debezium-connector-spanner-3.0/3.0.4-r0: cve remediation (#36050)
GHSA-5mg8-w23w-74h3 relates to guava, which comes from a transitive
dependency:

```
[INFO] --- dependency:3.1.1:tree (default-cli) @ debezium-connector-spanner ---
[INFO] io.debezium:debezium-connector-spanner:jar:3.0.4.Final
[INFO] \- com.google.cloud:google-cloud-spanner:jar:6.30.1:compile
[INFO]    \- com.google.guava:guava:jar:32.0.0-jre:import
```

Remediating this involved bumping `google-cloud-spanner`, as opposed to
attempting to bump guava as a top-level dependency in this application.
It seems to have remediated the CVE. I also expanded the tests to try
and cover a functional test from melange.

--------------

debezium-connector-spanner-3.0/3.0.4-r0: fix GHSA-5mg8-w23w-74h3

Advisory data:
https://github.com/wolfi-dev/advisories/blob/main/debezium-connector-spanner-3.0.advisories.yaml

---------

Signed-off-by: Mark McCormick <[email protected]>
Co-authored-by: octo-sts[bot] <[email protected]>
Co-authored-by: Mark McCormick <[email protected]>
3 people authored Dec 12, 2024
1 parent 024518f commit ed7883c
Showing 4 changed files with 35 additions and 18 deletions.
10 changes: 7 additions & 3 deletions debezium-connector-spanner-3.0.yaml
@@ -1,7 +1,7 @@
package:
name: debezium-connector-spanner-3.0
version: 3.0.4
epoch: 1
epoch: 2
description: An incubating Debezium CDC connector for Google Spanner
copyright:
- license: Apache-2.0
Expand Down Expand Up @@ -77,6 +77,10 @@ test:
- name: Verify JAR presence
runs: |
test -f /usr/share/java/debezium/debezium-connector-spanner/debezium-connector-spanner-${{package.version}}.Final.jar
- name: Validate JAR metadata
- name: Simple functional initialization test
runs: |
jar tf /usr/share/java/debezium/debezium-connector-spanner/debezium-connector-spanner-${{package.version}}.Final.jar | grep -q "META-INF/MANIFEST.MF"
# SimpleTest.java is located in melange, under the folder associated with this package.
cp SimpleTest.java /usr/share/java/debezium/debezium-connector-spanner
cd /usr/share/java/debezium/debezium-connector-spanner
javac SimpleTest.java
java -cp ".:/usr/share/java/debezium/debezium-connector-spanner/*" SimpleTest
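Review bot: the renamed test "Simple functional initialization test" now carries both the manifest grep (unchanged context line `jar tf ... | grep -q "META-INF/MANIFEST.MF"`) and the compile-and-run steps, so a failure is no longer attributable to one check; keep "Validate JAR metadata" as its own entry and put only the `cp`/`javac`/`java` lines under the new name. Two further points on this hunk: the test writes SimpleTest.java into the installed `/usr/share/java/debezium/debezium-connector-spanner` tree, so compile it in a scratch directory and keep `-cp` pointing at the install path instead; and the hunk does not show the test environment, so confirm that `javac` and `java` are provided there or the new step cannot run.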
16 changes: 16 additions & 0 deletions debezium-connector-spanner-3.0/SimpleTest.java
@@ -0,0 +1,16 @@
/**
* Simple test to verify the Debezium Spanner Connector is properly installed and loadable.
* Tests class loading functionality by attempting to load a core connector class.
*/
public class SimpleTest {
public static void main(String[] args) {
try {
Class<?> cls = Class.forName("io.debezium.connector.spanner.SpannerStreamingChangeEventSource");
System.out.println("Successfully loaded class");
System.exit(0);
} catch (Exception e) {
e.printStackTrace();
System.exit(1);
}
}
}
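Review bot: `catch (Exception e)` does not cover the failures this test is most likely to hit: a missing transitive dependency surfaces from `Class.forName` as `NoClassDefFoundError` or `ExceptionInInitializerError`, which are `Error`s and bypass the handler. The JVM still exits non-zero on an uncaught error, so the test outcome is correct, but catching `Throwable` (or simply letting everything propagate) makes that intent explicit. Also, `cls` is assigned and never used; printing `cls.getName()` in the success message would show which class was actually loaded.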
23 changes: 8 additions & 15 deletions debezium-connector-spanner-3.0/pombump-deps.yaml
@@ -1,16 +1,9 @@
patches:
# Mitigates CVE-2023-1428, CVE-2023-32732 and CVE-2023-32731
- groupId: io.grpc
artifactId: grpc-protobuf
version: 1.53.0
scope: import
type: jar
# Mitigates CVE-2024-7254
- groupId: com.google.protobuf
artifactId: protobuf-java
version: 3.25.5
# Mitigates CVE-2020-8908 and CVE-2023-2976
# FIXME: Resulting build faiure after major version bump to 32.1.2-jre.
# - groupId: com.google.guava
# artifactId: guava
# version: 32.1.2-jre
- groupId: io.grpc
artifactId: grpc-protobuf
version: 1.53.0
scope: import
type: jar
- groupId: com.google.protobuf
artifactId: protobuf-java
version: 3.25.5
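Review bot: the `# Mitigates CVE-2023-1428, CVE-2023-32732 and CVE-2023-32731` and `# Mitigates CVE-2024-7254` comments are removed together with the guava FIXME block, while the grpc-protobuf 1.53.0 and protobuf-java 3.25.5 pins themselves are kept unchanged, so the remaining entries lose the record of why they exist. Keep those two comment lines above their respective entries so the pins can be retired once the upstream dependency moves past the fixed versions.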
4 changes: 4 additions & 0 deletions debezium-connector-spanner-3.0/pombump-properties.yaml
@@ -0,0 +1,4 @@

properties:
- property: google.cloud.spanner.version
value: "6.82.0"
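Review bot: the new property carries no comment tying `google.cloud.spanner.version` 6.82.0 to GHSA-5mg8-w23w-74h3, unlike the `# Mitigates ...` convention used in pombump-deps.yaml; add one so the bump is traceable. Since the commit message only says the change "seems to have remediated the CVE", include the post-bump `dependency:tree` line for `com.google.guava:guava` in the PR so the resolved guava version is on record. Minor: the file starts with an empty line, which can be dropped.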
