fix(dependencies): update jinjava to remove CVE #950
Conversation
Updating this removes CVE-2020-12668.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12668

At Armory, we have had the 2.5.4+ config for a year, meaning we have run 2.5.8 to 2.5.10 since they came out. So this is a pretty safe change. We are just moving our own overrides to open source to fix CVEs for everyone.

In the past we weren’t able to update to 2.5.3 because of this bug:
HubSpot/jinjava#429

Tests were created in Orca that demonstrated the bug:
spinnaker/orca#3608

I have pinned orca to 2.5.10 and run these tests to ensure they pass. This implies that this bug has been fixed by 2.5.10.
9658ffd to 05a8062
jinjava 2.5.10 is free from the direct vulnerability of CVE-2020-12668.
jinjava is a runtime dependency. It is also required by the orca-pipelinetemplate module in orca. The version of jinjava is imported by kork-artifact in orca-pipelinetemplate. Below is the dependency insight for orca after upgrading jinjava in local kork:
> Task :orca-web:dependencyInsight
com.hubspot.jinjava:jinjava:2.5.10
variant "runtime" [
org.gradle.status = release (not requested)
org.gradle.usage = java-runtime
org.gradle.libraryelements = jar
org.gradle.category = library
Requested attributes not found in the selected variant:
org.gradle.dependency.bundling = external
org.jetbrains.kotlin.platform.type = jvm
org.gradle.jvm.version = 11
]
Selection reasons:
- By constraint
- Forced
com.hubspot.jinjava:jinjava:2.5.10
+--- io.spinnaker.kork:kork-artifacts:jinjava-upgrade-2-5-10-SNAPSHOT
| +--- project :orca-core (requested io.spinnaker.kork:kork-artifacts)
| | +--- runtimeClasspath
| | +--- project :orca-echo
| | | \--- runtimeClasspath
| | +--- project :orca-qos
| | | \--- runtimeClasspath
| | +--- project :orca-queue-redis
| | | \--- runtimeClasspath
| | +--- project :orca-queue-sql
| | | \--- runtimeClasspath
| | +--- project :orca-sql
| | | +--- runtimeClasspath
| | | +--- project :orca-queue-sql (*)
| | | +--- project :orca-sql-mysql
| | | | \--- runtimeClasspath
| | | \--- project :orca-sql-postgres
| | | \--- runtimeClasspath
| | +--- project :orca-queue
| | | +--- runtimeClasspath
| | | +--- project :orca-echo (*)
| | | +--- project :orca-qos (*)
| | | +--- project :orca-queue-redis (*)
| | | +--- project :orca-queue-sql (*)
| | | \--- project :orca-sql (*)
| | +--- project :orca-applications
| | | \--- runtimeClasspath
| | +--- project :orca-clouddriver-provider-titus
| | | \--- runtimeClasspath
| | +--- project :orca-keel
| | | +--- runtimeClasspath
| | | \--- project :orca-applications (*)
| | +--- project :orca-igor
| | | +--- runtimeClasspath
| | | +--- project :orca-echo (*)
| | | \--- project :orca-keel (*)
| | +--- project :orca-integrations-cloudfoundry
| | | \--- runtimeClasspath
| | +--- project :orca-kayenta
| | | \--- runtimeClasspath
| | +--- project :orca-mine
| | | \--- runtimeClasspath
| | +--- project :orca-pipelinetemplate
| | | \--- runtimeClasspath
| | +--- project :orca-clouddriver
| | | +--- runtimeClasspath
| | | +--- project :orca-applications (*)
| | | +--- project :orca-clouddriver-provider-titus (*)
| | | +--- project :orca-igor (*)
| | | +--- project :orca-integrations-cloudfoundry (*)
| | | +--- project :orca-kayenta (*)
| | | +--- project :orca-mine (*)
| | | \--- project :orca-pipelinetemplate (*)
| | +--- project :orca-bakery
| | | +--- runtimeClasspath
| | | \--- project :orca-clouddriver (*)
| | +--- project :orca-deploymentmonitor
| | | +--- runtimeClasspath
| | | \--- project :orca-clouddriver (*)
| | +--- project :orca-dry-run
| | | +--- runtimeClasspath
| | | \--- project :orca-echo (*)
| | +--- project :orca-flex
| | | \--- runtimeClasspath
| | +--- project :orca-migration
| | | \--- runtimeClasspath
| | +--- project :orca-redis
| | | +--- runtimeClasspath
| | | \--- project :orca-queue-redis (*)
| | +--- project :orca-front50
| | | +--- runtimeClasspath
| | | +--- project :orca-echo (*)
| | | +--- project :orca-qos (*)
| | | +--- project :orca-applications (*)
| | | +--- project :orca-igor (*)
| | | +--- project :orca-pipelinetemplate (*)
| | | +--- project :orca-clouddriver (*)
| | | +--- project :orca-bakery (*)
| | | +--- project :orca-migration (*)
| | | \--- project :orca-redis (*)
| | +--- project :orca-integrations-gremlin
| | | \--- runtimeClasspath
| | +--- project :orca-interlink
| | | +--- runtimeClasspath
| | | \--- project :orca-sql (*)
| | +--- project :orca-peering
| | | \--- runtimeClasspath
| | +--- project :orca-remote-stage
| | | \--- runtimeClasspath
| | +--- project :orca-webhook
| | | \--- runtimeClasspath
| | +--- project :orca-retrofit
| | | +--- project :orca-echo (*)
| | | +--- project :orca-applications (*)
| | | +--- project :orca-keel (*)
| | | +--- project :orca-igor (*)
| | | +--- project :orca-kayenta (*)
| | | +--- project :orca-mine (*)
| | | +--- project :orca-pipelinetemplate (*)
| | | +--- project :orca-clouddriver (*)
| | | +--- project :orca-bakery (*)
| | | +--- project :orca-deploymentmonitor (*)
| | | +--- project :orca-flex (*)
| | | +--- project :orca-front50 (*)
| | | \--- project :orca-integrations-gremlin (*)
| | \--- project :orca-kotlin
| | +--- project :orca-queue (*)
| | +--- project :orca-kayenta (*)
| | +--- project :orca-dry-run (*)
| | \--- project :orca-integrations-gremlin (*)
| +--- project :orca-api (requested io.spinnaker.kork:kork-artifacts)
| | +--- runtimeClasspath
| | +--- project :orca-queue (*)
| | +--- project :orca-clouddriver-provider-titus (*)
| | +--- project :orca-clouddriver (*)
| | +--- project :orca-remote-stage (*)
| | +--- project :orca-webhook (*)
| | \--- project :orca-core (*)
| \--- io.spinnaker.kork:kork-bom:jinjava-upgrade-2-5-10-SNAPSHOT
| +--- runtimeClasspath
| +--- project :orca-echo (*)
| +--- project :orca-qos (*)
| +--- project :orca-queue-redis (*)
| +--- project :orca-queue-sql (*)
| +--- project :orca-sql-mysql (*)
| +--- project :orca-sql-postgres (*)
| +--- project :orca-sql (*)
| +--- project :orca-queue (*)
| +--- project :keiko-redis-spring
| | +--- project :orca-queue-redis (*)
| | \--- project :orca-queue-sql (*)
| +--- project :keiko-spring
| | +--- runtimeClasspath
| | +--- project :orca-queue (*)
| | \--- project :keiko-redis-spring (*)
| +--- project :orca-applications (*)
| +--- project :orca-clouddriver-provider-titus (*)
| +--- project :orca-keel (*)
| +--- project :orca-igor (*)
| +--- project :orca-integrations-cloudfoundry (*)
| +--- project :orca-kayenta (*)
| +--- project :orca-mine (*)
| +--- project :orca-pipelinetemplate (*)
| +--- project :orca-clouddriver (*)
| +--- project :orca-bakery (*)
| +--- project :orca-deploymentmonitor (*)
| +--- project :orca-dry-run (*)
| +--- project :orca-flex (*)
| +--- project :orca-migration (*)
| +--- project :orca-redis (*)
| +--- project :orca-front50 (*)
| +--- project :orca-integrations-gremlin (*)
| +--- project :orca-interlink (*)
| +--- project :orca-peering (*)
| +--- project :orca-remote-stage (*)
| +--- project :orca-webhook (*)
| +--- project :orca-retrofit (*)
| +--- project :orca-kotlin (*)
| +--- project :orca-core (*)
| +--- project :keiko-sql
| | \--- project :orca-queue-sql (*)
| +--- project :keiko-redis
| | \--- project :keiko-redis-spring (*)
| +--- project :keiko-core
| | +--- project :orca-sql (*)
| | +--- project :orca-queue (*)
| | +--- project :keiko-spring (*)
| | +--- project :keiko-sql (*)
| | \--- project :keiko-redis (*)
| \--- project :orca-api (*)
+--- io.spinnaker.kork:kork-aws:jinjava-upgrade-2-5-10-SNAPSHOT
| +--- io.spinnaker.kork:kork-bom:jinjava-upgrade-2-5-10-SNAPSHOT (*)
| \--- io.spinnaker.kork:kork-pubsub-aws:jinjava-upgrade-2-5-10-SNAPSHOT
| +--- project :orca-interlink (requested io.spinnaker.kork:kork-pubsub-aws) (*)
| \--- io.spinnaker.kork:kork-bom:jinjava-upgrade-2-5-10-SNAPSHOT (*)
\--- io.spinnaker.kork:kork-bom:jinjava-upgrade-2-5-10-SNAPSHOT (*)
com.hubspot.jinjava:jinjava -> 2.5.10
\--- project :orca-pipelinetemplate
\--- runtimeClasspath
While running the tests on orca-pipelinetemplate, 6 tests failed:
$ ./gradlew orca-pipelinetemplate:test -Dorg.gradle.jvmargs="-Xmx2g"
> Task :orca-pipelinetemplate:test
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (file:/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy/2.5.14/f0a005fb21e7bd9b7ebf04cd2ecda0fc8f3be59d/groovy-2.5.14.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
com.netflix.spinnaker.orca.pipelinetemplate.v1schema.graph.transform.RenderTransformSpec > should correctly coerce default values FAILED
Expected no exception to be thrown, but got 'com.netflix.spinnaker.orca.pipelinetemplate.exceptions.TemplateRenderException'
at spock.lang.Specification.noExceptionThrown(Specification.java:118)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.graph.transform.RenderTransformSpec.should correctly coerce default values(RenderTransformSpec.groovy:381)
Caused by:
com.netflix.spinnaker.orca.pipelinetemplate.exceptions.TemplateRenderException: Failed rendering stage
at com.netflix.spinnaker.orca.pipelinetemplate.exceptions.TemplateRenderException.fromError(TemplateRenderException.java:30)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.graph.transform.RenderTransform.renderStage(RenderTransform.java:187)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.graph.transform.RenderTransform.renderStages(RenderTransform.java:167)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.graph.transform.RenderTransform.render(RenderTransform.java:78)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.graph.transform.RenderTransform.visitPipelineTemplate(RenderTransform.java:64)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.graph.transform.RenderTransformSpec.should correctly coerce default values(RenderTransformSpec.groovy:378)
Caused by:
com.netflix.spinnaker.orca.pipelinetemplate.exceptions.TemplateRenderException: failed rendering jinja template
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.JinjaRenderer.render(JinjaRenderer.java:149)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.JinjaRenderer.renderGraph(JinjaRenderer.java:173)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.RenderUtil.deepRender(RenderUtil.java:55)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.RenderUtil.deepRender(RenderUtil.java:75)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.RenderUtil.deepRender(RenderUtil.java:30)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.graph.transform.RenderTransform.renderStage(RenderTransform.java:185)
... 4 more
Caused by:
com.hubspot.jinjava.interpret.FatalTemplateErrorsException: InterpretException: Error rendering tag
at com.hubspot.jinjava.Jinjava.render(Jinjava.java:191)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.JinjaRenderer.render(JinjaRenderer.java:121)
... 9 more
com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec > should correctly fall back to defaults defined in variable FAILED
Condition not satisfied:
result == '1'
| |
null false
4 differences (0% similarity)
(null)
(1---)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec.should correctly fall back to defaults defined in variable(ModuleTagSpec.groovy:99)
com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec > should correctly fall back to defaults defined in template FAILED
Condition not satisfied:
result == 'overrideValue'
| |
null false
12 differences (7% similarity)
(nul-------)l(--)
(overrideVa)l(ue)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec.should correctly fall back to defaults defined in template(ModuleTagSpec.groovy:135)
com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec > can access one template variable in the key of another FAILED
Condition not satisfied:
result == 'overrideValue'
| |
null false
12 differences (7% similarity)
(nul-------)l(--)
(overrideVa)l(ue)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec.can access one template variable in the key of another(ModuleTagSpec.groovy:159)
com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec > can handle a null context variable in the template FAILED
Condition not satisfied:
result == '1'
| |
null false
4 differences (0% similarity)
(null)
(1---)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec.can handle a null context variable in the template(ModuleTagSpec.groovy:181)
com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec > can handle a null context variable in another variable FAILED
Condition not satisfied:
result == '1'
| |
null false
4 differences (0% similarity)
(null)
(1---)
at com.netflix.spinnaker.orca.pipelinetemplate.v1schema.render.tags.ModuleTagSpec.can handle a null context variable in another variable(ModuleTagSpec.groovy:204)
212 tests completed, 6 failed
> Task :orca-pipelinetemplate:test FAILED
FAILURE: Build failed with an exception.
We may need to address the orca-pipelinetemplate test issues that the jinjava upgrade will raise before upgrading jinjava in kork.
HubSpot/jinjava#1008 is my attempt to fix jinjava.
Replaced by #1152.
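A version-floor check over the kind of `dependencyInsight` report shown in the comment above, written as an added example (it is not kork's, orca's or Gradle's own tooling). It parses the report for one coordinate and confirms that every version Gradle resolved it to is at or above a minimum the caller supplies, which is the question a reviewer of a CVE-driven bump actually wants answered for the runtime classpath. The report text in the block is a constructed, shortened sample in the shape of the real report, and the 2.5.4 floor is an assumption taken from the PR description's "2.5.4+ config"; on a real build you would pipe `./gradlew orca-web:dependencyInsight --configuration runtimeClasspath --dependency jinjava` into it.

```python
"""Version-floor check over Gradle `dependencyInsight` output.

Added example, not part of kork, orca or Gradle. It parses the report for one
coordinate (group:name) and confirms that every version Gradle resolved it to
is at or above a minimum the caller supplies. The report text below is a
constructed, shortened sample in the shape of the insight report in the PR.
"""
import re
import sys
from typing import Set, Tuple

# Constructed sample report (assumption: same line shapes as a real report).
SAMPLE_INSIGHT = """\
> Task :orca-web:dependencyInsight
com.hubspot.jinjava:jinjava:2.5.10
   variant "runtime" [
      org.gradle.status = release (not requested)
   ]
   Selection reasons:
      - By constraint
      - Forced

com.hubspot.jinjava:jinjava:2.5.10
+--- io.spinnaker.kork:kork-artifacts:jinjava-upgrade-2-5-10-SNAPSHOT
|    \\--- project :orca-core (requested io.spinnaker.kork:kork-artifacts)

com.hubspot.jinjava:jinjava -> 2.5.10
\\--- project :orca-pipelinetemplate
     \\--- runtimeClasspath
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string as a tuple, so '2.5.9' < '2.5.10'
    compares correctly (a plain string compare gets that wrong). Qualifiers
    such as '-SNAPSHOT' are dropped; a non-numeric segment ends the prefix."""
    core = text.split("-", 1)[0]
    parts = []
    for segment in core.split("."):
        if not segment.isdigit():
            break
        parts.append(int(segment))
    return tuple(parts)


def resolved_versions(insight: str, group: str, name: str) -> Set[str]:
    """Every version the report resolves `group:name` to.

    Three line shapes carry the answer:
        group:name:VERSION               selected variant / tree root
        group:name -> VERSION            requested without a version
        group:name:REQUESTED -> VERSION  requested one version, got another
    Lines deeper in the tree start with tree characters and do not match,
    so only the resolution lines are read.
    """
    coord = re.escape(f"{group}:{name}")
    line_re = re.compile(rf"^{coord}(?::(\S+))?(?:\s+->\s+(\S+))?$")
    found: Set[str] = set()
    for raw in insight.splitlines():
        match = line_re.match(raw.strip())
        if match:
            requested, resolved = match.groups()
            version = resolved or requested
            if version:
                found.add(version)
    return found


def check_minimum(insight: str, group: str, name: str, minimum: str) -> Tuple[bool, Set[str]]:
    """(ok, versions): ok only if the coordinate was found at all and every
    resolved version meets the floor. A dependency can resolve to a fixed
    version on one configuration and an older one on another, which is why
    all resolutions are checked rather than just the first."""
    versions = resolved_versions(insight, group, name)
    if not versions:
        return False, versions
    floor = parse_version(minimum)
    return all(parse_version(v) >= floor for v in versions), versions


if __name__ == "__main__":
    # Pipe a real report in on stdin; with no input the constructed sample is used.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSIGHT
    ok, seen = check_minimum(report, "com.hubspot.jinjava", "jinjava", "2.5.4")
    print("OK" if ok else "FAIL", "resolved:", sorted(seen) or "not found")
    sys.exit(0 if ok else 1)
```

The check deliberately fails when the coordinate is absent from the report: a missing dependency is not evidence that the vulnerable version is gone, only that the report was run against the wrong configuration or module.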