Comments (9)
Hi @benjben, can you accommodate the above changes in the next release?
When is the next release planned?
from enrich.
Hi @benjben, any update on this?
Hi @vishalrv1904, I'm currently working on the next Enrich release, that will come hopefully before the end of this week. I will address security vulnerabilities. Please note that in this release we will stop publishing Stream Enrich assets, so if you're still using snowplow-stream-enrich-kinesis, you'll need to switch to enrich-kinesis. Setup guide can be found here.
Hi @benjben, we've successfully transitioned from using snowplow-stream-enrich-kinesis to enrich-kinesis. While we're aware that a new release of enrich-kinesis is anticipated in the near future, we wanted to proactively reach out and highlight a few vulnerabilities that we'd appreciate having addressed in the upcoming release. Please find below the vulnerabilities that have been identified through our comprehensive security assessments.
Jar: snowplow-enrich-kinesis-3.8.2.jar
Security Vulnerabilities:
- CVE-2022-1471
- CVE-2022-31159
- CVE-2021-29425
- CVE-2022-41854
- CVE-2022-38752
- CVE-2023-2976
- CVE-2023-34462
- GHSA-xpw8-rcwv-8f8p
- CVE-2020-8908
Hi @raghulrider @vishalrv1904,
Awesome that you could migrate swiftly to enrich-kinesis.
In case you missed it 3.9.0 has been released without high and critical vulnerabilities.
Hi @benjben, 3.9.0 fixed most of the security vulnerabilities, but some security vulnerabilities still remain. It would be great if these vulnerabilities could be addressed in the next release. Your efforts are much appreciated!
Jar: snowplow-enrich-kinesis-3.9.0.jar
Security Vulnerabilities:
- CVE-2022-1471 (CRITICAL)
- CVE-2023-2976 (HIGH)
- CVE-2021-29425 (MEDIUM)
- CVE-2020-8908 (LOW)
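The list above is what a scanner reported against the 3.9.0 fat jar. A defender-side way to confirm such a report against the artifact itself, added here as an example and not code from the Snowplow project or from anyone in this thread, is to read the Maven coordinates a fat jar carries in its `META-INF/maven/**/pom.properties` entries and compare each bundled version with the first version assumed to carry the fix. The CVE-to-artifact mapping in `ASSUMED_FIXES` is an assumption made for illustration and should be checked against each advisory before being relied on; the jar built by `build_sample_jar()` is a constructed stand-in, not the real snowplow-enrich-kinesis jar.

```python
"""List Maven artifacts bundled in a fat jar and flag those below an assumed fix version."""
import io
import re
import zipfile

# Assumed mapping for illustration only: CVE -> (groupId, artifactId, first fixed version).
# Verify each entry against the advisory (NVD / GitHub Advisory Database) before relying on it.
ASSUMED_FIXES = {
    "CVE-2022-1471": ("org.yaml", "snakeyaml", "2.0"),
    "CVE-2023-2976": ("com.google.guava", "guava", "32.0.0"),
    "CVE-2021-29425": ("commons-io", "commons-io", "2.7"),
    "CVE-2020-8908": ("com.google.guava", "guava", "32.0.0"),
}


def version_key(version):
    """Turn a version string such as '32.0.0-jre' or '1.33' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_pom_properties(text):
    """Parse the key=value lines of a pom.properties file, ignoring comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def bundled_artifacts(jar_bytes):
    """Return [(groupId, artifactId, version)] for every META-INF/maven/**/pom.properties in the jar."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append((props["groupId"], props["artifactId"], props["version"]))
    return found


def flag_vulnerable(jar_bytes, fixes=ASSUMED_FIXES):
    """Return {cve: bundled_version} for each CVE whose artifact is bundled below the fix version."""
    artifacts = bundled_artifacts(jar_bytes)
    hits = {}
    for cve, (group, artifact, fixed) in fixes.items():
        for bundled_group, bundled_artifact, bundled_version in artifacts:
            if (bundled_group, bundled_artifact) == (group, artifact) \
                    and version_key(bundled_version) < version_key(fixed):
                hits[cve] = bundled_version
    return hits


def build_sample_jar():
    """Constructed stand-in for a fat jar; versions are made up and not those of any real release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                     "groupId=org.yaml\nartifactId=snakeyaml\nversion=1.33\n")
        jar.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                     "groupId=com.google.guava\nartifactId=guava\nversion=31.1-jre\n")
        jar.writestr("META-INF/maven/commons-io/commons-io/pom.properties",
                     "groupId=commons-io\nartifactId=commons-io\nversion=2.11.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Run against a real jar with: flag_vulnerable(open("path/to/artifact.jar", "rb").read())
    for cve, version in sorted(flag_vulnerable(build_sample_jar()).items()):
        print(f"{cve}: bundled {version}")
```

Checking pom.properties only catches libraries that were packaged with their Maven metadata intact; shaded or relocated dependencies may lack it, which is one reason scanner output and this kind of manual check can disagree.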
Hi @raghulrider, may I ask which tool you are using to detect vulnerabilities?
Hi @raghulrider, may I ask which tool you are using to detect vulnerabilities?
The above mentioned vulnerabilities were identified by Orca Security Scanning tool.
Hi @benjben, can you approve this PR (#817) for the next release? It can help us resolve the above-mentioned vulnerabilities.