opensearch-project / spring-data-opensearch Goto Github PK
View Code? Open in Web Editor NEWLicense: Apache License 2.0
License: Apache License 2.0
The org.springframework.data.elasticsearch.annotations.Field has only dense_vector but not knn_vector. It looks we cannot annotate a field as knn_vector on the model through spring-data-opensearch libs.
Please approve or deny the release of spring-data-opensearch TAG: 1.0.1 COMMIT: ec8e589 VERSION : version=1.0.1
Workflow is pending manual review.
URL: https://github.com/opensearch-project/spring-data-opensearch/actions/runs/4448786843
Required approvers: [dblock dlvenable]
Respond "approved", "approve", "lgtm", "yes" to continue workflow or "denied", "deny", "no" to cancel.
I was trying to turn off the sniffer functionality but found it impossible.
I was trying to extend the configuration or import only those I wanted but for some reason OpenSearchRestClientConfigurations is not public which make it difficult/impossible to extend or even import if you want to use only some of the configurations.
please make this classes public so that it would be easy to extend.
Maybe make the auto configuration more configurable but even then I'd think that this class should be public.
I would like to use the org.springframework.data.elasticsearch.core.query.SearchTemplateQuery
but I get this error when I try to use it:
java.lang.IllegalArgumentException: unhandled Query implementation org.springframework.data.elasticsearch.core.query.SearchTemplateQuery
at org.opensearch.data.client.orhlc.RequestFactory.getQuery(RequestFactory.java:1174) ~[spring-data-opensearch-1.2.0.jar:na]
at org.opensearch.data.client.orhlc.RequestFactory.searchRequest(RequestFactory.java:752) ~[spring-data-opensearch-1.2.0.jar:na]
at org.opensearch.data.client.orhlc.OpenSearchRestTemplate.search(OpenSearchRestTemplate.java:375) ~[spring-data-opensearch-1.2.0.jar:na]
at org.springframework.data.elasticsearch.core.AbstractElasticsearchTemplate.search(AbstractElasticsearchTemplate.java:492) ~[spring-data-elasticsearch-5.1.2.jar:5.1.2]
Support org.springframework.data.elasticsearch.core.query.SearchTemplateQuery
in
Search Templates are way to move the query logic to OpenSearch and make the code cleaner in the microservice side. Moreover this queries are more efficient since they are precompiled.
Example of use of query templates can be seen here: https://github.com/spring-projects/spring-data-elasticsearch/blob/main/src/main/antora/modules/ROOT/pages/elasticsearch/misc.adoc
public class PersonCustomRepositoryImpl implements PersonCustomRepository {
private final ElasticsearchOperations operations;
public PersonCustomRepositoryImpl(ElasticsearchOperations operations) {
this.operations = operations;
}
@Override
public SearchPage<Person> findByFirstNameWithSearchTemplate(String firstName, Pageable pageable) {
var query = SearchTemplateQuery.builder() (1)
.withId("person-firstname") (2)
.withParams(
Map.of( (3)
"firstName", firstName,
"from", pageable.getOffset(),
"size", pageable.getPageSize()
)
)
.build();
SearchHits<Person> searchHits = operations.search(query, Person.class); (4)
return SearchHitSupport.searchPageFor(searchHits, pageable);
}
}
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.8.0/49b64e09d81c0cc84b267edd0c2fd7df5a64c78c/okio-jvm-2.8.0.jar
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
CVE | Severity | CVSS | Dependency | Type | Fixed in (hoverfly-java-junit5 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-3635 | High | 7.5 | okio-2.8.0.jar | Transitive | N/A* | ❌ |
CVE-2022-24329 | Medium | 5.3 | kotlin-stdlib-1.4.10.jar | Transitive | N/A* | ❌ |
CVE-2020-29582 | Medium | 5.3 | kotlin-stdlib-1.4.10.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A modern I/O API for Java
Library home page: https://github.com/square/okio/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.8.0/49b64e09d81c0cc84b267edd0c2fd7df5a64c78c/okio-jvm-2.8.0.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Publish Date: 2023-07-12
URL: CVE-2023-3635
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635
Release Date: 2023-07-12
Fix Resolution: com.squareup.okio:okio-jvm:3.4.0
Kotlin Standard Library for JVM
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.10/ea29e063d2bbe695be13e9d044dcfb0c7add398e/kotlin-stdlib-1.4.10.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0
Kotlin Standard Library for JVM
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.10/ea29e063d2bbe695be13e9d044dcfb0c7add398e/kotlin-stdlib-1.4.10.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Publish Date: 2021-02-03
URL: CVE-2020-29582
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cqj8-47ch-rvvq
Release Date: 2021-02-03
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.4.21
It would be great to have quick starter examples for showcasing usage spring-data-opensearch
w/o Spring Boot.
The reasoning behind it to help people get started as quickly as possible.
The examples should serve as sufficient starting point to integrate spring-data-opensearch
into application and service w/o Spring Boot.
N/A
N/A
N/A
N/A
Please approve or deny the release of spring-data-opensearch TAG: 1.1.0 COMMIT: 56c4803 VERSION : version=1.1.0
Workflow is pending manual review.
