Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2022/06/19 07:23:20 UTC

[GitHub] [bookkeeper] hangc0276 opened a new pull request, #3346: upgrade groovy from 2.5.8 to 3.0.11 to fix CVE-2019-11358(7.5)

hangc0276 opened a new pull request, #3346:
URL: https://github.com/apache/bookkeeper/pull/3346

   ### Motivation
   There is a CVE in testing, which was introduced by groovy.
   
   ```
   Error:  Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project bookkeeper: 
   Error: 
   Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
   Error: 
   Error:  testng-6.13.1.jar: CVE-2019-11358(7.5)
   Error: 
   Error:  See the dependency-check report for more details.
   Error:  -> [Help 1]
   Error: 
   Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
   Error:  Re-run Maven using the -X switch to enable full debug logging.
   Error: 
   Error:  For more information about the errors and possible solutions, please read the following articles:
   Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
   Error: Process completed with exit code 1.
   ```
   
   ### Changes
   Upgrade groovy version from 2.5.8 to 3.0.11


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@bookkeeper.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
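The CI output quoted in the PR description is the only place the failing artifact, CVE and score appear, and the build gate is the "CVSS score greater than or equal to '7.0'" rule dependency-check applies. The following parser, added here as an example rather than code from the BookKeeper project, turns those `Error:` lines into structured findings and reproduces the gate decision, so the same log can be checked or triaged by a script instead of by eye. The sample log is constructed for the example: its first finding mirrors the line quoted above, the second (`placeholder-lib`, `CVE-0000-0000`) is a made-up placeholder below the threshold to show that it is reported but does not fail the build.

```python
"""Parse dependency-check-maven failure output and re-apply the CVSS gate.

Added example; it assumes only the line format visible in the PR's CI output:
    Error:  <artifact>.jar: CVE-YYYY-NNNN(<cvss>)
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    artifact: str   # jar file name as printed by dependency-check
    cve: str        # CVE identifier
    cvss: float     # CVSS score in parentheses


# One finding per line; the leading "Error:" prefix is what GitHub Actions
# adds in front of Maven's own output, so it is optional here.
FINDING_RE = re.compile(
    r"^(?:Error:\s+)?(?P<artifact>\S+\.jar):\s+"
    r"(?P<cve>CVE-\d{4}-\d{4,})\((?P<cvss>\d+(?:\.\d+)?)\)$"
)


def parse_findings(log_text: str) -> List[Finding]:
    """Return every (artifact, cve, cvss) finding found in the log text."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        match = FINDING_RE.match(raw.strip())
        if match:
            findings.append(
                Finding(match["artifact"], match["cve"], float(match["cvss"]))
            )
    return findings


def findings_at_or_above(findings: List[Finding], threshold: float = 7.0) -> List[Finding]:
    """Findings that trip the gate; 7.0 is the threshold quoted in the CI output."""
    return [f for f in findings if f.cvss >= threshold]


def build_should_fail(log_text: str, threshold: float = 7.0) -> bool:
    """True when at least one finding meets the failBuildOnCVSS threshold."""
    return bool(findings_at_or_above(parse_findings(log_text), threshold))


# Constructed sample log. The testng line is the one quoted in the PR; the
# placeholder-lib line and CVE-0000-0000 are invented to exercise the threshold.
SAMPLE_LOG = """\
Error:  Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project bookkeeper:
Error:
Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
Error:
Error:  testng-6.13.1.jar: CVE-2019-11358(7.5)
Error:  placeholder-lib-1.0.0.jar: CVE-0000-0000(4.3)
Error:
Error:  See the dependency-check report for more details.
"""

if __name__ == "__main__":
    for finding in parse_findings(SAMPLE_LOG):
        print(f"{finding.artifact}: {finding.cve} (CVSS {finding.cvss})")
    print("gate:", "FAIL" if build_should_fail(SAMPLE_LOG) else "pass")
```

Running it on the sample prints both findings and `gate: FAIL`, because the testng finding scores 7.5; raising the threshold to 8.0 lets the same log pass, which is the knob to reason about before reaching for a setting that removes whole dependency scopes from the scan.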


[GitHub] [bookkeeper] Shoothzj commented on pull request #3346: upgrade groovy from 2.5.8 to 3.0.11 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
Shoothzj commented on PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346#issuecomment-1159682579

   Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html
   Maybe we should update to Groovy2 latest version?



[GitHub] [bookkeeper] hangc0276 commented on pull request #3346: upgrade groovy from 2.5.8 to 3.5.17 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
hangc0276 commented on PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346#issuecomment-1159685884

   > Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html Maybe we should update to Groovy2 latest version?
   
   done



[GitHub] [bookkeeper] hangc0276 commented on a diff in pull request #3346: upgrade groovy from 2.5.8 to 3.0.11 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
hangc0276 commented on code in PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346#discussion_r901078014


##########
pom.xml:
##########
@@ -1138,6 +1138,7 @@
               <mixAuditAnalyzerEnabled>false</mixAuditAnalyzerEnabled>
               <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
               <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+              <skipSystemScope>true</skipSystemScope>
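Review bot: `<skipSystemScope>true</skipSystemScope>` switches off scanning of every system-scoped dependency for the whole aggregate run, which narrows the coverage the CVE gate is supposed to provide and is unrelated to the Groovy upgrade named in the PR title; if it is only there to get the JDK8 job past the failure linked below, put an XML comment beside the setting saying so, so the reason survives and the setting can be dropped once that failure is fixed.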

Review Comment:
   It will fail on JDK8.
   https://github.com/apache/bookkeeper/runs/6953541383?check_suite_focus=true




[GitHub] [bookkeeper] hangc0276 commented on pull request #3346: upgrade groovy from 2.5.17 to 3.0.11 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
hangc0276 commented on PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346#issuecomment-1163112463

   > > Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html Maybe we should update to Groovy2 latest version?
   > 
   > @Shoothzj so we upgraded to groovy 3 but the JDK8 check passed, so I'm a bit confused now
   
   @nicoloboschi I have added the `<skipSystemScope>true</skipSystemScope>` configuration to skip the SystemScope check.



[GitHub] [bookkeeper] hangc0276 commented on pull request #3346: upgrade groovy from 2.5.8 to 3.5.17 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
hangc0276 commented on PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346#issuecomment-1159982207

   rerun failure checks



[GitHub] [bookkeeper] eolivelli merged pull request #3346: upgrade groovy from 2.5.17 to 3.0.11 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
eolivelli merged PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346



[GitHub] [bookkeeper] Shoothzj commented on a diff in pull request #3346: upgrade groovy from 2.5.8 to 3.0.11 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
Shoothzj commented on code in PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346#discussion_r901077765


##########
pom.xml:
##########
@@ -1138,6 +1138,7 @@
               <mixAuditAnalyzerEnabled>false</mixAuditAnalyzerEnabled>
               <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
               <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+              <skipSystemScope>true</skipSystemScope>
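Review bot: the setting lands in pom.xml with no comment explaining what it fixes; a system-scoped dependency is a jar supplied from a path on the build machine rather than resolved from a repository, so skipping the scope means any such jar added later is never reported, and the change should either carry an inline justification or be dropped if nothing in the build relies on system scope.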

Review Comment:
   I have searched the project; we don't have a `<scope>system</scope>` import. Why is this config needed?




[GitHub] [bookkeeper] hangc0276 commented on pull request #3346: upgrade groovy from 2.5.8 to 3.5.17 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
hangc0276 commented on PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346#issuecomment-1159691087

   > > Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html Maybe we should update to Groovy2 latest version?
   > 
   > done
   
   @Shoothzj It doesn't work on 2.5.17, because groovy-testng depends on testng 6.13.1, which has CVE issues.
   https://github.com/apache/bookkeeper/runs/6954538682?check_suite_focus=true



[GitHub] [bookkeeper] nicoloboschi commented on pull request #3346: upgrade groovy from 2.5.17 to 3.0.11 to fix CVE-2019-11358(7.5)

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on PR #3346:
URL: https://github.com/apache/bookkeeper/pull/3346#issuecomment-1163081763

   > Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html Maybe we should update to Groovy2 latest version?
   
   @Shoothzj so we upgraded to groovy 3 but the JDK8 check passed, so I'm a bit confused now
