
Fix vulnerability issues on presto-redshift, commons-compress and snappy-java#25106

Merged
ZacBlanco merged 1 commit into prestodb:master from ShahimSharafudeen:whitesource_scan_cve_fix on May 19, 2025

Conversation

@ShahimSharafudeen ShahimSharafudeen commented May 14, 2025

Contributor

Description

Fix the vulnerability issues in postgresql, commons-compress and snappy-java

  1. Upgrade commons-compress version to 1.26.2 across the codebase to address CVE-2021-35517, CVE-2021-35516, CVE-2021-36090, CVE-2021-35515 and CVE-2024-25710
  2. Replace dependency from PostgreSQL to redshift-jdbc42 to address CVE-2024-1597, CVE-2022-31197 and CVE-2020-13692
  3. Upgrade snappy-java version to 1.1.10.4 across the codebase to address CVE-2023-43642

Motivation and Context

These dependency upgrades were implemented to mitigate CVEs present in previous versions

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Upgrade commons-compress version to 1.26.2 across the codebase to address 'CVE-2021-35517 <https://github.com/advisories/GHSA-xqfj-vm6h-2x34>', 'CVE-2021-35516 <https://github.com/advisories/GHSA-crv7-7245-f45f>', 'CVE-2021-36090 <https://github.com/advisories/GHSA-mc84-pj99-q6hh>', 'CVE-2021-35515 <https://github.com/advisories/GHSA-7hfm-57qf-j43q>' and 'CVE-2024-25710 <https://github.com/advisories/GHSA-4g9r-vxhx-9pgx>'
* Replace dependency from PostgreSQL to redshift-jdbc42 to address 'CVE-2024-1597 <https://github.com/advisories/GHSA-24rp-q3w6-vc56>', 'CVE-2022-31197 <https://github.com/advisories/GHSA-r38f-c4h4-hqq2>' and 'CVE-2020-13692 <https://github.com/advisories/GHSA-88cc-g835-76rp>'
* Upgrade snappy-java version to 1.1.10.4 across the codebase to address 'CVE-2023-43642 <https://github.com/advisories/GHSA-55g7-9cwv-5qfv>'
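A regression check for the dependency floors this PR sets, added here as an example and not part of the PR or the Presto code base: it walks a Maven POM (a constructed sample is embedded), resolves `${...}` version properties as Maven poms commonly declare them, and flags commons-compress below 1.26.2, snappy-java below 1.1.10.4, or a remaining org.postgresql:postgresql dependency. The Maven group IDs are assumed from the artifact names in the PR.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Minimum fixed versions named in the PR description.
MIN_VERSIONS = {
    ("org.apache.commons", "commons-compress"): "1.26.2",
    ("org.xerial.snappy", "snappy-java"): "1.1.10.4",
}
# The PR replaces this driver with redshift-jdbc42, so its presence is a finding.
DISALLOWED = {("org.postgresql", "postgresql")}

def parse_version(v):
    """Turn '1.1.10.4' into (1, 1, 10, 4) so versions compare numerically."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in v.split("."))

def resolve(ver, props):
    """Expand a ${property} reference against the POM's <properties> block."""
    return props.get(ver[2:-1], "") if ver.startswith("${") and ver.endswith("}") else ver

def audit_pom(pom_xml):
    """Return findings for dependencies that regress the fixes in this PR."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", "", NS)
        aid = dep.findtext("m:artifactId", "", NS)
        ver = resolve(dep.findtext("m:version", "", NS).strip(), props)
        key = (gid, aid)
        if key in DISALLOWED:
            findings.append(f"{gid}:{aid} present; PR replaces it with redshift-jdbc42")
        elif key in MIN_VERSIONS and ver and parse_version(ver) < parse_version(MIN_VERSIONS[key]):
            findings.append(f"{gid}:{aid} {ver} is below fixed version {MIN_VERSIONS[key]}")
    return findings

# Constructed sample POM (not from the Presto repository) that regresses all three fixes.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><dep.snappy.version>1.1.10.1</dep.snappy.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId><version>1.21</version></dependency>
    <dependency><groupId>org.xerial.snappy</groupId>
      <artifactId>snappy-java</artifactId><version>${dep.snappy.version}</version></dependency>
    <dependency><groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId><version>0.0-sample</version></dependency>
  </dependencies>
</project>"""
```

Dependencies whose version is inherited from dependencyManagement carry no `<version>` element and are skipped, so run the check on the effective POM (`mvn help:effective-pom`) to cover those too.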

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label May 14, 2025
@ShahimSharafudeen ShahimSharafudeen force-pushed the whitesource_scan_cve_fix branch 4 times, most recently from f3de88a to 83dfe5d, May 14, 2025 17:20
@ShahimSharafudeen ShahimSharafudeen marked this pull request as ready for review May 14, 2025 17:42
@ShahimSharafudeen ShahimSharafudeen requested review from a team and shrinidhijoshi as code owners May 14, 2025 17:42
@prestodb-ci prestodb-ci requested review from a team, Dilli-Babu-Godari and wanglinsong and removed request for a team May 14, 2025 17:42
@ShahimSharafudeen ShahimSharafudeen force-pushed the whitesource_scan_cve_fix branch from 83dfe5d to c080f3f, May 15, 2025 08:06
@aaneja aaneja changed the title Fix vulnerability issues on postgresql, commons-compress and helix-core Fix vulnerability issues on presto-redshift, commons-compress and helix-core May 15, 2025
aaneja
aaneja previously approved these changes May 15, 2025
Comment thread presto-pinot-toolkit/pom.xml Outdated
Upgrade commons-compress version at 1.26.2 across the codebase to address security vulnerabilities
Upgrade snappy-java version at 1.1.10.4 across the codebase to address security vulnerabilities
Replace dependency from PostgreSQL to redshift-jdbc42 to address security vulnerabilities
@ShahimSharafudeen ShahimSharafudeen changed the title Fix vulnerability issues on presto-redshift, commons-compress and helix-core Fix vulnerability issues on presto-redshift, commons-compress and snappy-java May 16, 2025
@ShahimSharafudeen ShahimSharafudeen force-pushed the whitesource_scan_cve_fix branch from c080f3f to d32c0a8, May 16, 2025 05:23

@ZacBlanco ZacBlanco left a comment

Contributor


LGTM! Thanks @ShahimSharafudeen

@ZacBlanco ZacBlanco merged commit 60941a7 into prestodb:master May 19, 2025
97 checks passed
@ZacBlanco ZacBlanco mentioned this pull request May 29, 2025