URL: https://github.com/opensearch-project/spring-data-opensearch/actions/runs/4938915225
Required approvers: [dblock dlvenable]
Respond "approved", "approve", "lgtm", "yes" to continue workflow or "denied", "deny", "no" to cancel.
spring-data-opensearch
should also add support for spring-boot 2.7. As per the README now spring-boot is compatible only with 3.0 and above.
Upgrading to spring-boot 3.0 has to go through 2.7 as mentioned here. So adding support for spring-boot 2.7 also in spring-data-opensearch
will cause earlier adoption.
CodeQL failed in https://github.com/opensearch-project/spring-data-opensearch/actions/runs/3220279221/jobs/5266779787
Provide an AutoConfiguration for spring opensearch library like it is done for elastisearch
Currently the RestClient has to be build from every user and every user has to define its own properties.
This can unified and simplified with this configuration.
This should ease the start of other spring developers with this library.
No, even if done correctly some basic security configurations can be made here.
Came out of #64, we could not make @DataElasticsearchTest to work seamlessly with OpenSearch (the changes have to be done in Spring Boot and had been rejected previously).
Introduce @DataOpenSearchTest
annotation to simplify wiring up wiring up OpenSearch configurations in tests
Keep adding annotations manually
See please #64
The Sniffer
seems to use a different client than the one that I defined in my bean.
The Sniffer
now fails with the error because it doesn't use the HttpRequestInterceptor
I defined (see code below)
2023-02-13T16:04:57.755+01:00 ERROR 47226 --- [nt_sniffer[T#1]] org.opensearch.client.sniff.Sniffer : error while sniffing nodes
org.opensearch.client.ResponseException: method [GET], host [https://xxx.amazonaws.com], URI [/_nodes/http?timeout=1000ms], status line [HTTP/1.1 403 Forbidden]
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet because no resource-based policy allows the es:ESHttpGet action"}
But queries with the OpenSearchRestTemplate
are working
RestHighLevelClient
Bean with an Aws4Signer
and an HttpRequestInteceptor
My configuraiton:
@Configuration
@RequiredArgsConstructor
public class OpenSearchConfig extends AbstractOpenSearchConfiguration {
private static final String SERVICE_NAME = "es";
@Value("${opensearch.uris}")
private String endpoint;
@Value("${aws.region}")
private String region;
private final AwsCredentialsProvider credentialsProvider;
@Override
@Bean
public RestHighLevelClient opensearchClient() {
Aws4Signer signer = Aws4Signer.create();
HttpRequestInterceptor interceptor = new AwsRequestSigningApacheInterceptor(SERVICE_NAME, signer,
credentialsProvider, region);
RestClientBuilder restClientBuilder = RestClient.builder(HttpHost.create(endpoint))
.setHttpClientConfigCallback(hacb -> hacb.addInterceptorLast(interceptor));
return new RestHighLevelClient(restClientBuilder);
}
@Bean
public OpenSearchRestTemplate openSearchRestTemplate(RestHighLevelClient client) {
return new OpenSearchRestTemplate(client);
}
}
Maven dependency:
<dependency>
<groupId>org.opensearch.client</groupId>
<artifactId>spring-data-opensearch-starter</artifactId>
<version>1.0.0</version>
</dependency>
A web service test double for all occasions
Library home page: http://wiremock.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8/2.35.1/d113bd22219a3c8670d7d190dd7d454a8ec603b0/wiremock-jre8-2.35.1.jar
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
CVE | Severity | CVSS | Dependency | Type | Fixed in (wiremock-jre8 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-39967 | Critical | 10.0 | wiremock-jre8-2.35.1.jar | Direct | N/A | ❌ |
CVE-2023-1370 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2023-24998 | High | 7.5 | commons-fileupload-1.4.jar | Transitive | N/A* | ❌ |
CVE-2023-2976 | High | 7.1 | guava-31.1-jre.jar | Transitive | N/A* | ❌ |
CVE-2023-26049 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2023-26048 | Medium | 5.3 | jetty-server-9.4.49.v20220914.jar | Transitive | N/A* | ❌ |
WS-2023-0236 | Low | 3.9 | jetty-xml-9.4.49.v20220914.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A web service test double for all occasions
Library home page: http://wiremock.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8/2.35.1/d113bd22219a3c8670d7d190dd7d454a8ec603b0/wiremock-jre8-2.35.1.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
WireMock is a tool for mocking HTTP services. When certain request URLs like “@127.0.0.1:1234" are used in WireMock Studio configuration fields, the request might be forwarded to an arbitrary service reachable from WireMock’s instance. There are 3 identified potential attack vectors: via “TestRequester” functionality, webhooks and the proxy mode. As we can control HTTP Method, HTTP Headers, HTTP Data, it allows sending requests with the default level of credentials for the WireMock instance. The vendor has discontinued the affected Wiremock studio product and there will be no fix. Users are advised to find alternatives.
