Posted to github@arrow.apache.org by GitBox <gi...@apache.org> on 2022/04/18 15:34:49 UTC

[GitHub] [arrow] davisusanibar opened a new pull request, #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

davisusanibar opened a new pull request, #12912:
URL: https://github.com/apache/arrow/pull/12912

   Move jackson dependencies to depend on the jackson bill of materials, jackson-bom


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [arrow] lidavidm commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852297830


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>
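Review bot: the visible context declares `jackson-dataformat-yaml` with no `<version>` element, so the only thing that stops this version from floating is a `jackson-bom` import (type `pom`, scope `import`) under `<dependencyManagement>` in the root pom; if that import is absent Maven fails the build for the missing version, and if the BOM's own version is not pinned explicitly, whether the CVE-2020-36518 fix is actually picked up depends on whatever the BOM resolves to. Suggest pinning the BOM version in a single property in the root pom and confirming the resolved `jackson-databind` version with `mvn dependency:tree`.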

Review Comment:
   Looks like this was all my misunderstanding. Thanks for explaining!





[GitHub] [arrow] lidavidm commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852236333


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   Er, doesn't this let the version float? Is that what we want?
   
   Could we instead depend on jackson-bom here? Since I think that includes all of these four dependencies anyways





[GitHub] [arrow] lidavidm closed pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm closed pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518
URL: https://github.com/apache/arrow/pull/12912




[GitHub] [arrow] davisusanibar commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
davisusanibar commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852296455


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   Just a second, it was part of dependencyManagement all the time.





[GitHub] [arrow] davisusanibar commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
davisusanibar commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852294298


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   Yes, this is the second way to use that. I just moved it to this section so it makes more sense.





[GitHub] [arrow] lidavidm commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852297530


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   …I'm sorry, I totally missed that





[GitHub] [arrow] lidavidm commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852271821


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   Ah, okay then.
   
   In that case, shouldn't jackson-bom be under `<dependencyManagement>` in the root pom?





[GitHub] [arrow] ursabot commented on pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
ursabot commented on PR #12912:
URL: https://github.com/apache/arrow/pull/12912#issuecomment-1110309649

   ['Python', 'R'] benchmarks have high level of regressions.
   [ursa-i9-9960x](https://conbench.ursa.dev/compare/runs/3f026a2fc3f34e21b8586018dc4adba0...dd43a3bb124a4d33a5d4f9d0b1f56263/)
   




[GitHub] [arrow] github-actions[bot] commented on pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #12912:
URL: https://github.com/apache/arrow/pull/12912#issuecomment-1101515898

   https://issues.apache.org/jira/browse/ARROW-16143




[GitHub] [arrow] davisusanibar commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
davisusanibar commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852263028


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   Jackson BOM defines the dependencies and versions used for: core, data formats, data types, and others. For that reason modules only need to add the dependency, and the `version` is injected by the jackson bom. In this case jackson-bom adds this version for [jackson-dataformat-yaml](https://github.com/FasterXML/jackson-bom/blob/jackson-bom-2.13.2.20220328/pom.xml#L142:L145).



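The arrangement the thread converges on, written out as an added example rather than the PR's actual diff: the root pom imports jackson-bom under `<dependencyManagement>` with an explicitly pinned version (the 2.13.2.20220328 tag linked in the comment above), and the module pom then declares its Jackson artifacts without a `<version>`, which Maven fills in from the BOM. The Jackson coordinates are real; the `jackson-bom.version` property name and the surrounding pom skeletons are assumptions for illustration.

```xml
<!-- Root pom.xml (added example, not the Arrow project's own file) -->
<project>
  <properties>
    <!-- One place to bump every Jackson artifact; property name is assumed,
         version is the jackson-bom tag referenced in the thread. -->
    <jackson-bom.version>2.13.2.20220328</jackson-bom.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- BOM import: supplies versions for jackson-core, -databind,
           -dataformat-*, -datatype-* to every module that inherits this pom. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson-bom.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- Module pom.xml (for example java/adapter/jdbc): no <version> on the
     Jackson artifacts, so Maven resolves each one from the imported BOM.
     Without the BOM import above, Maven rejects these as missing a version
     instead of silently picking one. -->
<project>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.dataformat</groupId>
      <artifactId>jackson-dataformat-yaml</artifactId>
    </dependency>
  </dependencies>
</project>
```

To see what the BOM actually resolved, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` in the module and check that the listed `jackson-databind` version is one that carries the CVE-2020-36518 fix.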


[GitHub] [arrow] lidavidm commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852295384


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   This looks exactly the same if I'm not mistaken
   
   But as long as maven resolves the proper version then I think this is ok, thank you





[GitHub] [arrow] davisusanibar commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
davisusanibar commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852269371


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   That would be the opposite of what jackson-bom was created for.
   
   If the doubt is about which jackson dependency versions the project is using, an option could be to create jackson variables on the parent for any jackson dependencies needed, to make it clear.





[GitHub] [arrow] lidavidm commented on a diff in pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12912:
URL: https://github.com/apache/arrow/pull/12912#discussion_r852264143


##########
java/adapter/jdbc/pom.xml:
##########
@@ -61,28 +61,24 @@
         <dependency>
             <groupId>com.fasterxml.jackson.dataformat</groupId>
             <artifactId>jackson-dataformat-yaml</artifactId>

Review Comment:
   I just mean I would prefer to replace these four dependencies with an explicitly pinned dependency on jackson-bom to make it clear where the version comes from.





[GitHub] [arrow] ursabot commented on pull request #12912: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
ursabot commented on PR #12912:
URL: https://github.com/apache/arrow/pull/12912#issuecomment-1101858811

   Benchmark runs are scheduled for baseline = 5644c9a45ad25f2739d414d2fcc222452f9c1576 and contender = 5b2c0a0f2a9a8eeca86abaaaeb16b3e2b73e313d. 5b2c0a0f2a9a8eeca86abaaaeb16b3e2b73e313d is a master commit associated with this PR. Results will be available as each benchmark for each run completes.
   Conbench compare runs links:
   [Finished :arrow_down:0.0% :arrow_up:0.0%] [ec2-t3-xlarge-us-east-2](https://conbench.ursa.dev/compare/runs/3242464945394583baeb8f6e1abbefc4...f90df501d5e84a7fb6c52cb38baf6216/)
   [Failed :arrow_down:0.46% :arrow_up:0.17%] [test-mac-arm](https://conbench.ursa.dev/compare/runs/51f705fc680345b9a2cf620814688d84...095a8d9ec13f4d37ad63c9290f178054/)
   [Failed :arrow_down:0.75% :arrow_up:0.0%] [ursa-i9-9960x](https://conbench.ursa.dev/compare/runs/3f026a2fc3f34e21b8586018dc4adba0...dd43a3bb124a4d33a5d4f9d0b1f56263/)
   [Finished :arrow_down:0.47% :arrow_up:0.04%] [ursa-thinkcentre-m75q](https://conbench.ursa.dev/compare/runs/ab8d016f972c4d149921126ea671c585...f377f882db0c4a54ab3c892559bae0f7/)
   Buildkite builds:
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ec2-t3-xlarge-us-east-2/builds/527| `5b2c0a0f` ec2-t3-xlarge-us-east-2>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-test-mac-arm/builds/514| `5b2c0a0f` test-mac-arm>
   [Failed] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ursa-i9-9960x/builds/513| `5b2c0a0f` ursa-i9-9960x>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ursa-thinkcentre-m75q/builds/524| `5b2c0a0f` ursa-thinkcentre-m75q>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ec2-t3-xlarge-us-east-2/builds/526| `5644c9a4` ec2-t3-xlarge-us-east-2>
   [Failed] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-test-mac-arm/builds/513| `5644c9a4` test-mac-arm>
   [Failed] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ursa-i9-9960x/builds/512| `5644c9a4` ursa-i9-9960x>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ursa-thinkcentre-m75q/builds/523| `5644c9a4` ursa-thinkcentre-m75q>
   Supported benchmarks:
   ec2-t3-xlarge-us-east-2: Supported benchmark langs: Python, R. Runs only benchmarks with cloud = True
   test-mac-arm: Supported benchmark langs: C++, Python, R
   ursa-i9-9960x: Supported benchmark langs: Python, R, JavaScript
   ursa-thinkcentre-m75q: Supported benchmark langs: C++, Java
   

