Analysis of Security Vulnerabilities in GMS Releases

Original Slack Thread

Hello community.
We’ve observed the security vulnerabilities in the latest 0.11.0 release have increased significantly as compared to the 4 medium vulnerabilities that existed in the 0.10.5 version (chart version 0.1.185) for the GMS image.

Any idea what change has increased it? It would also be helpful if you can point us to the PRs that had reduced the vulnerabilities earlier. We’ll be more than happy to contribute those back.

Thanks in advance!

GMS specifically has seen the number decrease between releases.

```Java (jar)
Total: 47 (UNKNOWN: 0, LOW: 1, MEDIUM: 31, HIGH: 13, CRITICAL: 2)

linkedin/datahub-gms:v0.11.0 (alpine 3.18.3)
Java (jar)
Total: 39 (UNKNOWN: 0, LOW: 1, MEDIUM: 29, HIGH: 7, CRITICAL: 2)```
The critical vulnerabilities are CVE-2016-1000027 (https://avd.aquasec.com/nvd/cve-2016-1000027) and CVE-2019-10202 (https://avd.aquasec.com/nvd/cve-2019-10202), both of which are flagged in 0.10.5 & 0.11.0. The first one is flagged when using < Spring 6.0; however, it is only present when using a specific deserialization, which DH is not. The other critical is related to avro 1.7, which has been in DH for a very long time; however, exploiting this would require access to the kafka topics.

Scanner details:
```$ trivy --version
Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-14 00:20:06.116174889 +0000 UTC
  NextUpdate: 2023-09-14 06:20:06.116174589 +0000 UTC
  DownloadedAt: 2023-09-14 01:05:07.747262 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-09-14 00:53:26.665333329 +0000 UTC
  NextUpdate: 2023-09-17 00:53:26.665331929 +0000 UTC
  DownloadedAt: 2023-09-14 01:05:35.167765 +0000 UTC```

Oh okay. So that means we technically cannot achieve 0 vulnerabilities is it?

Eventually, I think the rest.li pegasus stack will support jdk17, which would unblock spring 6. I am not yet certain on whether avro can be upgraded; investigating what the blocker is there.
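The two practical questions in this thread are "which packages introduced the findings that changed between releases" and "what is left once the findings the maintainer has triaged as not exploitable in context are documented as accepted". The script below is an added worked example, not part of the original thread and not DataHub project code: it diffs two Trivy JSON reports (the layout is Trivy's JSON output, a top-level `Results` list whose entries carry `Target` and `Vulnerabilities`), rebuilds the `Total: N (...)` summary line, and applies an accept-list written in `.trivyignore` syntax. The two sample reports are constructed; the two real CVE IDs are the ones discussed above, while the `SAMPLE-*` identifiers, the `example:*` packages and all version strings are placeholders.

```python
"""Diff two Trivy JSON reports and apply a documented accept-list.

Added example for this thread; not DataHub project code and not real scan
output. Report layout follows Trivy's JSON format (SchemaVersion 2): a
top-level "Results" list whose entries carry "Target" and "Vulnerabilities".
"""
import json
from collections import Counter, defaultdict

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def _finding(vuln_id, pkg, installed, fixed, severity):
    return {"VulnerabilityID": vuln_id, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}


def _report(artifact, findings):
    return json.dumps({"SchemaVersion": 2, "ArtifactName": artifact,
                       "Results": [{"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
                                    "Vulnerabilities": findings}]})


# Constructed sample reports. The two real CVE IDs are the ones discussed in the
# thread; SAMPLE-* IDs, example:* packages and every version string are placeholders.
OLD_REPORT = _report("linkedin/datahub-gms:v0.10.5", [
    _finding("CVE-2016-1000027", "org.springframework:spring-web", "5.x", "6.0.0", "CRITICAL"),
    _finding("CVE-2019-10202", "org.apache.avro:avro", "1.7.x", "", "CRITICAL"),
    _finding("SAMPLE-0001", "example:lib-a", "1.0", "1.1", "HIGH"),
    _finding("SAMPLE-0002", "example:lib-a", "1.0", "1.1", "HIGH"),
])
NEW_REPORT = _report("linkedin/datahub-gms:v0.11.0", [
    _finding("CVE-2016-1000027", "org.springframework:spring-web", "5.x", "6.0.0", "CRITICAL"),
    _finding("CVE-2019-10202", "org.apache.avro:avro", "1.7.x", "", "CRITICAL"),
    _finding("SAMPLE-0003", "example:lib-b", "2.0", "", "MEDIUM"),
])

# Accept-list in .trivyignore syntax (one ID per line, '#' comments). The
# comments record the reasoning given in the thread instead of silently
# suppressing the findings; the same text can be passed to `trivy --ignorefile`.
ACCEPTED = """
# Only reachable through a specific Spring deserialization path that DataHub does not use
CVE-2016-1000027
# avro 1.7; exploitation requires access to the Kafka topics
CVE-2019-10202
"""


def load_findings(report_json):
    """Index a Trivy report as {(target, id, pkg, installed_version): finding}."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        # "Vulnerabilities" is absent (or null) when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            out[(result["Target"], v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"])] = v
    return out


def severity_summary(findings):
    """Rebuild Trivy's 'Total: N (UNKNOWN: a, LOW: b, ...)' table line."""
    counts = Counter(v.get("Severity", "UNKNOWN") for v in findings.values())
    body = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITIES)
    return f"Total: {len(findings)} ({body})"


def diff_reports(old_json, new_json):
    """Findings added and removed between two scans, grouped by package name.

    A version bump of the same package deliberately shows the same CVE as
    removed for the old version and added for the new one.
    """
    old, new = load_findings(old_json), load_findings(new_json)
    added, removed = defaultdict(list), defaultdict(list)
    for target, vuln_id, pkg, _installed in sorted(set(new) - set(old)):
        added[pkg].append(vuln_id)
    for target, vuln_id, pkg, _installed in sorted(set(old) - set(new)):
        removed[pkg].append(vuln_id)
    return {"added": dict(added), "removed": dict(removed)}


def parse_ignore_list(text):
    """Parse .trivyignore-style text: one vulnerability ID per line, '#' comments."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def unaccepted(report_json, ignore_text):
    """Findings that remain after applying the documented accept-list."""
    ignored = parse_ignore_list(ignore_text)
    return {k: v for k, v in load_findings(report_json).items() if k[1] not in ignored}


if __name__ == "__main__":
    delta = diff_reports(OLD_REPORT, NEW_REPORT)
    print("old:", severity_summary(load_findings(OLD_REPORT)))
    print("new:", severity_summary(load_findings(NEW_REPORT)))
    print("added by package:", delta["added"])
    print("removed by package:", delta["removed"])
    print("open after accept-list:", severity_summary(unaccepted(NEW_REPORT, ACCEPTED)))
```

To produce real inputs, scan both tags with `trivy image --format json --output old.json linkedin/datahub-gms:v0.10.5` and the same for `v0.11.0`, ideally in one session so both reports come from the same vulnerability DB snapshot (the `Vulnerability DB` dates printed by `trivy --version` above matter: a newer DB alone can raise the count with no change to the image). Keep the accept-list in the repository as `.trivyignore` so the "why" survives reviews and the ignored IDs are re-examined when the underlying library finally moves, which for the Spring entry is the jdk17/Spring 6 work mentioned at the end of the thread.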