Publish Date: 2023-09-06
URL: CVE-2023-39967
Base Score Metrics:
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: https://urielch.github.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.8/7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f/json-smart-2.4.8.jar
Dependency Hierarchy:
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: https://urielch.github.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.7/8d7f4c1530c07c54930935f3da85f48b83b3c109/json-smart-2.4.7.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Json-smart is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Publish Date: 2023-03-22
URL: CVE-2023-1370
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-03-22
Fix Resolution: net.minidev:json-smart:2.4.9
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.4/f95188e3d372e20e7328706c37ef366e5d7859b0/commons-fileupload-1.4.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
Base Score Metrics:
Type: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2023-02-20
Fix Resolution: commons-fileupload:commons-fileupload:1.5;org.apache.tomcat:tomcat-coyote:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat.embed:tomcat-embed-core:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-util:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-catalina:8.5.85,9.0.71,10.1.5,11.0.0-M3
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-jre/60458f877d055d0c9114d9e1a2efb737b4bc282c/guava-31.1-jre.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Use of Java's default temporary directory for file creation in FileBackedOutputStream
in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.49.v20220914/ef1e3bde212115eb4bb0740aaf79029b624d4e30/jetty-http-9.4.49.v20220914.jar
Dependency Hierarchy:
The core jetty server artifact.
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.49.v20220914/502f99eed028139e71a4afebefa291ace12b9c1c/jetty-server-9.4.49.v20220914.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with "
(double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"
will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2023-04-18
URL: CVE-2023-26049
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p26g-97m4-6q7c
Release Date: 2023-04-18
Fix Resolution: org.eclipse.jetty:jetty-http:9.4.51.v20230217,10.0.14,11.0.14, org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14, org.eclipse.jetty:jetty-server:9.4.51.v20230217,10.0.14,11.0.14
The core jetty server artifact.
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.49.v20220914/502f99eed028139e71a4afebefa291ace12b9c1c/jetty-server-9.4.49.v20220914.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig
) that call HttpServletRequest.getParameter()
or HttpServletRequest.getParts()
may cause OutOfMemoryError
when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0
which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError
. However, the server may be able to recover after the OutOfMemoryError
and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize
which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
Publish Date: 2023-04-18
URL: CVE-2023-26048
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qw69-rqj8-6qw8
Release Date: 2023-04-18
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.51.v20230217,10.0.14,11.0.14;org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14
The jetty xml utilities.
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-xml/9.4.49.v20220914/34e602eae6dd2fe54a00ec77fc98c5e77737906b/jetty-xml-9.4.49.v20220914.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
XmlParser is vulnerable to XML external entity (XXE) vulnerability.
XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit this vulnerability in order to achieve SSRF or cause a denial of service. One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the WAR includes a malicious web.xml. The vulnerability is patched in versions 10.0.16, 11.0.16, and 12.0.0.
Publish Date: 2023-07-10
URL: WS-2023-0236
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-58qw-p7qm-5rvh
Release Date: 2023-07-10
Fix Resolution: org.eclipse.jetty:jetty-xml:10.0.16,11.0.16,12.0.0
The project currently is using Apache Maven as a build tool (due to the fact that the original project https://github.com/spring-projects/spring-data-elasticsearch is also based on Apache Maven), but the OpenSearch project porfolio is using Gradle.
Migrate from Apache Maven to Gradle as a build tool
Keep Apache Maven
N/A
all users were so far stuck on spring-data-elasticsearch (incompatible with OpenSearch 2.x) and will now want to switch to spring-data-opensearch (once available).
please provide a clear step-by-step migration guide on how to migrate an existing project from spring-data-elasticsearch to spring-data-opensearch.
if it is supported (cf. also #12) also mention how a project can support both Elasticsearch and OpenSearch in parallel (only ES 7.10.2 & older; maybe even all 7.x and maybe there's even a way for a project to support OpenSearch & ES 8.x in parallel, e.g. by picking the library at runtime?)
everyone can figure it out on their own, leading to greater variation in how it's implemented and lots of questions around it.
n/a
The latest release branch of Opensearch (2.4.x) introduced support for point-in-time search.
Implement the point in time API to be in line with the latest features provided by Opensearch
Only support the Scroll API
None
Path to dependency file: /spring-data-opensearch-examples/spring-boot-gradle/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.10/7423236b34aa78d6f36592b2aa294d7c8469f219/tomcat-embed-core-10.1.10.jar
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-41080 | Medium | 6.1 | tomcat-embed-core-10.1.10.jar | Transitive | 3.1.4 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /spring-data-opensearch-examples/spring-boot-gradle/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.10/7423236b34aa78d6f36592b2aa294d7c8469f219/tomcat-embed-core-10.1.10.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.
The vulnerability is limited to the ROOT (default) web application.
Publish Date: 2023-08-25
URL: CVE-2023-41080
Base Score Metrics:
Type: Upgrade version
Origin: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f
Release Date: 2023-08-25
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.13
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.4
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Coming from #1 (comment), restart version from 0.1.0.
In #1 we started version at 5.x to continue the spring-data-elasticsearch release train. I'd prefer it if we started with semver with possibly 0.1.0 until we get a stable 1.0. This is because upstream dependencies are different (Elasticsearch vs. OpenSearch) and we will need to be potentially breaking backwards compatibility separately, thus will want to major version increment independently from spring-data-elasticsearch.
Independent semver for spring-data-opensearch.
