Upgrade OAP dependencies (#7119)

* Introduce trivy to scan images Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Fix CVE Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Update licenses Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Remove log4j 1.x Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Update CHANGES.md Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Update LICENSE refer to webapp Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> Co-authored-by: 吴晟 Wu Sheng <wu.sheng@foxmail.com>

Upgrade OAP dependencies (#7119)
* Introduce trivy to scan images Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Fix CVE Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Update licenses Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Remove log4j 1.x Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Update CHANGES.md Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> * Update LICENSE refer to webapp Signed-off-by: N Gao Hongtao <hanahmily@gmail.com> Co-authored-by: 吴晟 Wu Sheng <wu.sheng@foxmail.com>
669fe159 · Gao Hongtao · GitHub · 9b6c0d1b · 669fe159 · 669fe159
9 changed file
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -14,6 +14,26 @@ Release Notes.
 * Disable Spring sleuth meter analyzer by default.
 * Use MAL to calculate JVM metrics, remove OAL dependency.
 * Only count 5xx as error in Envoy ALS receiver.
+* Upgrade apollo core caused by CVE-2020-15170.
+* Upgrade kubernetes client caused by CVE-2020-28052.
+* Upgrade Elasticsearch 7 client caused by CVE-2020-7014.
+* Upgrade jackson related libs caused by CVE-2018-11307, CVE-2018-14718~CVE-2018-14721, CVE-2018-19360~CVE-2018-19362,
+   CVE-2019-14379, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943,
+   CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548,
+   CVE-2018-12022, CVE-2018-12023, CVE-2019-12086, CVE-2019-14439, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968,
+   CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060,
+   CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-25649, CVE-2020-35490,
+   CVE-2020-35491, CVE-2020-35728 and CVE-2020-36179~CVE-2020-36190.
+* Exclude log4j 1.x caused by CVE-2019-17571.
+* Upgrade log4j 2.x caused by CVE-2020-9488.
+* Upgrade nacos libs caused by CVE-2021-29441 and CVE-2021-29442.
+* Upgrade netty caused by CVE-2019-20444, CVE-2019-20445, CVE-2019-16869, CVE-2020-11612, CVE-2021-21290, CVE-2021-21295 
+   and CVE-2021-21409.
+* Upgrade consul client caused by CVE-2018-1000844, CVE-2018-1000850.
+* Upgrade zookeeper caused by CVE-2019-0201. 
+* Upgrade snake yaml caused by CVE-2017-18640.
+* Upgrade embed tomcat caused by CVE-2020-13935.
+

 #### UI


--- a/apm-webapp/pom.xml
+++ b/apm-webapp/pom.xml
@@ -30,14 +30,17 @@

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <spring.boot.version>1.5.11.RELEASE</spring.boot.version>
+        <spring.boot.version>1.5.22.RELEASE</spring.boot.version>
        <log4j.version>2.6.2</log4j.version>
        <gson.version>2.8.2</gson.version>
        <apache-httpclient.version>4.5.3</apache-httpclient.version>
        <spring-cloud-dependencies.version>Edgware.SR1</spring-cloud-dependencies.version>
        <frontend-maven-plugin.version>1.11.0</frontend-maven-plugin.version>
        <logback-classic.version>1.2.3</logback-classic.version>
-        <jackson-version>2.9.10</jackson-version>
+        <jackson-version>2.12.2</jackson-version>
+        <yaml.version>1.28</yaml.version>
+        <netty.version>4.1.65.Final</netty.version>
+        <tomcat.version>8.5.66</tomcat.version>

        <ui.path>${project.parent.basedir}/skywalking-ui</ui.path>
    </properties>
@@ -101,6 +104,26 @@
            <artifactId>logback-classic</artifactId>
            <version>${logback-classic.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>${yaml.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler</artifactId>
+            <version>${netty.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>${tomcat.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-websocket</artifactId>
+            <version>${tomcat.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>

