Posted to commits@pulsar.apache.org by "massakam (via GitHub)" <gi...@apache.org> on 2023/03/07 07:35:05 UTC

[GitHub] [pulsar] massakam opened a new pull request, #19736: [fix][sec] Bump snakeyaml to 2.0

massakam opened a new pull request, #19736:
URL: https://github.com/apache/pulsar/pull/19736

   ### Motivation
   
   There was an unfixed security vulnerability [CVE-2022-1471](https://www.cve.org/CVERecord?id=CVE-2022-1471) in snakeyaml v1.x, and version 2.0 was recently released with this fix.
   
   ### Modifications
   
   Upgraded snakeyaml from 1.32 to 2.0. This is a major version upgrade, and according to [the snakeyaml changelog](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes), 2.0 contains some backwards-incompatible changes. However, there is no Java code that uses snakeyaml directly in this repository, and there is no code to change.
   
   ### Verifying this change
   
   - [ ] Make sure that the change passes the CI checks.
   
   ### Documentation
   
   <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
   
   - [ ] `doc` <!-- Your PR contains doc changes. -->
   - [ ] `doc-required` <!-- Your PR changes impact docs and you will update later -->
   - [ ] `doc-not-needed` <!-- Your PR changes do not impact docs -->
   - [ ] `doc-complete` <!-- Docs have been already added -->


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] massakam commented on pull request #19736: [fix][sec] Bump snakeyaml to 2.0

Posted by "massakam (via GitHub)" <gi...@apache.org>.
massakam commented on PR #19736:
URL: https://github.com/apache/pulsar/pull/19736#issuecomment-1457715199

   Some tests failed. It seems impossible to upgrade snakeyaml at least until jackson-dataformat-yaml is fixed.
   ```
     Error:  Tests run: 8, Failures: 1, Errors: 0, Skipped: 3, Time elapsed: 4.55 s <<< FAILURE! - in org.apache.pulsar.io.alluxio.sink.AlluxioSinkConfigTest
     Error:  loadFromYamlFileTest(org.apache.pulsar.io.alluxio.sink.AlluxioSinkConfigTest)  Time elapsed: 0.012 s  <<< FAILURE!
     java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
     	at com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:178)
     	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createParser(YAMLFactory.java:466)
     	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:354)
     	at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:15)
     	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3494)
     	at org.apache.pulsar.io.alluxio.sink.AlluxioSinkConfig.load(AlluxioSinkConfig.java:97)
     	at org.apache.pulsar.io.alluxio.sink.AlluxioSinkConfigTest.loadFromYamlFileTest(AlluxioSinkConfigTest.java:41)
     	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
     	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
     	at org.testng.internal.invokers.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:139)
     	at org.testng.internal.invokers.InvokeMethodRunnable.runOne(InvokeMethodRunnable.java:47)
     	at org.testng.internal.invokers.InvokeMethodRunnable.call(InvokeMethodRunnable.java:76)
     	at org.testng.internal.invokers.InvokeMethodRunnable.call(InvokeMethodRunnable.java:11)
     	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
     	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
     	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
     	at java.base/java.lang.Thread.run(Thread.java:833)
   ```



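A classpath probe for the failure reported in the comment above, as an added example that is not part of the pull request or the Pulsar code base: it checks by reflection whether the `ParserImpl(StreamReader)` constructor named in the `NoSuchMethodError` is present and reports which jar supplied the class. The class name `SnakeYamlAbiProbe` is hypothetical; the two SnakeYAML class names are taken from the stack trace.

```java
import java.lang.reflect.Constructor;
import java.security.CodeSource;

/** Added example: fails fast when the SnakeYAML on the classpath lacks ParserImpl(StreamReader). */
public class SnakeYamlAbiProbe {

    // Both names come from the NoSuchMethodError in the stack trace above.
    static final String PARSER = "org.yaml.snakeyaml.parser.ParserImpl";
    static final String READER = "org.yaml.snakeyaml.reader.StreamReader";

    /** True if the public constructor ParserImpl(StreamReader) can be resolved. */
    static boolean hasParserImplStreamReaderCtor(ClassLoader cl) throws ClassNotFoundException {
        // initialize=false: only inspect the classes, do not run their static initializers.
        Class<?> parser = Class.forName(PARSER, false, cl);
        Class<?> reader = Class.forName(READER, false, cl);
        try {
            parser.getConstructor(reader);
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = SnakeYamlAbiProbe.class.getClassLoader();
        Class<?> parser = Class.forName(PARSER, false, cl);

        // The jar location shows which SnakeYAML version dependency resolution actually picked.
        CodeSource src = parser.getProtectionDomain().getCodeSource();
        System.out.println("ParserImpl loaded from: " + (src == null ? "unknown" : src.getLocation()));

        // List what is available so the mismatch is visible in the build log.
        for (Constructor<?> c : parser.getConstructors()) {
            System.out.println("  available: " + c);
        }

        if (!hasParserImplStreamReaderCtor(cl)) {
            System.err.println("ParserImpl(StreamReader) is missing; a caller compiled against it "
                    + "will throw NoSuchMethodError when it creates a YAML parser.");
            System.exit(1);
        }
        System.out.println("ParserImpl(StreamReader) is present.");
    }
}
```

Run it with the same runtime classpath as the failing module so that it sees the SnakeYAML jar that dependency resolution selected.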

[GitHub] [pulsar] massakam closed pull request #19736: [fix][sec] Bump snakeyaml to 2.0

Posted by "massakam (via GitHub)" <gi...@apache.org>.
massakam closed pull request #19736: [fix][sec] Bump snakeyaml to 2.0
URL: https://github.com/apache/pulsar/pull/19736

