Posted to issues@flink.apache.org by "yangjf2019 (via GitHub)" <gi...@apache.org> on 2023/04/16 13:02:45 UTC

[GitHub] [flink-kubernetes-operator] yangjf2019 opened a new pull request, #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

yangjf2019 opened a new pull request, #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567

   
   ## What is the purpose of the change
   
   *Upgrade the SnakeYaml Maven dependency from 1.33 to 2.0 to fix the container vulnerability [CVE-2022-1471](https://github.com/advisories/GHSA-mjmj-j48q-9wg2)*
   
   
   ## Brief change log
   
   *I modified some files in the project.*
   
   ## Verifying this change
   *I built the project locally and ran all the tests.*
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): (yes)
     - The public API, i.e., are there any changes to the `CustomResourceDescriptors`: (no)
     - Core observer or reconciler logic that is regularly executed: (no)
   
   ## Documentation
   
     - Does this pull request introduce a new feature? (no)
   
   Hi, @gyfora please take a look in your free time, thank you very much!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [flink-kubernetes-operator] yangjf2019 commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "yangjf2019 (via GitHub)" <gi...@apache.org>.
yangjf2019 commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1515657414

   The following exception was found in the error log and looks like a conflict with the snakeyaml package in `org.apache.flink:flink-kubernetes`.
   
   




[GitHub] [flink-kubernetes-operator] yangjf2019 closed pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "yangjf2019 (via GitHub)" <gi...@apache.org>.
yangjf2019 closed pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency
URL: https://github.com/apache/flink-kubernetes-operator/pull/567




[GitHub] [flink-kubernetes-operator] yangjf2019 commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "yangjf2019 (via GitHub)" <gi...@apache.org>.
yangjf2019 commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1515659259

   I understand that although I was able to compile the project locally, the CI was running with the lower version of the `org.yaml:snakeyaml:1.33` dependency in preference.


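The comment above is about Maven resolving the transitive `org.yaml:snakeyaml:1.33` ahead of the intended 2.0. As an added example (not code from the operator project or from the PR), the script below parses `mvn dependency:tree -Dverbose` output and flags any SnakeYAML node that Maven actually resolved below a minimum version, together with the dependency path that pulled it in. The tree text is a constructed sample; `<flink-version>` and `a.placeholder:library` are placeholders.

```python
"""Flag a resolved SnakeYAML below a minimum version in `mvn dependency:tree -Dverbose`
output. Added example for this thread, not code from the operator project."""
import re
from dataclasses import dataclass
from typing import List

WATCHED = "org.yaml:snakeyaml"  # groupId:artifactId named in the PR description
# "[INFO] " + tree-drawing prefix + optional "(" + coordinate + optional " - note)"
LINE_RE = re.compile(r"^\[INFO\] ([|+\\\- ]*)(\(?)([^\s)]+)(?: - ([^)]*))?\)?\s*$")

# Constructed sample, not real build output. Operator coordinate and 1.5-SNAPSHOT
# come from the CI log in this thread; the other coordinates are placeholders.
SAMPLE_TREE = """\
[INFO] org.apache.flink:flink-kubernetes-operator:jar:1.5-SNAPSHOT
[INFO] +- org.apache.flink:flink-kubernetes:jar:<flink-version>:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:1.33:compile
[INFO] \\- a.placeholder:library:jar:0.0:compile
[INFO]    \\- (org.yaml:snakeyaml:jar:2.0:compile - omitted for conflict with 1.33)
"""

@dataclass
class Node:
    version: str
    resolved: bool  # False when Maven printed it in parentheses (omitted)
    path: str       # root -> ... -> artifact, as groupId:artifactId chain
    note: str       # Maven's reason for omitting, else ""

def version_key(v: str) -> tuple:
    """Numeric-prefix compare: "1.33" < "2.0"; "1.5-SNAPSHOT" -> (1, 5)."""
    key = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)

def find_nodes(tree_text: str, ga: str = WATCHED) -> List[Node]:
    """Walk the tree; indentation is 3 characters per depth level."""
    stack: List[str] = []
    found: List[Node] = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, paren, coord, note = m.groups()
        parts = coord.split(":")          # g:a:type[:classifier]:version[:scope]
        version = parts[3] if len(parts) <= 5 else parts[4]
        del stack[len(indent) // 3:]      # pop back to this node's parent
        stack.append(f"{parts[0]}:{parts[1]}")
        if stack[-1] == ga:
            found.append(Node(version, paren == "", " -> ".join(stack), note or ""))
    return found

def resolved_below(tree_text: str, minimum: str, ga: str = WATCHED) -> List[Node]:
    """Nodes Maven really resolved (not omitted) that are older than `minimum`."""
    return [n for n in find_nodes(tree_text, ga)
            if n.resolved and version_key(n.version) < version_key(minimum)]
```

Run `resolved_below(SAMPLE_TREE, "2.0")` to see the 1.33 node and the `flink-kubernetes` path that brings it in; an empty list means every resolved copy meets the minimum.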


[GitHub] [flink-kubernetes-operator] yangjf2019 commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "yangjf2019 (via GitHub)" <gi...@apache.org>.
yangjf2019 commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1517823027

   I found that the exception is generated when I commit `e2e-tests/data/flinkdep-cr.yaml` and run `default/flink-example-statemachine`, do we need to upgrade the flink version first? 
   
   https://github.com/apache/flink-kubernetes-operator/blob/main/e2e-tests/data/flinkdep-cr.yaml#L50
   https://github.com/apache/flink-kubernetes-operator/blob/main/e2e-tests/data/multi-sessionjob.yaml#L131-L145
   https://github.com/apache/flink-kubernetes-operator/blob/main/e2e-tests/data/sessionjob-cr.yaml#L79
   
   
   https://github.com/apache/flink-kubernetes-operator/actions/runs/4750576429/jobs/8439813076
   




[GitHub] [flink-kubernetes-operator] mbalassi commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "mbalassi (via GitHub)" <gi...@apache.org>.
mbalassi commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1514696875

   Hi @yangjf2019!
   
   Running the e2es for hours is certainly unintended, we might be running out of CI instance quota on the Apache github account. 😞 However in your case the test that was in question has already failed again:
   https://github.com/apache/flink-kubernetes-operator/actions/runs/4713456354/jobs/8417515967?pr=567




[GitHub] [flink-kubernetes-operator] yangjf2019 commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "yangjf2019 (via GitHub)" <gi...@apache.org>.
yangjf2019 commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1515584808

   Well, thank you, maybe I should check the unit tests. But when I run the mvn command locally, I can compile the project normally.
   
   




[GitHub] [flink-kubernetes-operator] yangjf2019 commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "yangjf2019 (via GitHub)" <gi...@apache.org>.
yangjf2019 commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1526847015

   Okay, I'll fix it, thanks!




[GitHub] [flink-kubernetes-operator] gyfora commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "gyfora (via GitHub)" <gi...@apache.org>.
gyfora commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1522982917

   Can you please also update the [NOTICE](https://github.com/apache/flink-kubernetes-operator/blob/main/flink-kubernetes-operator/src/main/resources/META-INF/NOTICE) file accordingly?




[GitHub] [flink-kubernetes-operator] yangjf2019 commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "yangjf2019 (via GitHub)" <gi...@apache.org>.
yangjf2019 commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1514677539

   Hello @mbalassi , may I ask why flink e2e tests will run for more than 5 hours? And I can't see the run log.
   




[GitHub] [flink-kubernetes-operator] mbalassi commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "mbalassi (via GitHub)" <gi...@apache.org>.
mbalassi commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1514314207

   The CI failed on the second attempt with the following:
   
   ```
   Error:  Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 63.246 s <<< FAILURE! - in org.apache.flink.kubernetes.operator.FlinkOperatorITCase
   Error:  org.apache.flink.kubernetes.operator.FlinkOperatorITCase.test  Time elapsed: 62.766 s  <<< ERROR!
   org.awaitility.core.ConditionTimeoutException: 
   Assertion condition defined as a org.apache.flink.kubernetes.operator.FlinkOperatorITCase 
   Expected: is <true>
        but: was <false> within 1 minutes.
   	at flink.kubernetes.operator@1.5-SNAPSHOT/org.apache.flink.kubernetes.operator.FlinkOperatorITCase.test(FlinkOperatorITCase.java:95)
   Caused by: java.lang.AssertionError: 
   
   Expected: is <true>
        but: was <false>
   	at flink.kubernetes.operator@1.5-SNAPSHOT/org.apache.flink.kubernetes.operator.FlinkOperatorITCase.lambda$test$1(FlinkOperatorITCase.java:97)
   ```
   Given this could possibly be a timeout issue I retriggered the run.




[GitHub] [flink-kubernetes-operator] gyfora commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "gyfora (via GitHub)" <gi...@apache.org>.
gyfora commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1524742789

   I can't run the CI until you resolve the merge conflict




[GitHub] [flink-kubernetes-operator] yangjf2019 commented on pull request #567: [FLINK-31815] Fixing the container vulnerability by upgrade the SnakeYaml Maven dependency

Posted by "yangjf2019 (via GitHub)" <gi...@apache.org>.
yangjf2019 commented on PR #567:
URL: https://github.com/apache/flink-kubernetes-operator/pull/567#issuecomment-1524470721

   Ok, I've updated this file, please take a look, thanks!