Please approve or deny the release of spring-data-opensearch TAG: 1.1.0 COMMIT: 56c4803 VERSION : version=1.1.0
Workflow is pending manual review.
URL: https://github.com/opensearch-project/spring-data-opensearch/actions/runs/4929560104
Required approvers: [dblock dlvenable]
Respond "approved", "approve", "lgtm", "yes" to continue workflow or "denied", "deny", "no" to cancel.
Hi OpenSearch Team,
I see that Reactive classes from Spring Data Elasticsearch are missing, like DefaultReactiveElasticsearchClient:
https://github.com/spring-projects/spring-data-elasticsearch/tree/main/src/main/java/org/springframework/data/elasticsearch/client/erhlc
How can I use Spring WebFlux with OpenSearch?
Thanks.
The README.md does not explain whether it is possible or how to connect with Amazon Managed Service or Serverless. This may not work today.
Modify the README to clarify whether the client can connect to Amazon Managed Service or Serverless. If it is not possible, open another issue to track that work.
Connection to those services works in the opensearch-java client. This issue proposes swapping out the high-level rest client for the opensearch-java client: #19
Please approve or deny the release of spring-data-opensearch TAG: v1.2.0 COMMIT: 425d179 VERSION : version=1.2.0
Workflow is pending manual review.
URL: https://github.com/opensearch-project/spring-data-opensearch/actions/runs/5381789898
Required approvers: [dblock dlvenable]
Respond "approved", "approve", "lgtm", "yes" to continue workflow or "denied", "deny", "no" to cancel.
I need to add a filter to my settings with a long list of synonyms. Ideally, I would like to store this in a separate synonyms.txt file, and reference it like this:
"synonym_filter": { "type": "synonym", "synonyms_path": "synonyms.txt" }
But then I get this error:
{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"IOException while reading synonyms_path_path: /usr/share/opensearch/config/synonyms.txt"}],"type":"illegal_argument_exception","reason":"IOException while reading synonyms_path_path: /usr/share/opensearch/config/synonyms.txt","caused_by":{"type":"no_such_file_exception","reason":"/usr/share/opensearch/config/synonyms.txt"}},"status":400}
Look for the referenced synonyms.txt file in my resources folder, and not in /usr/share/opensearch/config.
The alternative is to have the list of synonyms directly in the filter definition, but this will bloat my settings.json substantially.
We document the following compatibility matrix, https://github.com/opensearch-project/spring-data-opensearch#compatibility-matrix. But does it really work?
Add integration tests that boot OpenSearch containers and test this project against it.
Use a Gradle build for this project.
As a developer in the OpenSearch project, I'm familiar with Gradle builds.
Make it easier for developers from OpenSearch to start contributing.
I wonder if is there any release / snapshot that can be testes?
I checked here but did not find anything https://aws.oss.sonatype.org/content/repositories/snapshots/org/opensearch/client/
Import fails:
implementation("org.opensearch:spring-data-opensearch-starter")
create kotlin-gradle project and add:
implementation("org.opensearch:spring-data-opensearch-starter")
But i get same issue with pom
A clear and concise description of what you expected to happen.
Operating system, version.
If applicable, add screenshots to help explain your problem.
Add any other context about the problem.
Publish -SNAPSHOTs to maven.
Everyone who wants to test drive daily builds.
Please approve or deny the release of spring-data-opensearch TAG: 1.1.0 COMMIT: 56c4803 VERSION : version=1.1.0
Workflow is pending manual review.
URL: https://github.com/opensearch-project/spring-data-opensearch/actions/runs/4938915225
Required approvers: [dblock dlvenable]
Respond "approved", "approve", "lgtm", "yes" to continue workflow or "denied", "deny", "no" to cancel.
Got the following errors in SpringBoot startup when using it with SpringBoot 2.7.X
2023-01-30 10:28:10.782 INFO 30405 --- [ main] c.e.o.OpenSearchClientPocApplication : No active profile set, falling back to 1 default profile: "default"
2023-01-30 10:28:11.240 INFO 30405 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data Elasticsearch repositories in DEFAULT mode.
