Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/09/21 09:22:39 UTC

[GitHub] [pulsar] Jason918 opened a new pull request, #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Jason918 opened a new pull request, #17765:
URL: https://github.com/apache/pulsar/pull/17765

   
   
   ### Motivation
   
   Currently the owasp ci check fails on branch-2.10.
   See https://github.com/Jason918/pulsar/actions/runs/3088190603/jobs/4994380011#step:8:53
   ```
   Error:  Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project distribution: 
   Error:  
   Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
   Error:  
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: aether-connector-asynchttpclient-1.13.1.jar: CVE-2017-14063(7.5), CVE-2021-43138(7.8)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: async-http-client-1.6.5.jar: CVE-2021-43138(7.8)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: grpc-netty-1.45.1.jar: CVE-2019-16869(7.5), CVE-2015-2156(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: logback-core-1.2.3.jar: CVE-2021-42550(6.6)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-compat-3.0.5.jar: CVE-2021-26291(9.1)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-core-3.0.5.jar: CVE-2021-26291(9.1)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: maven-settings-3.0.5.jar: CVE-2021-26291(9.1)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: netty-3.10.6.Final.jar: CVE-2019-16869(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: okhttp-3.14.9.jar: CVE-2021-0341(7.5)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: plexus-utils-2.0.6.jar: CVE-2017-1000487(9.8)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: presto-cli-332.jar: CVE-2020-15087(8.8)
   Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: presto-spi-332.jar: CVE-2020-15087(8.8)
   ```
   
   ### Modifications
   
   Exclude distribution and distribution/server from the owasp check.
   
   ### Verifying this change
   
   - [ ] Make sure that the change passes the CI checks.
   
   
   ### Does this pull request potentially affect one of the following parts:
   
   *If the box was checked, please highlight the changes*
   
   - [ ] Dependencies (add or upgrade a dependency)
   - [ ] The public API
   - [ ] The schema
   - [ ] The default values of configurations
   - [ ] The binary protocol
   - [ ] The REST endpoints
   - [ ] The admin CLI options
   - [ ] Anything that affects deployment
   
   ### Documentation
   
   
   - [ ] `doc-required` 
   (Your PR needs to update docs and you will update later)
   
   - [x] `doc-not-needed` 
   bug fix
   
   - [ ] `doc` 
   (Your PR contains doc changes)
   
   - [ ] `doc-complete`
   (Docs have been already added)
   
   ### Matching PR in forked repository
   
   PR in forked repository: https://github.com/Jason918/pulsar/pull/6 
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] Jason918 commented on a diff in pull request #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Posted by GitBox <gi...@apache.org>.
Jason918 commented on code in PR #17765:
URL: https://github.com/apache/pulsar/pull/17765#discussion_r978241311


##########
.github/workflows/ci-owasp-dep-check.yaml:
##########
@@ -84,9 +84,9 @@ jobs:
           df -h
 
       # Projects dependent on flume, hdfs, hbase, and presto currently excluded from the scan.
-      - name: run "clean install verify" to trigger dependency check
+      - name: run "clean verify" to trigger dependency check
         if: ${{ steps.changes.outputs.poms == 'true' }}
-        run: mvn -q -B -ntp clean install verify -PskipDocker,owasp-dependency-check -DskipTests -pl '!pulsar-sql,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs'
+        run: mvn -q -B -ntp clean verify -PskipDocker,owasp-dependency-check -DskipTests -pl '!pulsar-sql,!distribution,!distribution/server,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs'
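Review bot: Adding `!distribution` and `!distribution/server` to the `-pl` exclusion list on the `run:` line drops the server distribution from the scan altogether, so a future CVE in any jar shipped by the main distro will no longer be caught, while the failure quoted in the PR description is confined to jars nested inside `pulsar-presto-distribution.tar.gz`; a `<suppress>` entry keyed on that file path (or a presto upgrade) would address those without losing coverage of the rest of the distribution. The `# Projects dependent on flume, hdfs, hbase, and presto currently excluded from the scan.` comment above the step also no longer describes the command; if the exclusion stays, update it to list `distribution` and `distribution/server`.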

Review Comment:
   Good point. 





[GitHub] [pulsar] Jason918 commented on pull request #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Posted by GitBox <gi...@apache.org>.
Jason918 commented on PR #17765:
URL: https://github.com/apache/pulsar/pull/17765#issuecomment-1256143139

   Current OWASP Dependency Check fails because of "CVE-2022-25857", which is fixed in https://github.com/apache/pulsar/pull/17779. 




[GitHub] [pulsar] Jason918 commented on pull request #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Posted by GitBox <gi...@apache.org>.
Jason918 commented on PR #17765:
URL: https://github.com/apache/pulsar/pull/17765#issuecomment-1253530543

   @lhotari @nicoloboschi @dlg99 PTAL




[GitHub] [pulsar] eolivelli commented on pull request #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Posted by GitBox <gi...@apache.org>.
eolivelli commented on PR #17765:
URL: https://github.com/apache/pulsar/pull/17765#issuecomment-1253772284

   Why do we do this only on this branch?




[GitHub] [pulsar] Jason918 merged pull request #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Posted by GitBox <gi...@apache.org>.
Jason918 merged PR #17765:
URL: https://github.com/apache/pulsar/pull/17765




[GitHub] [pulsar] Jason918 commented on pull request #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Posted by GitBox <gi...@apache.org>.
Jason918 commented on PR #17765:
URL: https://github.com/apache/pulsar/pull/17765#issuecomment-1255766091

   @nicoloboschi @lhotari 
   After a deeper look, it turns out that the problem is that the file name "pulsar-presto-distribution.tar.gz" did not match the previous suppression rule in the suppression file. It's a simple fix now and it's validated in my fork. See https://github.com/Jason918/pulsar/actions/runs/3110052763/jobs/5040852313

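To make the mismatch described in the comment above concrete, here is an added example (not code from the PR or from the Pulsar repository) that parses the dependency-check error lines quoted in the PR description and evaluates them against a simplified model of `<suppress>` rules: a `filePath` regex plus an optional set of CVE ids. The stale and corrected rule regexes, the `": "`-joined path form and the full-match semantics are assumptions for illustration; real dependency-check matches `filePath` against the extracted file's actual path, so confirm the path shown in the generated report before writing a rule.

```python
import re
from dataclasses import dataclass

# Constructed sample: four dependency-check error lines quoted in the PR description.
LOG_LINES = [
    "Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: presto-cli-332.jar: CVE-2020-15087(8.8)",
    "Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: presto-spi-332.jar: CVE-2020-15087(8.8)",
    "Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: okhttp-3.14.9.jar: CVE-2021-0341(7.5)",
    "Error:  pulsar-presto-distribution.tar.gz: pulsar-presto-distribution.tar: logback-core-1.2.3.jar: CVE-2021-42550(6.6)",
]
CVE_RE = re.compile(r"(CVE-\d{4}-\d+)\((\d+(?:\.\d+)?)\)")
FAIL_THRESHOLD = 7.0  # the "greater than or equal to '7.0'" cut-off in the quoted error

@dataclass(frozen=True)
class Finding:
    path: str   # archive chain exactly as the report prints it (assumed ": "-joined)
    cve: str
    cvss: float

def parse_findings(lines):
    """Turn 'Error:  outer: inner: lib.jar: CVE-x(score), ...' lines into Findings."""
    findings = []
    for line in lines:
        body = line.split("Error:", 1)[1].strip()
        path, _, cve_list = body.rpartition(": ")
        for cve, score in CVE_RE.findall(cve_list):
            findings.append(Finding(path, cve, float(score)))
    return findings

def is_suppressed(finding, rules):
    """Simplified <suppress> model: filePath regex (full match) plus optional CVE set; no set means all CVEs."""
    for rule in rules:
        if re.fullmatch(rule["file_path"], finding.path) is None:
            continue
        if rule.get("cves") is None or finding.cve in rule["cves"]:
            return True
    return False

def unsuppressed_failures(findings, rules, threshold=FAIL_THRESHOLD):
    """Findings that would still fail the build: at/above threshold and not suppressed."""
    return [f for f in findings if f.cvss >= threshold and not is_suppressed(f, rules)]

# Hypothetical stale rule: expects a "/" separator, so it never matches the ": "-joined chain.
STALE_RULES = [{"file_path": r".*/presto-(cli|spi)-\d+\.jar", "cves": {"CVE-2020-15087"}}]
# Hypothetical corrected rules anchored on the artifact name that actually appears.
FIXED_RULES = [
    {"file_path": r".*pulsar-presto-distribution\.tar\.gz.*presto-(cli|spi)-\d+\.jar",
     "cves": {"CVE-2020-15087"}},
    {"file_path": r".*okhttp-3\.14\.9\.jar", "cves": {"CVE-2021-0341"}},
]
```

Running `unsuppressed_failures(parse_findings(LOG_LINES), STALE_RULES)` leaves the two presto findings and the okhttp one, exactly the build-failing set; with `FIXED_RULES` nothing at or above 7.0 remains, and the 6.6 logback finding never counts either way.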



[GitHub] [pulsar] Jason918 commented on pull request #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Posted by GitBox <gi...@apache.org>.
Jason918 commented on PR #17765:
URL: https://github.com/apache/pulsar/pull/17765#issuecomment-1254426047

   > Why do we do this only on this branch?
   
   @eolivelli 
   This occurred after I triggered the last CI for release 2.10.2 in my fork https://github.com/Jason918/pulsar/pull/6.
   
   The master branch won't have this issue as presto is upgraded in #16683.
   As for other released branches, I will cherry-pick this if they have the same issue.
   
   I am not sure when this owasp check started failing. But I think we missed a step to trigger a full CI before cutting a release candidate. Currently the owasp check will be skipped if there are no modifications on "pom" files. I will put some updates to the release process after this release.




[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #17765: [fix][ci][branch-2.10] Fix owasp ci failure on branch-2.10

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #17765:
URL: https://github.com/apache/pulsar/pull/17765#discussion_r977461932


##########
.github/workflows/ci-owasp-dep-check.yaml:
##########
@@ -84,9 +84,9 @@ jobs:
           df -h
 
       # Projects dependent on flume, hdfs, hbase, and presto currently excluded from the scan.
-      - name: run "clean install verify" to trigger dependency check
+      - name: run "clean verify" to trigger dependency check
         if: ${{ steps.changes.outputs.poms == 'true' }}
-        run: mvn -q -B -ntp clean install verify -PskipDocker,owasp-dependency-check -DskipTests -pl '!pulsar-sql,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs'
+        run: mvn -q -B -ntp clean verify -PskipDocker,owasp-dependency-check -DskipTests -pl '!pulsar-sql,!distribution,!distribution/server,!distribution/io,!distribution/offloaders,!tiered-storage/file-system,!pulsar-io/flume,!pulsar-io/hbase,!pulsar-io/hdfs2,!pulsar-io/hdfs3,!pulsar-io/docs'
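Review bot: The `if: ${{ steps.changes.outputs.poms == 'true' }}` guard kept in this hunk means the dependency check runs only when a pom file changes, so a newly published CVE against an unchanged dependency surfaces only on the next unrelated pom edit, which is how this failure stayed hidden on branch-2.10 until a release build. Consider adding a `schedule` or `workflow_dispatch` trigger to the workflow (or not applying the guard on release branches) so the scan can run independently of pom changes.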

Review Comment:
   In this way we are removing the whole scan for the main distro! 
   We need to add suppressions for the presto dependencies if we cannot upgrade them.


