Does Dremio have a list of known false positive security findings in its dependencies?

We’re evaluating Dremio, and as part of that process we’ve performed a dependency scan and found a number of issues. I’m sure lots of the CVEs are not applicable due to the way Dremio consumes the dependency, but so far I haven’t found anything in these forums. Some Apache projects like Solr have a public list to acknowledge these. Just looking to try and reduce duplicated effort and coming back here with a list of issues that are likely N/A.

https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools

Hello @bradpark,

We do our own internal scans and have a suppression list of CVEs that we consider “false positives” and can be safely ignored. We are working on making this publicly accessible, but it’s not there yet.

Do you have a particular set of CVEs that are concerning you?

Thanks @ben. It’s a bit of a long list, and I’ve tried to format it as best I can after filtering out obvious false positives. I’ve also attached a spreadsheet listing every CVE, package, and how it is introduced into Dremio: dremio-vulns.zip (12.3 KB). The spreadsheet looks worse than it is; 133 of 178 are related to two instances of Jackson Databind.

Let me know if there is anything else I can provide.

Dremio consumes Apache Avatica 1.12.

Avatica consumes Jackson Databind 2.9.6, which currently has some 45 CVEs associated with it, while Avatica has since upgraded to Jackson 2.10.0 as of 1.16.

Avatica also consumes protobuf-java 3.3.0, which is susceptible to CVE-2015-5237. As of Avatica 1.13 they have upgraded to protobuf 3.5.1, which mitigates the CVE.

Dremio consumes dremio-ce-hive2-plugin, which seems to be the Dremio fork of Hive. Hive includes the following dependencies that were identified as containing known vulnerabilities:

Hive itself shades several Apache HBase 1.1.13 jars that lack the fix for CVE-2018-8025.

Hive also consumes jetty:6.1.26, which was released in 2010. Since then the project has moved from being managed by Mortbay to a standalone Jetty group. The name changes make it hard to follow from a CPE perspective; you can see the older Mortbay CPE here: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Amortbay&cpe_product=cpe%3A%2F%3Amortbay%3Ajetty&cpe_version=cpe%3A%2F%3Amortbay%3Ajetty%3A6.1.26
Sonatype has a nice display that cuts across the different maintainers: https://ossindex.sonatype.org/component/pkg:maven/org.mortbay.jetty/jetty@6.1.26

Hive also has jQuery 1.8.2, which contains several known issues: https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe:2.3:a:jquery:jquery:1.8.3:*:*:*:*:*:*:*

Netty 4.1.34 has the following known issues: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Anetty&cpe_product=cpe%3A%2F%3Anetty%3Anetty&cpe_version=cpe%3A%2F%3Anetty%3Anetty%3A4.1.34

Jackson Databind 2.1.1, which has numerous CVEs predominantly related to gadget serialization: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.1.1

Guava 14.0.1, vulnerable to CVE-2018-10237.

protobuf-java 2.5.0, vulnerable to buffer overflow CVE-2015-5237.

Finally, the Dremio Hive fork itself seems to be based on 2.1.1, meaning it may be susceptible to the following CVEs: https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe:2.3:a:apache:hive:2.1.1:*:*:*:*:*:*:*

dremio-twill-shaded contains Guava 13.0.1, vulnerable to CVE-2018-10237.

htrace-core4 4.1.0-incubating contains jackson-databind 2.4.0, which has a long list of known vulnerabilities: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.4.0

Dremio itself also directly consumes the following packages with known issues:

Elasticsearch 5.5.3, vulnerable to three known issues: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aelastic&cpe_product=cpe%3A%2F%3Aelastic%3Aelasticsearch&cpe_version=cpe%3A%2F%3Aelastic%3Aelasticsearch%3A5.5.3

jackson-mapper-asl 1.9.13; this project has been turned into jackson-databind and is susceptible to the same list of issues, as well as one of its own, CVE-2019-10172.

Netty 3.10.6, vulnerable to the following: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Anetty&cpe_product=cpe%3A%2F%3Anetty%3Anetty&cpe_version=cpe%3A%2F%3Anetty%3Anetty%3A3.10.6

postgresql 42.2.5, vulnerable to CVE-2020-13692.

scala-compiler 2.10.1, which contains vulnerable versions of jQuery: https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe:2.3:a:jquery:jquery:1.8.0:*:*:*:*:*:*:*

scala-reflect 2.10.1, vulnerable to CVE-2017-15288.
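A small illustration of the suppression-list workflow this thread is asking for: scan findings are matched against a justified suppression list on the exact (artifact, version, CVE) triple, so a justification written for one shaded copy is not silently reused for another, and suppressions that no longer match anything are flagged as stale. This is an added example, not Dremio's or any scanner's own tooling; the findings are constructed from package/CVE pairs named above, and the justifications and the CVE-0000-00000 id are placeholders.

```python
from collections import Counter

# Constructed findings built from package/CVE pairs named in the thread:
# (artifact, version, cve, introduced_via)
FINDINGS = [
    ("protobuf-java", "3.3.0", "CVE-2015-5237", "avatica:1.12"),
    ("protobuf-java", "2.5.0", "CVE-2015-5237", "dremio-ce-hive2-plugin"),
    ("guava", "14.0.1", "CVE-2018-10237", "dremio-ce-hive2-plugin"),
    ("guava", "13.0.1", "CVE-2018-10237", "dremio-twill-shaded"),
    ("postgresql", "42.2.5", "CVE-2020-13692", "dremio"),
    ("scala-reflect", "2.10.1", "CVE-2017-15288", "dremio"),
]

# Constructed suppression list: (artifact, version, cve, justification).
# Justifications are placeholders; a real list would cite the analysis.
SUPPRESSIONS = [
    ("guava", "13.0.1", "CVE-2018-10237", "placeholder: affected class not on classpath"),
    ("guava", "14.0.1", "CVE-2018-10237", "placeholder: affected class not on classpath"),
    ("scala-reflect", "2.10.1", "CVE-2017-15288", "placeholder: compile-time only"),
    # Stale entry (placeholder CVE id) that matches nothing in the current scan.
    ("netty", "3.10.6", "CVE-0000-00000", "placeholder: artifact no longer shipped"),
]


def apply_suppressions(findings, suppressions):
    """Split findings into open and suppressed, and list stale suppressions.

    Matching is on the exact (artifact, version, cve) triple: each shaded copy
    of a library needs its own justification, and a suppression that matches
    no current finding is reported so it can be reviewed or retired.
    """
    index = {(a, v, c): why for a, v, c, why in suppressions}
    used = set()
    open_findings, suppressed = [], []
    for artifact, version, cve, via in findings:
        key = (artifact, version, cve)
        if key in index:
            used.add(key)
            suppressed.append((artifact, version, cve, via, index[key]))
        else:
            open_findings.append((artifact, version, cve, via))
    stale = [s for s in suppressions if (s[0], s[1], s[2]) not in used]
    return open_findings, suppressed, stale


def count_by_introducer(open_findings):
    """Number of still-open findings pulled in by each top-level artifact."""
    return dict(Counter(via for _, _, _, via in open_findings))


if __name__ == "__main__":
    remaining, done, stale = apply_suppressions(FINDINGS, SUPPRESSIONS)
    print("open:", count_by_introducer(remaining))
    print("suppressed:", len(done), "stale suppressions:", [s[:3] for s in stale])
```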

Any update?

I have a problem with netty-3.10.6.
Can I just replace it with 4.1.44?

What about that list of known CVEs?

And I do not see an “Issues” tab on GitHub - dremio/dremio-oss: Dremio - the missing link in modern data.
How does one report issues? And is anyone fixing them? As I do see quite a lot of pending PRs…

@sirkubax

Apologies for the delay.

I discussed with the security team.

We take security issues very seriously at Dremio. If there is an exploitable security issue, we resolve it within our internal security SLAs based on severity/priority. In the case of non-exploitable security issues in third-party libraries, we always try to update them to the latest possible version at a regular cadence. Please always update to the latest Dremio version.
To know more about security at Dremio: