Posted to commits@pulsar.apache.org by ni...@apache.org on 2022/05/13 15:56:24 UTC

[pulsar] branch branch-2.10 updated (50d1b6f7a84 -> b9210b96be2)

This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a change to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git


    from 50d1b6f7a84 [improve][test] Replace @BeforeTest with @BeforeClass in ProducerBuilderImplTest (#15566)
     new d7ffe4f6610 [fix][auth] Athenz: do not use uber-jar and bump to 1.10.50 (#14884)
     new de9c718c6d3 [owasp] suppress debezium-connector-postgres CVE-2021-23214 false positive (#14802)
     new 8263a110f3a [owasp] Suppress MariaDB false positives (#15243)
     new 70b484a6749 [fix][security] Upgrade Spring Context in Pulsar IO batch-data-generator to get rid of CVE-2022-22965 (#14975)
     new 08fa2cf5be2 [fix][security] Upgrade MySQL connector to 8.0.28 to get rid of CVE-2021-3711 (#14998)
     new b9210b96be2 Remove --illegal-access errors resulting from Google Guice - Pulsar IO, Offloaders and Pulsar SQL - Bump Guice to 5.1.0 (#14300)

The 6 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .github/workflows/ci-owasp-dep-check.yaml      |  2 ++
 pom.xml                                        | 21 +++++++++++++++----
 pulsar-client-auth-athenz/pom.xml              |  2 +-
 pulsar-io/data-generator/pom.xml               | 12 -----------
 pulsar-io/debezium/mysql/pom.xml               | 10 +++++++++
 pulsar-sql/presto-distribution/LICENSE         |  3 +--
 pulsar-sql/presto-distribution/pom.xml         | 12 ++++-------
 src/owasp-dependency-check-false-positives.xml | 29 ++++++++++++++++++++++++++
 tiered-storage/jcloud/pom.xml                  | 13 ------------
 9 files changed, 64 insertions(+), 40 deletions(-)


[pulsar] 01/06: [fix][auth] Athenz: do not use uber-jar and bump to 1.10.50 (#14884)

Posted by ni...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit d7ffe4f6610739a61808430f1e08e1c0594f4ff4
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Tue Mar 29 09:13:47 2022 +0200

    [fix][auth] Athenz: do not use uber-jar and bump to 1.10.50 (#14884)
    
    (cherry picked from commit cffe28a69379cc4641bac0dd2f03cd9b40779aec)
---
 pom.xml                           | 4 ++--
 pulsar-client-auth-athenz/pom.xml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index fe7526f5781..e17ce0a1c38 100644
--- a/pom.xml
+++ b/pom.xml
@@ -115,7 +115,7 @@ flexible messaging model and an intuitive client API.</description>
     <jetty.version>9.4.44.v20210927</jetty.version>
     <conscrypt.version>2.5.2</conscrypt.version>
     <jersey.version>2.34</jersey.version>
-    <athenz.version>1.10.9</athenz.version>
+    <athenz.version>1.10.50</athenz.version>
     <prometheus.version>0.5.0</prometheus.version>
     <vertx.version>3.9.8</vertx.version>
     <rocksdb.version>6.10.2</rocksdb.version>
@@ -807,7 +807,7 @@ flexible messaging model and an intuitive client API.</description>
 
       <dependency>
         <groupId>com.yahoo.athenz</groupId>
-        <artifactId>athenz-zts-java-client</artifactId>
+        <artifactId>athenz-zts-java-client-core</artifactId>
         <version>${athenz.version}</version>
       </dependency>
 
diff --git a/pulsar-client-auth-athenz/pom.xml b/pulsar-client-auth-athenz/pom.xml
index 81a58f48575..ac112c812d9 100644
--- a/pulsar-client-auth-athenz/pom.xml
+++ b/pulsar-client-auth-athenz/pom.xml
@@ -44,7 +44,7 @@
 
     <dependency>
       <groupId>com.yahoo.athenz</groupId>
-      <artifactId>athenz-zts-java-client</artifactId>
+      <artifactId>athenz-zts-java-client-core</artifactId>
     </dependency>
 
     <dependency>


[pulsar] 02/06: [owasp] suppress debezium-connector-postgres CVE-2021-23214 false positive (#14802)

Posted by ni...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit de9c718c6d36a39f77de69ef3dc03fd41c5db489
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Mon Mar 28 18:16:38 2022 +0200

    [owasp] suppress debezium-connector-postgres CVE-2021-23214 false positive (#14802)
    
    Let's get this in and unblock flaky tests
    
    (cherry picked from commit d03e2d32064d2d52b437c7700078f4a7a4dca2e7)
---
 .github/workflows/ci-owasp-dep-check.yaml      | 2 ++
 src/owasp-dependency-check-false-positives.xml | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/.github/workflows/ci-owasp-dep-check.yaml b/.github/workflows/ci-owasp-dep-check.yaml
index 150156b30ec..bcce2b78368 100644
--- a/.github/workflows/ci-owasp-dep-check.yaml
+++ b/.github/workflows/ci-owasp-dep-check.yaml
@@ -51,6 +51,8 @@ jobs:
             poms:
               - 'pom.xml'
               - '**/pom.xml'
+              - 'src/owasp-dependency-check-false-positives.xml'
+              - 'src/owasp-dependency-check-suppressions.xml'
 
       - name: Cache local Maven repository
         if: ${{ steps.changes.outputs.poms == 'true' }}
diff --git a/src/owasp-dependency-check-false-positives.xml b/src/owasp-dependency-check-false-positives.xml
index 7b945a2bbc9..191f9d6b02f 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -59,4 +59,13 @@
     <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
     <cpe>cpe:/a:netty:netty</cpe>
   </suppress>
+
+  <!-- CVE-2021-23214 is about PostGre server -->
+  <suppress>
+    <notes><![CDATA[
+   file name: debezium-connector-postgres-1.7.2.Final.jar
+   ]]></notes>
+    <sha1>69c1edfa7d89531af511fcd07e8516fa450f746a</sha1>
+    <cve>CVE-2021-23214</cve>
+  </suppress>
 </suppressions>
\ No newline at end of file
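Review bot: The justification for suppressing CVE-2021-23214 lives in an XML comment above the `<suppress>` element rather than in its `<notes>`, so only the jar file name travels with the suppression and the reason is lost to anyone reading the dependency-check output; the comment also misspells the product as "PostGre". Suggest folding the rationale into the notes, e.g. `<notes><![CDATA[ file name: debezium-connector-postgres-1.7.2.Final.jar — CVE-2021-23214 affects the PostgreSQL server; this jar is the Debezium connector (a client), so the match is a false positive ]]></notes>`. Pinning on `<sha1>` is the right choice here since the suppression expires automatically when the jar is bumped and the finding must be re-evaluated. The hunk also leaves the file without a trailing newline, which will keep producing noise in every later diff to this file.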


[pulsar] 03/06: [owasp] Suppress MariaDB false positives (#15243)

Posted by ni...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 8263a110f3ab01fdea170ac04b478c80447feadf
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Fri Apr 22 16:53:31 2022 +0200

    [owasp] Suppress MariaDB false positives (#15243)
    
    * [owasp] Suppress MariaDB false positives
    
    * group suppressions
    
    (cherry picked from commit 22c0d94c67345a0011f618c2c8faeeda1a1b0418)
---
 src/owasp-dependency-check-false-positives.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/owasp-dependency-check-false-positives.xml b/src/owasp-dependency-check-false-positives.xml
index 191f9d6b02f..cd5de474562 100644
--- a/src/owasp-dependency-check-false-positives.xml
+++ b/src/owasp-dependency-check-false-positives.xml
@@ -68,4 +68,24 @@
     <sha1>69c1edfa7d89531af511fcd07e8516fa450f746a</sha1>
     <cve>CVE-2021-23214</cve>
   </suppress>
+
+<!--  MariaDB client is being confused with MariaDB server-->
+  <suppress>
+    <notes><![CDATA[
+   file name: mariadb-java-client-2.7.5.jar
+   ]]></notes>
+    <sha1>9dd29797ecabe7d2e7fa892ec6713a5552cfcc59</sha1>
+    <cve>CVE-2022-27376</cve>
+    <cve>CVE-2022-27377</cve>
+    <cve>CVE-2022-27378</cve>
+    <cve>CVE-2022-27379</cve>
+    <cve>CVE-2022-27380</cve>
+    <cve>CVE-2022-27381</cve>
+    <cve>CVE-2022-27382</cve>
+    <cve>CVE-2022-27383</cve>
+    <cve>CVE-2022-27384</cve>
+    <cve>CVE-2022-27385</cve>
+    <cve>CVE-2022-27386</cve>
+    <cve>CVE-2022-27387</cve>
+  </suppress>
 </suppressions>
\ No newline at end of file
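Review bot: The `<!--  MariaDB client is being confused with MariaDB server-->` comment is at column 0 while the preceding suppression's comment and every `<suppress>` block are indented two spaces, and as in the previous commit the rationale sits outside the `<suppress>` element instead of in its `<notes>`; suggest `<notes><![CDATA[ file name: mariadb-java-client-2.7.5.jar — CVE-2022-27376..27387 are MariaDB server issues; the Java client is misidentified ]]></notes>`. Enumerating twelve CVE ids also means this list has to be extended each time a new MariaDB server CVE is published while the same misidentification persists. The file already uses the `<packageUrl regex="true">` plus `<cpe>` form for netty-tcnative at the top of this hunk's context, which suppresses the wrong CPE match at its source; the trade-off is that it would also hide any genuine Connector/J CVE catalogued under that CPE, so whichever form is kept, the choice should be recorded in the notes. The missing trailing newline persists in this commit as well.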


[pulsar] 04/06: [fix][security] Upgrade Spring Context in Pulsar IO batch-data-generator to get rid of CVE-2022-22965 (#14975)

Posted by ni...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 70b484a6749135ebcbab3f85ebfb9d70b0293f48
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Thu Mar 31 23:16:19 2022 +0200

    [fix][security] Upgrade Spring Context in Pulsar IO batch-data-generator to get rid of CVE-2022-22965 (#14975)
    
    (cherry picked from commit 63c5a62cb672ab6b00ad2a231618374c9be0121f)
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e17ce0a1c38..f5b51f269da 100644
--- a/pom.xml
+++ b/pom.xml
@@ -203,7 +203,7 @@ flexible messaging model and an intuitive client API.</description>
     <kotlin-stdlib.version>1.4.32</kotlin-stdlib.version>
     <nsq-client.version>1.0</nsq-client.version>
     <cron-utils.version>9.1.6</cron-utils.version>
-    <spring-context.version>5.3.15</spring-context.version>
+    <spring-context.version>5.3.18</spring-context.version>
     <apache-http-client.version>4.5.13</apache-http-client.version>
     <jetcd.version>0.5.11</jetcd.version>
     <snakeyaml.version>1.30</snakeyaml.version>


[pulsar] 05/06: [fix][security] Upgrade MySQL connector to 8.0.28 to get rid of CVE-2021-3711 (#14998)

Posted by ni...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 08fa2cf5be292080882966c4551d7a6a5872be13
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Wed Apr 6 12:04:06 2022 +0200

    [fix][security] Upgrade MySQL connector to 8.0.28 to get rid of CVE-2021-3711 (#14998)
    
    (cherry picked from commit 1df46db634ac360b10db0a7cad6fada321031477)
---
 pom.xml                          |  1 +
 pulsar-io/debezium/mysql/pom.xml | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/pom.xml b/pom.xml
index f5b51f269da..d99277c0797 100644
--- a/pom.xml
+++ b/pom.xml
@@ -162,6 +162,7 @@ flexible messaging model and an intuitive client API.</description>
     <scala-library.version>2.13.6</scala-library.version>
     <debezium.version>1.7.2.Final</debezium.version>
     <debezium.postgresql.version>42.2.25</debezium.postgresql.version>
+    <debezium.mysql.version>8.0.28</debezium.mysql.version>
     <jsonwebtoken.version>0.11.1</jsonwebtoken.version>
     <opencensus.version>0.28.0</opencensus.version>
     <hbase.version>2.4.9</hbase.version>
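Review bot: The new `debezium.mysql.version` property (8.0.28) is added next to an existing `mysql-jdbc.version`, which the context of the later pom.xml hunk in this series shows still at 8.0.11, so the root pom now carries two versions for what is presumably the same mysql-connector-java artifact and only the Debezium MySQL module receives the CVE-2021-3711 fix. If `mysql-jdbc.version` also resolves mysql-connector-java in other modules (not visible here), those remain on the vulnerable line and the upgrade should be applied there too, or the two properties collapsed into one, e.g. `<mysql-jdbc.version>8.0.28</mysql-jdbc.version>` reused by the Debezium module. Failing that, a one-line comment on the new property saying why it must differ from `mysql-jdbc.version` would stop the next reader from "fixing" the duplication by deleting the wrong one.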
diff --git a/pulsar-io/debezium/mysql/pom.xml b/pulsar-io/debezium/mysql/pom.xml
index 779bebf48d4..2c87b35388e 100644
--- a/pulsar-io/debezium/mysql/pom.xml
+++ b/pulsar-io/debezium/mysql/pom.xml
@@ -46,6 +46,16 @@
 
   </dependencies>
 
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>mysql</groupId>
+        <artifactId>mysql-connector-java</artifactId>
+        <version>${debezium.mysql.version}</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
 
   <build>
     <plugins>
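Review bot: The added blank line after `</dependencyManagement>` followed by the existing blank context line leaves two consecutive empty lines before `<build>`, inconsistent with the single-blank separation used elsewhere in the hunk; drop the trailing `+` blank line. Note also that a module-level `<dependencyManagement>` only pins the version of a dependency that arrives transitively (presumably via the Debezium MySQL connector, not shown here) and does not add it, so if the transitive path ever disappears this entry silently becomes inert rather than failing the build; a short comment such as `<!-- pin mysql-connector-java pulled in transitively by the Debezium connector (CVE-2021-3711) -->` would make that dependency explicit.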


[pulsar] 06/06: Remove --illegal-access errors resulting from Google Guice - Pulsar IO, Offloaders and Pulsar SQL - Bump Guice to 5.1.0 (#14300)

Posted by ni...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit b9210b96be226c2c09c27756556918ab3be8c081
Author: Nicolò Boschi <bo...@gmail.com>
AuthorDate: Thu Feb 17 13:37:27 2022 +0100

    Remove --illegal-access errors resulting from Google Guice - Pulsar IO, Offloaders and Pulsar SQL - Bump Guice to 5.1.0 (#14300)
    
    * Remove --illegal-access errors resulting from Google Guice - Batch Data Generator connector
    
    * and jcloud-shaded
    
    * use dependencyManagement
    
    * fix pulsar-sql
    
    (cherry picked from commit 332eca8279bb145b3b272d93806f4c89f8a8923f)
---
 pom.xml                                | 14 +++++++++++++-
 pulsar-io/data-generator/pom.xml       | 12 ------------
 pulsar-sql/presto-distribution/LICENSE |  3 +--
 pulsar-sql/presto-distribution/pom.xml | 12 ++++--------
 tiered-storage/jcloud/pom.xml          | 13 -------------
 5 files changed, 18 insertions(+), 36 deletions(-)

diff --git a/pom.xml b/pom.xml
index d99277c0797..17847d9d613 100644
--- a/pom.xml
+++ b/pom.xml
@@ -148,7 +148,7 @@ flexible messaging model and an intuitive client API.</description>
     <avro.version>1.10.2</avro.version>
     <joda.version>2.10.5</joda.version>
     <jclouds.version>2.4.0</jclouds.version>
-    <guice.version>5.0.1</guice.version>
+    <guice.version>5.1.0</guice.version>
     <sqlite-jdbc.version>3.8.11.2</sqlite-jdbc.version>
     <mysql-jdbc.version>8.0.11</mysql-jdbc.version>
     <postgresql-jdbc.version>42.2.25</postgresql-jdbc.version>
@@ -625,6 +625,18 @@ flexible messaging model and an intuitive client API.</description>
         <version>${guava.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>com.google.inject</groupId>
+        <artifactId>guice</artifactId>
+        <version>${guice.version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>com.google.inject.extensions</groupId>
+        <artifactId>guice-assistedinject</artifactId>
+        <version>${guice.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-lang3</artifactId>
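Review bot: The two new managed Guice entries carry no explanation, while the module-level declarations they replace later in this commit (pulsar-io/data-generator/pom.xml and tiered-storage/jcloud/pom.xml) drop the `<!-- https://github.com/apache/jclouds/pull/123/files-->` pointer that recorded why a Guice override was needed at all, so that rationale disappears from the tree. Suggest a comment above the first entry, e.g. `<!-- Pin Guice for modules that only receive it transitively (jclouds, Pulsar IO connectors); 5.x removes the --illegal-access reflection warnings, see #14300 -->`. Since those modules previously declared Guice with `<scope>runtime</scope>` and now rely on a transitive path, it is worth stating in the same comment that the pin, not a direct declaration, is the intended mechanism.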
diff --git a/pulsar-io/data-generator/pom.xml b/pulsar-io/data-generator/pom.xml
index a92ea914a43..9286fe6ba56 100644
--- a/pulsar-io/data-generator/pom.xml
+++ b/pulsar-io/data-generator/pom.xml
@@ -49,18 +49,6 @@
             <artifactId>jfairy</artifactId>
             <version>0.5.9</version>
         </dependency>
-        <dependency>
-            <groupId>com.google.inject</groupId>
-            <artifactId>guice</artifactId>
-            <version>${guice.version}</version>
-            <scope>runtime</scope>
-        </dependency>
-        <dependency>
-            <groupId>com.google.inject.extensions</groupId>
-            <artifactId>guice-assistedinject</artifactId>
-            <version>${guice.version}</version>
-            <scope>runtime</scope>
-        </dependency>
 
         <dependency>
             <groupId>org.apache.avro</groupId>
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
index 9ba14376164..3829cf15a98 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -225,8 +225,7 @@ The Apache Software License, Version 2.0
     - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
     - failureaccess-1.0.1.jar
  * Google Guice
-    - guice-4.2.3.jar
-    - guice-multibindings-4.2.0.jar
+    - guice-5.1.0.jar
  * Apache Commons
     - commons-math3-3.6.1.jar
     - commons-compress-1.21.jar
diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml
index 23ce147b4db..578ec7aaa33 100644
--- a/pulsar-sql/presto-distribution/pom.xml
+++ b/pulsar-sql/presto-distribution/pom.xml
@@ -38,7 +38,6 @@
     <airlift.version>0.170</airlift.version>
     <objenesis.version>2.6</objenesis.version>
     <objectsize.version>0.0.12</objectsize.version>
-    <guice.version>4.2.0</guice.version>
     <jackson.version>2.13.2</jackson.version>
     <!--fix Security Vulnerabilities-->
     <!--https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html-->
@@ -100,6 +99,10 @@
           <groupId>javax.activation</groupId>
           <artifactId>activation</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>com.google.inject.extensions</groupId>
+          <artifactId>guice-multibindings</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
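Review bot: The new `guice-multibindings` exclusion has no comment explaining why the artifact is excluded rather than upgraded, and the enclosing `<dependency>` whose groupId/artifactId it applies to starts outside the hunk, so a reader of this section cannot tell which transitive path is being cut. The LICENSE hunk in the same commit drops `guice-multibindings-4.2.0.jar` in favour of a single `guice-5.1.0.jar`, consistent with the multibindings extension having been merged into core Guice, which is the likely motivation. Suggest `<!-- multibindings is part of core Guice since 4.2; exclude the legacy extension jar to avoid duplicate classes on the Presto classpath -->` above the exclusion.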
 
@@ -137,13 +140,6 @@
       <version>${objectsize.version}</version>
     </dependency>
 
-    <!-- make sure guice is set to the correct version -->
-    <dependency>
-      <groupId>com.google.inject.extensions</groupId>
-      <artifactId>guice-multibindings</artifactId>
-      <version>${guice.version}</version>
-    </dependency>
-
     <!-- jackson dependencies -->
 
     <dependency>
diff --git a/tiered-storage/jcloud/pom.xml b/tiered-storage/jcloud/pom.xml
index b58551697ba..87ebcd7493c 100644
--- a/tiered-storage/jcloud/pom.xml
+++ b/tiered-storage/jcloud/pom.xml
@@ -99,19 +99,6 @@
       <version>${jclouds.version}</version>
       <scope>provided</scope>
     </dependency>
-    <!-- https://github.com/apache/jclouds/pull/123/files-->
-    <dependency>
-      <groupId>com.google.inject</groupId>
-      <artifactId>guice</artifactId>
-      <version>${guice.version}</version>
-      <scope>runtime</scope>
-    </dependency>
-    <dependency>
-      <groupId>com.google.inject.extensions</groupId>
-      <artifactId>guice-assistedinject</artifactId>
-      <version>${guice.version}</version>
-      <scope>runtime</scope>
-    </dependency>
 
     <dependency>
       <groupId>javax.xml.bind</groupId>