Posted to dev@eventmesh.apache.org by GitBox <gi...@apache.org> on 2022/05/05 07:59:13 UTC

[GitHub] [incubator-eventmesh] misselvexu opened a new pull request, #849: upgrade spring libs & jackson-databind's version to fix CVE issues

misselvexu opened a new pull request, #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849

   
   ### Contribution Checklist
   
   Fixes ISSUE #822.
   Fixes ISSUE #823.
   
   ### Motivation
   
   - Upgrade `spring libs` because the current version brings in jars with CVEs.
   - Upgrade `jackson-databind` because the current version brings in CVEs.
   
   
   
   ### Modifications
   
   Edit `build.gradle` file.
   
   ```
   // Jackson Dependency
   dependency "com.fasterxml.jackson.core:jackson-databind:2.13.0"
   dependency "com.fasterxml.jackson.core:jackson-core:2.13.0"
   dependency "com.fasterxml.jackson.core:jackson-annotations:2.13.0"
   
   // Spring Boot Web Dependency
   dependency "org.springframework.boot:spring-boot-starter-web:2.6.7"
   ```
   
   
   
   ### Documentation
   
   none.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@eventmesh.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@eventmesh.apache.org
For additional commands, e-mail: dev-help@eventmesh.apache.org


[GitHub] [incubator-eventmesh] ruanwenjun commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
ruanwenjun commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866748594


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar
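Review bot: the `-snakeyaml-1.23.jar` / `+snakeyaml-1.23.jar` pair is only a trailing-newline fix (see the `\ No newline at end of file` marker), so the one substantive change in this hunk is the added entry `spring-boot-starter-web-2.6.7.jar`. A Spring Boot starter is an aggregator whose purpose is the libraries it pulls in transitively, so if this list is compared against the jars actually shipped in the distribution, listing the starter alone is either incomplete (its transitive jars would need entries too) or, when the module that depends on it is not packaged, an entry with no matching jar, which is the failing-check case the discussion below identifies. Either drop the entry from this PR or list the full set of shipped jars once the module is packaged.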

Review Comment:
   Currently, the check-license script only checks the third-party libs in the distribution. If we don't add the example module to the distribution, we can't add `spring-boot-starter-web-2.6.7.jar` to this file, otherwise the license check will fail.



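The license-check behaviour ruanwenjun describes above, as an added example that is not the project's own script: an assumed Python reimplementation that compares the jars shipped in a distribution against a `known-dependencies.txt` in the one-jar-per-line format of the hunk. The file contents and the distribution jar list are constructed samples, and the two-way comparison (a listed jar that is not shipped also fails) is an assumption modelled on the comment that adding `spring-boot-starter-web-2.6.7.jar` without packaging the example module makes the check fail.

```python
from __future__ import annotations

from typing import Iterable

# Constructed sample of known-dependencies.txt: one jar file name per line,
# the format shown in the hunk. It already contains the starter jar that the
# PR adds, while the constructed distribution below does not ship it.
KNOWN_DEPENDENCIES_TXT = """\
httpcore-nio-4.4.6.jar
javassist-3.21.0-GA.jar
nacos-client-2.0.4.jar
reflections-0.9.11.jar
snakeyaml-1.23.jar
spring-boot-starter-web-2.6.7.jar
"""

# Constructed list of jars found in the distribution's lib directory
# (the example module that depends on spring-boot-starter-web is not packaged).
DIST_JARS = [
    "httpcore-nio-4.4.6.jar",
    "javassist-3.21.0-GA.jar",
    "nacos-client-2.0.4.jar",
    "reflections-0.9.11.jar",
    "snakeyaml-1.23.jar",
]


def parse_known_dependencies(text: str) -> set[str]:
    """Parse the one-jar-per-line list; blank lines and '#' comments are ignored."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def check_dependencies(known: set[str], dist_jars: Iterable[str]) -> dict[str, list[str]]:
    """Compare shipped jars with the known list in both directions (assumed semantics).

    'unlisted': shipped jars with no entry, i.e. jars whose license was never reviewed.
    'missing': entries with no shipped jar, the case this PR ran into.
    """
    shipped = set(dist_jars)
    return {"unlisted": sorted(shipped - known), "missing": sorted(known - shipped)}


def run_check(known_text: str, dist_jars: Iterable[str]) -> int:
    """Print every mismatch and return a process exit code (0 = check passed)."""
    result = check_dependencies(parse_known_dependencies(known_text), dist_jars)
    for jar in result["unlisted"]:
        print(f"FAIL: {jar} is shipped but not listed in known-dependencies.txt")
    for jar in result["missing"]:
        print(f"FAIL: {jar} is listed but not shipped in the distribution")
    return 1 if result["unlisted"] or result["missing"] else 0


if __name__ == "__main__":
    raise SystemExit(run_check(KNOWN_DEPENDENCIES_TXT, DIST_JARS))
```

With the constructed inputs the check fails on the starter entry alone; removing that single line from the known list makes it pass, which is the resolution the reviewers settled on.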

[GitHub] [incubator-eventmesh] misselvexu commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
misselvexu commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866672726


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   So? You decide.




[GitHub] [incubator-eventmesh] xwm1992 commented on pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
xwm1992 commented on PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#issuecomment-1119203150

   ![image](https://user-images.githubusercontent.com/13237619/167056104-2a1ad278-307c-4195-91b0-139e7d139bd6.png)
   Please update the upgraded dependency versions in these files.



[GitHub] [incubator-eventmesh] misselvexu commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
misselvexu commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866792910


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   Already removed temporarily.




[GitHub] [incubator-eventmesh] ruanwenjun commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
ruanwenjun commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866871237


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   In this PR, we don't need to add `spring-boot-starter-web-2.6.7.jar` to `known-dependencies.txt`. We can open another PR to add the example module into the distribution.




[GitHub] [incubator-eventmesh] misselvexu commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
misselvexu commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866748177


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   Got it, fixed.




[GitHub] [incubator-eventmesh] ruanwenjun commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
ruanwenjun commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866666012


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   Right now, the example module will not be packaged into the distribution, so we may not need to add the license of `spring-boot-starter-web-2.6.7`? Actually, I suggest we add the example into our distribution. cc @xwm1992




[GitHub] [incubator-eventmesh] misselvexu commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
misselvexu commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866873992


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   Okay. I will submit another PR to fix it.




[GitHub] [incubator-eventmesh] xwm1992 merged pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
xwm1992 merged PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849



[GitHub] [incubator-eventmesh] misselvexu commented on pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
misselvexu commented on PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#issuecomment-1119404630

   > ![image](https://user-images.githubusercontent.com/13237619/167056104-2a1ad278-307c-4195-91b0-139e7d139bd6.png) Please update the upgraded dependency versions in these files.
   
   Got it.



[GitHub] [incubator-eventmesh] xwm1992 commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
xwm1992 commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866742682


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   > Right now, the example module will not be packaged into the distribution, so we may not need to add the license of `spring-boot-starter-web-2.6.7`? Actually, I suggest we add the example into our distribution. cc @xwm1992
   
   Not only for the distribution: these modules are all uploaded to the Maven repository. https://mvnrepository.com/artifact/org.apache.eventmesh





[GitHub] [incubator-eventmesh] xwm1992 commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
xwm1992 commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866759942


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   > Currently, the check-license script only checks the third-party libs in the distribution. If we don't add the example module to the distribution, we can't add `spring-boot-starter-web-2.6.7.jar` to this file, otherwise the license check will fail.
   
   Ok, I get what you mean: we either only upgrade the `spring-boot-starter-web-2.6.7.jar` version and do not add it to the file `known-dependencies.txt`, or add the `example module` into the distribution? I prefer the former, not adding `spring-boot-starter-web-2.6.7.jar` to the file, because the `example` doesn't need to be used in distributions. @misselvexu @ruanwenjun what's your opinion?




[GitHub] [incubator-eventmesh] ruanwenjun commented on a diff in pull request #849: upgrade spring libs & jackson-databind's version to fix CVE issues

Posted by GitBox <gi...@apache.org>.
ruanwenjun commented on code in PR #849:
URL: https://github.com/apache/incubator-eventmesh/pull/849#discussion_r866874977


##########
tools/third-party-dependencies/known-dependencies.txt:
##########
@@ -130,4 +130,5 @@ httpcore-nio-4.4.6.jar
 javassist-3.21.0-GA.jar
 nacos-client-2.0.4.jar
 reflections-0.9.11.jar
-snakeyaml-1.23.jar
\ No newline at end of file
+snakeyaml-1.23.jar
+spring-boot-starter-web-2.6.7.jar

Review Comment:
   Before submitting the PR, you can discuss this in an issue or by mail; I am not sure if this is needed.


