Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SNOW-945927 SNOW-945928 Fix Snyk vulnerabilities #641

Merged
merged 1 commit into from
Oct 19, 2023
Merged

SNOW-945927 SNOW-945928 Fix Snyk vulnerabilities #641

merged 1 commit into from
Oct 19, 2023

Conversation

sfc-gh-lsembera
Copy link
Contributor

This PR resolves the following Snyk findings:

  • bc-fips - In our e2e-jar-test project we depend on snowflake-jdbc-fips, which transitively depends on a vulnerable version of bc-fips. We explicitly pull in a newer version.
  • protobuf-java - SDK contains vulnerable transitive dependency pull in by hadoop-common. This PR marks protobuf-java as a direct dependency, so version specified by the SDK will be pulled in.

Closes #610
Closes #611
Closes #612
Closes #613
Closes #614
Closes #615
Closes #616
Closes #617
Closes #618
Closes #622
Closes #623
Closes #624
Closes #625

@sfc-gh-lsembera sfc-gh-lsembera requested review from sfc-gh-tzhang and a team as code owners October 19, 2023 15:17
@sfc-gh-xhuang
Copy link
Contributor

sfc-gh-xhuang commented Oct 19, 2023
edited
Loading

Is snowflake-jdbc-fips not updated to a newer version of bc-fips yet?

Should we just wait for them to upgrade? snowflakedb/snowflake-jdbc#1449
I've pinged on JIRA

sfc-gh-rcheng
sfc-gh-rcheng approved these changes Oct 19, 2023
View reviewed changes
Copy link
Collaborator

@sfc-gh-rcheng sfc-gh-rcheng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!

@sfc-gh-lsembera sfc-gh-lsembera merged commit 38d30c6 into master Oct 19, 2023
10 checks passed
@sfc-gh-lsembera sfc-gh-lsembera deleted the lsembera/additional-snyk-fixes branch October 19, 2023 19:23
@sfc-gh-lsembera
Copy link
Contributor Author

@sfc-gh-xhuang It does not hurt to update on our side, as well. This project is anyway just testing compatibility with fips. The customer would be defining which snowflake-jdbc-fips version version to use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sfc-gh-rcheng sfc-gh-rcheng sfc-gh-rcheng approved these changes

@sfc-gh-tzhang sfc-gh-tzhang Awaiting requested review from sfc-gh-tzhang sfc-gh-tzhang is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-3040284 Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-3040284 Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-2331703 Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-2331703 Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-2331703
Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-3040284 Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-3167772 Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-3167772 Snyk: snowflake-ingest-java com.google.protobuf:protobuf-java 2.5.0 | Snyk ID - SNYK-JAVA-COMGOOGLEPROTOBUF-3167772 Snyk: snowflake-ingest-java org.bouncycastle:bc-fips 1.0.2.1 | Snyk ID - SNYK-JAVA-ORGBOUNCYCASTLE-3136316
3 participants
@sfc-gh-lsembera @sfc-gh-xhuang @sfc-gh-rcheng