Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/07/06 08:11:03 UTC

[GitHub] [pulsar] tisonkun opened a new pull request, #16415: [improve][security] CVE-2022-33915 is false positive

tisonkun opened a new pull request, #16415:
URL: https://github.com/apache/pulsar/pull/16415

   Signed-off-by: tison <wa...@gmail.com>
   
   <!--
   ### Contribution Checklist
     
     - PR title format should be *[type][component] summary*. For details, see *[Guideline - Pulsar PR Naming Convention](https://docs.google.com/document/d/1d8Pw6ZbWk-_pCKdOmdvx9rnhPiyuxwq60_TrD68d7BA/edit#heading=h.trs9rsex3xom)*. 
   
     - Fill out the template below to describe the changes contributed by the pull request. That will give reviewers the context they need to do the review.
     
     - Each pull request should address only one issue, not mix up code from multiple issues.
     
     - Each commit in the pull request has a meaningful commit message
   
     - Once all items of the checklist are addressed, remove the above text and this checklist, leaving only the filled out template below.
   
   **(The sections below can be removed for hotfixes of typos)**
   -->
   
   *(If this PR fixes a github issue, please add `Fixes #<xyz>`.)*
   
   Fixes #<xyz>
   
   *(or if this PR is one task of a github issue, please add `Master Issue: #<xyz>` to link to the master issue.)*
   
   Master Issue: #<xyz>
   
   ### Motivation
   
   
   *Explain here the context, and why you're making that change. What is the problem you're trying to solve.*
   
   ### Modifications
   
   *Describe the modifications you've done.*
   
   ### Verifying this change
   
   - [ ] Make sure that the change passes the CI checks.
   
   *(Please pick either of the following options)*
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   *(or)*
   
   This change is already covered by existing tests, such as *(please describe tests)*.
   
   *(or)*
   
   This change added tests and can be verified as follows:
   
   *(example:)*
     - *Added integration tests for end-to-end deployment with large payloads (10MB)*
     - *Extended integration test for recovery after broker failure*
   
   ### Does this pull request potentially affect one of the following parts:
   
   *If `yes` was chosen, please highlight the changes*
   
     - Dependencies (does it add or upgrade a dependency): (yes / no)
     - The public API: (yes / no)
     - The schema: (yes / no / don't know)
     - The default values of configurations: (yes / no)
     - The wire protocol: (yes / no)
     - The rest endpoints: (yes / no)
     - The admin cli options: (yes / no)
     - Anything that affects deployment: (yes / no / don't know)
   
   ### Documentation
   
   Check the box below or label this PR directly.
   
   Need to update docs? 
   
   - [ ] `doc-required` 
   (Your PR needs to update docs and you will update later)
     
   - [x] `doc-not-needed` 
   (Please explain why)
     
   - [ ] `doc` 
   (Your PR contains doc changes)
   
   - [ ] `doc-complete`
   (Docs have been already added)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] RobertIndie commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
RobertIndie commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1177598760

   > whether this CI status is valid to move forward?
   
   @tisonkun The CI is broken by `CI - Unit - Brokers - Broker Group 1 `. 
   I have reported the flaky tests: https://github.com/apache/pulsar/issues/16427 , https://github.com/apache/pulsar/issues/16444 . And a suspected CI-related issue: https://github.com/apache/pulsar/issues/16445
   
   I'm trying to rerun the CI checks again.




[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#discussion_r914558452


##########
src/owasp-dependency-check-false-positives.xml:
##########
@@ -129,6 +129,15 @@
     <cve>CVE-2021-23214</cve>
   </suppress>
 
+  <!-- CVE-2022-33915 is about Amazon AWS hotpatch -->
+  <suppress>
+    <notes><![CDATA[
+   file name: log4j-core-1.27.1.jar
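Review bot: the artifact named in the suppression notes, `log4j-core-1.27.1.jar`, is not a version Log4j ever shipped (the 1.x line ended at 1.2.17), and the rest of this thread identifies the library as log4j-core 2.17.1, so the notes line should read `file name: log4j-core-2.17.1.jar`. Since `<notes>` is documentation only, the remaining added lines of this hunk (the header counts 9, only 4 are visible here) should carry the actual matcher, a `<packageUrl>` or `<sha1>` together with `<cve>CVE-2022-33915</cve>`, so the suppression is scoped to that one artifact rather than silencing the CVE for every dependency.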

Review Comment:
   it should be log4j-core-2.17.1.jar?





[GitHub] [pulsar] tisonkun commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1177714267

   @RobertIndie Thank you! However, it seems "Pulsar CI / CI - Unit - Brokers - Broker Group 1" still failed. I don't think we have to rerun until it passes, since it's obviously unrelated to this patch. I agree that we should reduce flaky tests, though.




[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#discussion_r914559500


##########
src/owasp-dependency-check-false-positives.xml:
##########
@@ -129,6 +129,15 @@
     <cve>CVE-2021-23214</cve>
   </suppress>
 
+  <!-- CVE-2022-33915 is about Amazon AWS hotpatch -->
+  <suppress>
+    <notes><![CDATA[
+   file name: log4j-core-1.27.1.jar

Review Comment:
   this is a failure: https://github.com/apache/pulsar/runs/7193981226?check_suite_focus=true





[GitHub] [pulsar] tisonkun commented on a diff in pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun commented on code in PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#discussion_r914559319


##########
src/owasp-dependency-check-false-positives.xml:
##########
@@ -129,6 +129,15 @@
     <cve>CVE-2021-23214</cve>
   </suppress>
 
+  <!-- CVE-2022-33915 is about Amazon AWS hotpatch -->
+  <suppress>
+    <notes><![CDATA[
+   file name: log4j-core-1.27.1.jar

Review Comment:
   ```suggestion
      file name: log4j-core-2.27.1.jar
   ```





[GitHub] [pulsar] tisonkun commented on a diff in pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun commented on code in PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#discussion_r914575101


##########
src/owasp-dependency-check-false-positives.xml:
##########
@@ -129,6 +129,15 @@
     <cve>CVE-2021-23214</cve>
   </suppress>
 
+  <!-- CVE-2022-33915 is about Amazon AWS hotpatch -->
+  <suppress>
+    <notes><![CDATA[
+   file name: log4j-core-2.27.1.jar
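Review bot: `log4j-core-2.27.1.jar` is still the wrong artifact; the thread and the suppression's own purpose refer to log4j-core 2.17.1, so the notes line should read `file name: log4j-core-2.17.1.jar`. A wrong file name inside `<notes>` does not change what the suppression matches, but it misleads whoever next audits why CVE-2022-33915 is silenced in this file.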

Review Comment:
   ```suggestion
      file name: log4j-core-2.17.1.jar
   ```
   
   😂 





[GitHub] [pulsar] Shoothzj commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
Shoothzj commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1175929817

   Can we remove the log4j1 dependency?




[GitHub] [pulsar] tisonkun commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1175932211

   @Shoothzj sorry, I wrote the wrong version number; this is about log4j-core-2.17.1.




[GitHub] [pulsar] tisonkun commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1178482452

   It seems OWASP has fixed this false positive report. Pending close...




[GitHub] [pulsar] nicoloboschi commented on a diff in pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
nicoloboschi commented on code in PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#discussion_r914567228


##########
src/owasp-dependency-check-false-positives.xml:
##########
@@ -129,6 +129,15 @@
     <cve>CVE-2021-23214</cve>
   </suppress>
 
+  <!-- CVE-2022-33915 is about Amazon AWS hotpatch -->
+  <suppress>
+    <notes><![CDATA[
+   file name: log4j-core-2.27.1.jar

Review Comment:
   It's still wrong; it's log4j-core-2.17.1.jar.





[GitHub] [pulsar] RobertIndie commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
RobertIndie commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1176943135

   /pulsarbot run-failure-checks




[GitHub] [pulsar] tisonkun commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1177338939

   ping @nicoloboschi, is this CI status valid to move forward?




[GitHub] [pulsar] tisonkun commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1176987177

   /pulsarbot run-failure-checks




[GitHub] [pulsar] tisonkun closed pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun closed pull request #16415: [improve][security] CVE-2022-33915 is false positive
URL: https://github.com/apache/pulsar/pull/16415




[GitHub] [pulsar] tisonkun commented on pull request #16415: [improve][security] CVE-2022-33915 is false positive

Posted by GitBox <gi...@apache.org>.
tisonkun commented on PR #16415:
URL: https://github.com/apache/pulsar/pull/16415#issuecomment-1176048939

   @nicoloboschi @Shoothzj tests failed on flaky cases. You may merge this patch since "CI - Misc - OWASP Dependency Check / owasp-dep-check" passed or help re-trigger the failed jobs :)

