dikhan / pagerduty-client
Simple PagerDuty client with full integration with PagerDuty Events APIs v2
Home Page: https://dikhan.github.io/pagerduty-client/
License: MIT License
Update jackson-databind artifact version to 2.8.11.1 as suggested by GitHub after finding potential security vulnerabilities:
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.8.11.1 or later. For example:
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>[2.8.11.1,)</version>
</dependency>
Details:
CVE-2017-17485 (high severity)
Vulnerable versions: < 2.8.11
Patched version: 2.8.11
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVE-2017-15095 (high severity)
Vulnerable versions: < 2.8.11
Patched version: 2.8.11
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVE-2018-7489 (high severity)
Vulnerable versions: < 2.8.11.1
Patched version: 2.8.11.1
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVE-2017-7525 (high severity)
Vulnerable versions: >= 2.8.0, < 2.8.9
Patched version: 2.8.9
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
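The four advisories above share one root cause: Jackson's default (polymorphic) typing honouring a class name carried in untrusted JSON, with each fix adding classes to a denylist that the next report bypassed. The following is an added example, not code from pagerduty-client and not taken from Jackson's documentation, showing the two defensive configurations a consumer of this library would choose between: keep default typing off, or, where polymorphic deserialization is genuinely required, enable it only with an explicit subtype allowlist. It assumes jackson-databind 2.10 or later, where `PolymorphicTypeValidator` and `activateDefaultTyping` were introduced (newer than the 2.8.11.1 named in the remediation); the `Event`, `Trigger` and `Resolve` classes are constructed for the demonstration.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not pagerduty-client code. Requires jackson-databind >= 2.10.
public final class SafeMappers {

    // Constructed type hierarchy standing in for a real polymorphic model.
    public static abstract class Event { }

    public static final class Trigger extends Event {
        public String summary;
    }

    // Deliberately left off the allowlist to show the validator rejecting it.
    public static final class Resolve extends Event { }

    private SafeMappers() { }

    // Default posture: default typing stays off, so a "@class" hint in untrusted
    // JSON is ignored rather than used to choose a class to instantiate.
    public static ObjectMapper plain() {
        return new ObjectMapper();
    }

    // Only when polymorphic deserialization is actually required: allow the concrete
    // subtypes you expect, instead of denying known gadget classes (the approach
    // that the advisories above were repeatedly able to bypass).
    public static ObjectMapper allowlisted() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Trigger.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = allowlisted();

        // Round trip of an allowlisted subtype: the writer emits "@class" and the
        // reader accepts it because Trigger is on the allowlist.
        Trigger t = new Trigger();
        t.summary = "disk usage above threshold";
        String json = mapper.writerFor(Event.class).writeValueAsString(t);
        Event back = mapper.readValue(json, Event.class);
        System.out.println(json + " -> " + back.getClass().getSimpleName());

        // A type hint naming a subtype that is not on the allowlist is rejected
        // before any instance of it is created.
        String untrusted = "{\"@class\":\"" + Resolve.class.getName() + "\"}";
        try {
            mapper.readValue(untrusted, Event.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The version bump in this issue closes the specific bypasses listed; the allowlist is what stops the next one, because a class that is not named is refused regardless of what else is on the classpath.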
FYI -
[error] While parsing annotations in /com/github/dikhan/pagerduty-client/3.0.2/pagerduty-client-3.0.2.jar(com/github/dikhan/pagerduty/client/events/domain/Incident.class), could not find NON_NULL in enum object Include.
[error] This is likely due to an implementation restriction: an annotation argument cannot refer to a member of the annotated class (SI-7014).
SI-7014 is - https://issues.scala-lang.org/browse/SI-7014
Possible this is caused by various collisions of class versions and needing to shade one or the other. But, this is the default behavior I am getting without doing finicky configurations.
Talked to PagerDuty support earlier today and got the following response:
The reason you will sometimes get something other than a 200 response code is because the Events API is asynchronous. It sends back a response immediately, so if it is still processing or it hasn’t been completed yet, it may send back a 201 or a 202 response.
Currently HttpApiServiceImpl only looks for 200, so it needs some minor changes.
From what I can tell PagerDuty Events API V2 will always return success if everything was ok.
When using FakePagerDutyEventsClient in a test I instead received success-trigger.
Can this be changed to match PagerDuty API?
Regards,
Andreas
Hello,
I'm not sure if it's the right place where to file the issue, but let's go..
I set up the Jenkins PagerDuty plugin where Jenkins is running behind a proxy.
Jenkins is started with the following JVM args:
java -Dhttp.proxyHost=xxx -Dhttp.proxyPort=8080 -Dhttps.proxyHost=xxxx -Dhttps.proxyPort=xxx
But when the job triggers the PagerDuty plugin, which uses the current library, I have the following exception:
events.pagerduty.com/54.245.165.68] failed: Connection refused (Connection refused)
at com.github.dikhan.HttpApiServiceImpl.notifyEvent(HttpApiServiceImpl.java:52)
at com.github.dikhan.PagerDutyEventsClient.trigger(PagerDutyEventsClient.java:78)
at org.jenkinsci.plugins.pagerduty.util.PagerDutyUtils.triggerPagerDuty(PagerDutyUtils.java:106)
at org.jenkinsci.plugins.pagerduty.PagerDutyTrigger.perform(PagerDutyTrigger.java:217)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690)
at hudson.model.Build$BuildExecution.post2(Build.java:186)
at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635)
at hudson.model.Run.execute(Run.java:1752)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:429)
So I'm wondering if it's the expected behavior, and if there is a way to set up a proxy on this lib.
Cheers
Hi,
There's a thread leak coming with the usage of unirest in pagerduty-client.
We are using pagerduty-client through pagerduty-plugin in Jenkins.
Issue was logged here, but under pagerduty-plugin: https://issues.jenkins.io/browse/JENKINS-53214
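The proxy report and the thread-leak report above both come down to the static Unirest 1.x client that the stack traces name (`com.mashape.unirest`): it runs its own Apache HttpClient, whose proxy is set through `Unirest.setProxy` rather than picked up from the JVM's `http(s).proxyHost` properties, and it starts an idle-connection monitor thread that lives until `Unirest.shutdown()` is called. The following added example, which is not code from pagerduty-client or the Jenkins plugin, copies the JVM proxy properties into Unirest's global configuration before the client is used and shuts Unirest down afterwards. It assumes that pagerduty-client sends its requests through that static `Unirest` class, so that the global settings apply; the default ports are the ones the JDK documents for `http.proxyPort` and `https.proxyPort`.

```java
import java.io.IOException;

import com.mashape.unirest.http.Unirest;
import org.apache.http.HttpHost;

// Added example, not code from pagerduty-client or the Jenkins plugin. Assumes the
// client sends through the static com.mashape.unirest.http.Unirest (1.x) class.
public final class UnirestProxySetup {

    private UnirestProxySetup() { }

    // Copy the JVM -D<scheme>.proxyHost / -D<scheme>.proxyPort settings into Unirest's
    // global configuration. https is tried first because the Events API endpoint is HTTPS.
    // Returns the proxy applied, or null when no proxy host is configured.
    public static HttpHost applyJvmProxySettings() {
        HttpHost proxy = proxyFromSystemProperties("https", 443);
        if (proxy == null) {
            proxy = proxyFromSystemProperties("http", 80);
        }
        if (proxy != null) {
            Unirest.setProxy(proxy);
        }
        return proxy;
    }

    // An absent or blank host means "no proxy". A non-numeric port is a configuration
    // error and is reported instead of being silently ignored, which would otherwise
    // produce the same "Connection refused" seen in the trace above.
    static HttpHost proxyFromSystemProperties(String scheme, int defaultPort) {
        String host = System.getProperty(scheme + ".proxyHost");
        if (host == null || host.trim().isEmpty()) {
            return null;
        }
        String portText = System.getProperty(scheme + ".proxyPort");
        int port = defaultPort;
        if (portText != null && !portText.trim().isEmpty()) {
            try {
                port = Integer.parseInt(portText.trim());
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException(
                        "Invalid " + scheme + ".proxyPort value: " + portText, e);
            }
        }
        return new HttpHost(host.trim(), port);
    }

    public static void main(String[] args) throws IOException {
        HttpHost proxy = applyJvmProxySettings();
        System.out.println(proxy == null
                ? "no JVM proxy settings found"
                : "Unirest will route via " + proxy.toHostString());
        try {
            // Build and use PagerDutyEventsClient here; its requests now go through the proxy.
        } finally {
            // Stops the idle-connection monitor thread that Unirest 1.x starts on first use.
            // Without this call the thread outlives the client, which is the leak
            // reported against the Jenkins plugin.
            Unirest.shutdown();
        }
    }
}
```

Both `Unirest.setProxy` and `Unirest.shutdown()` act on the JVM-wide static client, so inside a host such as Jenkins they affect every plugin that shares that Unirest instance; `http.nonProxyHosts` is also not consulted by this snippet, so hosts that should bypass the proxy need separate handling.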
It would be good to update the jackson version so this fix can be included in there:
FasterXML/jackson-databind#2704
We are using the client to submit a trigger using the following code:
Payload payload = Payload.Builder.newBuilder()
        .setSummary(createSummary(operation))
        .setSource(operation.getAttribute().getId())
        .setComponent(IdManager.getAncestorId(IdManager.Service.NODE_NODE, operation.getAttribute().getId()))
        .setGroup(IdManager.getAncestorId(IdManager.Service.NODE_ECU, operation.getAttribute().getId()))
        .setSeverity(convertHealthToSeverity(operation.getAttribute().getHealth()))
        .setTimestamp(OffsetDateTime.ofInstant(Instant.ofEpochSecond(operation.getTimestamp()), ZoneOffset.UTC))
        .setCustomDetails(Json.writeValueToString(operation.getAttribute()))
        .build();
TriggerIncident incident = TriggerIncident.TriggerIncidentBuilder
        .newBuilder(routingKey, payload)
        .setDedupKey(operation.getAttribute().getId())
        .setClient(client)
        .build();
this.client.trigger(incident);
The serialized incident as a json looks like this:
{
  "client":"--removed_for_security--",
  "dedup_key":"cu3fbbe4-ne30773e-nnd17182-na11f804",
  "event_action":"trigger",
  "payload":{
    "component":"cu3fbbe4-ne30773e-nnd17182",
    "custom_details":"{\"ecuId\":\"cu3fbbe4-ne30773e\",\"health\":500,\"id\":\"cu3fbbe4-ne30773e-nnd17182-na11f804\",\"nodeId\":\"cu3fbbe4-ne30773e-nnd17182\",\"projectId\":\"cu3fbbe4-np932c1d\",\"read\":{\"type\":\"STRING\"},\"reference\":\"s1_server_disconnected_on_system_initialisation_alarm!\",\"value\":\"Critical\"}",
    "group":"cu3fbbe4-ne30773e",
    "severity":"critical",
    "source":"cu3fbbe4-ne30773e-nnd17182-na11f804",
    "summary":"The value of 's1_server_disconnected_on_system_initialisation_alarm' changed to Critical",
    "timestamp":"2022-07-29T13:45:32Z"
  },
  "routing_key":"--removed_for_security--"
}
However, we are unexpectedly getting the following error:
com.github.dikhan.pagerduty.client.events.exceptions.NotifyEventException: com.mashape.unirest.http.exceptions.UnirestException: java.lang.RuntimeException: java.lang.RuntimeException: org.json.JSONException: A JSONArray text must start with '[' at 1 [character 2 line 1]
Any ideas?
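Three of the reports on this page turn on how the client interprets the Events API response: the asynchronous API may answer 201 or 202 rather than 200, the real API's body reports `success` where the fake client reported `success-trigger`, and a body that is not JSON makes Unirest's `asJson()` fail inside org.json with exactly the `A JSONArray text must start with '['` message quoted above (Unirest first tries to read the body as a JSON object, then as a JSON array, and surfaces the second failure). The following is an added example, not code from pagerduty-client, of a response interpreter that treats any 2xx as accepted, parses the body as JSON only when it is one, and otherwise fails with the HTTP status plus a bounded excerpt of the raw body, so that the real cause (an HTML error page from a proxy or gateway, for instance) is visible in the exception instead of a parser message. The field names `status`, `message` and `dedup_key` follow the Events API v2 response shape as assumed here, and the sample responses in `main` are constructed.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Optional;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example, not pagerduty-client code. Response field names are assumed; samples are constructed.
public final class EventsApiResponse {

    private static final ObjectMapper MAPPER = new ObjectMapper();
    private static final int EXCERPT_CHARS = 120;

    // Outcome of a 2xx response; dedupKey is null when the body carried none.
    public static final class Accepted {
        public final int status;
        public final String dedupKey;
        public final String message;

        Accepted(int status, String dedupKey, String message) {
            this.status = status;
            this.dedupKey = dedupKey;
            this.message = message;
        }
    }

    // Failure carrying the HTTP status, whether a retry is reasonable, and a bounded detail.
    public static final class EventsApiException extends IOException {
        public final int status;
        public final boolean retryable;

        EventsApiException(int status, boolean retryable, String detail) {
            super("PagerDuty Events API returned HTTP " + status + ": " + detail);
            this.status = status;
            this.retryable = retryable;
        }
    }

    private EventsApiResponse() { }

    // Any 2xx means the event was accepted; the asynchronous v2 endpoint normally answers
    // 202, so testing for exactly 200 (the bug reported above) rejects good responses.
    public static boolean isAccepted(int status) {
        return status >= 200 && status < 300;
    }

    // Rate limiting and server-side errors are worth a retry with backoff; other 4xx are not.
    public static boolean isRetryable(int status) {
        return status == 429 || (status >= 500 && status < 600);
    }

    public static Accepted interpret(int status, String contentType, String body) throws EventsApiException {
        Optional<JsonNode> json = parseIfJson(contentType, body);
        if (!isAccepted(status)) {
            // Prefer the API's own message when the body is JSON; otherwise show the raw body.
            String detail = json.map(n -> n.path("message").asText(""))
                    .filter(s -> !s.isEmpty())
                    .orElse(excerpt(body));
            throw new EventsApiException(status, isRetryable(status), detail);
        }
        if (!json.isPresent()) {
            // Accepted at the HTTP level but the body is not JSON: report it, do not crash in a parser.
            return new Accepted(status, null, "non-JSON body: " + excerpt(body));
        }
        JsonNode node = json.get();
        String apiStatus = node.path("status").asText("");
        if (!apiStatus.isEmpty() && !"success".equals(apiStatus)) {
            throw new EventsApiException(status, false, "unexpected status field '" + apiStatus + "'");
        }
        return new Accepted(status,
                node.hasNonNull("dedup_key") ? node.get("dedup_key").asText() : null,
                node.path("message").asText(""));
    }

    // Parse only when the response claims to be JSON or at least looks like it; never throw here.
    static Optional<JsonNode> parseIfJson(String contentType, String body) {
        if (body == null || body.trim().isEmpty()) {
            return Optional.empty();
        }
        String trimmed = body.trim();
        boolean claimsJson = contentType != null && contentType.toLowerCase(Locale.ROOT).contains("json");
        boolean looksJson = trimmed.startsWith("{") || trimmed.startsWith("[");
        if (!claimsJson && !looksJson) {
            return Optional.empty();
        }
        try {
            return Optional.of(MAPPER.readTree(trimmed));
        } catch (IOException e) {
            return Optional.empty();
        }
    }

    // Bounded, single-line excerpt of the raw body for error messages.
    static String excerpt(String body) {
        if (body == null || body.isEmpty()) {
            return "<empty body>";
        }
        String oneLine = body.replaceAll("\\s+", " ").trim();
        return oneLine.length() <= EXCERPT_CHARS ? oneLine : oneLine.substring(0, EXCERPT_CHARS) + "...";
    }

    public static void main(String[] args) {
        // Constructed sample responses: accepted, wrong status field, caller error, gateway HTML.
        String[][] samples = {
            {"202", "application/json", "{\"status\":\"success\",\"message\":\"Event processed\",\"dedup_key\":\"example-key\"}"},
            {"200", "application/json", "{\"status\":\"success-trigger\"}"},
            {"400", "application/json", "{\"status\":\"invalid event\",\"message\":\"Event object is invalid\"}"},
            {"502", "text/html", "<html><body><h1>502 Bad Gateway</h1></body></html>"},
        };
        for (String[] s : samples) {
            try {
                Accepted ok = interpret(Integer.parseInt(s[0]), s[1], s[2]);
                System.out.println(s[0] + " -> accepted, dedup_key=" + ok.dedupKey + ", message=" + ok.message);
            } catch (EventsApiException e) {
                System.out.println(s[0] + " -> " + e.getMessage() + " (retryable=" + e.retryable + ")");
            }
        }
    }
}
```

Feeding `interpret` the status, `Content-Type` header and `asString()` body of the Unirest response, rather than calling `asJson()`, is what keeps a non-JSON body from surfacing as an org.json parse error; the `retryable` flag is what a caller's backoff logic should key on, since a 400 for an invalid payload will not improve on retry.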
The version used in this client has a security vulnerability:
https://snyk.io/vuln/SNYK-JAVA-COMMONSIO-1277109