--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -251,7 +251,7 @@ The text of each license is the standard Apache 2.0 license.
    Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
    Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0
    Spring Framework 4.3.14.RELEASE: https://github.com/spring-projects/spring-framework, Apache 2.0
-    Spring Boot 1.5.10: https://spring.io/, Apache 2.0
+    Spring Boot 1.5.22.RELEASE: https://spring.io/, Apache 2.0
    Spring Cloud Config 1.4.1: https://github.com/spring-cloud/spring-cloud-config, Apache-2.0
    Spring Cloud Netflix Zuul 1.3.0: https://github.com/spring-cloud/spring-cloud-netflix, Apache 2.0
    Apache: commons-logging 1.1.3: https://github.com/apache/commons-logging, Apache 2.0
@@ -263,7 +263,6 @@ The text of each license is the standard Apache 2.0 license.
    Apache: commons-beanutils 1.9.4: https://github.com/apache/commons-beanutils, Apache 2.0
    Apache: lucene 7.3.1, 8.3.0: https://github.com/apache/lucene-solr/tree/master/lucene, Apache 2.0
    Apache: httpasyncclient 4.1.2, 4.1.4: https://github.com/apache/httpasyncclient/tree/4.1.2, Apache 2.0
-    Apache: log4j 1.2.17: http://logging.apache.org/log4j/1.2/, Apache 2.0
    Apache: log4j2 2.14.1: https://github.com/apache/logging-log4j2, Apache 2.0
    Apache: zookeeper 3.5.7: https://github.com/apache/zookeeper, Apache 2.0
    Apache: commons-collections 3.2.2: https://github.com/apache/commons-collections, Apache 2.0
@@ -271,7 +270,7 @@ The text of each license is the standard Apache 2.0 license.
    Apache: commons-io 2.4: https://github.com/apache/commons-io, Apache 2.0
    Apache: commons-compress 1.20: https://github.com/apache/commons-compress, Apache 2.0
    Apache: commons-collections4 4.4: https://mvnrepository.com/artifact/org.apache.commons/commons-collections4, Apache 2.0
-    Apache: tomcat 8.5.27: https://github.com/apache/tomcat/tree/trunk, Apache 2.0
+    Apache: tomcat 8.5.66: https://github.com/apache/tomcat/tree/trunk, Apache 2.0
    Apache: freemarker 2.3.28: https://github.com/apache/freemarker, Apache 2.0
    netty 4.1.65: https://github.com/netty/netty/blob/4.1/LICENSE.txt, Apache 2.0
    annotations 13.0: http://www.jetbrains.org, Apache 2.0
@@ -310,8 +309,8 @@ The text of each license is the standard Apache 2.0 license.
    kubernetes-client 12.0.1: https://github.com/kubernetes-client/java, Apache 2.0
    proto files from istio/istio: https://github.com/istio/istio  Apache 2.0
    proto files from istio/api: https://github.com/istio/api      Apache 2.0
-    nacos 1.3.1: https://github.com/alibaba/nacos, Apache 2.0
-    consul-client 1.2.6: https://github.com/rickfast/consul-client, Apache 2.0
+    nacos 1.4.2: https://github.com/alibaba/nacos, Apache 2.0
+    consul-client 1.4.2: https://github.com/rickfast/consul-client, Apache 2.0
    okhttp 3.14.9: https://github.com/square/okhttp, Apache 2.0
    prometheus client_java(simpleclient) 0.6.0: https://github.com/prometheus/client_java, Apache 2.0
    proto files from istio/istio: https://github.com/istio/istio  Apache 2.0
@@ -324,7 +323,7 @@ The text of each license is the standard Apache 2.0 license.
    json-flatter 0.6.0: https://github.com/wnameless/json-flattener  Apache 2.0
    Apache: commons-text 1.4: https://github.com/apache/commons-text Apache 2.0
    sundrio 0.9.2: https://github.com/sundrio/sundrio Apache 2.0
-    Ctripcorp: apollo 1.4.0: https://github.com/ctripcorp/apollo Apache 2.0
+    Ctripcorp: apollo 1.8.0: https://github.com/ctripcorp/apollo Apache 2.0
    etcd4j 2.18.0: https://github.com/jurmous/etcd4j Apache 2.0
    javaassist 3.25.0-GA: https://github.com/jboss-javassist/javassist Apache 2.0
    jackson-module-afterburner 2.12.2: https://github.com/FasterXML/jackson-modules-base, Apache 2.0

--- a/docker/oap/Dockerfile.oap
+++ b/docker/oap/Dockerfile.oap
@@ -16,7 +16,23 @@

 ARG BASE_IMAGE='adoptopenjdk/openjdk8:alpine'

