Posted to commits@inlong.apache.org by "CVEDetect (via GitHub)" <gi...@apache.org> on 2023/03/01 11:57:23 UTC

[GitHub] [inlong] CVEDetect opened a new pull request, #7481: [INLONG-7480][Component] Fix CVE dependency issue

CVEDetect opened a new pull request, #7481:
URL: https://github.com/apache/inlong/pull/7481

   ### Prepare a Pull Request
   *(Change the title refer to the following example)*
   
   - Title Example: [INLONG-XYZ][Component] Title of the pull request
   
   *(The following *XYZ* should be replaced by the actual [GitHub Issue](https://github.com/apache/inlong/issues) number)*
   
   - Fix issue #7480 by updating dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.63 @dockerzhang
   ### Motivation
   
   *Explain here the context, and why you're making that change. What is the problem you're trying to solve?*
   
   ### Modifications
   
   *Describe the modifications you've done.*
   
   ### Verifying this change
   
   *(Please pick either of the following options)*
   
   - [ ] This change is a trivial rework/code cleanup without any test coverage.
   
   - [ ] This change is already covered by existing tests, such as:
     *(please describe tests)*
   
   - [ ] This change added tests and can be verified as follows:
   
     *(example:)*
     - *Added integration tests for end-to-end deployment with large payloads (10MB)*
     - *Extended integration test for recovery after broker failure*
   
   ### Documentation
   
     - Does this pull request introduce a new feature? (yes / no)
     - If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
     - If a feature is not applicable for documentation, explain why?
     - If a feature is not documented yet in this PR, please create a follow-up issue for adding the documentation
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@inlong.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [inlong] dockerzhang merged pull request #7481: [INLONG-7480][CVE] Add a specified tomcat-embed-core dependency for fixing the CVE problem

Posted by "dockerzhang (via GitHub)" <gi...@apache.org>.
dockerzhang merged PR #7481:
URL: https://github.com/apache/inlong/pull/7481




[GitHub] [inlong] dockerzhang commented on a diff in pull request #7481: [INLONG-7480][Component] Fix CVE dependency issue

Posted by "dockerzhang (via GitHub)" <gi...@apache.org>.
dockerzhang commented on code in PR #7481:
URL: https://github.com/apache/inlong/pull/7481#discussion_r1122518034


##########
pom.xml:
##########
@@ -215,6 +215,11 @@
                 <artifactId>flume-ng-core</artifactId>
                 <version>${flume.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>8.5.63</version>
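
Review bot: The added `<version>8.5.63</version>` is a literal, while the neighbouring flume-ng-core entry in the same hunk takes its version from a property (`${flume.version}`). Declare the Tomcat version once as a property and reference it here, so a later security bump is a one-line change and cannot leave a second copy of the version behind.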

Review Comment:
   Please add the version definition to the root `pom`; it will help keep the same version for other usage scenarios.





[GitHub] [inlong] dockerzhang commented on pull request #7481: [INLONG-7480][CVE] Add a specified tomcat-embed-core dependency for fixing the CVE problem

Posted by "dockerzhang (via GitHub)" <gi...@apache.org>.
dockerzhang commented on PR #7481:
URL: https://github.com/apache/inlong/pull/7481#issuecomment-1451154553

   @CVEDetect thanks for your contribution, please update by referring to the comment.




[GitHub] [inlong] dockerzhang commented on a diff in pull request #7481: [INLONG-7480][CVE] Add a specified tomcat-embed-core dependency for fixing the CVE problem

Posted by "dockerzhang (via GitHub)" <gi...@apache.org>.
dockerzhang commented on code in PR #7481:
URL: https://github.com/apache/inlong/pull/7481#discussion_r1122518034


##########
pom.xml:
##########
@@ -215,6 +215,11 @@
                 <artifactId>flume-ng-core</artifactId>
                 <version>${flume.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>8.5.63</version>
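
Review bot: The added `<dependency>` entry carries no comment saying why tomcat-embed-core is declared at 8.5.63. Put a short XML comment above `<groupId>org.apache.tomcat.embed</groupId>` naming the issue this addresses (INLONG-7480 per the PR title), so the entry is not dropped or downgraded in a later dependency cleanup.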

Review Comment:
   Please add the version definition to the root `pom.xml/properties`; it will help keep the same version for other usage scenarios.





[GitHub] [inlong] CVEDetect commented on pull request #7481: [INLONG-7480][CVE] Add a specified tomcat-embed-core dependency for fixing the CVE problem

Posted by "CVEDetect (via GitHub)" <gi...@apache.org>.
CVEDetect commented on PR #7481:
URL: https://github.com/apache/inlong/pull/7481#issuecomment-1451414995

   > @CVEDetect thanks for your contribution, please update by referring to the comment.
   
   The first commit is not suitable because there are two tomcat versions, 8.5.46 and 9.0.60, in the root pom.xml, and the vulnerability exists in inlong-dataproxy, so I chose to modify the tomcat version in inlong-dataproxy/pom.xml.




[GitHub] [inlong] dockerzhang commented on pull request #7481: [INLONG-7480][CVE] Add a specified tomcat-embed-core dependency for fixing the CVE problem

Posted by "dockerzhang (via GitHub)" <gi...@apache.org>.
dockerzhang commented on PR #7481:
URL: https://github.com/apache/inlong/pull/7481#issuecomment-1451424146

   @CVEDetect the `Code Format Check` workflow failed, please run `mvn spotless:apply` to fix it and re-push, thanks.

