
Comments (21)

linghengqian avatar linghengqian commented on May 24, 2024
  • To add support for Postgres, TiDB or other databases, you need to add files like https://github.com/apache/shardingsphere/tree/master/mode%2Ftype%2Fstandalone%2Frepository%2Fprovider%2Fjdbc%2Fsrc%2Fmain%2Fresources%2Fsql to the /sql/ folder of the project's classpath. These XML files define how ShardingSphere CRUDs the database to save metadata. These files do not take SPI into account.

  • Or you can use cluster mode, in which case the metadata is in ZooKeeper etc.

  • IMHO, the original CVE description is illogical, as h2database V2 does not allow access to the web console by default. This CVE is for the com.datomic:datomic-free dependency. For this CVE, the maintainer has requested to revoke the CVE, and you can see that the CVE has been marked as disputed.

from shardingsphere.

linghengqian avatar linghengqian commented on May 24, 2024


xs996 avatar xs996 commented on May 24, 2024

I don't think this is a false positive from Snyk; here are the details I provided:

As you can see from the report, the current issue comes from shardingsphere-jdbc-core -> shardingsphere-standalone-model-repository-jdbc -> h2.


xs996 avatar xs996 commented on May 24, 2024

I found in the documentation that when I use Mode: Standalone I have to use H2 or MySQL to load my metadata, but we did not use either of the above databases. Is there any way to remove h2database from the source code?


linghengqian avatar linghengqian commented on May 24, 2024
  • Snyk only reported CVE-2018-10054, which is not specific to h2database. You need to check the original report of CVE.

  • You can set the place to keep Metadata to other JDBC URL, whether it is MySQL or PostgreSQL.

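As an added example, not taken from the thread or from the project's own files: the mode section of a ShardingSphere-JDBC YAML configuration that keeps Standalone-mode metadata in MySQL instead of the default in-memory H2, following the repository props documented for the JDBC repository. The host, database name and credentials are placeholders.

```yaml
# Standalone mode with the metadata repository pointed at MySQL.
# The shipped default is provider: H2 with
#   jdbc_url: jdbc:h2:mem:config;DB_CLOSE_DELAY=-1;DATABASE_TO_UPPER=false;MODE=MYSQL
# which is the H2 usage the Snyk finding is attached to.
mode:
  type: Standalone
  repository:
    type: JDBC
    props:
      provider: MySQL                                # H2 or MySQL in 5.4.1
      jdbc_url: jdbc:mysql://127.0.0.1:3306/config   # placeholder host and database
      username: metadata_user                        # placeholder
      password: change-me                            # placeholder; keep it out of version control
```

With provider set to MySQL the metadata store is MySQL and the H2 engine sits unused on the classpath; whether the h2 artifact can additionally be excluded from the build is a separate, build-level question the thread does not settle. The metadata database holds the cluster's rule and data-source configuration, so its account should be scoped to that schema only and its password handled like any other secret.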

20001931 avatar 20001931 commented on May 24, 2024

Snyk reported https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-2331071; please double-check this high issue.
h2database is imported from shardingsphere 5.4.1.

To be honest, keeping metadata only in H2 or MySQL is not a good idea. As you know, sometimes we have no choice; at the moment we only use MSSQL, but Snyk reported SNYK-JAVA-COMH2DATABASE-2331071 for metadata in H2. Is it true that we have to build another MySQL for metadata? I think that is very funny!


xs996 avatar xs996 commented on May 24, 2024
  • You can set the place to keep Metadata to other JDBC URL, whether it is MySQL or PostgreSQL.

If I don't use h2database or MySQL to save my metadata, what should I do? Is there any corresponding documentation? Because I found in the documentation that the Database Repository only supports H2 and MySQL.


20001931 avatar 20001931 commented on May 24, 2024

Thank you for your suggestion, let us try it.


linghengqian avatar linghengqian commented on May 24, 2024
  • It's hard to say what the significance of this issue is, because the h2database team does not think this CVE is meaningful. Unless someone plans to provide the ShardingSphere Standalone mode implementation for org.hsqldb:hsqldb:2.7.2 or org.apache.derby:derby:10.17.1.0, two of the alternatives to h2database.


20001931 avatar 20001931 commented on May 24, 2024

I have another question, about encrypting the DB password in shardingsphere 5.4.1.
Could you provide a suggestion for encrypting the DB password?


linghengqian avatar linghengqian commented on May 24, 2024
  • If you’re referring to encrypting a metadata entry in the Zookeeper or H2database Metadata Repository that stores a database password, this requires a separate mode SPI implementation.

  • And considering the US export controls and China export controls that come with the concept of encryption algorithms, which also involve Apache LICENSE conflicts with regulatory approaches, you’ll want to consider a closed source implementation of your own.

  • If you just need to encrypt a local YAML configuration file, you can do this in a separate org.apache.shardingsphere.infra.url.ShardingSphereURLLoader implementation, such as MD5 salted with a private key. Refer to https://shardingsphere.apache.org/document/current/en/user-manual/shardingsphere-jdbc/yaml-config/jdbc-driver/known-implementation/ .

  • IMHO, this topic has gone beyond the current issue description, and I fully recommend opening a new issue.


20001931 avatar 20001931 commented on May 24, 2024

I have checked shardingsphere 5.4.1 (https://github.com/apache/shardingsphere/tree/5.4.1/infra/executor/src);
there is no class org.apache.shardingsphere.infra.url.ShardingSphereURLLoader.

    <dependency>
        <groupId>org.apache.shardingsphere</groupId>
        <artifactId>shardingsphere-infra-url</artifactId>
        <version>5.4.2-SNAPSHOT</version>
    </dependency>

I just need to encrypt a local YAML configuration file.


linghengqian avatar linghengqian commented on May 24, 2024
  • @20001931 I remember another PMC and I refactored the related SPI design to support potential file transformations at the 5.5.0 milestone, so you need to manually compile the master branch at this stage.

  • As for when 5.5.0 will be released, this is not a question that can be discussed on github.com, you need to go to the shardingsphere mailing list to discuss it.


20001931 avatar 20001931 commented on May 24, 2024

I have another question, about decrypting the DB password in shardingsphere 5.4.1.
As you know, I have an encrypted DB password in the classpath YAML.
But where do I intercept the code where shardingsphere reads the classpath YAML?
url: jdbc:shardingsphere:classpath:sharding-dev.yaml?placeholder-type=system_props
password: $${fixture.config.driver.password::}
I know I can use URLArgumentLineRender to replace $${}, but where do I intercept the code where shardingsphere itself reads the classpath YAML?


linghengqian avatar linghengqian commented on May 24, 2024
  • I'm not sure what you are talking about. A custom implementation of org.apache.shardingsphere.infra.url.ShardingSphereURLLoader can place the key of a certain private key inside. When such an implementation exists, you can directly reference the YAML file containing the encryption information. I assume that the string returned by your implementation of getType() is classpath-with-encrypt.
jdbc:shardingsphere:classpath-with-encrypt:config.yaml
  • org.apache.shardingsphere.infra.url.ShardingSphereURLLoader can also read JDBC URL parameters; it depends on whether you need to pass in the public key for verification.
  • This is completely beyond what the issue describes. I don't think there's any way to handle a PR without opening a new issue.


20001931 avatar 20001931 commented on May 24, 2024

You did not get my point. I know how to use ShardingSphereURLLoader to read the YAML file, but I need to intercept the code jdbcRepositoryProps.getValue(JDBCRepositoryPropertyKey.PASSWORD).
The password is the one I encrypted in the YAML file.
I need to decrypt this password and return the ShardingSphere dataSource.
You cannot intercept the ShardingSphere dataSource if you just implement a custom ShardingSphereURLLoader.
May I know how to intercept props in JDBCRepositoryProperties jdbcRepositoryProps = new JDBCRepositoryProperties(props)?
I need to change props before JDBCRepository init.


linghengqian avatar linghengqian commented on May 24, 2024
  • The easiest way to do this is to implement a custom Mode, which is a repeatable operation.


20001931 avatar 20001931 commented on May 24, 2024

Could you share more detail? Where can I find a code template to refer to?
Do you mean using the SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository to point to a custom implementation class?


linghengqian avatar linghengqian commented on May 24, 2024
  • The answer is yes. See https://shardingsphere.apache.org/document/current/en/dev-manual/mode/. I still don't think that encrypting entries within a YAML file requires a reimplementation of Mode, as you said earlier, only encrypting local files.

  • It's hard to say what the reference template is, since under normal circumstances, JDBC implementations cover most scenarios. Just refer to the processing of normal unit tests.


20001931 avatar 20001931 commented on May 24, 2024

I got your point. You mean I need to change the SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository to a custom implementation class, for example JDBCRepositoryAli.class, so that I control the dataSource init; is that right?


linghengqian avatar linghengqian commented on May 24, 2024

I got your point. You mean I need to change the SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository to a custom implementation class, for example JDBCRepositoryAli.class, so that I control the dataSource init; is that right?

  • Yes.

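As an added example, not code from the thread or from ShardingSphere: the decryption step that both the ShardingSphereURLLoader suggestion (for the YAML text) and the custom StandalonePersistRepository suggestion (for the repository Properties, before they reach JDBCRepository) need, written as a self-contained helper either of them would call. It uses AES-256-GCM rather than a hash, because the repository has to recover the plaintext password at runtime; the ENC(...) marker, the class name, the property names and the environment variable holding the key are my own conventions, not ShardingSphere's.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: resolves ENC(...) values in repository Properties before JDBCRepository sees them. */
public final class EncryptedRepositoryProps {

    private static final String PREFIX = "ENC(";
    private static final int IV_LEN = 12;      // 96-bit nonce, the GCM recommendation
    private static final int TAG_BITS = 128;   // full authentication tag

    private final byte[] key;

    public EncryptedRepositoryProps(byte[] key) {
        this.key = key.clone();
    }

    /** The key lives outside the YAML (here: an env var, assumed name), so the file alone reveals nothing. */
    public static EncryptedRepositoryProps fromEnv(String var) {
        String b64 = System.getenv(var);
        if (b64 == null) {
            throw new IllegalStateException("missing key in environment variable " + var);
        }
        return new EncryptedRepositoryProps(Base64.getDecoder().decode(b64));
    }

    /** Encrypts a plaintext into ENC(base64(iv || ciphertext || tag)); used once when writing the YAML. */
    public String encrypt(String plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);                 // fresh nonce per value: never reuse under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out) + ")";
    }

    /** Values without the marker (provider, jdbc_url, ...) pass through untouched. */
    public String decrypt(String value) throws GeneralSecurityException {
        if (!value.startsWith(PREFIX) || !value.endsWith(")")) {
            return value;
        }
        byte[] in = Base64.getDecoder().decode(value.substring(PREFIX.length(), value.length() - 1));
        if (in.length < IV_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        byte[] pt = c.doFinal(in, IV_LEN, in.length - IV_LEN);  // AEADBadTagException if anything was altered
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** The call a custom StandalonePersistRepository would make on the incoming props before delegating. */
    public Properties decryptAll(Properties props) throws GeneralSecurityException {
        Properties out = new Properties();
        for (String name : props.stringPropertyNames()) {
            out.setProperty(name, decrypt(props.getProperty(name)));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[32];                    // constructed key for the demo only
        new SecureRandom().nextBytes(demoKey);
        EncryptedRepositoryProps enc = new EncryptedRepositoryProps(demoKey);

        Properties props = new Properties();               // constructed sample of the repository props
        props.setProperty("provider", "MySQL");
        props.setProperty("jdbc_url", "jdbc:mysql://127.0.0.1:3306/config");
        props.setProperty("username", "metadata_user");
        props.setProperty("password", enc.encrypt("s3cret"));
        System.out.println("stored:   " + props.getProperty("password"));
        System.out.println("resolved: " + enc.decryptAll(props).getProperty("password"));

        // Failure mode: flip one ciphertext byte; GCM rejects it instead of returning a wrong password.
        String stored = props.getProperty("password");
        byte[] raw = Base64.getDecoder().decode(stored.substring(PREFIX.length(), stored.length() - 1));
        raw[raw.length - 1] ^= 0x01;
        String tampered = PREFIX + Base64.getEncoder().encodeToString(raw) + ")";
        try {
            enc.decrypt(tampered);
            System.out.println("BUG: tampered value accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered ciphertext rejected");
        }
    }
}
```

Wiring it in along the lines the maintainer suggests: a class implementing org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository, registered through META-INF/services/org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository, whose initialisation runs decryptAll over the incoming Properties and hands the result to a wrapped JDBCRepository; the exact method set of that SPI in 5.4.1 should be read from the linked dev manual rather than assumed from this note. Two properties worth keeping whatever the wiring: the key never appears in the YAML, and a modified or truncated ciphertext fails loudly rather than producing a plausible-looking wrong password.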