2023-01-30 10:28:11.329 ERROR 30405 --- [ main] o.s.b.d.LoggingFailureAnalysisReporter :
APPLICATION FAILED TO START
Description:
An attempt was made to call a method that does not exist. The attempt was made from the following location:
org.springframework.data.elasticsearch.repository.config.ElasticsearchRepositoryConfigExtension.getModulePrefix(ElasticsearchRepositoryConfigExtension.java:64)
The following method did not exist:
'java.lang.String org.springframework.data.elasticsearch.repository.config.ElasticsearchRepositoryConfigExtension.getModuleIdentifier()'
The calling method's class, org.springframework.data.elasticsearch.repository.config.ElasticsearchRepositoryConfigExtension, was loaded from the following location:
jar:file:/Users/kewei/.gradle/caches/modules-2/files-2.1/org.springframework.data/spring-data-elasticsearch/5.0.0/86f7d0d3ac9be7d3dfef1b37a0850852c8c1d9e8/spring-data-elasticsearch-5.0.0.jar!/org/springframework/data/elasticsearch/repository/config/ElasticsearchRepositoryConfigExtension.class
The called method's class, org.springframework.data.elasticsearch.repository.config.ElasticsearchRepositoryConfigExtension, is available from the following locations:
jar:file:/Users/kewei/.gradle/caches/modules-2/files-2.1/org.springframework.data/spring-data-elasticsearch/5.0.0/86f7d0d3ac9be7d3dfef1b37a0850852c8c1d9e8/spring-data-elasticsearch-5.0.0.jar!/org/springframework/data/elasticsearch/repository/config/ElasticsearchRepositoryConfigExtension.class
The called method's class hierarchy was loaded from the following locations:
org.springframework.data.elasticsearch.repository.config.ElasticsearchRepositoryConfigExtension: file:/Users/kewei/.gradle/caches/modules-2/files-2.1/org.springframework.data/spring-data-elasticsearch/5.0.0/86f7d0d3ac9be7d3dfef1b37a0850852c8c1d9e8/spring-data-elasticsearch-5.0.0.jar
org.springframework.data.repository.config.RepositoryConfigurationExtensionSupport: file:/Users/kewei/.gradle/caches/modules-2/files-2.1/org.springframework.data/spring-data-commons/2.7.2/9547d1234cb380234066aef60129bb2ddfdc6347/spring-data-commons-2.7.2.jar
Action:
Correct the classpath of your application so that it contains a single, compatible version of org.springframework.data.elasticsearch.repository.config.ElasticsearchRepositoryConfigExtension
Process finished with exit code 1
Steps to reproduce the behavior.
Use the following build.gradle
plugins {
id 'java'
id 'org.springframework.boot' version '2.7.2'
id 'io.spring.dependency-management' version '1.1.0'
}
group = 'com.example'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '17'
repositories {
mavenCentral()
}
dependencies {
implementation("org.springframework.boot:spring-boot-starter-jetty")
implementation("org.springframework.boot:spring-boot-starter-web")
implementation 'org.springframework.boot:spring-boot-starter'
implementation "org.opensearch.client:spring-data-opensearch:0.1.0"
implementation 'org.springframework.data:spring-data-elasticsearch:5.0.0'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
}
tasks.named('test') {
useJUnitPlatform()
}
A clear and concise description of what you expected to happen.
The SpringBoot app should start without any errors.
Operating system, version.
MacOs Monterey version 12.6
If applicable, add screenshots to help explain your problem.
No
Add any other context about the problem.
It works well with SpringBoot version 3.0.0
Release v1.
All users that want OpenSearch integration for spring-data.
Please add your +1 if you're interested in a release.
When upgrading our Spring Boot Projects to Spring Boot 3.1.0 there occurred an IllegalAccessException in
spring-data-opensearch/src/main/java/org/opensearch/data/client/orhlc/NativeSearchQueryBuilder.java
on field indicesOptions. This is because in spring-data-elasticsearch 5.1.0 this field became private in the base class BaseQueryBuilder.
spring-data-opensearch itself depends on spring-data-elasticsearch 5.0.5, where the problem does not occur yet. But when a Spring Boot app includes spring-data-opensearch as dependency, then Spring Boot's spring-boot-dependencies parent declares spring-data-elasticsearch 5.1.0 as managed dependency, overriding the dependency version:
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/3.1.0/spring-boot-dependencies-3.1.0.pom
The only valid workaround that works for us is explicitly declaring spring-data-elasticsearch 5.0.5 as dependency in every project (which is pretty cumbersome).
Here is an article about the general problem we have and several possible workarounds: https://spring.io/blog/2016/04/13/overriding-dependency-versions-with-spring-boot
The long term solution would probably be to change the Code of NativeSearchQueryBuilder to avoid the IllegalAccessException.
We have a ton of Elasticsearch references in code, https://github.com/opensearch-project/spring-data-opensearch/search?q=Elasticsearch. What's the plan to deprecate those in favor of OpenSearch?
All "elasticsearch" becomes "opensearch".
The only supported client at the moment is RHLC, we should also add opensearch-java support.
Support opensearch-java
Keep only RHLC
N/A
Path to dependency file: /spring-data-opensearch-examples/spring-boot-gradle/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
CVE | Severity | CVSS | Dependency | Type | Fixed in (testcontainers version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-42503 | Medium | 5.5 | commons-compress-1.22.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.
Users are recommended to upgrade to version 1.24.0, which fixes the issue.
A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.
In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 1). The format for the PAX extended headers carrying this data consists of two numbers separated by a period 2, indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.
Parsing of these numbers uses the BigDecimal 3 class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 4). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 5.
Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.
