
DGS-7159: update Msal4j dependency to bring in latest json-smart #2622

Merged (2 commits), Apr 24, 2023

Conversation

janjwerner-confluent (Member)

Update msal4j used in serde to bring in the updated json-smart dependency, to address the security hygiene cleanup of CVE-2023-1370.
Commit / branch needs renaming after the engineering ticket gets created from https://confluentinc.atlassian.net/browse/CVE-356

@janjwerner-confluent janjwerner-confluent requested a review from a team as a code owner April 22, 2023 16:11
rayokota (Member)

> Update msal4j used in serde to bring in the updated json-smart dependency, to address the security hygiene cleanup of CVE-2023-1370. Commit / branch needs renaming after the engineering ticket gets created from https://confluentinc.atlassian.net/browse/CVE-356

It seems there are new versions of the azure dependencies available; we should upgrade those instead.

janjwerner-confluent (Member, Author) commented Apr 22, 2023

Based on @rayokota's suggestion I have updated azure-identity to 1.8.2, but that does not solve the problem and still requires a pin of msal4j.

rayokota (Member)

> Based on @rayokota's suggestion I have updated azure-identity to 1.8.2, but that does not solve the problem and still requires a pin of msal4j.

Hmm, I'm confused; I thought 1.8.2 has the fix, see DataBiosphere/terra-cloud-resource-lib#160

Maybe try upgrading the other azure dependency as well?

janjwerner-confluent (Member, Author)

https://mvnrepository.com/artifact/com.azure/azure-identity/1.8.2
depends on:
https://mvnrepository.com/artifact/com.microsoft.azure/msal4j/1.13.7
which in turn depends on:
https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/9.35
which in turn brings in the vulnerable:
https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.22

The commit:
DataBiosphere/terra-cloud-resource-lib@83d5e51#diff-66edc8269e42fa41dfa043929a8580e710fa57e310fd6ac88ba04a4b20e23efeR149
shows an update of json-smart to 2.4.10 and also usage of azure-json.

With the pin of msal4j:

[INFO] --- dependency:3.3.0:tree (default-cli) @ kafka-schema-registry-client-encryption-azure ---
[INFO] io.confluent:kafka-schema-registry-client-encryption-azure:jar:7.4.0-0
[INFO] \- com.azure:azure-identity:jar:1.8.2:compile
[INFO]    \- com.microsoft.azure:msal4j:jar:1.13.8:compile
[INFO]       \- com.nimbusds:oauth2-oidc-sdk:jar:10.7.1:compile
[INFO]          \- com.nimbusds:nimbus-jose-jwt:jar:9.30.2:compile

Without the pin of msal4j:

[INFO] io.confluent:kafka-schema-registry-client-encryption-azure:jar:7.4.0-0
[INFO] \- com.azure:azure-identity:jar:1.8.2:compile
[INFO]    \- com.microsoft.azure:msal4j:jar:1.13.7:compile
[INFO]       \- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
[INFO]          \- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile

The current commit updates azure-identity and also pins msal4j.
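The comment above resolves the question by reading two `mvn dependency:tree` outputs by eye. The script below is an added example, not code from this pull request or the schema-registry project: it parses that tree format, records the version each artifact resolves to, and flags any artifact below a minimum version, so the "pinned vs. unpinned" comparison can run in CI instead of by hand. The two tree samples are the ones quoted in the comment; the minimum-version policy is an assumption for this example (nimbus-jose-jwt 9.30.2, the version the pinned build resolves to, and json-smart 2.4.10, the version the referenced commit moved to for CVE-2023-1370).

```python
import re
from typing import Dict, List, Tuple

# Sample `mvn dependency:tree` output as quoted in the PR discussion:
# the resolution with the msal4j pin in place ...
TREE_WITH_PIN = """\
[INFO] io.confluent:kafka-schema-registry-client-encryption-azure:jar:7.4.0-0
[INFO] \\- com.azure:azure-identity:jar:1.8.2:compile
[INFO]    \\- com.microsoft.azure:msal4j:jar:1.13.8:compile
[INFO]       \\- com.nimbusds:oauth2-oidc-sdk:jar:10.7.1:compile
[INFO]          \\- com.nimbusds:nimbus-jose-jwt:jar:9.30.2:compile
"""

# ... and the resolution without it, where azure-identity 1.8.2 alone is not enough.
TREE_WITHOUT_PIN = """\
[INFO] io.confluent:kafka-schema-registry-client-encryption-azure:jar:7.4.0-0
[INFO] \\- com.azure:azure-identity:jar:1.8.2:compile
[INFO]    \\- com.microsoft.azure:msal4j:jar:1.13.7:compile
[INFO]       \\- com.nimbusds:oauth2-oidc-sdk:jar:9.35:compile
[INFO]          \\- com.nimbusds:nimbus-jose-jwt:jar:9.22:compile
"""

# Minimum acceptable versions. This policy is an assumption for the example:
# nimbus-jose-jwt 9.30.2 is what the pinned build resolves to, and json-smart
# 2.4.10 is the version the referenced terra-cloud-resource-lib commit moved to.
MIN_VERSIONS: Dict[str, str] = {
    "com.nimbusds:nimbus-jose-jwt": "9.30.2",
    "net.minidev:json-smart": "2.4.10",
}

# Matches "group:artifact:jar:version" anywhere in a tree line; the tree
# prefix ("[INFO] \- ", "+- ", "|  ") and trailing ":compile" are ignored.
LINE_RE = re.compile(r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):jar:([A-Za-z0-9_.\-]+)")


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '9.30.2' or '7.4.0-0' into a tuple that compares numerically,
    so that 10.7.1 sorts after 9.35 (string comparison would get this wrong)."""
    key = []
    for part in re.split(r"[.\-]", version):
        digits = re.match(r"\d+", part)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def resolved_versions(tree_output: str) -> Dict[str, str]:
    """Map 'group:artifact' to the version Maven resolved it to."""
    resolved: Dict[str, str] = {}
    for line in tree_output.splitlines():
        match = LINE_RE.search(line)
        if match:
            group, artifact, version = match.groups()
            resolved[f"{group}:{artifact}"] = version
    return resolved


def find_outdated(tree_output: str,
                  min_versions: Dict[str, str] = MIN_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved, minimum) for every policy artifact that
    appears in the tree below its minimum version. Artifacts absent from the
    tree are not reported; this checks what was resolved, not what is missing."""
    findings = []
    resolved = resolved_versions(tree_output)
    for coordinate, minimum in min_versions.items():
        actual = resolved.get(coordinate)
        if actual is not None and version_key(actual) < version_key(minimum):
            findings.append((coordinate, actual, minimum))
    return findings


if __name__ == "__main__":
    for label, tree in (("with pin", TREE_WITH_PIN), ("without pin", TREE_WITHOUT_PIN)):
        print(f"{label}: {find_outdated(tree) or 'OK'}")
```

Run against real output with `mvn dependency:tree | python check_tree.py`-style plumbing (reading stdin instead of the embedded samples); the useful property is that the check is about the version actually resolved at the leaf, which is exactly the detail a direct-dependency bump such as azure-identity 1.8.2 can leave unchanged.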

rayokota (Member) left a comment:

Thanks @janjwerner-confluent, LGTM

janjwerner-confluent merged commit f518bbe into 7.4.x Apr 24, 2023 (3 checks passed)
janjwerner-confluent deleted the DGS-xxxx branch April 24, 2023 14:52
rayokota changed the title from "DGS-xxxx: update Msal4j dependency to bring in latest json-smart" to "DGS-7159: update Msal4j dependency to bring in latest json-smart" Apr 25, 2023