>
268-
<version>3.9</version>
268+
<version>3.18.0</version>
269269
</dependency>
270270

271271
<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-pool2 -->
@@ -587,13 +587,28 @@ under the License.
587587
<version>4.10.0</version>
588588
</dependency>
589589

590+
<!-- keep on the same train as okhttp (tencentcloud-sdk declares 3.12.x) -->
591+
<dependency>
592+
<groupId>com.squareup.okhttp3</groupId>
593+
<artifactId>logging-interceptor</artifactId>
594+
<version>4.10.0</version>
595+
</dependency>
596+
590597
<!-- https://mvnrepository.com/artifact/com.squareup.okio/okio -->
591598
<dependency>
592599
<groupId>com.squareup.okio</groupId>
593600
<artifactId>okio</artifactId>
594601
<version>3.4.0</version>
595602
</dependency>
596603

604+
<!-- pin okio-jvm to the same version as okio; okhttp 4.10.0 drags in
605+
okio-jvm 3.0.0 which is affected by CVE-2023-3635 -->
606+
<dependency>
607+
<groupId>com.squareup.okio</groupId>
608+
<artifactId>okio-jvm</artifactId>
609+
<version>3.4.0</version>
610+
</dependency>
611+
597612
<!-- https://mvnrepository.com/artifact/javax.validation/validation-api -->
598613
<dependency>
599614
<groupId>javax.validation</groupId>
@@ -1049,6 +1064,19 @@ under the License.
10491064
<version>3.3.0-8.3.2</version>
10501065
</dependency>
10511066

1067+
<!-- hadoop-cos pulls tencentcloud-sdk 3.1.213 whose okhttp 2.7.5 is EOL;
1068+
3.1.1471+ ships okhttp3, keeping COS client-side encryption usable -->
1069+
<dependency>
1070+
<groupId>com.tencentcloudapi</groupId>
1071+
<artifactId>tencentcloud-sdk-java-kms</artifactId>
1072+
<version>3.1.1471</version>
1073+
</dependency>
1074+
<dependency>
1075+
<groupId>com.tencentcloudapi</groupId>
1076+
<artifactId>tencentcloud-sdk-java-common</artifactId>
1077+
<version>3.1.1471</version>
1078+
</dependency>
1079+
10521080
<!-- https://mvnrepository.com/artifact/com.qcloud/chdfs_hadoop_plugin_network -->
10531081
<dependency>
10541082
<groupId>com.qcloud</groupId>
@@ -1139,6 +1167,11 @@ under the License.
11391167
<groupId>org.apache.hbase.thirdparty</groupId>
11401168
<artifactId>hbase-shaded-netty</artifactId>
11411169
</exclusion>
1170+
<!-- JSP engine, unused here; tomcat-jasper 9.0.93 carries open CVEs -->
1171+
<exclusion>
1172+
<groupId>org.apache.tomcat</groupId>
1173+
<artifactId>*</artifactId>
1174+
</exclusion>
11421175
</exclusions>
11431176
</dependency>
11441177

@@ -1297,6 +1330,12 @@ under the License.
12971330
<groupId>org.lz4</groupId>
12981331
<artifactId>lz4-pure-java</artifactId>
12991332
</exclusion>
1333+
<!-- aliyun-java-auth drags in bcprov-jdk15on 1.70 (multiple CVEs);
1334+
bcprov-jdk18on 1.84 on the classpath provides the same packages -->
1335+
<exclusion>
1336+
<groupId>org.bouncycastle</groupId>
1337+
<artifactId>bcprov-jdk15on</artifactId>
1338+
</exclusion>
13001339
</exclusions>
13011340
</dependency>
13021341

@@ -1626,6 +1665,45 @@ under the License.
16261665
</dependencies>
16271666
</dependencyManagement>
16281667

1668+
<build>
1669+
<plugins>
1670+
<plugin>
1671+
<groupId>org.apache.maven.plugins</groupId>
1672+
<artifactId>maven-enforcer-plugin</artifactId>
1673+
<version>3.5.0</version>
1674+
<executions>
1675+
<execution>
1676+
<id>ban-vulnerable-dependencies</id>
1677+
<goals>
1678+
<goal>enforce</goal>
1679+
</goals>
1680+
<configuration>
1681+
<rules>
1682+
<bannedDependencies>
1683+
<excludes>
1684+
<!-- superseded by bcprov-jdk18on; 1.70 carries multiple open CVEs -->
1685+
<exclude>org.bouncycastle:bcprov-jdk15on</exclude>
1686+
<!-- EOL okhttp 2.x line -->
1687+
<exclude>com.squareup.okhttp:*</exclude>
1688+
<!-- okio-jvm below 3.4.0 is affected by CVE-2023-3635 -->
1689+
<exclude>com.squareup.okio:okio-jvm:[,3.4.0)</exclude>
1690+
<!-- commons-lang3 below 3.18.0 is affected by CVE-2025-48924 -->
1691+
<exclude>org.apache.commons:commons-lang3:[,3.18.0)</exclude>
1692+
<!-- JSP engine, unused by FE; 9.0.93 carries CVE-2025-55754/CVE-2025-52434 -->
1693+
<exclude>org.apache.tomcat:*</exclude>
1694+
<exclude>org.apache.tomcat.embed:*</exclude>
1695+
<!-- tencentcloud-sdk below 3.1.1471 drags in EOL okhttp 2.7.5 -->
1696+
<exclude>com.tencentcloudapi:*:[,3.1.1471)</exclude>
1697+
</excludes>
1698+
</bannedDependencies>
1699+
</rules>
1700+
</configuration>
1701+
</execution>
1702+
</executions>
1703+
</plugin>
1704+
</plugins>
1705+
</build>
1706+
16291707
<reporting>
16301708
<plugins>
16311709
<plugin>

java-extensions/odps-reader/pom.xml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -91,9 +91,23 @@
9191
<artifactId>lz4-pure-java</artifactId>
9292
<groupId>org.lz4</groupId>
9393
</exclusion>
94+
<!-- aliyun-java-auth drags in bcprov-jdk15on 1.70 (multiple CVEs);
95+
bcprov-jdk18on 1.84 on the classpath provides the same packages -->
96+
<exclusion>
97+
<groupId>org.bouncycastle</groupId>
98+
<artifactId>bcprov-jdk15on</artifactId>
99+
</exclusion>
94100
</exclusions>
95101
</dependency>
96102

103+
<!-- aliyun-java-auth needs org.bouncycastle.*; the vulnerable bcprov-jdk15on
104+
is excluded above, so ship bcprov-jdk18on in odps-reader-lib instead
105+
(each BE reader has its own isolated classpath) -->
106+
<dependency>
107+
<groupId>org.bouncycastle</groupId>
108+
<artifactId>bcprov-jdk18on</artifactId>
109+
</dependency>
110+
97111
<dependency>
98112
<groupId>com.fasterxml.jackson.core</groupId>
99113
<artifactId>jackson-databind</artifactId>

java-extensions/pom.xml

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -360,6 +360,12 @@
360360
<groupId>org.slf4j</groupId>
361361
<artifactId>slf4j-reload4j</artifactId>
362362
</exclusion>
363+
<!-- json-simple 1.1.1 leaks junit 4.10 as a compile dependency
364+
(CVE-2020-15250); it must not ship in the runtime lib -->
365+
<exclusion>
366+
<groupId>junit</groupId>
367+
<artifactId>junit</artifactId>
368+
</exclusion>
363369
</exclusions>
364370
</dependency>
365371

@@ -515,6 +521,30 @@
515521
<artifactId>jackson-core</artifactId>
516522
<version>${jackson.version}</version>
517523
</dependency>
524+
<!-- 3.18.0 fixes CVE-2025-48924; udf-extensions bundles this into its
525+
jar-with-dependencies shipped under be/lib/jni-packages -->
526+
<dependency>
527+
<groupId>org.apache.commons</groupId>
528+
<artifactId>commons-lang3</artifactId>
529+
<version>3.18.0</version>
530+
</dependency>
531+
<!-- hadoop-yarn-common drags in 2.12.7 copies of these; keep them
532+
aligned with the managed jackson version -->
533+
<dependency>
534+
<groupId>com.fasterxml.jackson.jaxrs</groupId>
535+
<artifactId>jackson-jaxrs-base</artifactId>
536+
<version>${jackson.version}</version>
537+
</dependency>
538+
<dependency>
539+
<groupId>com.fasterxml.jackson.jaxrs</groupId>
540+
<artifactId>jackson-jaxrs-json-provider</artifactId>
541+
<version>${jackson.version}</version>
542+
</dependency>
543+
<dependency>
544+
<groupId>com.fasterxml.jackson.module</groupId>
545+
<artifactId>jackson-module-jaxb-annotations</artifactId>
546+
<version>${jackson.version}</version>
547+
</dependency>
518548
<!-- jackson -->
519549

520550
<!-- apache arrow -->
@@ -652,6 +682,37 @@
652682

653683
<build>
654684
<plugins>
685+
<plugin>
686+
<groupId>org.apache.maven.plugins</groupId>
687+
<artifactId>maven-enforcer-plugin</artifactId>
688+
<version>3.5.0</version>
689+
<executions>
690+
<execution>
691+
<id>ban-vulnerable-dependencies</id>
692+
<goals>
693+
<goal>enforce</goal>
694+
</goals>
695+
<configuration>
696+
<rules>
697+
<bannedDependencies>
698+
<excludes>
699+
<!-- superseded by bcprov-jdk18on; 1.70 carries multiple open CVEs -->
700+
<exclude>org.bouncycastle:bcprov-jdk15on</exclude>
701+
<!-- junit must never leak into runtime libs (CVE-2020-15250);
702+
test scope stays allowed -->
703+
<exclude>junit:junit:*:jar:compile</exclude>
704+
<exclude>junit:junit:*:jar:runtime</exclude>
705+
<!-- keep jackson-jaxrs aligned with the managed jackson version -->
706+
<exclude>com.fasterxml.jackson.jaxrs:*:[,2.15.0)</exclude>
707+
<!-- commons-lang3 below 3.18.0 is affected by CVE-2025-48924 -->
708+
<exclude>org.apache.commons:commons-lang3:[,3.18.0)</exclude>
709+
</excludes>
710+
</bannedDependencies>
711+
</rules>
712+
</configuration>
713+
</execution>
714+
</executions>
715+
</plugin>
655716
<plugin>
656717
<groupId>org.apache.maven.plugins</groupId>
657718
<artifactId>maven-compiler-plugin</artifactId>

java-extensions/udf-extensions/pom.xml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,6 @@
4343
<dependency>
4444
<groupId>org.apache.commons</groupId>
4545
<artifactId>commons-lang3</artifactId>
46-
<version>3.9</version>
4746
</dependency>
4847

4948
<!-- Apache Arrow: vectorized ("input"="arrow") Java UDF support.

0 commit comments

Comments
 (0)