Posted to notifications@kyuubi.apache.org by "bowenliang123 (via GitHub)" <gi...@apache.org> on 2023/02/07 15:59:38 UTC

[GitHub] [kyuubi] bowenliang123 opened a new pull request, #4266: add actions/dependency-review-action to dep workflow

bowenliang123 opened a new pull request, #4266:
URL: https://github.com/apache/kyuubi/pull/4266

   ### _Why are the changes needed?_
   - add actions/dependency-review-action to dep workflow, https://github.com/actions/dependency-review-action
   
   ### _How was this patch tested?_
   - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
   
   - [ ] Add screenshots for manual tests if appropriate
   
   - [ ] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before making a pull request
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@kyuubi.apache.org
For additional commands, e-mail: notifications-help@kyuubi.apache.org


[GitHub] [kyuubi] bowenliang123 closed pull request #4266: add dependency review step to dependency workflow

Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 closed pull request #4266: add dependency review step to dependency workflow
URL: https://github.com/apache/kyuubi/pull/4266




[GitHub] [kyuubi] yaooqinn commented on a diff in pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on code in PR #4266:
URL: https://github.com/apache/kyuubi/pull/4266#discussion_r1100940848


##########
.github/workflows/dep.yml:
##########
@@ -25,6 +25,7 @@ on:
     paths:
       # dependency check happens only pom changes
       - '**/pom.xml'
+      - '.github/workflows/dep.yml'
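Review bot: listing the workflow file itself under `paths` is the only way a PR that edits just `dep.yml` (like this one) runs the job it changes, so the entry is justified; but the comment directly above it, `# dependency check happens only pom changes`, is now inaccurate. Suggest updating it to reflect both triggers, e.g. `# dependency check runs on pom changes and on edits to this workflow`.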

Review Comment:
   Is this necessary?





[GitHub] [kyuubi] codecov-commenter commented on pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "codecov-commenter (via GitHub)" <gi...@apache.org>.
codecov-commenter commented on PR #4266:
URL: https://github.com/apache/kyuubi/pull/4266#issuecomment-1423677718

   # [Codecov](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
   > Merging [#4266](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (e11fad0) into [master](https://codecov.io/gh/apache/kyuubi/commit/95318d578289249e1380140ec9b19c46c2543235?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (95318d5) will **increase** coverage by `0.01%`.
   > The diff coverage is `n/a`.
   
   > :exclamation: Current head e11fad0 differs from pull request most recent head 67f7f7a. Consider uploading reports for the commit 67f7f7a to get more accurate results
   
   ```diff
   @@             Coverage Diff              @@
   ##             master    #4266      +/-   ##
   ============================================
   + Coverage     53.38%   53.40%   +0.01%     
     Complexity       13       13              
   ============================================
     Files           560      560              
     Lines         30562    30562              
     Branches       4139     4139              
   ============================================
   + Hits          16315    16321       +6     
   + Misses        12711    12708       -3     
   + Partials       1536     1533       -3     
   ```
   
   
   | [Impacted Files](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
   |---|---|---|
   | [.../engine/spark/session/SparkSQLSessionManager.scala](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZXJuYWxzL2t5dXViaS1zcGFyay1zcWwtZW5naW5lL3NyYy9tYWluL3NjYWxhL29yZy9hcGFjaGUva3l1dWJpL2VuZ2luZS9zcGFyay9zZXNzaW9uL1NwYXJrU1FMU2Vzc2lvbk1hbmFnZXIuc2NhbGE=) | `78.48% <0.00%> (-1.27%)` | :arrow_down: |
   | [...apache/kyuubi/engine/JpsApplicationOperation.scala](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-a3l1dWJpLXNlcnZlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2t5dXViaS9lbmdpbmUvSnBzQXBwbGljYXRpb25PcGVyYXRpb24uc2NhbGE=) | `77.41% <0.00%> (ø)` | |
   | [...rc/main/scala/org/apache/spark/ui/EnginePage.scala](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZXJuYWxzL2t5dXViaS1zcGFyay1zcWwtZW5naW5lL3NyYy9tYWluL3NjYWxhL29yZy9hcGFjaGUvc3BhcmsvdWkvRW5naW5lUGFnZS5zY2FsYQ==) | `79.26% <0.00%> (+0.28%)` | :arrow_up: |
   | [...n/scala/org/apache/kyuubi/engine/ProcBuilder.scala](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-a3l1dWJpLXNlcnZlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2t5dXViaS9lbmdpbmUvUHJvY0J1aWxkZXIuc2NhbGE=) | `79.01% <0.00%> (+0.61%)` | :arrow_up: |
   | [...mon/src/main/scala/org/apache/kyuubi/Logging.scala](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-a3l1dWJpLWNvbW1vbi9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2t5dXViaS9Mb2dnaW5nLnNjYWxh) | `42.50% <0.00%> (+1.25%)` | :arrow_up: |
   | [...ache/kyuubi/operation/KyuubiOperationManager.scala](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-a3l1dWJpLXNlcnZlci9zcmMvbWFpbi9zY2FsYS9vcmcvYXBhY2hlL2t5dXViaS9vcGVyYXRpb24vS3l1dWJpT3BlcmF0aW9uTWFuYWdlci5zY2FsYQ==) | `82.66% <0.00%> (+2.66%)` | :arrow_up: |
   | [...uubi/engine/spark/events/SparkOperationEvent.scala](https://codecov.io/gh/apache/kyuubi/pull/4266?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZXh0ZXJuYWxzL2t5dXViaS1zcGFyay1zcWwtZW5naW5lL3NyYy9tYWluL3NjYWxhL29yZy9hcGFjaGUva3l1dWJpL2VuZ2luZS9zcGFyay9ldmVudHMvU3BhcmtPcGVyYXRpb25FdmVudC5zY2FsYQ==) | `94.44% <0.00%> (+5.55%)` | :arrow_up: |
   
   




[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4266:
URL: https://github.com/apache/kyuubi/pull/4266#discussion_r1100945685


##########
.github/workflows/dep.yml:
##########
@@ -57,3 +58,7 @@ jobs:
           -pl kyuubi-ctl,kyuubi-server,kyuubi-assembly -am
       - name: Check dependency list
         run: build/dependency.sh
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v3
+        with:
+          fail-on-severity: low
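Review bot: `uses: actions/dependency-review-action@v3` pins to a mutable major tag; for a step whose whole purpose is supply-chain gating, pin to a full-length commit SHA (keeping the tag in a trailing comment) so a moved or compromised tag cannot silently change what runs here. Two smaller points: `fail-on-severity: low` is the action's default, so the explicit value only documents intent, and the threshold discussion in this thread suggests it may block PRs on low-score advisories; and the action evaluates a pull request's dependency diff, so confirm the workflow's `on:` block (not shown in this hunk) includes `pull_request`.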

Review Comment:
   The docs of the action do not clarify how it classifies the level of severity, so I prefer to keep it at `low`, the same as the default value. We could lower this level if necessary in future, as it only affects future PRs.





[GitHub] [kyuubi] yaooqinn commented on a diff in pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on code in PR #4266:
URL: https://github.com/apache/kyuubi/pull/4266#discussion_r1100940524


##########
.github/workflows/dep.yml:
##########
@@ -57,3 +58,7 @@ jobs:
           -pl kyuubi-ctl,kyuubi-server,kyuubi-assembly -am
       - name: Check dependency list
         run: build/dependency.sh
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v3
+        with:
+          fail-on-severity: low

Review Comment:
   Is `low` too strict? Use moderate?





[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4266:
URL: https://github.com/apache/kyuubi/pull/4266#discussion_r1101007257


##########
.github/workflows/dep.yml:
##########
@@ -57,3 +58,7 @@ jobs:
           -pl kyuubi-ctl,kyuubi-server,kyuubi-assembly -am
       - name: Check dependency list
         run: build/dependency.sh
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v3
+        with:
+          fail-on-severity: low

Review Comment:
   OK, changed to `moderate`.





[GitHub] [kyuubi] yaooqinn commented on a diff in pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "yaooqinn (via GitHub)" <gi...@apache.org>.
yaooqinn commented on code in PR #4266:
URL: https://github.com/apache/kyuubi/pull/4266#discussion_r1100968854


##########
.github/workflows/dep.yml:
##########
@@ -57,3 +58,7 @@ jobs:
           -pl kyuubi-ctl,kyuubi-server,kyuubi-assembly -am
       - name: Check dependency list
         run: build/dependency.sh
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v3
+        with:
+          fail-on-severity: low

Review Comment:
   The risk for a vulnerability is determined by the CVSS score. If you go to check Maven Central or NVD, it's common to see an artifact with some low-level vulnerabilities. I guess it is not practical for us to add such a critical rule that blocks PRs frequently.



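The `fail-on-severity` discussion in the review comments above (keeping `low`, moving to `moderate`, and the point that severity follows the CVSS score) modelled as an added example; this is not code from the Kyuubi project or from actions/dependency-review-action. It assumes the CVSS v3 qualitative scale for mapping scores onto the action's four severity labels, and the advisories are constructed sample data with placeholder ids.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Severity labels accepted by the action's `fail-on-severity` input, lowest first.
SEVERITY_ORDER = ("low", "moderate", "high", "critical")

def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3 base score to a qualitative label.

    Assumed scale (CVSS v3.x qualitative ratings, as used by GitHub advisories):
    0.1-3.9 low, 4.0-6.9 moderate, 7.0-8.9 high, 9.0-10.0 critical; a 0.0
    ("None" in CVSS) is folded into "low" so it is still reported.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "moderate" if score >= 4.0 else "low"

@dataclass(frozen=True)
class Advisory:
    """One advisory against a dependency the PR adds (constructed sample data)."""
    package: str      # Maven coordinate introduced by the PR
    advisory_id: str  # placeholder id, not a real GHSA/CVE identifier
    cvss: float       # CVSS v3 base score

def blocking_advisories(advisories: Iterable[Advisory], fail_on_severity: str) -> List[Advisory]:
    """Advisories that fail the check at `fail_on_severity`: an advisory blocks when
    its severity is at or above the threshold, so `low` blocks on every finding
    while `moderate` lets CVSS < 4.0 findings through."""
    if fail_on_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {fail_on_severity!r}")
    threshold = SEVERITY_ORDER.index(fail_on_severity)
    return [a for a in advisories
            if SEVERITY_ORDER.index(cvss_to_severity(a.cvss)) >= threshold]

def review_passes(advisories: Iterable[Advisory], fail_on_severity: str) -> bool:
    """True when the Dependency Review step would let the PR through."""
    return not blocking_advisories(advisories, fail_on_severity)

# Constructed sample: three newly added artifacts, one advisory each.
SAMPLE_ADVISORIES = [
    Advisory("org.example:lib-a", "EXAMPLE-0001", 3.1),  # low
    Advisory("org.example:lib-b", "EXAMPLE-0002", 5.3),  # moderate
    Advisory("org.example:lib-c", "EXAMPLE-0003", 9.8),  # critical
]

if __name__ == "__main__":
    for level in SEVERITY_ORDER:
        blocked = [a.package for a in blocking_advisories(SAMPLE_ADVISORIES, level)]
        print(f"fail-on-severity={level:<8} passes={review_passes(SAMPLE_ADVISORIES, level)} blocked={blocked}")
```

Running it shows the trade-off the reviewers weighed: at `low` every sample artifact blocks the PR, while `moderate` still stops the 5.3 and 9.8 findings but lets the 3.1 one through.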


[GitHub] [kyuubi] bowenliang123 closed pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 closed pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies
URL: https://github.com/apache/kyuubi/pull/4266




[GitHub] [kyuubi] bowenliang123 commented on pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on PR #4266:
URL: https://github.com/apache/kyuubi/pull/4266#issuecomment-1423693697

   Thanks, merged to master.




[GitHub] [kyuubi] bowenliang123 commented on a diff in pull request #4266: [INFRA] Add Dependency Review step to prevent introducing vulnerable dependencies

Posted by "bowenliang123 (via GitHub)" <gi...@apache.org>.
bowenliang123 commented on code in PR #4266:
URL: https://github.com/apache/kyuubi/pull/4266#discussion_r1100946315


##########
.github/workflows/dep.yml:
##########
@@ -25,6 +25,7 @@ on:
     paths:
       # dependency check happens only pom changes
       - '**/pom.xml'
+      - '.github/workflows/dep.yml'

Review Comment:
   `dep.yml` is designed to check and verify dependencies; although it doesn't bring changes in dependencies, I think it's good to leave it in paths. As for this PR, this is added to trigger the Dependency Check job.


