Fix CVE

Signed-off-by: N Gao Hongtao <hanahmily@gmail.com>

Fix CVE
Signed-off-by: N Gao Hongtao <hanahmily@gmail.com>
c931a775 · Gao Hongtao · cf8a59ea · c931a775 · c931a775 · c931a775
6 changed file
--- a/.github/workflows/docker-ci.yaml
+++ b/.github/workflows/docker-ci.yaml
@@ -60,7 +60,7 @@ jobs:
      - name: Build docker image
        run: export ES_VERSION=${{ matrix.es }} && export TAG=${{ matrix.es }} && (make docker || make docker)
      - name: Scan OAP image
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.0.18
        with:
          image-ref: 'skywalking/oap:${{ matrix.es }}'
          format: 'table'
@@ -69,7 +69,7 @@ jobs:
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
      - name: Scan UI image
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.0.18
        with:
          image-ref: 'skywalking/ui:${{ matrix.es }}'
          format: 'table'

--- a/apm-webapp/pom.xml
+++ b/apm-webapp/pom.xml
@@ -30,14 +30,17 @@

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <spring.boot.version>1.5.11.RELEASE</spring.boot.version>
+        <spring.boot.version>1.5.22.RELEASE</spring.boot.version>
        <log4j.version>2.6.2</log4j.version>
        <gson.version>2.8.2</gson.version>
        <apache-httpclient.version>4.5.3</apache-httpclient.version>
        <spring-cloud-dependencies.version>Edgware.SR1</spring-cloud-dependencies.version>
        <frontend-maven-plugin.version>1.11.0</frontend-maven-plugin.version>
        <logback-classic.version>1.2.3</logback-classic.version>
-        <jackson-version>2.9.10</jackson-version>
+        <jackson-version>2.12.2</jackson-version>
+        <yaml.version>1.28</yaml.version>
+        <netty.version>4.1.65.Final</netty.version>
+        <tomcat.version>8.5.66</tomcat.version>

        <ui.path>${project.parent.basedir}/skywalking-ui</ui.path>
    </properties>
@@ -101,6 +104,26 @@
            <artifactId>logback-classic</artifactId>
            <version>${logback-classic.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>${yaml.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler</artifactId>
+            <version>${netty.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>${tomcat.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-websocket</artifactId>
+            <version>${tomcat.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>

--- a/docker/oap/Dockerfile.oap
+++ b/docker/oap/Dockerfile.oap
@@ -16,7 +16,23 @@

 ARG BASE_IMAGE='adoptopenjdk/openjdk8:alpine'

-FROM apache/skywalking-base:8.1.0-es6 AS cli
+FROM golang:1.14 AS cli
+
+ARG COMMIT_HASH=9f267876493943716434fdaa30047a14c0b5b2d9
+ARG CLI_CODE=${COMMIT_HASH}.tar.gz
+ARG CLI_CODE_URL=https://github.com/apache/skywalking-cli/archive/${CLI_CODE}
+
+ENV CGO_ENABLED=0
+ENV GO111MODULE=on
+
+WORKDIR /cli
+
+ADD ${CLI_CODE_URL} .
+RUN tar -xf ${CLI_CODE} --strip 1
+RUN rm ${CLI_CODE}
+
+RUN mkdir -p /skywalking/bin/
+RUN make linux && mv bin/swctl-latest-linux-amd64 /skywalking/bin/swctl

 FROM $BASE_IMAGE


--- a/docker/ui/Dockerfile.ui
+++ b/docker/ui/Dockerfile.ui
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM openjdk:8u181-jdk-stretch
+FROM adoptopenjdk/openjdk8:alpine

 ENV DIST_NAME=apache-skywalking-apm-bin \
    JAVA_OPTS=" -Xms256M " \
@@ -37,4 +37,4 @@ COPY logback.xml webapp/

 EXPOSE 8080

-ENTRYPOINT ["bash", "docker-entrypoint.sh"]
\ No newline at end of file
+ENTRYPOINT ["sh", "docker-entrypoint.sh"]
\ No newline at end of file
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -79,8 +79,8 @@
        <commons-lang3.version>3.7</commons-lang3.version>
        <commons-text.version>1.4</commons-text.version>
        <simpleclient.version>0.6.0</simpleclient.version>
-        <apollo.version>1.4.0</apollo.version>
-        <nacos.version>1.3.1</nacos.version>
+        <apollo.version>1.8.0</apollo.version>
+        <nacos.version>1.4.2</nacos.version>
        <maven-docker-plugin.version>0.30.0</maven-docker-plugin.version>
        <curator.version>4.3.0</curator.version>
        <curator-test.version>2.12.0</curator-test.version>

--- a/oap-server/server-cluster-plugin/cluster-consul-plugin/pom.xml
+++ b/oap-server/server-cluster-plugin/cluster-consul-plugin/pom.xml
@@ -41,7 +41,7 @@
        <dependency>
            <groupId>com.orbitz.consul</groupId>
            <artifactId>consul-client</artifactId>
-            <version>1.2.6</version>
+            <version>1.4.2</version>
            <exclusions>
                <exclusion>
                    <groupId>com.google.guava</groupId>