From 46a25f04d71ef9871c77bfb012e6f9b8e800371c Mon Sep 17 00:00:00 2001
From: Lari Hotari
Date: Fri, 18 Jun 2021 08:38:18 +0300
Subject: [PATCH] [Security] Exclude and remove freebuilder dependency (#10869)

### Motivation

[Freebuilder](https://github.com/inferred/FreeBuilder) is an annotation processor used in Bookkeeper's StorageClientSetting interface: https://github.com/apache/bookkeeper/blob/16e8ba772bb5cf4c7546fb559bd9d455d4e42625/stream/clients/java/base/src/main/java/org/apache/bookkeeper/clients/config/StorageClientSettings.java#L27-L33 The annotation processor is only needed at compile time. The Freebuilder library gets flagged as a vulnerable library by Sonatype IQ. This causes Pulsar distribution to be flagged as vulnerable since Freebuilder is a transitive dependency.

### Additional context

There's a separate issue in Bookkeeper to change the dependency to optional / compileOnly: https://github.com/apache/bookkeeper/issues/2732

### Modifications

Exclude freebuilder library and replace the code that used shaded dependencies from the freebuilder library.

(cherry picked from commit 406770ceae11031a0b54a39255050ebc603f4976)
---
 .../server/src/assemble/LICENSE.bin.txt | 2 --
 pom.xml | 4 ++++
 pulsar-zookeeper-utils/pom.xml | 4 ++++
 ...IsolatedBookieEnsemblePlacementPolicy.java | 22 +++++++------------
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 9db99432d8621..02559b6c7ff17 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -486,8 +486,6 @@ The Apache Software License, Version 2.0
  - org.apache.curator-curator-recipes-5.1.0.jar
  * Apache Yetus
  - org.apache.yetus-audience-annotations-0.5.0.jar
- * @FreeBuilder
- - org.inferred-freebuilder-1.14.9.jar
  * Kubernetes Client
  - io.kubernetes-client-java-12.0.1.jar
  - io.kubernetes-client-java-api-12.0.1.jar
diff --git a/pom.xml b/pom.xml
index 9d7f18629e837..9087dc2c645b7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -469,6 +469,10 @@ flexible messaging model and an intuitive client API. org.codehaus.jackson jackson-mapper-asl + + org.inferred + freebuilder + 
diff --git a/pulsar-zookeeper-utils/pom.xml b/pulsar-zookeeper-utils/pom.xml
index 0f592ab9787e7..30a751e6c0a44 100644
--- a/pulsar-zookeeper-utils/pom.xml
+++ b/pulsar-zookeeper-utils/pom.xml
@@ -64,6 +64,10 @@ org.apache.zookeeper zookeeper + + org.inferred + freebuilder + 
diff --git a/pulsar-zookeeper-utils/src/main/java/org/apache/pulsar/zookeeper/ZkIsolatedBookieEnsemblePlacementPolicy.java b/pulsar-zookeeper-utils/src/main/java/org/apache/pulsar/zookeeper/ZkIsolatedBookieEnsemblePlacementPolicy.java
index e7f393a8251dd..93202963adbc3 100644
--- a/pulsar-zookeeper-utils/src/main/java/org/apache/pulsar/zookeeper/ZkIsolatedBookieEnsemblePlacementPolicy.java
+++ b/pulsar-zookeeper-utils/src/main/java/org/apache/pulsar/zookeeper/ZkIsolatedBookieEnsemblePlacementPolicy.java
@@ -18,7 +18,10 @@ */
 package org.apache.pulsar.zookeeper;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.netty.util.HashedWheelTimer;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
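Review bot: The new exclusion of `org.inferred` / `freebuilder` in pom.xml (and the matching one in pulsar-zookeeper-utils/pom.xml) only removes the artifact from the dependency it is attached to; any module that reaches a BookKeeper stream/client artifact on a different path would still ship freebuilder, and nothing in the build fails when that happens. Consider backing the exclusion with a `maven-enforcer-plugin` `bannedDependencies` rule for `org.inferred:freebuilder`, or at least a `mvn dependency:tree -Dincludes=org.inferred` check in CI, so the scanner finding cannot silently return. A short comment next to the exclusion, e.g. `<!-- compile-time annotation processor pulled in transitively by BookKeeper; flagged by dependency scanners, see apache/bookkeeper#2732 -->`, would tell the next maintainer why it must stay until BookKeeper makes the dependency compileOnly. The XML element names are not visible in this rendering, so the exact placement of the exclusion is inferred from the added groupId/artifactId lines.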
@@ -27,15 +30,14 @@ import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
-
-import com.fasterxml.jackson.core.JsonProcessingException;
 import org.apache.bookkeeper.client.BKException.BKNotEnoughBookiesException;
 import org.apache.bookkeeper.client.RackawareEnsemblePlacementPolicy;
 import org.apache.bookkeeper.client.RackawareEnsemblePlacementPolicyImpl;
-import org.apache.bookkeeper.common.util.JsonUtil;
 import org.apache.bookkeeper.conf.ClientConfiguration;
 import org.apache.bookkeeper.feature.FeatureProvider;
+import org.apache.bookkeeper.net.BookieId;
 import org.apache.bookkeeper.net.DNSToSwitchMapping;
+import org.apache.bookkeeper.proto.BookieAddressResolver;
 import org.apache.bookkeeper.stats.StatsLogger;
 import org.apache.bookkeeper.zookeeper.ZooKeeperClient;
 import org.apache.commons.configuration.Configuration;
@@ -44,22 +46,14 @@ import org.apache.commons.lang3.tuple.Pair;
 import org.apache.pulsar.common.policies.data.BookieInfo;
 import org.apache.pulsar.common.policies.data.BookiesRackConfiguration;
+import org.apache.pulsar.common.policies.data.EnsemblePlacementPolicyConfig;
 import org.apache.pulsar.common.util.ObjectMapperFactory;
 import org.apache.pulsar.zookeeper.ZooKeeperCache.Deserializer;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.ZooKeeper;
-import org.inferred.freebuilder.shaded.com.google.common.collect.Sets;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import com.fasterxml.jackson.databind.ObjectMapper;
-
-import io.netty.util.HashedWheelTimer;
-import org.apache.bookkeeper.net.BookieId;
-import org.apache.bookkeeper.proto.BookieAddressResolver;
-
-import org.apache.pulsar.common.policies.data.EnsemblePlacementPolicyConfig;
-
 public class ZkIsolatedBookieEnsemblePlacementPolicy extends RackawareEnsemblePlacementPolicy implements Deserializer {
 private static final Logger LOG = LoggerFactory.getLogger(ZkIsolatedBookieEnsemblePlacementPolicy.class);
@@ -210,10 +204,10 @@ private static Pair, Set> getIsolationGroup(EnsemblePlacemen
 String primaryIsolationGroupString = castToString(properties.getOrDefault(ISOLATION_BOOKIE_GROUPS, ""));
 String secondaryIsolationGroupString = castToString(properties.getOrDefault(SECONDARY_ISOLATION_BOOKIE_GROUPS, ""));
 if (!primaryIsolationGroupString.isEmpty()) {
- pair.setLeft(Sets.newHashSet(primaryIsolationGroupString.split(",")));
+ pair.setLeft(new HashSet(Arrays.asList(primaryIsolationGroupString.split(","))));
 }
 if (!secondaryIsolationGroupString.isEmpty()) {
- pair.setRight(Sets.newHashSet(secondaryIsolationGroupString.split(",")));
+ pair.setRight(new HashSet(Arrays.asList(secondaryIsolationGroupString.split(","))));
 }
 }
 return pair;
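Review bot: The replacement lines `pair.setLeft(new HashSet(Arrays.asList(primaryIsolationGroupString.split(","))));` and the `setRight` counterpart use the raw type `HashSet`, which compiles only with an unchecked warning and discards the element typing the method's `Pair<Set<…>, Set<…>>` signature carries; if the diamond was merely lost in this rendering, disregard this. Write them as `pair.setLeft(new HashSet<>(Arrays.asList(primaryIsolationGroupString.split(","))));` and `pair.setRight(new HashSet<>(Arrays.asList(secondaryIsolationGroupString.split(","))));`. Apart from that, the new code appears to match the removed shaded `Sets.newHashSet` call (duplicates tolerated, entries not trimmed), so no functional change is introduced by the swap. The enclosing method getIsolationGroup begins before this hunk.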