Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2021/12/08 11:52:35 UTC

[GitHub] [kafka] dongjinleekr opened a new pull request #11579: KAFKA-13518: Update gson and netty-codec in 3.0.0

dongjinleekr opened a new pull request #11579:
URL: https://github.com/apache/kafka/pull/11579


   Here is the fix. Since [spotbugs 4.5.1 was released just 12 hours ago](https://github.com/spotbugs/spotbugs/releases/tag/4.5.1), it would take a little bit to be synced with Maven Central.
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscribe@kafka.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [kafka] dongjinleekr commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1038916242


   @ijuma
   
   > Do you know if they intend to fix those?
   
   Oh yes, as you can see in the updated PR, I updated spotbugs to 4.5.3 following the gradle plugin 5.0.5, and rebased onto the latest trunk. It seems like there are a bunch of false positives in the recent version of spotbugs (below) but, I verified that none of them are affecting.
   
   ![20220214-191747](https://user-images.githubusercontent.com/2375128/153845590-2e90571a-6eaa-46d0-aa9f-43d76dbe0193.png)
   
   +1. They also have not fixed the issues I commented on in `spotbugs-exclude.xml` yet. I will follow up and apply them as soon as they fix them.





[GitHub] [kafka] dongjinleekr commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1039726499


   @ijuma If you don't mind: [CVE WS-2021-0419](https://github.com/protocolbuffers/protobuf/issues/9457) was introduced by gson 2.8.6, and this PR is to fix it.





[GitHub] [kafka] dongjinleekr commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1000996249


   retest this please.





[GitHub] [kafka] dongjinleekr commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1000995588


   @showuon Sorry for bothering. Here is the update. There were some updates on spotbugs between 4.2.2 and 4.5.2:
   
   - In 4.3.0, spotbugs improved their detection logic to detect : 





[GitHub] [kafka] ijuma commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
ijuma commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1039130031


   Should we wait until they fix these issues in SpotBugs? It doesn't look like the cost/benefit of upgrading here is favorable.





[GitHub] [kafka] dongjinleekr commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1000996220


   @showuon Sorry for bothering you. Here is the update. There were some [updates on spotbugs between 4.2.2 and 4.5.2](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md) and some previously-unfound problems are now detected:
   
   - In 4.3.0, spotbugs improved their detection logic for `MS_EXPOSE_REP`: 
   
     > `MS_EXPOSE_REP` and `EI_EXPOSE_REP` are now reported for code returning a reference to a mutable object indirectly (e.g. via a local variable)
   
   - In 4.4.2, spotbugs fixed some false positives for `DMI_RANDOM_USED_ONLY_ONCE` and started to detect some unfound problems:
   
     > `DMI_RANDOM_USED_ONLY_ONCE` false positive
   
   After the update, it works like a charm:
   ![20211225-180841](https://user-images.githubusercontent.com/2375128/147381814-079dc200-6322-43bd-a349-e8bb9907385e.png)
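   The two detector changes listed above, shown as an added illustration that is not Kafka's or SpotBugs' code (the class, field and method names are invented for the example). The first pair of methods shows the indirect return through a local variable that `EI_EXPOSE_REP` / `MS_EXPOSE_REP` report since 4.3.0, next to the defensive-copy form that does not leak the internal array; the last pair shows the `DMI_RANDOM_USED_ONLY_ONCE` pattern next to a reused generator.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Random;

// Added example (not project code): the coding patterns behind the SpotBugs
// detectors named in the PR comment, and the shape of code that does not trip them.
public final class ExposeRepExample {

    private final byte[] secret;                          // mutable internal state
    private final List<String> allowedHosts;
    private static final long[] COUNTERS = new long[4];   // hypothetical static state

    public ExposeRepExample(byte[] secret, List<String> allowedHosts) {
        this.secret = secret.clone();                                          // copy on the way in
        this.allowedHosts = Collections.unmodifiableList(new ArrayList<>(allowedHosts));
    }

    // EI_EXPOSE_REP as reported since SpotBugs 4.3.0: the reference escapes
    // indirectly through a local variable, so a caller can overwrite the bytes in place.
    public byte[] secretLeaky() {
        byte[] local = secret;
        return local;
    }

    // Clean form: hand out a copy; callers cannot alter the internal array.
    public byte[] secretCopy() {
        return secret.clone();
    }

    // The wrapped list rejects mutation, so returning it exposes nothing writable.
    public List<String> allowedHosts() {
        return allowedHosts;
    }

    // MS_EXPOSE_REP: a static method returning the mutable static array itself.
    public static long[] countersLeaky() {
        long[] view = COUNTERS;
        return view;
    }

    // Clean form: a snapshot the caller may scribble on freely.
    public static long[] countersSnapshot() {
        return Arrays.copyOf(COUNTERS, COUNTERS.length);
    }

    // DMI_RANDOM_USED_ONLY_ONCE: constructing a Random for a single draw.
    public int nonceLeaky() {
        return new Random().nextInt();
    }

    // Clean form: keep one generator; SecureRandom where the value guards anything.
    private static final SecureRandom RNG = new SecureRandom();

    public int nonce() {
        return RNG.nextInt();
    }

    public static void main(String[] args) {
        ExposeRepExample e = new ExposeRepExample(new byte[]{1, 2, 3}, List.of("broker-1"));
        e.secretLeaky()[0] = 99;   // mutates the object's internal state through the leaked reference
        System.out.println("after leaky write: " + Arrays.toString(e.secretCopy()));
        e.secretCopy()[0] = 7;     // only the copy changes
        System.out.println("after copy write:  " + Arrays.toString(e.secretCopy()));
    }
}
```

   Running `main` prints the internal array once after each write; the first write changes element 0, the second does not, which is exactly the difference the detector is pointing at. A finding judged to be a false positive is normally suppressed in the project's `spotbugs-exclude.xml` rather than by changing the code.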





[GitHub] [kafka] ijuma commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
ijuma commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1030531381


   Thanks for the PR. Seems like the new version has more false positives. Do you know if they intend to fix those?





[GitHub] [kafka] dongjinleekr removed a comment on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr removed a comment on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1000996249


   retest this please.





[GitHub] [kafka] dongjinleekr removed a comment on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr removed a comment on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1000995588


   @showuon Sorry for bothering. Here is the update. There were some updates on spotbugs between 4.2.2 and 4.5.2:
   
   - In 4.3.0, spotbugs improved their detection logic to detect : 





[GitHub] [kafka] dongjinleekr commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1000985229


   Hi @showuon,
   
   Here it is. I just updated the issue title to be clearer and updated the spotbugs dependency to 4.5.2.






[GitHub] [kafka] dongjinleekr commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1070139215


   Rebased onto the latest trunk. cc/ @ijuma





[GitHub] [kafka] dongjinleekr commented on pull request #11579: KAFKA-13518: Update gson dependency

Posted by GitBox <gi...@apache.org>.
dongjinleekr commented on pull request #11579:
URL: https://github.com/apache/kafka/pull/11579#issuecomment-1001590586


   @showuon My bad. I found several other false positives from other modules with spotbugs; they are now fixed. (Please see the comments.) :bow: 
   ![20211227-231700](https://user-images.githubusercontent.com/2375128/147480055-1561b67e-c68f-432d-9cd2-4e95b7b97d5d.png)
   