-FROM apache/skywalking-base:8.1.0-es6 AS cli
+FROM golang:1.14 AS cli
+
+ARG COMMIT_HASH=9f267876493943716434fdaa30047a14c0b5b2d9
+ARG CLI_CODE=${COMMIT_HASH}.tar.gz
+ARG CLI_CODE_URL=https://github.com/apache/skywalking-cli/archive/${CLI_CODE}
+
+ENV CGO_ENABLED=0
+ENV GO111MODULE=on
+
+WORKDIR /cli
+
+ADD ${CLI_CODE_URL} .
+RUN tar -xf ${CLI_CODE} --strip 1
+RUN rm ${CLI_CODE}
+
+RUN mkdir -p /skywalking/bin/
+RUN make linux && mv bin/swctl-latest-linux-amd64 /skywalking/bin/swctl

 FROM $BASE_IMAGE


--- a/docker/ui/Dockerfile.ui
+++ b/docker/ui/Dockerfile.ui
@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM openjdk:8u181-jdk-stretch
+FROM adoptopenjdk/openjdk8:alpine

 ENV DIST_NAME=apache-skywalking-apm-bin \
    JAVA_OPTS=" -Xms256M " \
@@ -37,4 +37,4 @@ COPY logback.xml webapp/

 EXPOSE 8080

-ENTRYPOINT ["bash", "docker-entrypoint.sh"]
\ No newline at end of file
+ENTRYPOINT ["sh", "docker-entrypoint.sh"]
\ No newline at end of file
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -79,8 +79,8 @@
        <commons-lang3.version>3.7</commons-lang3.version>
        <commons-text.version>1.4</commons-text.version>
        <simpleclient.version>0.6.0</simpleclient.version>
-        <apollo.version>1.4.0</apollo.version>
-        <nacos.version>1.3.1</nacos.version>
+        <apollo.version>1.8.0</apollo.version>
+        <nacos.version>1.4.2</nacos.version>
        <maven-docker-plugin.version>0.30.0</maven-docker-plugin.version>
        <curator.version>4.3.0</curator.version>
        <curator-test.version>2.12.0</curator-test.version>
@@ -484,6 +484,10 @@
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
+                    <exclusion>
+                        <groupId>log4j</groupId>
+                        <artifactId>log4j</artifactId>
+                    </exclusion>
                </exclusions>
            </dependency>
            <dependency>
@@ -495,6 +499,10 @@
                        <groupId>com.google.guava</groupId>
                        <artifactId>guava</artifactId>
                    </exclusion>
+                    <exclusion>
+                        <groupId>log4j</groupId>
+                        <artifactId>log4j</artifactId>
+                    </exclusion>
                </exclusions>
                <scope>test</scope>
            </dependency>

--- a/oap-server/server-cluster-plugin/cluster-consul-plugin/pom.xml
+++ b/oap-server/server-cluster-plugin/cluster-consul-plugin/pom.xml
@@ -41,7 +41,7 @@
        <dependency>
            <groupId>com.orbitz.consul</groupId>
            <artifactId>consul-client</artifactId>
-            <version>1.2.6</version>
+            <version>1.4.2</version>
            <exclusions>
                <exclusion>
                    <groupId>com.google.guava</groupId>