Publish Date: 2023-09-14
URL: CVE-2023-42503
Base Score Metrics:
Type: Upgrade version
Origin: https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c
Release Date: 2023-09-14
Fix Resolution: org.apache.commons:commons-compress:1.24.0
A web service test double for all occasions
Library home page: http://wiremock.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8/2.35.0/b48db2f8b752359ce6017a0251c49bcf378b7b62/wiremock-jre8-2.35.0.jar
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
CVE | Severity | CVSS | Dependency | Type | Fixed in (wiremock-jre8 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-39967 | Critical | 10.0 | wiremock-jre8-2.35.0.jar | Direct | N/A | ❌ |
CVE-2023-1370 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2023-24998 | High | 7.5 | commons-fileupload-1.4.jar | Transitive | N/A* | ❌ |
CVE-2023-2976 | High | 7.1 | guava-31.1-jre.jar | Transitive | N/A* | ❌ |
CVE-2023-41329 | Medium | 6.6 | wiremock-jre8-2.35.0.jar | Direct | 2.35.1 | ✅ |
CVE-2023-26049 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2023-26048 | Medium | 5.3 | jetty-server-9.4.49.v20220914.jar | Transitive | N/A* | ❌ |
WS-2023-0236 | Low | 3.9 | jetty-xml-9.4.49.v20220914.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A web service test double for all occasions
Library home page: http://wiremock.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8/2.35.0/b48db2f8b752359ce6017a0251c49bcf378b7b62/wiremock-jre8-2.35.0.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
WireMock is a tool for mocking HTTP services. When certain request URLs like “@127.0.0.1:1234" are used in WireMock Studio configuration fields, the request might be forwarded to an arbitrary service reachable from WireMock’s instance. There are 3 identified potential attack vectors: via “TestRequester” functionality, webhooks and the proxy mode. As we can control HTTP Method, HTTP Headers, HTTP Data, it allows sending requests with the default level of credentials for the WireMock instance. The vendor has discontinued the affected Wiremock studio product and there will be no fix. Users are advised to find alternatives.
Publish Date: 2023-09-06
URL: CVE-2023-39967
Base Score Metrics:
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: https://urielch.github.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.8/7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f/json-smart-2.4.8.jar
Dependency Hierarchy:
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: https://urielch.github.io/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.7/8d7f4c1530c07c54930935f3da85f48b83b3c109/json-smart-2.4.7.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Json-smart is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Publish Date: 2023-03-22
URL: CVE-2023-1370
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-03-22
Fix Resolution: net.minidev:json-smart:2.4.9
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.4/f95188e3d372e20e7328706c37ef366e5d7859b0/commons-fileupload-1.4.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
Base Score Metrics:
Type: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2023-02-20
Fix Resolution: commons-fileupload:commons-fileupload:1.5;org.apache.tomcat:tomcat-coyote:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat.embed:tomcat-embed-core:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-util:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-catalina:8.5.85,9.0.71,10.1.5,11.0.0-M3
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-jre/60458f877d055d0c9114d9e1a2efb737b4bc282c/guava-31.1-jre.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Use of Java's default temporary directory for file creation in FileBackedOutputStream
in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
A web service test double for all occasions
Library home page: http://wiremock.org
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8/2.35.0/b48db2f8b752359ce6017a0251c49bcf378b7b62/wiremock-jre8-2.35.0.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
WireMock is a tool for mocking HTTP services. The proxy mode of WireMock, can be protected by the network restrictions configuration, as documented in Preventing proxying to and recording from specific target addresses. These restrictions can be configured using the domain names, and in such a case the configuration is vulnerable to the DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request that might go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the python version of wiremock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or to configure WireMock to use IP addresses instead of the domain names.
Publish Date: 2023-09-06
URL: CVE-2023-41329
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-pmxq-pj47-j8j4
Release Date: 2023-09-06
Fix Resolution: 2.35.1
⛑️ Automatic Remediation will be attempted for this issue.
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.49.v20220914/ef1e3bde212115eb4bb0740aaf79029b624d4e30/jetty-http-9.4.49.v20220914.jar
Dependency Hierarchy:
The core jetty server artifact.
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.49.v20220914/502f99eed028139e71a4afebefa291ace12b9c1c/jetty-server-9.4.49.v20220914.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with "
(double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"
will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2023-04-18
URL: CVE-2023-26049
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p26g-97m4-6q7c
Release Date: 2023-04-18
Fix Resolution: org.eclipse.jetty:jetty-http:9.4.51.v20230217,10.0.14,11.0.14, org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14, org.eclipse.jetty:jetty-server:9.4.51.v20230217,10.0.14,11.0.14
The core jetty server artifact.
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.49.v20220914/502f99eed028139e71a4afebefa291ace12b9c1c/jetty-server-9.4.49.v20220914.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig
) that call HttpServletRequest.getParameter()
or HttpServletRequest.getParts()
may cause OutOfMemoryError
when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0
which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError
. However, the server may be able to recover after the OutOfMemoryError
and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize
which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
Publish Date: 2023-04-18
URL: CVE-2023-26048
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qw69-rqj8-6qw8
Release Date: 2023-04-18
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.51.v20230217,10.0.14,11.0.14;org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14
The jetty xml utilities.
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-xml/9.4.49.v20220914/34e602eae6dd2fe54a00ec77fc98c5e77737906b/jetty-xml-9.4.49.v20220914.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
XmlParser is vulnerable to XML external entity (XXE) vulnerability.
XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit this vulnerability in order to achieve SSRF or cause a denial of service. One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the WAR includes a malicious web.xml. The vulnerability is patched in versions 10.0.16, 11.0.16, and 12.0.0.
