fix(): Fixes multiple minor security vulnerabilities (#13222)

bug(snappy): Make sure the right snappy version is installed
fix(docker): update Dockerize to version v0.9.3
fix(gms): fixes dgraph4j netty deps
fix(docker): remove SGID on /home/datahub and /home/datahub-integration
fix(datahub-actions): bump setuptools and wheel version
fix(docker): update c-ares version
fix(docker): datahub-actions addendum
This commit is contained in:
Esteban Gutierrez 2025-04-21 16:39:26 -05:00 committed by GitHub
parent fa750573e2
commit 8a17ba14d6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
16 changed files with 52 additions and 31 deletions


@ -141,7 +141,8 @@ project.ext.externalDependency = [
'datastaxOssCore': 'com.datastax.oss:java-driver-core:4.14.1',
'datastaxOssQueryBuilder': 'com.datastax.oss:java-driver-query-builder:4.14.1',
'dgraph4j' : 'io.dgraph:dgraph4j:24.1.1',
'dgraphNetty': 'io.grpc:grpc-netty-shaded:1.69.0',
'dgraphNetty': 'io.grpc:grpc-netty:1.71.0',
'dgraphShadedNetty': 'io.grpc:grpc-netty-shaded:1.71.0',
'dropwizardMetricsCore': 'io.dropwizard.metrics:metrics-core:4.2.3',
'dropwizardMetricsJmx': 'io.dropwizard.metrics:metrics-jmx:4.2.3',
'ebean': 'io.ebean:ebean:' + ebeanVersion,
@ -201,7 +202,7 @@ project.ext.externalDependency = [
'kafkaAvroSerde': "io.confluent:kafka-streams-avro-serde:$kafkaVersion",
'kafkaAvroSerializer': "io.confluent:kafka-avro-serializer:$kafkaVersion",
'kafkaClients': "org.apache.kafka:kafka-clients:$kafkaVersion-ccs",
'snappy': 'org.xerial.snappy:snappy-java:1.1.10.5',
'snappy': 'org.xerial.snappy:snappy-java:1.1.10.7',
'logbackClassic': "ch.qos.logback:logback-classic:$logbackClassic",
'logbackClassicJava8' : "ch.qos.logback:logback-classic:$logbackClassicJava8",
'slf4jApi': "org.slf4j:slf4j-api:$slf4jVersion",
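Review bot: L25–L26 now declare both `io.grpc:grpc-netty` and `io.grpc:grpc-netty-shaded` at 1.71.0, and the dgraph module pulls both in (the added `implementation externalDependency.dgraphShadedNetty` in the last section, next to the existing `dgraphNetty`). With both on the runtime classpath two netty transports are registered and two copies of netty (one shaded) are shipped; which transport gRPC picks is then decided by provider priority, not by this build file. Since the dgraph module already trims dgraph4j's transitive set by hand (`exclude group: 'io.grpc', module: 'grpc-protobuf'`), keeping a single transport and excluding the other looks like the smaller change, if it was only the netty version that needed to move. If both really are required, a comment beside the two entries would keep the next reader from dropping one, e.g. `// TODO(review): record why both grpc-netty and grpc-netty-shaded must be present`.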


@ -1,6 +1,6 @@
[build-system]
build-backend = "setuptools.build_meta"
requires = ["setuptools>=54.0.0", "wheel", "pip>=21.0.0"]
requires = ["setuptools>65.5.1", "wheel>0.38.1", "pip>=21.0.0"]
[tool.ruff]
line-length = 88


@ -37,8 +37,8 @@ RUN existing_group=$(getent group 1000 | cut -d: -f1) && \
fi && \
# Create and set proper permissions for datahub directories
mkdir -p $HOME && \
chown -R datahub:datahub $HOME
chown -R datahub:datahub $HOME && \
chmod g-s $HOME
# Setup the PPA for alternative Python versions.
# TODO: Eventually we should switch to using uv's support for python-build-standalone.
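Review bot: The new `chmod g-s $HOME` on L58 clears the setgid bit on the directory itself only, whereas the `chown -R` it is chained to is recursive; that is adequate right after `mkdir -p $HOME` creates an empty directory, but it would miss entries under a `$HOME` that already exists in the base image, and the reason for the change is not recorded in the file. I would add a one-line comment above it, e.g. `# clear setgid on the home dir (security finding addressed in #13222)`, and if nested entries were also reported, `find "$HOME" -type d -perm -2000 -exec chmod g-s {} +` covers them. The same one-line change recurs in the hunks ending at L112, L124 and L277, and as `chmod g-s /home/datahub` appended to the adduser line in the hunks ending at L100, L151, L178 and L206. The enclosing RUN instruction starts before this hunk.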


@ -17,7 +17,9 @@ RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then
# PFP-260: Upgrade Sqlite to >=3.28.0-r0 to fix https://security.snyk.io/vuln/SNYK-ALPINE39-SQLITE-449762
ENV JMX_VERSION=0.20.0
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add curl sqlite libc6-compat snappy \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add curl sqlite libc6-compat \
&& apk --no-cache add snappy=~1.2 --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add openjdk17-jre-headless --repository=${ALPINE_REPO_URL}/edge/community \
&& apk --no-cache add jattach --repository ${ALPINE_REPO_URL}/edge/community/ \
&& wget ${GITHUB_REPO_URL}/open-telemetry/opentelemetry-java-instrumentation/releases/download/v2.15.0/opentelemetry-javaagent.jar -O opentelemetry-javaagent.jar \


@ -11,7 +11,7 @@ FROM golang:1-alpine3.21 AS binary
# Re-declaring arg from above to make it available in this stage (will inherit default value)
ARG ALPINE_REPO_URL
ENV DOCKERIZE_VERSION=v0.9.1
ENV DOCKERIZE_VERSION=v0.9.3
WORKDIR /go/src/github.com/jwilder
# Optionally set corporate mirror for apk
@ -38,7 +38,9 @@ RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then
# PFP-260: Upgrade Sqlite to >=3.28.0-r0 to fix https://security.snyk.io/vuln/SNYK-ALPINE39-SQLITE-449762
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add curl bash coreutils gcompat sqlite libc6-compat snappy \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add curl bash coreutils gcompat sqlite libc6-compat \
&& apk --no-cache add snappy=~1.2 --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add openjdk17-jre-headless --repository=${ALPINE_REPO_URL}/edge/community \
&& apk --no-cache add jattach --repository ${ALPINE_REPO_URL}/edge/community/ \
&& wget --no-verbose ${GITHUB_REPO_URL}/open-telemetry/opentelemetry-java-instrumentation/releases/download/v2.15.0/opentelemetry-javaagent.jar \
@ -63,7 +65,7 @@ FROM ${APP_ENV}-install AS final
RUN mkdir -p /etc/datahub/plugins/auth/resources
RUN addgroup -S datahub && adduser -S datahub -G datahub
RUN addgroup -S datahub && adduser -S datahub -G datahub && chmod g-s /home/datahub
RUN chown -R datahub:datahub /etc/datahub /datahub
USER datahub


@ -36,8 +36,8 @@ RUN existing_group=$(getent group 1000 | cut -d: -f1) && \
fi && \
# Create and set proper permissions for datahub directories
mkdir -p $HOME && \
chown -R datahub:datahub $HOME
chown -R datahub:datahub $HOME && \
chmod g-s $HOME
# Setup the PPA for alternative Python versions.
# TODO: Eventually we should switch to using uv's support for python-build-standalone.


@ -37,8 +37,8 @@ RUN existing_group=$(getent group 1000 | cut -d: -f1) && \
fi && \
# Create and set proper permissions for datahub directories
mkdir -p $HOME && \
chown -R datahub:datahub $HOME
chown -R datahub:datahub $HOME && \
chmod g-s $HOME
# Setup the PPA for alternative Python versions.
# TODO: Eventually we should switch to using uv's support for python-build-standalone.


@ -11,7 +11,7 @@ FROM golang:1-alpine3.21 AS binary
# Re-declaring arg from above to make it available in this stage (will inherit default value)
ARG ALPINE_REPO_URL
ENV DOCKERIZE_VERSION=v0.9.1
ENV DOCKERIZE_VERSION=v0.9.3
WORKDIR /go/src/github.com/jwilder
# Optionally set corporate mirror for apk
@ -37,7 +37,9 @@ RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then
ENV JMX_VERSION=0.20.0
# PFP-260: Upgrade Sqlite to >=3.28.0-r0 to fix https://security.snyk.io/vuln/SNYK-ALPINE39-SQLITE-449762
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add curl bash coreutils sqlite libc6-compat snappy \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add curl bash coreutils sqlite libc6-compat \
&& apk --no-cache add snappy=~1.2 --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add openjdk17-jre-headless --repository=${ALPINE_REPO_URL}/edge/community \
&& apk --no-cache add jattach --repository ${ALPINE_REPO_URL}/edge/community/ \
&& wget --no-verbose ${GITHUB_REPO_URL}/open-telemetry/opentelemetry-java-instrumentation/releases/download/v2.15.0/opentelemetry-javaagent.jar \
@ -60,7 +62,7 @@ FROM base AS dev-install
FROM ${APP_ENV}-install AS final
RUN addgroup -S datahub && adduser -S datahub -G datahub
RUN addgroup -S datahub && adduser -S datahub -G datahub && chmod g-s /home/datahub
USER datahub
ENV JMX_OPTS=""


@ -11,7 +11,7 @@ FROM golang:1-alpine3.21 AS binary
# Re-declaring arg from above to make it available in this stage (will inherit default value)
ARG ALPINE_REPO_URL
ENV DOCKERIZE_VERSION=v0.9.1
ENV DOCKERIZE_VERSION=v0.9.3
WORKDIR /go/src/github.com/jwilder
# Optionally set corporate mirror for apk
@ -37,7 +37,9 @@ RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then
ENV JMX_VERSION=0.20.0
# PFP-260: Upgrade Sqlite to >=3.28.0-r0 to fix https://security.snyk.io/vuln/SNYK-ALPINE39-SQLITE-449762
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add curl bash sqlite libc6-compat snappy \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add curl bash sqlite libc6-compat \
&& apk --no-cache add snappy=~1.2 --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add openjdk17-jre-headless --repository=${ALPINE_REPO_URL}/edge/community \
&& apk --no-cache add jattach --repository ${ALPINE_REPO_URL}/edge/community/ \
&& wget --no-verbose ${GITHUB_REPO_URL}/open-telemetry/opentelemetry-java-instrumentation/releases/download/v2.15.0/opentelemetry-javaagent.jar \
@ -61,7 +63,7 @@ COPY metadata-models/src/main/resources/entity-registry.yml /datahub/datahub-mce
FROM ${APP_ENV}-install AS final
RUN addgroup -S datahub && adduser -S datahub -G datahub
RUN addgroup -S datahub && adduser -S datahub -G datahub && chmod g-s /home/datahub
USER datahub
ENV JMX_OPTS=""


@ -11,7 +11,7 @@ FROM golang:1-alpine3.21 AS binary
# Re-declaring arg from above to make it available in this stage (will inherit default value)
ARG ALPINE_REPO_URL
ENV DOCKERIZE_VERSION=v0.9.1
ENV DOCKERIZE_VERSION=v0.9.3
WORKDIR /go/src/github.com/jwilder
# Optionally set corporate mirror for apk
@ -38,8 +38,10 @@ ENV JMX_VERSION=0.20.0
# Upgrade Alpine and base packages
# PFP-260: Upgrade Sqlite to >=3.28.0-r0 to fix https://security.snyk.io/vuln/SNYK-ALPINE39-SQLITE-449762
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add curl bash coreutils gcompat sqlite libc6-compat snappy \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add curl bash coreutils gcompat sqlite libc6-compat \
&& apk --no-cache add openjdk17-jre-headless --repository=${ALPINE_REPO_URL}/edge/community \
&& apk --no-cache add snappy=~1.2 --repository=${ALPINE_REPO_URL}/edge/main \
&& mkdir -p /datahub/datahub-upgrade/lib \
&& wget --no-verbose -P /datahub/datahub-upgrade/lib ${GITHUB_REPO_URL}/open-telemetry/opentelemetry-java-instrumentation/releases/download/v2.15.0/opentelemetry-javaagent.jar \
&& wget --no-verbose -P /datahub/datahub-upgrade/lib ${MAVEN_CENTRAL_REPO_URL}/io/prometheus/jmx/jmx_prometheus_javaagent/${JMX_VERSION}/jmx_prometheus_javaagent-${JMX_VERSION}.jar -O jmx_prometheus_javaagent.jar \
@ -62,7 +64,7 @@ FROM base AS dev-install
FROM ${APP_ENV}-install AS final
RUN addgroup -S datahub && adduser -S datahub -G datahub
RUN addgroup -S datahub && adduser -S datahub -G datahub && chmod g-s /home/datahub
USER datahub
ENV OTEL_EXPORTER_OTLP_MAX_PAYLOAD_SIZE=4194304 \


@ -10,14 +10,16 @@ FROM golang:1-alpine3.21 AS binary
ARG ALPINE_REPO_URL
ENV DOCKERIZE_VERSION=v0.9.1
ENV DOCKERIZE_VERSION=v0.9.3
WORKDIR /go/src/github.com/jwilder
# Optionally set corporate mirror for apk
RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories ; fi
# PFP-260: Upgrade Sqlite to >=3.28.0-r0 to fix https://security.snyk.io/vuln/SNYK-ALPINE39-SQLITE-449762
RUN apk --no-cache --update add openssl git tar curl sqlite
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add openssl git tar curl sqlite
WORKDIR /go/src/github.com/jwilder/dockerize
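Review bot: L219–L221 run a full `apk upgrade` and pull edge `c-ares` into the `binary` stage that compiles dockerize, but nothing on the new side shows c-ares being a build input of that Go binary, and presumably only the built dockerize is copied out of this stage — so unless the intermediate stage's layers are themselves what gets scanned, this adds build time and an edge dependency without changing what ships. If the intent is scanner hygiene for the builder stage, a comment saying so would make that explicit, e.g. `# upgrade + c-ares here only so the builder stage itself is clean; not shipped`. The identical change appears in the hunks ending at L250 and L265.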


@ -33,7 +33,10 @@ RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then
RUN apk add --no-cache bash coreutils
RUN apk --no-cache add openjdk17-jre-headless --repository=${ALPINE_REPO_URL}/edge/community
RUN apk add --no-cache -t .build-deps git curl ca-certificates jq gcc musl-dev libffi-dev zip
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add -t .build-deps git curl ca-certificates jq gcc musl-dev libffi-dev zip
RUN mkdir -p /opt \
&& if [ "${APACHE_DOWNLOAD_URL}" != "null" ] ; then mirror="${APACHE_DOWNLOAD_URL}/" ; else mirror=$(curl --stderr /dev/null https://www.apache.org/dyn/closer.cgi\?as_json\=1 | jq -r '.preferred'); fi \
&& curl -sSL "${mirror}kafka/${KAFKA_VERSION}/kafka_${SCALA_VERSION}-${KAFKA_VERSION}.tgz" \


@ -5,13 +5,15 @@ FROM golang:1-alpine3.21 AS binary
ARG ALPINE_REPO_URL
ENV DOCKERIZE_VERSION=v0.9.1
ENV DOCKERIZE_VERSION=v0.9.3
WORKDIR /go/src/github.com/jwilder
# Optionally set corporate mirror for apk
RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories ; fi
RUN apk --no-cache --update add openssl git tar curl
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add openssl git tar curl
WORKDIR /go/src/github.com/jwilder/dockerize


@ -5,13 +5,15 @@ FROM golang:1-alpine3.21 AS binary
ARG ALPINE_REPO_URL
ENV DOCKERIZE_VERSION=v0.9.1
ENV DOCKERIZE_VERSION=v0.9.3
WORKDIR /go/src/github.com/jwilder
# Optionally set corporate mirror for apk
RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories ; fi
RUN apk --no-cache --update add openssl git tar curl
RUN apk --no-cache --update-cache --available upgrade \
&& apk --no-cache add 'c-ares>1.34.5' --repository=${ALPINE_REPO_URL}/edge/main \
&& apk --no-cache add openssl git tar curl
WORKDIR /go/src/github.com/jwilder/dockerize


@ -27,8 +27,8 @@ RUN existing_group=$(getent group 1000 | cut -d: -f1) && \
fi && \
# Create and set proper permissions for datahub directories
mkdir -p $HOME && \
chown -R datahub:datahub $HOME
chown -R datahub:datahub $HOME && \
chmod g-s $HOME
# Setup the PPA for alternative Python versions.
# TODO: Eventually we should switch to using uv's support for python-build-standalone.


@ -37,6 +37,7 @@ dependencies {
exclude group: 'io.grpc', module: 'grpc-protobuf'
}
implementation externalDependency.dgraphNetty
implementation externalDependency.dgraphShadedNetty
implementation externalDependency.slf4jApi
runtimeOnly externalDependency.logbackClassic
compileOnly externalDependency.lombok