Posted to dev@phoenix.apache.org by Istvan Toth <st...@apache.org> on 2022/10/20 08:04:36 UTC

icu4j / i18n-util upgrade

Hi!

Our icu4j version has CVEs.
It is pulled in via com.salesforce.i18n:i18n-util

[INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
[INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
[INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile


https://github.com/salesforce/i18n-util is marked as archived, and the
committer names are not familiar to me.

Do you think that it is possible to have a new release with a recent icu4j
version?

If not, should we

A.) Dependencymanage icu4j (haven't tested if it works yet)
B.) Copy the necessary i18n-util code directly to the Phoenix codebase, and
drop the dependency (it's small)
?

regards
Istvan
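Option A above means overriding the version of the transitive icu4j artifacts from the consuming project's own POM. The fragment below is an added illustration of that override, not code from the thread or from the Phoenix project; ICU4J_VERSION is a placeholder, not a real release number.

```xml
<!-- Added example, not from the thread or the Phoenix project: pin the
     icu4j artifacts pulled in transitively by i18n-util to a release of
     your choosing. ICU4J_VERSION is a placeholder; pick a current release. -->
<properties>
  <icu4j.version>ICU4J_VERSION</icu4j.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Keep all three ICU artifacts on the same version; i18n-util
         declares each of them separately (see the dependency tree above). -->
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j</artifactId>
      <version>${icu4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j-localespi</artifactId>
      <version>${icu4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j-charset</artifactId>
      <version>${icu4j.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

A managed version wins over the version declared by i18n-util, so `mvn dependency:tree -Dincludes=com.ibm.icu` should afterwards list only the pinned version. The check this does not do is API compatibility: 60.2 to a current release is several major versions, so the code paths that use i18n-util still need to be exercised by tests before trusting the bump.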

Re: icu4j / i18n-util upgrade

Posted by Istvan Toth <st...@cloudera.com.INVALID>.
Thanks Andrew, I accepted the OWASP report at face value.

The sad reality today is that it is easier to do a needless version bump
than to get
users to understand and accept that a static code analysis tool gives false
positives.

Anyway, keeping dependencies up-to-date even without CVEs is generally a
good thing.

Opened https://issues.apache.org/jira/browse/PHOENIX-6818 to track this.

Istvan

On Thu, Oct 20, 2022 at 5:42 PM Andrew Purtell <an...@gmail.com>
wrote:

> The CVE is for the C++ icu library not icu4j but <shrug>?
>
> We did A where I work and it did what you’d expect and shut up the vuln
> scanner.
>
> +1 for B. The code is compatibly licensed and not that much. Other options
> carry functionality loss risks or dev work. Dropping it in place is low
> risk and low effort. Longer term you may decide to go in a different
> direction, which is fine, it would be in tree and modifiable.
>
> > On Oct 20, 2022, at 1:05 AM, Istvan Toth <st...@apache.org> wrote:
> >
> > Hi!
> >
> > Our icu4j version has CVEs.
> > It is pulled in via com.salesforce.i18n:i18n-util
> >
> > [INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
> > [INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
> > [INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
> > [INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
> > [INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile
> >
> >
> > https://github.com/salesforce/i18n-util is marked as archived, and the
> > committer names are not familiar to me.
> >
> > Do you think that it is possible to have a new release with a recent
> > icu4j version?
> >
> > If not, should we
> >
> > A.) Dependencymanage icu4j (haven't tested if it works yet)
> > B.) Copy the necessary i18n-util code directly to the Phoenix codebase,
> and
> > drop the dependency (it's small)
> > ?
> >
> > regards
> > Istvan
>


-- 
*István Tóth* | Sr. Staff Software Engineer
*Email*: stoty@cloudera.com
cloudera.com <https://www.cloudera.com>
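The reply above describes the usual outcome once a scanner finding turns out to be a name match on a different product: either bump the version anyway, or record why the finding does not apply. The file below is an added example of the second path for OWASP dependency-check, not from the thread or from the Phoenix project; the CPE value is a placeholder to be copied from the actual report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: a dependency-check suppression for
     a finding that was verified to describe the native (C/C++) ICU library
     rather than icu4j. "cpe:/a:VENDOR:PRODUCT" is a placeholder; copy the
     exact CPE string from the scanner's report. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Finding matched on product name only. The referenced advisory concerns
      the native ICU (C/C++) library; icu4j is a separate Java implementation.
      Reviewed by: <reviewer>, <date>. Revisit when icu4j is upgraded.
    ]]></notes>
    <!-- Scope the suppression to the three ICU Java artifacts only -->
    <packageUrl regex="true">^pkg:maven/com\.ibm\.icu/icu4j(-localespi|-charset)?@.*$</packageUrl>
    <!-- Suppress by CPE rather than by individual CVE id, so every future
         advisory for the C++ library does not re-open the same discussion -->
    <cpe>cpe:/a:VENDOR:PRODUCT</cpe>
  </suppress>
</suppressions>
```

The file is referenced from the dependency-check plugin's configuration (a `suppressionFiles` entry in the Maven plugin). The trade-off of suppressing by CPE is that a genuine icu4j advisory published under the same CPE would be hidden too, which is why the notes name the reviewer and tie the suppression to the current version: the suppression is expected to be re-examined at the next upgrade, not kept indefinitely.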

Re: icu4j / i18n-util upgrade

Posted by Andrew Purtell <an...@gmail.com>.
The CVE is for the C++ icu library not icu4j but <shrug>?

We did A where I work and it did what you’d expect and shut up the vuln scanner. 

+1 for B. The code is compatibly licensed and not that much. Other options carry functionality loss risks or dev work. Dropping it in place is low risk and low effort. Longer term you may decide to go in a different direction, which is fine, it would be in tree and modifiable.

> On Oct 20, 2022, at 1:05 AM, Istvan Toth <st...@apache.org> wrote:
> 
> Hi!
> 
> Our icu4j version has CVEs.
> It is pulled in via com.salesforce.i18n:i18n-util
> 
> [INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
> [INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
> [INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
> [INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
> [INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile
> 
> 
> https://github.com/salesforce/i18n-util is marked as archived, and the
> committer names are not familiar to me.
> 
> Do you think that it is possible to have a new release with a recent icu4j
> version?
> 
> If not, should we
> 
> A.) Dependencymanage icu4j (haven't tested if it works yet)
> B.) Copy the necessary i18n-util code directly to the Phoenix codebase, and
> drop the dependency (it's small)
> ?
> 
> regards
> Istvan