Publish Date: 2023-07-10
URL: WS-2023-0236
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-58qw-p7qm-5rvh
Release Date: 2023-07-10
Fix Resolution: org.eclipse.jetty:jetty-xml:10.0.16,11.0.16,12.0.0
⛑️Automatic Remediation will be attempted for this issue.
I am trying to add dependency to my app and it doesnt work. Also i don;t see any versions released anywhere.
add implementation ("org.opensearch:spring-data-opensearch") to your gradle.build
ERROR: backend:test: Could not find org.opensearch:spring-data-opensearch:.
Required by:
project :
how can i use this library?
I upgraded to Springboot 3.1.0 from 3.0.5 with Opensearch client 1.0.1 and now it results in the following error:
java.lang.NoSuchMethodError: 'org.springframework.data.elasticsearch.core.IndexedObjectInformation org.springframework.data.elasticsearch.core.IndexedObjectInformation.of(java.lang.String, java.lang.Long, java.lang.Long, java.lang.Long)'
at org.opensearch.data.client.orhlc.OpenSearchRestTemplate.lambda$checkForBulkOperationFailure$12(OpenSearchRestTemplate.java:337)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:992)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
at org.opensearch.data.client.orhlc.OpenSearchRestTemplate.checkForBulkOperationFailure(OpenSearchRestTemplate.java:346)
at org.opensearch.data.client.orhlc.OpenSearchRestTemplate.doBulkOperation(OpenSearchRestTemplate.java:291)
at org.springframework.data.elasticsearch.core.AbstractElasticsearchTemplate.bulkOperation(AbstractElasticsearchTemplate.java:356)
at org.springframework.data.elasticsearch.core.AbstractElasticsearchTemplate.bulkIndex(AbstractElasticsearchTemplate.java:340)
at org.springframework.data.elasticsearch.core.DocumentOperations.bulkIndex(DocumentOperations.java:185)
at org.springframework.data.elasticsearch.core.AbstractElasticsearchTemplate.save(AbstractElasticsearchTemplate.java:237)
I am using spring-data-opensearch-starter:1.0.1
I use a ElasticsearchRepository and call saveAll
This is fine with Spring boot 3.0.5
Hi there, and apologies if it is too early/it's not on your roadmap/ has already been discussed elsewhere and I have missed it.
First of all thanks for all the hard work, I have been eagerly following your work on spring-data-opensearch and already started looking into how this library evolves. We are currently using an older version of Opensearch (1.2.4) alongside the spring-data-elasticsearch library. While playing around with the the merged code, I noticed that there are no equivalents of the reactive versions of the client/configuration. Is this something that you plan to add?
Support reactive version of the clients
N/A
N/A
XContent namespace refactor from common -> core is going to be merged to opensearch/2.x which will break the 2.x build. This issue is for refactoring XContent imports from the common
to core
namespace after the core namespace change is merged.
Depends on opensearch-project/OpenSearch#6470
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.8.0/49b64e09d81c0cc84b267edd0c2fd7df5a64c78c/okio-jvm-2.8.0.jar
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
CVE | Severity | CVSS | Dependency | Type | Fixed in (hoverfly-java-junit5 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-3635 | High | 7.5 | okio-2.8.0.jar | Transitive | N/A* | ❌ |
CVE-2022-24329 | Medium | 5.3 | kotlin-stdlib-1.4.10.jar | Transitive | N/A* | ❌ |
CVE-2020-29582 | Medium | 5.3 | kotlin-stdlib-1.4.10.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A modern I/O API for Java
Library home page: https://github.com/square/okio/
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.8.0/49b64e09d81c0cc84b267edd0c2fd7df5a64c78c/okio-jvm-2.8.0.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Publish Date: 2023-07-12
URL: CVE-2023-3635
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635
Release Date: 2023-07-12
Fix Resolution: com.squareup.okio:okio-jvm:3.4.0
Kotlin Standard Library for JVM
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.10/ea29e063d2bbe695be13e9d044dcfb0c7add398e/kotlin-stdlib-1.4.10.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0
Kotlin Standard Library for JVM
Path to dependency file: /build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.10/ea29e063d2bbe695be13e9d044dcfb0c7add398e/kotlin-stdlib-1.4.10.jar
Dependency Hierarchy:
Found in HEAD commit: 93f238407acbaff2e9420d809abd20c002226565
Found in base branch: main
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Publish Date: 2021-02-03
URL: CVE-2020-29582
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cqj8-47ch-rvvq
Release Date: 2021-02-03
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.4.21
As far as I can tell, the spring-data-opensearch library currently only supports the deprecated _template
api. It would be great to be able to integrate with the new _index_template
api, which also has support for composable index templates, instead of having to use a deprecated api.
Implement methods which use the new _index_template
api.
org.opensearch.client.sniff.Sniffer : error while sniffing nodes
java.net.ConnectException: Connection refused
at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:953) ~[opensearch-rest-client-2.6.0.jar:2.6.0]
at org.opensearch.client.RestClient.performRequest(RestClient.java:332) ~[opensearch-rest-client-2.6.0.jar:2.6.0]
at org.opensearch.client.RestClient.performRequest(RestClient.java:320) ~[opensearch-rest-client-2.6.0.jar:2.6.0]
at org.opensearch.client.sniff.OpenSearchNodesSniffer.sniff(OpenSearchNodesSniffer.java:121) ~[opensearch-rest-client-sniffer-2.5.0.jar:2.5.0]
at org.opensearch.client.sniff.Sniffer.sniff(Sniffer.java:223) ~[opensearch-rest-client-sniffer-2.5.0.jar:2.5.0]
at org.opensearch.client.sniff.Sniffer$Task.run(Sniffer.java:154) ~[opensearch-rest-client-sniffer-2.5.0.jar:2.5.0]
Spring Data 1.0.1 brings in the opensearch-rest-client-sniffer-2.5.0 dependency and the above error is reported repeatedly.
Tried to disable sniffer as explained in https://stackoverflow.com/questions/73056569/how-do-i-stop-hibernate-search-from-sniffing-the-nodes-of-a-non-existent-local-e
Added exclusion for OpenSearchRestHighLevelClientAutoConfiguration and OpenSearchDataAutoConfiguration
None of the above helped and the exception is repeated.
The config is connecting to a cluster of 3 nodes. (All functionality is working. Able to connect to OpenSearch, persist and retrieve records.)
Redhat 8
Java 17
Spring Data OpenSearch - 1.0.1
Connecting to OpenSearch 2.6.0 cluster.
I'm not sure if this should be a feature request for this project or the spring boot actuator project since the elasticsearch indicator is provided by that project. Raising here since the spring-data-elasticsearch project is a spring project, whereas spring-data-opensearch is not, hopefully this is the right place!
If our application is unable to connect to opensearch then we can see lots of errors in the logs such as
2023-05-17 13:16:26.135 ERROR 1862 --- [nt_sniffer[T#1]] org.opensearch.client.sniff.Sniffer : error while sniffing nodes |
however the application does start up and the /actuator/health
endpoint shows that all is healthy status
is UP
. This is incorrect since the application is certainly not healthy if it can't connect to opensearch.
It would therefore be good to have a health indicator that is automatically included to indicate whether we can connect to opensearch. Note that the elasticsearch health indicator actually calls the /_cluster/health
endpoint, which goes beyond checking whether we can connect to the cluster and actually lets us know the state of the cluster. If this is a relatively cheap operation then this sounds fine, otherwise some sort of ping
would normally be preferable.
We could write our own health indicator, but it feels like there should be something out of the box.
We are currently trying to migrate the spring boot application from elasticsearch to opensearch and using the dependency of "spring-data-opensearch".
We are getting an error regarding the VersionType class when we run the application.
This is caused from the entity classes that has @document defined in them which uses the org.springframework.data.elasticsearch.annotations.Document which is internally using VersionType class from "org.elasticsearch.index.VersionType". Which is the root cause of the issue as 'index' folder is not found in the elasticsearch dependency.
Use the spring boot parent version 2.5.13 and java version 11.
With maven dependency of "spring-data-opensearch" / 'spring-data-opensearch-starter".
Your application should have a entity file with @document annotation. When you run the application you will see the error with VersionType class
Migration from elasticsearch to opensearch should not cause any issues and the transaction must be seemless
_macOSVentura 13.2.1
_This issue is caused when migrating the elasticsearch to opensearch
Since version 5.1 of spring-data-elasticsearch, various methods from IndexOperation
interface have been added and a few other have been marked as deprecated. For instance to check if a template exist, deprecated method is existsTemplate
while methods existsComponentTemplate
and existsIndexTemplate
have been added.
Unfortunately when trying to remove any deprecated call from my project code relying on this, I got a UnsupportedOperationException
. Indeed inside RestIndexTemplate
(from spring-data-opensearch) there are 8 methods throwing UnsupportedOperationException("not implemented")
; all related to index and component template CRUD.
I'd like that the new component and index template related methods were implemented so that I can use them and not relying on deprecated API in my project (which triggers warning in my CI that I can't solve yet).
I keep relying on the deprecated API, but then when spring-data-elasticsearch will remove the deprecated methods from the interface (in 5.2 for instance).
The elastic search specific implementation from spring-data-elasticsearch is (in release 5.1.4) at the same status, methods not implemented.
Follow opensearch-project/.github#125 to baseline MAINTAINERS, CODEOWNERS, and external collaborator permissions.
Close this issue when:
If this repo's permissions was already baselined, please confirm the above when closing this issue.
The groupId is currently set to org.opensearch
which is the top-level for OpenSearch. I suggest we have a sub-groupId. I'd probably recommend org.opensearch.client
to have it sit with other Java clients. But, perhaps org.opensearch.spring
is appropriate.
The client used in org.opensearch.data.client.orhlc.OpenSearchRestTemplate
, org.opensearch.client.RestHighLevelClient
, has been deprecated in Elasticsearch since v7.15. The OpenSearch documentation also considers it deprecated.
The OpenSearchRestTemplate
should use the Java client org.opensearch.client.opensearch.OpenSearchClient
instead.
Continuing to use the deprecated client runs the risk of breakage through its removal.
No
Add CHANGELOG enforced with a GHA.
I'd like every PR to come with an entry in CHANGELOG so we know what's changing with every release without having to manually collect release notes. See opensearch-project/OpenSearch#1868 for more details.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.