[Security] org.inferred:freebuilder:1.14.9 dependency causes Bookkeeper to be flagged for jQuery vulnerabilities #2732
BookKeeper does not have a Web UI btw. I agree that we can mark it as "optional" or exclude it at all.
lhotari added a commit to lhotari/bookkeeper that referenced this issue on Jun 10, 2021:

…ype in build
Fixes apache#2732
- Freebuilder shouldn't be exposed as a transitive dependency - it's an annotation processor which should be defined
  - optional in maven
  - compileOnly in gradle
lhotari added a commit to datastax/bookkeeper that referenced this issue on Jun 16, 2021:

…ype in build
Fixes apache#2732
- Freebuilder shouldn't be exposed as a transitive dependency - it's an annotation processor which should be defined
  - optional in maven
  - compileOnly in gradle
sijie pushed a commit to apache/pulsar that referenced this issue on Jun 18, 2021:

### Motivation
[Freebuilder](https://github.com/inferred/FreeBuilder) is an annotation processor used in Bookkeeper's StorageClientSetting interface: https://github.com/apache/bookkeeper/blob/16e8ba772bb5cf4c7546fb559bd9d455d4e42625/stream/clients/java/base/src/main/java/org/apache/bookkeeper/clients/config/StorageClientSettings.java#L27-L33
The annotation processor is only needed at compile time. The Freebuilder library gets flagged as a vulnerable library by Sonatype IQ. This causes Pulsar distribution to be flagged as vulnerable since Freebuilder is a transitive dependency.
### Additional context
There's a separate issue in Bookkeeper to change the dependency to optional / compileOnly: apache/bookkeeper#2732
### Modifications
Exclude freebuilder library and replace the code that used shaded dependencies from the freebuilder library.
yangl pushed a commit to yangl/pulsar that referenced this issue on Jun 23, 2021 (same commit message as the apache/pulsar commit above).
codelipenghui pushed a commit to apache/pulsar that referenced this issue on Jun 25, 2021:

### Motivation
[Freebuilder](https://github.com/inferred/FreeBuilder) is an annotation processor used in Bookkeeper's StorageClientSetting interface: https://github.com/apache/bookkeeper/blob/16e8ba772bb5cf4c7546fb559bd9d455d4e42625/stream/clients/java/base/src/main/java/org/apache/bookkeeper/clients/config/StorageClientSettings.java#L27-L33
The annotation processor is only needed at compile time. The Freebuilder library gets flagged as a vulnerable library by Sonatype IQ. This causes Pulsar distribution to be flagged as vulnerable since Freebuilder is a transitive dependency.
### Additional context
There's a separate issue in Bookkeeper to change the dependency to optional / compileOnly: apache/bookkeeper#2732
### Modifications
Exclude freebuilder library and replace the code that used shaded dependencies from the freebuilder library.

(cherry picked from commit 406770c)
Ghatage pushed a commit that referenced this issue on Jun 27, 2021:

Fixes #2732
### Motivation
- Freebuilder 1.14.9 contains an outdated jquery js file which causes the library to be flagged as vulnerable with the highest threat level in Sonatype IQ vulnerability scanner. This also flags Bookkeeper and Pulsar as vulnerable with the highest threat level although it is a false positive and not an actual threat.
- Freebuilder shouldn't be exposed as a transitive dependency - it's an annotation processor which should be defined
  - [optional in maven](https://github.com/inferred/FreeBuilder#maven)
  - [compileOnly in gradle](https://github.com/inferred/FreeBuilder#gradle)
### Changes
- upgrade [Freebuilder](https://github.com/inferred/FreeBuilder) from 1.14.9 to 2.7.0
- make dependency optional in maven pom.xml
- use `compileOnly` instead of `implementation` in gradle build

Reviewers: Sijie Guo <None>

This closes #2734 from lhotari/lh-fix-freebuilder-dependency-issue
zymap pushed a commit that referenced this issue on Aug 18, 2021:

Fixes #2732
### Motivation
- Freebuilder 1.14.9 contains an outdated jquery js file which causes the library to be flagged as vulnerable with the highest threat level in Sonatype IQ vulnerability scanner. This also flags Bookkeeper and Pulsar as vulnerable with the highest threat level although it is a false positive and not an actual threat.
- Freebuilder shouldn't be exposed as a transitive dependency - it's an annotation processor which should be defined
  - [optional in maven](https://github.com/inferred/FreeBuilder#maven)
  - [compileOnly in gradle](https://github.com/inferred/FreeBuilder#gradle)
### Changes
- upgrade [Freebuilder](https://github.com/inferred/FreeBuilder) from 1.14.9 to 2.7.0
- make dependency optional in maven pom.xml
- use `compileOnly` instead of `implementation` in gradle build

Reviewers: Sijie Guo <None>

This closes #2734 from lhotari/lh-fix-freebuilder-dependency-issue

(cherry picked from commit a445728)
bharanic-dev pushed a commit to bharanic-dev/pulsar that referenced this issue on Mar 18, 2022 (same commit message as the apache/pulsar commit above).
Ghatage pushed a commit to sijie/bookkeeper that referenced this issue on Jul 12, 2024:

Fixes apache#2732
### Motivation
- Freebuilder 1.14.9 contains an outdated jquery js file which causes the library to be flagged as vulnerable with the highest threat level in Sonatype IQ vulnerability scanner. This also flags Bookkeeper and Pulsar as vulnerable with the highest threat level although it is a false positive and not an actual threat.
- Freebuilder shouldn't be exposed as a transitive dependency - it's an annotation processor which should be defined
  - [optional in maven](https://github.com/inferred/FreeBuilder#maven)
  - [compileOnly in gradle](https://github.com/inferred/FreeBuilder#gradle)
### Changes
- upgrade [Freebuilder](https://github.com/inferred/FreeBuilder) from 1.14.9 to 2.7.0
- make dependency optional in maven pom.xml
- use `compileOnly` instead of `implementation` in gradle build

Reviewers: Sijie Guo <None>

This closes apache#2734 from lhotari/lh-fix-freebuilder-dependency-issue
BUG REPORT

The org.inferred:freebuilder:1.14.9 dependency causes Bookkeeper to be flagged for jQuery vulnerabilities.
This happens in the Sonatype IQ vulnerability scanner which will also scan embedded js files. For example, it finds jQuery at the path
org/inferred/freebuilder/shaded/org/openjdk/tools/javadoc/internal/doclets/formats/html/resources/jquery/external/jquery jquery-1.10.2.js
inside the freebuilder jar file.

Expected behavior

Bookkeeper shouldn't expose freebuilder as a dependency at all. It's an annotation processor which should be defined as an optional dependency in maven and with `compileOnly` in gradle.
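The report above rests on one piece of evidence: a jQuery build sitting as a `.js` member inside the jar, under a shaded javadoc-tool resource tree. The following script reproduces that kind of scan and adds the triage step a reviewer needs before deciding whether the finding applies to the consumer. It is an added example written for this issue, not code from BookKeeper, FreeBuilder or Sonatype. The jar it scans is constructed in memory: the member path is modelled on the one quoted in the report, the jQuery banner follows the format real 1.x builds carry, and the class name and stub bodies are made up. The `is_shaded_tool_resource` heuristic is an assumption about path naming, not a rule any scanner uses.

```python
"""Report embedded JavaScript libraries inside a jar and where they live.

Added example for this issue; not code from BookKeeper, FreeBuilder or
Sonatype. It shows the evidence a scanner such as Sonatype IQ reacts to (a
jQuery banner inside a .js member of the jar) and a triage helper that tells
a copy buried in shaded javadoc-tool resources apart from one a library would
actually serve. The jar is constructed in memory; the member path is modelled
on the one quoted in the issue, and the banner text and class name are made up.
"""
import io
import re
import sys
import zipfile

# jQuery builds start with a banner such as
#   /*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
# Older builds write "jQuery JavaScript Library v1.x.y" instead; both are matched.
JQUERY_BANNER = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)")


def find_embedded_js(jar_bytes):
    """Return (path, library, version) for every .js member of the jar.

    library/version are None when the member carries no recognised banner, so
    unidentified scripts still surface for manual triage instead of vanishing.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".js"):
                continue
            # The banner is on the first line; cap the read so a large bundle
            # is not fully decompressed just to identify it.
            with jar.open(info) as member:
                head = member.read(4096)
            match = JQUERY_BANNER.search(head)
            if match:
                findings.append((info.filename, "jquery", match.group(1).decode()))
            else:
                findings.append((info.filename, None, None))
    return findings


def is_shaded_tool_resource(path):
    """Triage heuristic (an assumption about naming, not a scanner rule): a copy
    under a shaded (relocated) javadoc/doclet resource tree is cargo of a bundled
    build tool, not content the library serves to browsers. Both path components
    appear in the path quoted in the issue."""
    return "/shaded/" in path and "/javadoc/" in path


def triage(jar_bytes):
    """Pair each finding with a verdict a reviewer can act on."""
    report = []
    for path, library, version in find_embedded_js(jar_bytes):
        if library is None:
            verdict = "unidentified script, inspect by hand"
        elif is_shaded_tool_resource(path):
            verdict = "embedded build-tool resource, likely false positive for the consumer"
        else:
            verdict = "library-served script, treat the version as exposed"
        report.append({"path": path, "library": library, "version": version, "verdict": verdict})
    return report


def build_demo_jar():
    """Construct an in-memory jar shaped like the one described in the issue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        # Constructed placeholder class so the jar looks like a library, not just resources.
        jar.writestr("org/inferred/freebuilder/processor/Processor.class", b"\xca\xfe\xba\xbe")
        # Constructed: relocated javadoc resources carrying a jQuery copy (stub body).
        jar.writestr(
            "org/inferred/freebuilder/shaded/org/openjdk/tools/javadoc/internal/doclets/"
            "formats/html/resources/jquery/external/jquery/jquery-1.10.2.js",
            b"/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license */\n"
            b"(function(window){ /* stub body */ })(window);\n",
        )
        # Constructed: a script with no banner, to exercise the unidentified branch.
        jar.writestr("META-INF/resources/util.js", b"function noop() {}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Scan a real jar if a path is given, otherwise the constructed demo jar.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_jar()
    for entry in triage(data):
        print(f"{entry['path']}\n    {entry['library']} {entry['version']}: {entry['verdict']}")
```

Run it against a downloaded jar with `python scan_jar_js.py path/to/artifact.jar`; with no argument it scans the constructed jar. The verdict only helps with triage. The fix that actually removes the finding from consumers is the one the issue asks for: declaring the annotation processor optional in Maven and `compileOnly` in Gradle, so the jar never reaches downstream dependency trees in the first place.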