Merge pull request #3122 from liuliaozhong/3.6.x_issue_2865

feat: 修复第三方组件安全漏洞 #2865
TencentBlueKing · Jul 16, 2024 · 99fb891 · 99fb891
2 parents fc243b7 + 53071ed
commit 99fb891
Show file tree

Hide file tree

Showing 40 changed files with 308 additions and 325 deletions.
diff --git a/src/backend/build.gradle b/src/backend/build.gradle
@@ -127,6 +127,30 @@ ext {
     // Fix Spring Cloud Function Spel表达式注入漏洞(CVE-2022-22963)
     // Fix Spring Cloud Function 拒绝服务漏洞(CVE-2022-22979)
     set('spring-cloud-function.version', "3.2.8")
+
+    // Fix CVE-2021-3711,CVE-2023-22102
+    set('mysql.version', "8.0.28")
+    // Fix CVE-2022-22978,CVE-2022-22976,CVE-2021-22119
+    set('spring-security.version', "5.5.7")
+    // Fix CVE-2022-42004,CVE-2022-42003,CVE-2021-46877,CVE-2020-36518
+    set('jackson-bom.version', "2.12.7.20221012")
+    // Fix CVE-2021-37137,CVE-2021-37136
+    set('netty.version', "4.1.68.Final")
+    // Fix CVE-2022-25647
+    set('gson.version', "2.8.9")
+    // Fix CVE-2023-44487
+    set('tomcat.version', "9.0.90")
+    // Fix CVE-2022-22965
+    set('spring-framework.version', "5.3.23")
+
+    // Fix CVE-2022-22980
+    set('springDataMongodbVersion', "3.3.5")
+    // Fix CVE-2022-3510,CVE-2022-3509,CVE-2022-3171
+    set('protobufJavaVersion', "3.16.3")
+    // Fix CVE-2019-10086,CVE-2014-0114
+    set('commonsBeanutilsVersion', "1.9.4")
+    // Fix CVE-2021-22044
+    set('openfeignCoreVersion', "3.0.5")
 }
 
 group "com.tencent.bk.job"
@@ -280,6 +304,8 @@ subprojects {
                 entry "hibernate-validator"
             }
             dependency "com.beust:jcommander:$jcommanderVersion"
+            dependency "commons-beanutils:commons-beanutils:$commonsBeanutilsVersion"
+            dependency "org.springframework.cloud:spring-cloud-openfeign-core:$openfeignCoreVersion"
         }
     }
     dependencies {

diff --git a/src/backend/commons/build.gradle b/src/backend/commons/build.gradle
@@ -36,7 +36,7 @@ subprojects {
     version "${jobCommonVersion}"
     dependencies {
         compileOnly 'javax.servlet:javax.servlet-api:3.1.0'
-        compileOnly 'ch.qos.logback:logback-classic:1.1.11'
+        compileOnly 'ch.qos.logback:logback-classic:1.3.14'
         compileOnly 'org.projectlombok:lombok'
         annotationProcessor 'org.projectlombok:lombok'
         testImplementation 'org.junit.jupiter:junit-jupiter'

diff --git a/src/backend/job-analysis/boot-job-analysis/build.gradle b/src/backend/job-analysis/boot-job-analysis/build.gradle
@@ -33,6 +33,7 @@ dependencies {
     implementation 'org.springframework:spring-webmvc'
     implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
     runtimeOnly('mysql:mysql-connector-java')
+    runtimeOnly("com.google.protobuf:protobuf-java:$protobufJavaVersion")
 
     testImplementation("com.h2database:h2")
 }

diff --git a/src/backend/job-backup/boot-job-backup/build.gradle b/src/backend/job-backup/boot-job-backup/build.gradle
@@ -34,6 +34,7 @@ dependencies {
     implementation 'org.springframework:spring-webmvc'
     implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
     runtimeOnly('mysql:mysql-connector-java')
+    runtimeOnly("com.google.protobuf:protobuf-java:$protobufJavaVersion")
 
     testImplementation("com.h2database:h2")
 }

diff --git a/...ob-crontab/src/main/java/com/tencent/bk/job/crontab/api/inner/ServiceCronJobResource.java b/...ob-crontab/src/main/java/com/tencent/bk/job/crontab/api/inner/ServiceCronJobResource.java
@@ -38,7 +38,6 @@
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -49,7 +48,6 @@
  * @since 20/2/2020 19:54
  */
 @Api(tags = {"Cron_Job"})
-@RequestMapping("/service/app/{appId}/cron/job")
 @RestController
 @InternalAPI
 public interface ServiceCronJobResource {
@@ -61,7 +59,7 @@ public interface ServiceCronJobResource {
      * @param enable 定时任务状态
      * @return 定时任务列表
      */
-    @GetMapping("/")
+    @GetMapping("/service/app/{appId}/cron/job")
     InternalResponse<List<ServiceCronJobDTO>> listCronJobs(
         @ApiParam(value = "业务 ID", required = true, example = "2") @PathVariable("appId") Long appId,
         @ApiParam(value = "是否开启", required = false, example = "true") @RequestParam("enable") Boolean enable
@@ -76,7 +74,7 @@ InternalResponse<List<ServiceCronJobDTO>> listCronJobs(
      * @param cronJobCreateUpdateReq 定时任务新建、更新请求
      * @return 定时任务 ID
      */
-    @PutMapping("/{cronJobId}")
+    @PutMapping("/service/app/{appId}/cron/job/{cronJobId}")
     InternalResponse<Long> saveCronJob(
         @ApiParam(value = "用户名，网关自动传入") @RequestHeader("username") String username,
         @ApiParam(value = "业务 ID", required = true, example = "2") @PathVariable("appId") Long appId,
@@ -93,7 +91,7 @@ InternalResponse<Long> saveCronJob(
      * @param status    定时任务状态
      * @return 是否更新成功
      */
-    @PostMapping("/{cronJobId}/status")
+    @PostMapping("/service/app/{appId}/cron/job/{cronJobId}/status")
     InternalResponse<Boolean> updateCronJobStatus(
         @ApiParam(value = "业务 ID", required = true, example = "2")
         @PathVariable("appId")
@@ -113,7 +111,7 @@ InternalResponse<Boolean> updateCronJobStatus(
      * @param planIdList 执行方案 ID 列表
      * @return 执行方案与定时任务列表对应表
      */
-    @GetMapping("/plan")
+    @GetMapping("/service/app/{appId}/cron/job/plan")
     InternalResponse<Map<Long, List<CronJobVO>>> batchListCronJobByPlanIds(
         @ApiParam(value = "业务 ID", required = true, example = "2") @PathVariable("appId") Long appId,
         @ApiParam(value = "执行方案 ID 列表", required = true) @RequestParam(value = "planId") List<Long> planIdList
@@ -131,7 +129,7 @@ InternalResponse<Map<Long, List<CronJobVO>>> batchListCronJobByPlanIds(
      * @param cronJobCreateUpdateReq 定时任务创建请求
      * @return 定时任务 ID
      */
-    @PutMapping("/{cronJobId}/saveCronJobWithId")
+    @PutMapping("/service/app/{appId}/cron/job/{cronJobId}/saveCronJobWithId")
     InternalResponse<Long> saveCronJobWithId(
         @ApiParam(value = "用户名，网关自动传入") @RequestHeader("username") String username,
         @ApiParam(value = "业务 ID", required = true, example = "2") @PathVariable("appId") Long appId,

diff --git a/...rontab/src/main/java/com/tencent/bk/job/crontab/api/inner/ServiceCronMetricsResource.java b/...rontab/src/main/java/com/tencent/bk/job/crontab/api/inner/ServiceCronMetricsResource.java
@@ -30,18 +30,16 @@
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
 @Api(tags = {"job-crontab:Service:Metrics"})
-@RequestMapping("/service/metrics")
 @RestController
 @EsbAPI
 public interface ServiceCronMetricsResource {
 
     @ApiOperation(value = "定时任务总量", produces = "application/json")
-    @GetMapping("/count")
+    @GetMapping("/service/metrics/count")
     InternalResponse<Integer> countCronJob(
         @ApiParam(value = "业务Id")
         @RequestParam(value = "appId", required = false)

diff --git a/...ontab/src/main/java/com/tencent/bk/job/crontab/api/inner/ServiceInnerCronJobResource.java b/...ontab/src/main/java/com/tencent/bk/job/crontab/api/inner/ServiceInnerCronJobResource.java
@@ -34,7 +34,6 @@
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
@@ -43,7 +42,6 @@
  * @since 18/2/2020 15:11
  */
 @Api(tags = {"Inner_Cron_Job"})
-@RequestMapping("/service/inner/cron/job")
 @RestController
 @EsbAPI
 public interface ServiceInnerCronJobResource {
@@ -56,7 +54,7 @@ public interface ServiceInnerCronJobResource {
      * @param request  作业详情
      * @return 是否创建成功
      */
-    @PutMapping("/{systemId}/{jobKey}")
+    @PutMapping("/service/inner/cron/job/{systemId}/{jobKey}")
     InternalResponse<Boolean> addNewCronJob(
         @PathVariable("systemId") String systemId,
         @PathVariable("jobKey") String jobKey, @RequestBody ServiceAddInnerCronJobRequestDTO request
@@ -69,7 +67,7 @@ InternalResponse<Boolean> addNewCronJob(
      * @param jobKey   任务 Key
      * @return 定时任务详情
      */
-    @GetMapping("/{systemId}/{jobKey}")
+    @GetMapping("/service/inner/cron/job/{systemId}/{jobKey}")
     InternalResponse<ServiceInnerCronJobInfoDTO> getCronJobInfoByKey(
         @PathVariable("systemId") String systemId,
         @PathVariable("jobKey") String jobKey
@@ -82,7 +80,7 @@ InternalResponse<ServiceInnerCronJobInfoDTO> getCronJobInfoByKey(
      * @param jobKey   任务 Key
      * @return 删除是否成功
      */
-    @DeleteMapping("/{systemId}/{jobKey}")
+    @DeleteMapping("/service/inner/cron/job/{systemId}/{jobKey}")
     InternalResponse<Boolean> deleteCronJob(
         @PathVariable("systemId") String systemId,
         @PathVariable("jobKey") String jobKey
@@ -94,7 +92,7 @@ InternalResponse<Boolean> deleteCronJob(
      * @param systemId 系统 ID
      * @return 定时任务列表
      */
-    @GetMapping("/{systemId}")
+    @GetMapping("/service/inner/cron/job/{systemId}")
     InternalResponse<List<ServiceInnerCronJobInfoDTO>> listCronJobs(@PathVariable("systemId") String systemId);
 
 }
diff --git a/src/backend/job-crontab/boot-job-crontab/build.gradle b/src/backend/job-crontab/boot-job-crontab/build.gradle
@@ -33,6 +33,7 @@ dependencies {
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
     implementation 'org.springframework:spring-webmvc'
     runtimeOnly 'mysql:mysql-connector-java'
+    runtimeOnly("com.google.protobuf:protobuf-java:$protobufJavaVersion")
 
     testImplementation("com.h2database:h2")
 }

diff --git a/...xecute/src/main/java/com/tencent/bk/job/execute/api/inner/ServiceExecuteTaskResource.java b/...xecute/src/main/java/com/tencent/bk/job/execute/api/inner/ServiceExecuteTaskResource.java
@@ -32,7 +32,6 @@
 import io.swagger.annotations.Api;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 /**
@@ -41,13 +40,12 @@
  * @date 2019/09/18
  */
 @Api(tags = {"Task_Execute"})
-@RequestMapping("/service/execution")
 @RestController
 @InternalAPI
 public interface ServiceExecuteTaskResource {
-    @PostMapping("/task-execution/task")
+    @PostMapping("/service/execution/task-execution/task")
     InternalResponse<ServiceTaskExecuteResult> executeTask(@RequestBody ServiceTaskExecuteRequest request);
 
-    @PostMapping("/task-execution/task/auth")
+    @PostMapping("/service/execution/task-execution/task/auth")
     InternalResponse<AuthResultDTO> authExecuteTask(@RequestBody ServiceTaskExecuteRequest request);
 }
diff --git a/...ob-execute/src/main/java/com/tencent/bk/job/execute/api/inner/ServiceMetricsResource.java b/...ob-execute/src/main/java/com/tencent/bk/job/execute/api/inner/ServiceMetricsResource.java
@@ -38,24 +38,22 @@
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
 
 @Api(tags = {"job-execute:service:Metrics"})
-@RequestMapping("/service/metrics")
 @RestController
 @InternalAPI
 public interface ServiceMetricsResource {
 
     @ApiOperation(value = "接入（执行过一次任务）的业务Id列表", produces = "application/json")
-    @GetMapping("/app/joined")
+    @GetMapping("/service/metrics/app/joined")
     InternalResponse<List<Long>> getJoinedAppIdList();
 
     @ApiOperation(value = "是否有执行记录", produces = "application/json")
-    @GetMapping("/app/hasExecuteHistory")
+    @GetMapping("/service/metrics/app/hasExecuteHistory")
     InternalResponse<Boolean> hasExecuteHistory(
         @ApiParam(value = "业务Id", required = false)
         @RequestParam(value = "appId", required = false) Long appId,
@@ -72,7 +70,7 @@ InternalResponse<Boolean> hasExecuteHistory(
      */
     @Deprecated
     @ApiOperation(value = "快速文件分发统计", produces = "application/json")
-    @GetMapping("/fastPushFile/count")
+    @GetMapping("/service/metrics/fastPushFile/count")
     InternalResponse<Integer> countFastPushFile(
         @ApiParam(value = "业务Id", required = false)
         @RequestParam(value = "appId", required = false) Long appId,
@@ -93,7 +91,7 @@ InternalResponse<Integer> countFastPushFile(
      */
     @Deprecated
     @ApiOperation(value = "步骤执行统计", produces = "application/json")
-    @GetMapping("/stepInstances/count")
+    @GetMapping("/service/metrics/stepInstances/count")
     InternalResponse<Integer> countStepInstances(
         @ApiParam(value = "业务Id", required = false)
         @RequestParam(value = "appId", required = false) Long appId,
@@ -116,7 +114,7 @@ InternalResponse<Integer> countStepInstances(
      */
     @Deprecated
     @ApiOperation(value = "任务（含快速/作业）执行统计", produces = "application/json")
-    @GetMapping("/taskInstances/count")
+    @GetMapping("/service/metrics/taskInstances/count")
     InternalResponse<Integer> countTaskInstances(
         @ApiParam(value = "业务Id", required = false)
         @RequestParam(value = "appId", required = false) Long appId,
@@ -137,7 +135,7 @@ InternalResponse<Integer> countTaskInstances(
     );
 
     @ApiOperation(value = "获取统计数据", produces = "application/json")
-    @GetMapping("/statistics")
+    @GetMapping("/service/metrics/statistics")
     InternalResponse<StatisticsDTO> getStatistics(
         @ApiParam(value = "业务Id", required = true)
         @RequestParam(value = "appId", required = true) Long appId,
@@ -152,7 +150,7 @@ InternalResponse<StatisticsDTO> getStatistics(
     );
 
     @ApiOperation(value = "获取统计数据", produces = "application/json")
-    @GetMapping("/statistics/list")
+    @GetMapping("/service/metrics/statistics/list")
     InternalResponse<List<StatisticsDTO>> listStatistics(
         @ApiParam(value = "业务Id", required = false)
         @RequestParam(value = "appId", required = false) Long appId,
@@ -167,7 +165,7 @@ InternalResponse<List<StatisticsDTO>> listStatistics(
     );
 
     @ApiOperation(value = "触发指定时间的数据统计", produces = "application/json")
-    @PostMapping("/statistics/trigger")
+    @PostMapping("/service/metrics/statistics/trigger")
     InternalResponse<Boolean> triggerStatistics(
         @ApiParam(value = "统计日期(yyyy-MM-dd)", required = false)
         @RequestBody ServiceTriggerStatisticsRequest request

diff --git a/.../src/main/java/com/tencent/bk/job/execute/api/inner/ServiceTaskExecuteResultResource.java b/.../src/main/java/com/tencent/bk/job/execute/api/inner/ServiceTaskExecuteResultResource.java
@@ -37,7 +37,6 @@
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -47,7 +46,6 @@
  * 作业执行结果API-服务内部调用
  */
 @Api(tags = {"job-execute:service:Task_Execution_Result"})
-@RequestMapping("/service/execution")
 @RestController
 @InternalAPI
 public interface ServiceTaskExecuteResultResource {
@@ -56,12 +54,12 @@ public interface ServiceTaskExecuteResultResource {
      * @return Map<定时任务ID, 统计信息>
      */
     @ApiOperation(value = "获取定时作业执行结果统计", produces = "application/json")
-    @PostMapping("/task-execution-history/execute-result-statistics/cron")
+    @PostMapping("/service/execution/task-execution-history/execute-result-statistics/cron")
     InternalResponse<Map<Long, ServiceCronTaskExecuteResultStatistics>> getCronTaskExecuteResultStatistics(
         @ApiParam("获取定时作业执行结果统计") @RequestBody ServiceGetCronTaskExecuteStatisticsRequest request);
 
     @ApiOperation(value = "获取作业执行历史列表", produces = "application/json")
-    @GetMapping("/app/{appId}/task-execution-history/list")
+    @GetMapping("/service/execution/app/{appId}/task-execution-history/list")
     InternalResponse<PageData<ServiceTaskInstanceDTO>> getTaskExecuteResult(
         @ApiParam(value = "业务ID", required = true, example = "1") @PathVariable("appId") Long appId,
         @ApiParam(value = "任务名称", name = "taskName", required = false) @RequestParam(value = "taskName",

diff --git a/src/backend/job-execute/boot-job-execute/build.gradle b/src/backend/job-execute/boot-job-execute/build.gradle
@@ -31,6 +31,7 @@ dependencies {
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
     implementation 'org.springframework.cloud:spring-cloud-starter-stream-rabbit'
     runtimeOnly 'mysql:mysql-connector-java'
+    runtimeOnly("com.google.protobuf:protobuf-java:$protobufJavaVersion")
 
     testImplementation("com.h2database:h2")
 }

diff --git a/...ay/src/main/java/com/tencent/bk/job/file_gateway/api/inner/ServiceFileSourceResource.java b/...ay/src/main/java/com/tencent/bk/job/file_gateway/api/inner/ServiceFileSourceResource.java
@@ -31,17 +31,15 @@
 import io.swagger.annotations.ApiParam;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 @Api(tags = {"job-file-gateway:service:FileSource"})
-@RequestMapping("/service/fileSource/")
 @RestController
 @InternalAPI
 public interface ServiceFileSourceResource {
 
     @ApiOperation(value = "获取文件源ID", produces = "application/json")
-    @GetMapping("getFileSourceIdByCode/codes/{code}")
+    @GetMapping("/service/fileSource/getFileSourceIdByCode/codes/{code}")
     InternalResponse<Integer> getFileSourceIdByCode(
         @ApiParam(value = "文件源标识", required = true) @PathVariable("code") String code);
 }