Posted to github@beam.apache.org by "bvolpato (via GitHub)" <gi...@apache.org> on 2023/04/25 04:10:11 UTC

[GitHub] [beam] bvolpato opened a new pull request, #26410: Bump Jackson dependency due to CVE-2022-1471

bvolpato opened a new pull request, #26410:
URL: https://github.com/apache/beam/pull/26410

   [jackson-dataformat-yaml:2.14.1](https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.14.1) included SnakeYAML 1.33, which is within [CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471)'s range.
   
   [jackson-dataformat-yaml:2.15.0](https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.0) updated to SnakeYAML 2.0, which has fixed vulnerabilities.
   
   There was some discussion about the dependency on the dev mailing list (https://lists.apache.org/thread/jcwvgttjsmxyqkc01rwzhd8zjxjk99h4), but https://github.com/apache/beam/pull/25350 was abandoned because it's not exploitable.
   
   Even though SnakeYAML has a statement about it (https://github.com/snakeyaml/snakeyaml#cve), it is nice to be on a version range that is considered safe.
   
   
   ------------------------
   
   To check the build health, please visit [https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md](https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md)
   
   GitHub Actions Tests Status (on master branch)
   ------------------------------------------------------------------------------------------------
   [![Build python source distribution and wheels](https://github.com/apache/beam/workflows/Build%20python%20source%20distribution%20and%20wheels/badge.svg?branch=master&event=schedule)](https://github.com/apache/beam/actions?query=workflow%3A%22Build+python+source+distribution+and+wheels%22+branch%3Amaster+event%3Aschedule)
   [![Python tests](https://github.com/apache/beam/workflows/Python%20tests/badge.svg?branch=master&event=schedule)](https://github.com/apache/beam/actions?query=workflow%3A%22Python+Tests%22+branch%3Amaster+event%3Aschedule)
   [![Java tests](https://github.com/apache/beam/workflows/Java%20Tests/badge.svg?branch=master&event=schedule)](https://github.com/apache/beam/actions?query=workflow%3A%22Java+Tests%22+branch%3Amaster+event%3Aschedule)
   [![Go tests](https://github.com/apache/beam/workflows/Go%20tests/badge.svg?branch=master&event=schedule)](https://github.com/apache/beam/actions?query=workflow%3A%22Go+tests%22+branch%3Amaster+event%3Aschedule)
   
   See [CI.md](https://github.com/apache/beam/blob/master/CI.md) for more information about GitHub Actions CI.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521690290

   Run Java_hadoop_IO_Direct PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521690105

   Run Java_GCP_IO_Direct PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521689926

   Run GoPortable PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521157996

   Run Java_PVR_Flink_Docker PreCommit




[GitHub] [beam] Abacn commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "Abacn (via GitHub)" <gi...@apache.org>.
Abacn commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521935226

   looks like Gradle is picking up a different transitive dependency and breaks Cassandra:
   ```
   java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.Constructor.<init>(Ljava/lang/Class;)V
   	at org.apache.cassandra.config.YamlConfigurationLoader$CustomConstructor.<init>(YamlConfigurationLoader.java:139)
   	at org.apache.cassandra.config.YamlConfigurationLoader.loadConfig(YamlConfigurationLoader.java:120)
   	at org.apache.cassandra.config.YamlConfigurationLoader.loadConfig(YamlConfigurationLoader.java:101)
   	at org.apache.cassandra.config.DatabaseDescriptor.loadConfig(DatabaseDescriptor.java:276)
   	at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:152)
   	at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:137)
   	at org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:673)
   	at org.apache.cassandra.service.EmbeddedCassandraService.start(EmbeddedCassandraService.java:50)
   	at org.apache.beam.sdk.io.hadoop.format.HadoopFormatIOCassandraTest.beforeClass(HadoopFormatIOCassandraTest.java:189)
   ```




[GitHub] [beam] github-actions[bot] commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1606070350

   This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 1 week if no further activity occurs. If you think that’s incorrect or this pull request requires a review, please simply write any comment. If closed, you can revive the PR at any time and @mention a reviewer or discuss it on the dev@beam.apache.org list. Thank you for your contributions.




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521690223

   Run Java_PVR_Flink_Docker PreCommit




Re: [PR] Bump Jackson dependency due to CVE-2022-1471 [beam]

Posted by "hpvd (via GitHub)" <gi...@apache.org>.
hpvd commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-2074761978

   added this to [Parent issue] Support for Apache Pulsar #31078




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521158052

   Run Java_Pulsar_IO_Direct PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521158094

   Run Java_hadoop_IO_Direct PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521157681

   Run GoPortable PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1522009573

   Yes, thanks @Abacn.
   
   `cassandra-all` is using a very old version of SnakeYAML, even in their recent releases (3.11.8 uses SnakeYAML 1.11, their recent patch 3.11.14 is at SnakeYAML 1.26). There are major updates but I wouldn't go that far.
   
   It is a `testImplementation "org.apache.cassandra:cassandra-all:3.11.8"` though, so I'll see what can be done. Perhaps pinning old SnakeYAML at `sdks/java/io/hadoop-format`?


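The version-range point from the PR description and the transitive conflict bvolpato describes above, as an added example that is not part of the PR or of Beam: a Python scanner over `gradle dependencies` output (a constructed sample is embedded in the code) that flags SnakeYAML versions inside the CVE-2022-1471 range and also reports where a requested 1.x was conflict-resolved to 2.0, which is the situation behind the NoSuchMethodError in Abacn's stack trace. The tree layout it parses (5 characters per level, `->` marking a resolved conflict) is the standard Gradle `dependencies` task format; the 2.0 cut-off follows the PR description.

```python
"""Added example (not from the Beam PR): scan a Gradle dependency report for SnakeYAML in the CVE-2022-1471 range."""
import re
from dataclasses import dataclass

TARGET = ("org.yaml", "snakeyaml")
FIXED_IN = (2, 0)  # the PR treats SnakeYAML 2.0 as the first version outside the CVE range

# Constructed sample of `gradle dependencies` output mirroring the thread: jackson-dataformat-yaml
# 2.14.1 pulls SnakeYAML 1.33; test-only cassandra-all asks for 1.11 but Gradle resolves it to 2.0.
SAMPLE_REPORT = r"""
compileClasspath - Compile classpath for source set 'main'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.14.1
|    +--- com.fasterxml.jackson.core:jackson-core:2.14.1
|    \--- org.yaml:snakeyaml:1.33
\--- example.placeholder:some-library:1.0
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0
|    \--- org.yaml:snakeyaml:2.0
\--- org.apache.cassandra:cassandra-all:3.11.8
     \--- org.yaml:snakeyaml:1.11 -> 2.0
"""

# One tree node: "<prefix>group:artifact:requested[ -> resolved][ (*)]"; each tree level is 5 chars wide.
NODE_RE = re.compile(r"^(?P<prefix>[|+\\\- ]*)(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+)"
                     r":(?P<requested>\S+)(?:\s+->\s+(?P<resolved>\S+))?")
CONFIG_RE = re.compile(r"^(\w+) - ")  # configuration header, e.g. "testRuntimeClasspath - ..."

@dataclass
class Finding:
    configuration: str
    path: list            # artifacts that pulled SnakeYAML in, outermost first
    requested: str
    resolved: str
    vulnerable: bool      # resolved version is still inside the CVE range
    major_mismatch: bool  # requested/resolved majors differ: API-break risk (the NoSuchMethodError)

def parse_version(version):
    # Numeric prefix of a version string as a tuple: "1.33" -> (1, 33), "2.0" -> (2, 0)
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def in_cve_range(version):
    return parse_version(version) < FIXED_IN

def scan(report):
    findings, config, stack = [], "", []
    for line in report.splitlines():
        header = CONFIG_RE.match(line)
        if header:                       # new configuration: reset the ancestry stack
            config, stack = header.group(1), []
            continue
        node = NODE_RE.match(line)
        if not node:
            continue
        depth = len(node.group("prefix")) // 5 - 1
        del stack[depth:]                # keep only this node's ancestors
        stack.append(f"{node.group('group')}:{node.group('artifact')}:{node.group('requested')}")
        if (node.group("group"), node.group("artifact")) == TARGET:
            requested = node.group("requested")
            resolved = node.group("resolved") or requested
            findings.append(Finding(config, stack[:-1], requested, resolved, in_cve_range(resolved),
                                    parse_version(requested)[:1] != parse_version(resolved)[:1]))
    return findings
```

Run against a real report (`./gradlew :module:dependencies > deps.txt`) by passing the file contents to `scan`; a finding with `major_mismatch` set is the case to look at even when `vulnerable` is false, since the consumer was compiled against the older API.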


[GitHub] [beam] github-actions[bot] commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1618195001

   This pull request has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time.




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521157778

   Run Java_PVR_Flink_Batch PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521158151

   Run Python_PVR_Flink PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521690371

   Run Python_PVR_Flink PreCommit




[GitHub] [beam] bvolpato commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "bvolpato (via GitHub)" <gi...@apache.org>.
bvolpato commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521690028

   Run Java PreCommit




[GitHub] [beam] codecov[bot] commented on pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "codecov[bot] (via GitHub)" <gi...@apache.org>.
codecov[bot] commented on PR #26410:
URL: https://github.com/apache/beam/pull/26410#issuecomment-1521141213

   ## [Codecov](https://codecov.io/gh/apache/beam/pull/26410?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#26410](https://codecov.io/gh/apache/beam/pull/26410?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (3925f94) into [master](https://codecov.io/gh/apache/beam/commit/85d4276016a1e4388cc9dd431e8f0684eb09fd95?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (85d4276) will **decrease** coverage by `0.01%`.
   > The diff coverage is `n/a`.
   
   ```diff
   @@            Coverage Diff             @@
   ##           master   #26410      +/-   ##
   ==========================================
   - Coverage   81.08%   81.07%   -0.01%     
   ==========================================
     Files         469      469              
     Lines       67199    67199              
   ==========================================
   - Hits        54487    54483       -4     
   - Misses      12712    12716       +4     
   ```
   
   | Flag | Coverage Δ | |
   |---|---|---|
   | python | `81.07% <ø> (-0.01%)` | :arrow_down: |
   
   Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#carryforward-flags-in-the-pull-request-comment) to find out more.
   
   [see 5 files with indirect coverage changes](https://codecov.io/gh/apache/beam/pull/26410/indirect-changes?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   
   :mega: We’re building smart automated test selection to slash your CI/CD build times. [Learn more](https://about.codecov.io/iterative-testing/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
   




[GitHub] [beam] github-actions[bot] closed pull request #26410: Bump Jackson dependency due to CVE-2022-1471

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed pull request #26410: Bump Jackson dependency due to CVE-2022-1471
URL: https://github.com/apache/beam/pull/26410