--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -5,8 +5,8 @@ animal-sniffer-annotations-1.18.jar
 annotations-13.0.jar
 antlr4-runtime-4.7.1.jar
 aopalliance-1.0.jar
-apollo-client-1.4.0.jar
-apollo-core-1.4.0.jar
+apollo-client-1.8.0.jar
+apollo-core-1.8.0.jar
 audience-annotations-0.5.0.jar
 bcpkix-jdk15on-1.68.jar
 bcprov-ext-jdk15on-1.68.jar
@@ -25,8 +25,8 @@ commons-lang3-3.7.jar
 commons-pool-1.5.4.jar
 commons-text-1.4.jar
 compiler-0.9.6.jar
-consul-client-1.2.6.jar
-converter-jackson-2.3.0.jar
+consul-client-1.4.2.jar
+converter-jackson-2.5.0.jar
 converter-moshi-2.5.0.jar
 curator-client-4.3.0.jar
 curator-framework-4.3.0.jar
@@ -72,8 +72,8 @@ jackson-databind-2.12.2.jar
 jackson-dataformat-cbor-2.10.4.jar
 jackson-dataformat-smile-2.10.4.jar
 jackson-dataformat-yaml-2.10.4.jar
-jackson-datatype-guava-2.9.5.jar
-jackson-datatype-jdk8-2.9.5.jar
+jackson-datatype-guava-2.9.10.jar
+jackson-datatype-jdk8-2.9.10.jar
 jackson-module-afterburner-2.12.2.jar
 jackson-module-kotlin-2.8.8.jar
 java-dataloader-2.0.2.jar
@@ -99,7 +99,6 @@ kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 lang-mustache-client-7.10.2.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-1.2.17.jar
 log4j-api-2.14.1.jar
 log4j-core-2.14.1.jar
 log4j-over-slf4j-1.7.30.jar
@@ -125,9 +124,9 @@ minimal-json-0.9.5.jar
 moshi-1.5.0.jar
 msgpack-core-0.8.16.jar
 mvel2-2.4.8.Final.jar
-nacos-api-1.3.1.jar
-nacos-client-1.3.1.jar
-nacos-common-1.3.1.jar
+nacos-api-1.4.2.jar
+nacos-client-1.4.2.jar
+nacos-common-1.4.2.jar
 netty-buffer-4.1.65.Final.jar
 netty-codec-4.1.65.Final.jar
 netty-codec-dns-4.1.65.Final.jar
@@ -154,7 +153,7 @@ protobuf-java-util-3.12.4.jar
 rank-eval-client-7.10.2.jar
 reactive-streams-1.0.2.jar
 reflectasm-1.11.7.jar
-retrofit-2.3.0.jar
+retrofit-2.5.0.jar
 s2-geometry-library-java-1.0.0.jar
 simpleclient-0.6.0.jar
 simpleclient_common-0.6.0.jar

--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -5,8 +5,8 @@ animal-sniffer-annotations-1.18.jar
 annotations-13.0.jar
 antlr4-runtime-4.7.1.jar
 aopalliance-1.0.jar
-apollo-client-1.4.0.jar
-apollo-core-1.4.0.jar
+apollo-client-1.8.0.jar
+apollo-core-1.8.0.jar
 audience-annotations-0.5.0.jar
 bcpkix-jdk15on-1.68.jar
 bcprov-ext-jdk15on-1.68.jar
@@ -24,8 +24,8 @@ commons-io-2.6.jar
 commons-lang3-3.7.jar
 commons-pool-1.5.4.jar
 commons-text-1.4.jar
-consul-client-1.2.6.jar
-converter-jackson-2.3.0.jar
+consul-client-1.4.2.jar
+converter-jackson-2.5.0.jar
 converter-moshi-2.5.0.jar
 curator-client-4.3.0.jar
 curator-framework-4.3.0.jar
@@ -70,8 +70,8 @@ jackson-databind-2.12.2.jar
 jackson-dataformat-cbor-2.8.10.jar
 jackson-dataformat-smile-2.8.10.jar
 jackson-dataformat-yaml-2.8.10.jar
-jackson-datatype-guava-2.9.5.jar
-jackson-datatype-jdk8-2.9.5.jar
+jackson-datatype-guava-2.9.10.jar
+jackson-datatype-jdk8-2.9.10.jar
 jackson-module-afterburner-2.12.2.jar
 jackson-module-kotlin-2.8.8.jar
 java-dataloader-2.0.2.jar
@@ -96,7 +96,6 @@ kafka-clients-2.4.1.jar
 kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-1.2.17.jar
 log4j-api-2.14.1.jar
 log4j-core-2.14.1.jar
 log4j-over-slf4j-1.7.30.jar
@@ -122,9 +121,9 @@ minimal-json-0.9.5.jar
 moshi-1.5.0.jar
 msgpack-core-0.8.16.jar
 mvel2-2.4.8.Final.jar
-nacos-api-1.3.1.jar
-nacos-client-1.3.1.jar
-nacos-common-1.3.1.jar
+nacos-api-1.4.2.jar
+nacos-client-1.4.2.jar
+nacos-common-1.4.2.jar
 netty-buffer-4.1.65.Final.jar
 netty-codec-4.1.65.Final.jar
 netty-codec-dns-4.1.65.Final.jar
@@ -151,7 +150,7 @@ protobuf-java-util-3.12.4.jar
 rank-eval-client-6.3.2.jar
 reactive-streams-1.0.2.jar
 reflectasm-1.11.7.jar
-retrofit-2.3.0.jar
+retrofit-2.5.0.jar
 simpleclient-0.6.0.jar
 simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar