[CALCITE-6794] Site Gemfile contains vulnerable ruby libraries

[hughpearse]

Automated scans are failing of the repo blocking corporate process for library approval due to CVE vulnerability findings. Very minor change to site gemfile required to pass the scans.

Scanning tool is Trivy, and issue does not appear in owasp dependency-check.

Scan of https://github.com/apache/calcite* on *Jan 17, 2025
Repo Tag Scanned: calcite-1.38.0
Vulnerabilities --
HIGH | rexml | 3.2.5 | >= 3.3.9 | GHSA-2rxp-v6pw-ch6m | https://avd.aquasec.com/nvd/cve-2024-49761
HIGH | webrick | 1.7.0 | >= 1.8.2 | GHSA-6f62-3596-g6w7 | https://avd.aquasec.com/nvd/cve-2024-47220
MEDIUM | nokogiri | 1.14.3 | 1.15.6, 1.16.2 | GHSA-vcc3-rw6f-jv97 | GHSA-vcc3-rw6f-jv97
MEDIUM | nokogiri | 1.14.3 | ~> 1.15.6, >= 1.16.2 | GHSA-xc9x-jj77-9p9j | GHSA-xc9x-jj77-9p9j
MEDIUM | rexml | 3.2.5 | >= 3.2.7 | GHSA-vg3r-rm7w-2xgh | https://avd.aquasec.com/nvd/cve-2024-35176
MEDIUM | rexml | 3.2.5 | >= 3.3.2 | GHSA-4xqq-m2hx-25v8 | https://avd.aquasec.com/nvd/cve-2024-39908
MEDIUM | rexml | 3.2.5 | >= 3.3.3 | GHSA-r55c-59qm-vjw6 | https://avd.aquasec.com/nvd/cve-2024-41123
MEDIUM | rexml | 3.2.5 | >= 3.3.3 | GHSA-5866-49gr-22v4 | https://avd.aquasec.com/nvd/cve-2024-41946
MEDIUM | rexml | 3.2.5 | >= 3.3.6 | GHSA-vmwr-mc7x-5vc3 | https://avd.aquasec.com/nvd/cve-2024-43398

Solution is to update the site Gemfile

See following Jira ticket
CALCITE-6794

Related to PR#4159

[hughpearse]

Runs locally

foo@bar$ sudo docker run -t -i -p 4000:4000 --entrypoint /bin/bash ruby:3.3.7-slim-bullseye
foo@bar$ apt update
foo@bar$ apt install build-essential libssl-dev zlib1g-dev git ruby-dev vim
foo@bar$ git clone https://github.com/hughpearse/calcite.git
foo@bar$ cd calcite/site
foo@bar$ gem install bundler
foo@bar$ bundle install
foo@bar$ bundle exec jekyll serve --host=0.0.0.0

http://localhost:4000/

Trivy scan completed on my fork

Approved Libraries
Libraries within this report have passed our security review and can be given to Technology Governance for next steps.

Scan of https://github.com/hughpearse/calcite on Jan 23, 2025
Version Scanned: latest
Commit in the last 730 days: True
Reviewers found: 478, of required: 2 reviewers. Pass: True
This library has no Critical, High, or Medium vulnerabilities

and unit tests are now passing at core/src/test/java/org/apache/calcite/test/org.apache.calcite.test.LintTest

[zabetak]

The instructions to build the site using docker no longer work after this PR

docker compose run --service-ports dev
...
ruby 3.1.1p18 (2022-02-18 revision 53f5fc4236) [x86_64-linux-musl]
/usr/gem/gems/sass-embedded-1.83.4/ext/sass/embedded_sass_pb.rb:11: [BUG] Segmentation fault at 0x0000000000004410
ruby 3.1.1p18 (2022-02-18 revision 53f5fc4236) [x86_64-linux-musl]

-- Control frame information -----------------------------------------------
c:0023 p:---- s:0092 e:000091 CFUNC  :add_serialized_file
c:0022 p:0037 s:0087 e:000086 TOP    /usr/gem/gems/sass-embedded-1.83.4/ext/sass/embedded_sass_pb.rb:11 [FINISH]
c:0021 p:---- s:0082 e:000081 CFUNC  :require_relative
c:0020 p:0005 s:0077 e:000076 CLASS  /usr/gem/gems/sass-embedded-1.83.4/lib/sass/embedded_protocol.rb:6
c:0019 p:0007 s:0074 e:000073 CLASS  /usr/gem/gems/sass-embedded-1.83.4/lib/sass/embedded_protocol.rb:5
c:0018 p:0007 s:0071 e:000070 TOP    /usr/gem/gems/sass-embedded-1.83.4/lib/sass/embedded_protocol.rb:3 [FINISH]
c:0017 p:---- s:0068 e:000067 CFUNC  :require_relative
c:0016 p:0053 s:0063 e:000062 TOP    /usr/gem/gems/sass-embedded-1.83.4/lib/sass/compiler.rb:11 [FINISH]

I always used docker to build the site so not sure we can merge this unless we resolve this problems.

[zabetak]

Note that also the automatic site deployment action relies on the fact that docker works so this PR cannot be merged as such.

[hughpearse]

these are now working:

foor@bar$ sudo docker-compose run --service-ports dev
foor@bar$ sudo docker-compose run build-site

[F21]

docker-compose run --service-ports dev doesn't seem to work for me. I get ERR_EMPTY_RESPONSE when visiting https://localhost:4000

[hughpearse]

docker-compose run --service-ports dev doesn't seem to work for me. I get ERR_EMPTY_RESPONSE when visiting https://localhost:4000

It might have been related to binding on loopback interface inside the container instead of all interfaces. I've added --host=0.0.0.0
Kindly please check if it is resolved for you

Also not sure if httpS if supported, documentation says http

[F21]

Confirming that dev mode using docker compose works.

Can you also fix these 2 warnings?

csv was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.4.0.
You can add csv to your Gemfile or gemspec to silence this warning.
/usr/local/bundle/gems/safe_yaml-1.0.5/lib/safe_yaml/load.rb:22: warning: base64 was loaded from the standard library, but will no longer be part of the default gems starting from Ruby 3.4.0.
You can add base64 to your Gemfile or gemspec to silence this warning.

Another thing, as @zabetak metioned is that we use docker to build the site automatically:

• https://github.com/apache/calcite/blob/main/.github/workflows/publish-non-release-website-updates.yml
• https://github.com/apache/calcite/blob/main/.github/workflows/publish-website-on-release.yml

I remember there were some permissions issues with GH actions, so we had to set the GID of the Jekyll user: https://github.com/apache/calcite/blob/main/.github/workflows/publish-website-on-release.yml#L47

I think the uid and gid of the generated files needs to be set to the id -u and id -g of the GH actions runner for it to work correctly.

[hughpearse]

resolved warnings for csv and base64

Installing jekyll-sass-converter 3.0.0
Fetching jekyll 4.3.4
Installing jekyll 4.3.4
Fetching jekyll-redirect-from 0.16.0
Installing jekyll-redirect-from 0.16.0
Bundle complete! 6 Gemfile dependencies, 37 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.
Configuration file: /root/_config.yml
            Source: /root
       Destination: /root/target
 Incremental build: disabled. Enable with --incremental
      Generating...
                    done in 5.888 seconds.
 Auto-regeneration: enabled for '/root'
    Server address: http://127.0.0.1:4000
  Server running... press ctrl-c to stop.

[hughpearse]

I think the uid and gid of the generated files needs to be set to the id -u and id -g of the GH actions runner for it to work correctly.

In the original docker build it runs as root
https://github.com/apache/calcite/blob/main/site/docker-compose.yml#L26C1-L28C26

foo@host$ sudo docker run -t -i --entrypoint /bin/bash jekyll/jekyll:4
bash-5.1# whoami
root
bash-5.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

In the new docker build, it also runs as root, same as before.

foo@host$ sudo docker run -t -i --entrypoint /bin/bash ruby:3.3.7-slim-bullseye
root@154758938c85:/# whoami
root
root@154758938c85:/# id
uid=0(root) gid=0(root) groups=0(root)

I think the jekyll userid and groupid is determined by the host, not the docker guest, so it should continue to work - what are your thoughts @F21

[F21]

In our GH actions workflows, we set the JEKYLL_UID and JEKYLL_GID environment variables, see:

• https://github.com/apache/calcite/blob/main/.github/workflows/publish-non-release-website-updates.yml#L59
• https://github.com/apache/calcite/blob/main/.github/workflows/publish-website-on-release.yml#L47

This is so that the files generated by the docker service is owned by the correct user (GH actions runner) and not root.

[hughpearse]

@F21 I have not used github actions before - may I ask please what is the change you suggest, I can implement it

[F21]

Basically, docker will set root as the owner and group of the files it generates. With the jekyll/jekyll:4 image, one can set JEKYLL_UID and JEKYLL_GID, so that the files generated are owned by the correct uid and gid.

Since you have changed the image to ruby:3.3.7-slim-bullseye, we need to replicate the same result: files generated by running docker should be owned by the uid and gid of the GitHub Actions runner (see the 2 links in my previous comment). Our automation works with the fiiles generated and does some work on them to commit them to the calcite-site repository, so if the permissions are wrong, then the commit might fail.

[hughpearse]

Looks like uid and gid is set to 1000 on the old jekyll image

foo@host$ sudo docker run -t -i --entrypoint /bin/bash jekyll/jekyll:4
bash-5.1# id jekyll
uid=1000(jekyll) gid=1000(jekyll) groups=1000(jekyll),1000(jekyll)

When I build, the files from the mounted volume on the host now have matching uid and gid

foo@host$ ls -lah
drwxr-xr-x  3    1000    1000   19 Jan 24 06:23 .bundle
-rw-r--r--  1    1000    1000 3.7K Jan 24 06:23 Gemfile.lock
drwxr-xr-x  3    1000    1000   38 Jan 24 06:23 .jekyll-cache
drwxr-xr-x 10    1000    1000 4.0K Jan 24 06:24 target

I hope this resolves the issue

[hughpearse]

Is this considered complete now?

[F21]

Please address the comment and squash your commits, then I think we're good to go.

[F21]

Can you rebase your commit on top of main? For Calcite, we don't use merge commits.

[F21]

Please squash your commits @hughpearse

[hughpearse]

done :) sorry for the confusion, git commit management is not my strength

[F21]

@hughpearse Looks like this broke our automated site publishing due to permissions issues: https://github.com/apache/calcite/actions/runs/12972791903/job/36180649311

Can you please open a pr to fix this?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[hughpearse]

new ticket created

CALCITE-6803