HBASE-28089 Upgrade BouncyCastle to fix CVE-2023-33201 #5407

Merged: 3 commits, Sep 20, 2023
2 changes: 1 addition & 1 deletion hbase-asyncfs/pom.xml
@@ -75,7 +75,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
4 changes: 2 additions & 2 deletions hbase-common/pom.xml
@@ -154,12 +154,12 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<artifactId>bcpkix-jdk18on</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
2 changes: 1 addition & 1 deletion hbase-endpoint/pom.xml
@@ -101,7 +101,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
2 changes: 1 addition & 1 deletion hbase-examples/pom.xml
@@ -152,7 +152,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
14 changes: 13 additions & 1 deletion hbase-http/pom.xml
@@ -107,7 +107,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
@@ -170,12 +170,24 @@
<artifactId>apacheds-core</artifactId>
<version>${apacheds.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.directory.server</groupId>
<artifactId>apacheds-protocol-ldap</artifactId>
<version>${apacheds.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.directory.server</groupId>
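Review bot: the two new exclusion blocks remove bcprov-jdk15on from apacheds-core and apacheds-protocol-ldap, which means ApacheDS will resolve its Bouncy Castle classes from the bcprov-jdk18on test dependency declared above in this module; since the build output in the review thread shows ApacheDS was pulling bcprov-jdk15on:1.62 transitively, please confirm the hbase-http tests that start an ApacheDS instance still pass against 1.76. The third org.apache.directory.server dependency that begins at the bottom of the hunk is cut off; if it also pulls bcprov-jdk15on, the searchTransitive rule in the root pom will fail the build, but giving it the same exclusion block would keep the three declarations consistent.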
2 changes: 1 addition & 1 deletion hbase-mapreduce/pom.xml
@@ -213,7 +213,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
@@ -586,10 +586,10 @@ under the License.
<supplement>
<project>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<artifactId>bcpkix-jdk18on</artifactId>

<licenses>
<!-- bcpkix-jdk15on is licensed under the Bouncy Castle License, which is equivalent to the MIT License -->
<!-- bcpkix-jdk18on is licensed under the Bouncy Castle License, which is equivalent to the MIT License -->
<license>
<name>MIT License</name>
<url>http://www.opensource.org/licenses/mit-license.php</url>
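Review bot: the artifactId and the comment above it are renamed together here, which is right; since the supplement is keyed on the exact artifactId, please also check whether this file carries a sibling entry for bcprov-jdk15on and rename it the same way, otherwise that license metadata silently stops applying once the artifact becomes bcprov-jdk18on.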
2 changes: 1 addition & 1 deletion hbase-rest/pom.xml
@@ -230,7 +230,7 @@
<!--Test-->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
4 changes: 2 additions & 2 deletions hbase-server/pom.xml
@@ -331,12 +331,12 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<artifactId>bcpkix-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
31 changes: 28 additions & 3 deletions pom.xml
@@ -856,7 +856,7 @@
<joni.version>2.1.43</joni.version>
<jcodings.version>1.0.57</jcodings.version>
<spy.version>2.12.2</spy.version>
<bouncycastle.version>1.70</bouncycastle.version>
<bouncycastle.version>1.76</bouncycastle.version>
Contributor Author
should we add an enforcer rule to ban org.bouncycastle:*-jdk15on or is this fine?

Contributor Author
Fixed, will undo these changes if others feel this is not needed.

Contributor Author
Verified the ban plugin is working correctly by deleting the explicit exclusion from org.apache.directory.server:apacheds-protocol-ldap and letting org.bouncycastle:bcprov-jdk15on dependency come transitively.

Next ran mvn clean verify and the following error is thrown (as expected):

.
.
[INFO] 
[INFO] --------------------< org.apache.hbase:hbase-http >---------------------
[INFO] Building Apache HBase - HTTP 4.0.0-alpha-1-SNAPSHOT              [16/50]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-clean-plugin:3.1.0:clean (default-clean) @ hbase-http ---
[INFO] Deleting /Users/nihaljain/code/os/hbase/hbase-http/target
[INFO] 
[INFO] --- flatten-maven-plugin:1.3.0:clean (flatten.clean) @ hbase-http ---
[INFO] Deleting /Users/nihaljain/code/os/hbase/hbase-http/.flattened-pom.xml
[INFO] 
[INFO] --- build-helper-maven-plugin:3.0.0:bsh-property (negate-license-bundles-property) @ hbase-http ---
[INFO] 
[INFO] --- build-helper-maven-plugin:3.0.0:regex-property (create-license-file-path-property) @ hbase-http ---
[INFO] No match to regex '\\' found in '/Users/nihaljain/code/os/hbase/hbase-http/target/maven-shared-archive-resources/META-INF/LICENSE'. The initial value '/Users/nihaljain/code/os/temp/hbase/hbase-http/target/maven-shared-archive-resources/META-INF/LICENSE' is left as-is...
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-maven-version) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (hadoop-profile-min-maven-min-java-banned-xerces) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-jsr305) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-scala) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-commons-logging) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-other-logging-framework) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-jetty) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-jersey) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-htrace) @ hbase-http ---
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-bouncycastle-jdk15on) @ hbase-http ---
[WARNING] Rule 0: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Use org.bouncycastle:*-jdk18on instead
Found Banned Dependency: org.bouncycastle:bcprov-jdk15on:jar:1.62
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Apache HBase 4.0.0-alpha-1-SNAPSHOT:
[INFO] 
[INFO] Apache HBase ....................................... SUCCESS [  2.544 s]
[INFO] Apache HBase - Checkstyle .......................... SUCCESS [  0.653 s]
[INFO] Apache HBase - Annotations ......................... SUCCESS [  0.916 s]
[INFO] Apache HBase - Build Configuration ................. SUCCESS [  0.165 s]
[INFO] Apache HBase - Logging ............................. SUCCESS [  1.251 s]
[INFO] Apache HBase - Shaded Protocol ..................... SUCCESS [ 36.023 s]
[INFO] Apache HBase - Common .............................. SUCCESS [  9.505 s]
[INFO] Apache HBase - Metrics API ......................... SUCCESS [  1.602 s]
[INFO] Apache HBase - Metrics Implementation .............. SUCCESS [  1.717 s]
[INFO] Apache HBase - Hadoop Compatibility ................ SUCCESS [  3.534 s]
[INFO] Apache HBase - Client .............................. SUCCESS [  9.969 s]
[INFO] Apache HBase - Zookeeper ........................... SUCCESS [  2.485 s]
[INFO] Apache HBase - Replication ......................... SUCCESS [  2.522 s]
[INFO] Apache HBase - Balancer ............................ SUCCESS [  3.402 s]
[INFO] Apache HBase - Resource Bundle ..................... SUCCESS [  0.173 s]
[INFO] Apache HBase - HTTP ................................ FAILURE [  0.702 s]
[INFO] Apache HBase - Asynchronous FileSystem ............. SKIPPED
[INFO] Apache HBase - Procedure ........................... SKIPPED
[INFO] Apache HBase - Server .............................. SKIPPED
[INFO] Apache HBase - MapReduce ........................... SKIPPED
[INFO] Apache HBase - Testing Util ........................ SKIPPED
[INFO] Apache HBase - Thrift .............................. SKIPPED
[INFO] Apache HBase - Shell ............................... SKIPPED
[INFO] Apache HBase - Coprocessor Endpoint ................ SKIPPED
[INFO] Apache HBase - Backup .............................. SKIPPED
[INFO] Apache HBase - Integration Tests ................... SKIPPED
[INFO] Apache HBase - Rest ................................ SKIPPED
[INFO] Apache HBase - Examples ............................ SKIPPED
[INFO] Apache HBase - Shaded .............................. SKIPPED
[INFO] Apache HBase - Shaded - Client (with Hadoop bundled) SKIPPED
[INFO] Apache HBase - Shaded - Client ..................... SKIPPED
[INFO] Apache HBase - Shaded - MapReduce .................. SKIPPED
[INFO] Apache HBase - External Block Cache ................ SKIPPED
[INFO] Apache HBase - HBTop ............................... SKIPPED
[INFO] Apache HBase - Compression ......................... SKIPPED
[INFO] Apache HBase - Compression - Aircompressor ......... SKIPPED
[INFO] Apache HBase - Compression - Brotli ................ SKIPPED
[INFO] Apache HBase - Compression - LZ4 ................... SKIPPED
[INFO] Apache HBase - Compression - Snappy ................ SKIPPED
[INFO] Apache HBase - Compression - XZ .................... SKIPPED
[INFO] Apache HBase - Compression - ZStandard ............. SKIPPED
[INFO] Apache HBase - Assembly ............................ SKIPPED
[INFO] Apache HBase - Shaded - Testing Util ............... SKIPPED
[INFO] Apache HBase - Shaded - Testing Util Tester ........ SKIPPED
[INFO] Apache HBase Shaded Packaging Invariants ........... SKIPPED
[INFO] Apache HBase Shaded Packaging Invariants (with Hadoop bundled) SKIPPED
[INFO] Apache HBase - Archetypes .......................... SKIPPED
[INFO] Apache HBase - Exemplar for hbase-client archetype . SKIPPED
[INFO] Apache HBase - Exemplar for hbase-shaded-client archetype SKIPPED
[INFO] Apache HBase - Archetype builder ................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:18 min
[INFO] Finished at: 2023-09-17T01:38:00+05:30
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (banned-bouncycastle-jdk15on) on project hbase-http: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <args> -rf :hbase-http

<skyscreamer.version>1.5.1</skyscreamer.version>
<kerby.version>1.0.1</kerby.version>
<commons-crypto.version>1.1.0</commons-crypto.version>
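Review bot: the bump from 1.70 to 1.76 goes through the single bouncycastle.version property, so the managed bcprov and bcpkix declarations in every module move together; the question raised in the thread about banning org.bouncycastle:*-jdk15on is answered by the banned-bouncycastle-jdk15on enforcer execution added further down in this pom, and the pasted build output shows it tripping on the transitive bcprov-jdk15on:1.62 jar, which is exactly the case a rename-only change would have missed. A short XML comment next to the property referencing CVE-2023-33201 from the PR title would tell future readers why the version floor matters.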
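The enforcer message in the pasted build output points at `mvn dependency:tree` to locate where a banned artifact enters the graph. As an added example, not code from the HBase project or this PR, here is a small Python checker that reads the text form of that tree, applies enforcer-style `groupId:artifactId[:version[:type[:scope]]]` glob patterns such as `org.bouncycastle:*-jdk15on`, and reports the chain of parents for every hit. The tree text below is constructed for illustration: the `0.0-SAMPLE` versions are placeholders, only the `1.62` jdk15on version and the `4.0.0-alpha-1-SNAPSHOT` module version appear in the PR thread, and the segment ordering of the pattern is an assumption about the enforcer rule, not taken from its source.

```python
import fnmatch
import re

# Constructed sample of `mvn dependency:tree` output for hbase-http.
# The 0.0-SAMPLE versions are placeholders; only bcprov-jdk15on:1.62 and the
# module version come from the PR thread.
SAMPLE_TREE = r"""
[INFO] org.apache.hbase:hbase-http:jar:4.0.0-alpha-1-SNAPSHOT
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.76:test
[INFO] +- org.apache.directory.server:apacheds-core:jar:0.0-SAMPLE:test
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.62:test
[INFO] \- org.apache.directory.server:apacheds-protocol-ldap:jar:0.0-SAMPLE:test
[INFO]    +- org.apache.directory.api:api-ldap-codec-core:jar:0.0-SAMPLE:test
[INFO]    \- org.bouncycastle:bcprov-jdk15on:jar:1.62:test
"""

# Tree line: optional "[INFO] " prefix, then the drawing characters (3 per
# level: "+- ", "\- ", "|  " or "   "), then the coordinate.
_LINE = re.compile(r"^(?:\[INFO\] )?([|+\\ -]*)(\S.*?)\s*$")
# A Maven coordinate has 4 to 6 colon-separated segments.
_COORD = re.compile(r"^[\w.\-]+(?::[\w.\-]+){3,5}$")


def parse_coordinate(coord):
    """Split a tree coordinate into its named fields.

    Forms printed by dependency:tree: g:a:type:version (the root module),
    g:a:type:version:scope, and g:a:type:classifier:version:scope.
    """
    parts = coord.split(":")
    if len(parts) == 6:
        group, artifact, typ, classifier, version, scope = parts
    elif len(parts) == 5:
        group, artifact, typ, version, scope = parts
        classifier = ""
    elif len(parts) == 4:
        group, artifact, typ, version = parts
        classifier, scope = "", "compile"
    else:
        raise ValueError(f"unrecognised coordinate: {coord!r}")
    return {"group": group, "artifact": artifact, "type": typ,
            "classifier": classifier, "version": version, "scope": scope}


def matches_pattern(dep, pattern):
    """Enforcer-style ban pattern (assumed ordering): group[:artifact[:version
    [:type[:scope]]]]. '*' is a wildcard inside a segment; omitted trailing
    segments match anything, so "org.bouncycastle:*-jdk15on" bans every
    version of every jdk15on artifact in that group."""
    keys = ["group", "artifact", "version", "type", "scope"]
    for key, want in zip(keys, pattern.split(":")):
        if not fnmatch.fnmatchcase(dep[key], want):
            return False
    return True


def find_banned(tree_text, patterns):
    """Return one record per banned node: its g:a:v and the g:a:v chain of
    ancestors from the root module down, so the transitive source is obvious."""
    results = []
    stack = []  # ancestors of the current node; index == depth
    for raw in tree_text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        prefix, coord = m.groups()
        if not _COORD.match(coord):
            continue  # banners, plugin headers and other non-coordinate lines
        depth = len(prefix) // 3
        dep = parse_coordinate(coord)
        short = f"{dep['group']}:{dep['artifact']}:{dep['version']}"
        del stack[depth:]  # climb back up to this node's parent
        if any(matches_pattern(dep, p) for p in patterns):
            results.append({"coordinate": short, "path": list(stack)})
        stack.append(short)
    return results


def report(tree_text, patterns):
    """Human-readable summary, one line per hit with its import path."""
    lines = []
    for hit in find_banned(tree_text, patterns):
        lines.append(f"{hit['coordinate']}  via  {' -> '.join(hit['path'])}")
    return "\n".join(lines) if lines else "no banned dependencies found"


if __name__ == "__main__":
    print(report(SAMPLE_TREE, ["org.bouncycastle:*-jdk15on"]))
```

Run against real output (`mvn dependency:tree > tree.txt`, then feed the file to `report`) the two hits above correspond to the two apacheds exclusions added in hbase-http/pom.xml; the checker is only a triage aid, the authoritative gate is the enforcer rule itself.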
@@ -1621,7 +1621,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<artifactId>bcprov-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
<scope>test</scope>
</dependency>
@@ -1633,7 +1633,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
<scope>test</scope>
</dependency>
@@ -2399,6 +2399,23 @@
</rules>
</configuration>
</execution>
<execution>
<id>banned-bouncycastle-jdk15on</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<exclude>org.bouncycastle:*-jdk15on</exclude>
</excludes>
<message>Use org.bouncycastle:*-jdk18on instead</message>
<searchTransitive>true</searchTransitive>
</bannedDependencies>
</rules>
</configuration>
</execution>
<execution>
<id>check-aggregate-license</id>
<goals>
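Review bot: `<exclude>org.bouncycastle:*-jdk15on</exclude>` combined with `<searchTransitive>true</searchTransitive>` is the right shape for this rule: there is no version segment, so every release of the old artifact line is banned rather than just 1.70, and the build output in the thread shows it catching bcprov-jdk15on:1.62 arriving through apacheds, which is the case a rename-only change misses. Two small suggestions: the pattern only covers the `-jdk15on` suffix, so consider whether any other legacy Bouncy Castle artifact suffixes that could enter the graph transitively should be listed alongside it; and an XML comment above this execution pointing at CVE-2023-33201 would explain to the next reader why the old artifacts are banned outright rather than version-pinned.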
@@ -4070,6 +4087,14 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-reload4j</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
<exclusion>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
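Review bot: the dependency that receives these two exclusions sits outside the visible context, so the hunk does not show which artifact was pulling bcprov-jdk15on and bcpkix-jdk15on transitively; a comment naming it, or the `mvn dependency:tree` path, would help whoever touches this block next. An exclusion removes the jar but not the dependent's need for its classes, so please confirm that bcprov-jdk18on and bcpkix-jdk18on are present in the same scope wherever this dependency is used, otherwise the Bouncy Castle classes it expects will be missing at runtime.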