Posted to dev@atlas.apache.org by Gaurav Saini <GS...@humana.com> on 2020/08/25 08:00:17 UTC

Need help with upgrading dependency versions for apache atlas release-2.1.0-rc3

Hello there.

We are working on the Apache Atlas code and started developing over https://github.com/apache/atlas/tree/release-2.1.0-rc3.
Upon scanning using Twistlock, we found 180+ vulnerabilities. PFA, the Twistlock image scanning results.

Out of these, Jackson-databind and netty_netty-all were the most occurring ones. So, we tried upgrading the versions, but integration tests in the atlas-webapp module start failing saying "org.eclipse.jetty.utils: Multi exception".
We have upgraded the version of jetty-server to 9.4.x but the Atlas server fails to start and throws a 503: service unavailable error.

The same thing is happening while upgrading versions of any other dependencies in the atlas module. The application breaks for any other dependency which we are trying to upgrade. For example, Hadoop-hdfs uses Jackson-databind as a transitive dependency, hence I am unable to update the version.

I do not see any open issue on the GitHub channel either.
Have you experienced any such scenario while upgrading earlier too?
Is there a way for me to move ahead to remove vulnerabilities in the current versions?


Regards,
Gaurav Saini


RE: Need help with upgrading dependency versions for apache atlas release-2.1.0-rc3

Posted by Gaurav Saini <GS...@humana.com>.
Hello

I sent the previous mail on this mail thread by mistake from my office ID.
Could you please unpublish this mail thread from https://lists.apache.org/list.html?dev@atlas.apache.org:2020-8.
I will send the mail from my personal email ID.

Thanks and Regards
Gaurav Saini

From: Gaurav Saini
Sent: Tuesday, August 25, 2020 1:30 PM
To: dev@atlas.apache.org
Cc: Vishal Baghla <VB...@humana.com>; Rahul Nandi <RN...@humana.com>; Bhawna Singla <BS...@humana.com>
Subject: Need help with upgrading dependency versions for apache atlas release-2.1.0-rc3


Hello there.

We are working on the Apache Atlas code and started developing over https://github.com/apache/atlas/tree/release-2.1.0-rc3.
Upon scanning using Twistlock, we found 180+ vulnerabilities. PFA, the Twistlock image scanning results.

Out of these, Jackson-databind and netty_netty-all were the most occurring ones. So, we tried upgrading the versions, but integration tests in the atlas-webapp module start failing saying "org.eclipse.jetty.utils: Multi exception".
We have upgraded the version of jetty-server to 9.4.x but the Atlas server fails to start and throws a 503: service unavailable error.

The same thing is happening while upgrading versions of any other dependencies in the atlas module. The application breaks for any other dependency which we are trying to upgrade. For example, Hadoop-hdfs uses Jackson-databind as a transitive dependency, hence I am unable to update the version.
I do not see any open issue on the GitHub channel either.
Have you experienced any such scenario while upgrading earlier too?
Is there a way for me to move ahead to remove vulnerabilities in the current versions?


Regards,
Gaurav Saini
