
address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699 #3575

Merged
merged 2 commits into from
Feb 21, 2025

Conversation

jngz-es
Collaborator

@jngz-es jngz-es commented Feb 20, 2025

Description

[Describe what this change achieves]

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@jngz-es
Collaborator Author

jngz-es commented Feb 20, 2025

Something is wrong with the test cases about JSON path; taking a look.

@peterzhuamazon
Member

peterzhuamazon commented Feb 20, 2025

Hi @jngz-es, please keep 24970 pending, as we have a PR in core trying to update it as well.
And ml can take the same value from core instead of hardcoding it.

opensearch-project/OpenSearch#17396
#3565

cc: @dhrubo-os

Thanks.

@jngz-es
Collaborator Author

jngz-es commented Feb 20, 2025

> Hi @jngz-es, please keep 24970 pending, as we have a PR in core trying to update it as well.
> And ml can take the same value from core instead of hardcoding it.

Yeah, will do.

@peterzhuamazon
Member

Hi @jngz-es, please proceed with the changes and merge.
We will postpone the core update due to more dependencies.

Thanks.

@jngz-es
Collaborator Author

jngz-es commented Feb 21, 2025

Hi @peterzhuamazon, I got the error below, which is confusing me. Do you have any idea?

Execution failed for task ':opensearch-ml-algorithms:compileJava'.
> Could not resolve all files for configuration ':opensearch-ml-algorithms:compileClasspath'.
   > Could not find software.amazon.awssdk:bom:${versions.aws}.
     Required by:
         project :opensearch-ml-algorithms
   > Could not find software.amazon.awssdk:apache-client:.
     Required by:
         project :opensearch-ml-algorithms

hardcode awssdk version to 2.30.18

Signed-off-by: Jing Zhang <[email protected]>

codecov bot commented Feb 21, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.29%. Comparing base (d7dec0f) to head (58cb6ac).
Report is 21 commits behind head on main.

@@             Coverage Diff              @@
##               main    #3575      +/-   ##
============================================
+ Coverage     80.25%   80.29%   +0.04%     
- Complexity     6906     6936      +30     
============================================
  Files           610      610              
  Lines         30077    30296     +219     
  Branches       3368     3388      +20     
============================================
+ Hits          24137    24326     +189     
- Misses         4487     4507      +20     
- Partials       1453     1463      +10     
Flag: ml-commons, coverage 80.29% (+0.04%)


@jngz-es jngz-es temporarily deployed to ml-commons-cicd-env February 21, 2025 05:05 — with GitHub Actions Inactive
@jngz-es jngz-es merged commit 4d95466 into opensearch-project:main Feb 21, 2025
14 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Feb 21, 2025
* address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699

Signed-off-by: Jing Zhang <[email protected]>

* add exact version 2.5.2 for json-smart
hardcode awssdk version to 2.30.18

Signed-off-by: Jing Zhang <[email protected]>

---------

Signed-off-by: Jing Zhang <[email protected]>
(cherry picked from commit 4d95466)
peterzhuamazon pushed a commit that referenced this pull request Feb 21, 2025
…3578)

* address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699

Signed-off-by: Jing Zhang <[email protected]>

* add exact version 2.5.2 for json-smart
hardcode awssdk version to 2.30.18

Signed-off-by: Jing Zhang <[email protected]>

---------

Signed-off-by: Jing Zhang <[email protected]>
(cherry picked from commit 4d95466)

Co-authored-by: Jing Zhang <[email protected]>
jngz-es added a commit that referenced this pull request Feb 21, 2025
…3577)

* address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699

Signed-off-by: Jing Zhang <[email protected]>

* add exact version 2.5.2 for json-smart
hardcode awssdk version to 2.30.18

Signed-off-by: Jing Zhang <[email protected]>

---------

Signed-off-by: Jing Zhang <[email protected]>
(cherry picked from commit 4d95466)

Co-authored-by: Jing Zhang <[email protected]>
@maxlepikhin
Contributor

Hi @jngz-es, when will this fix be released as part of the OpenSearch image?

@jngz-es jngz-es deleted the CVE-2025-25193 branch March 26, 2025 18:47
5 participants