Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/06/09 10:25:10 UTC

[GitHub] [pulsar] lhotari opened a new pull request #10869: [Security] Exclude and remove freebuilder dependency

lhotari opened a new pull request #10869:
URL: https://github.com/apache/pulsar/pull/10869


   ### Motivation
   
   [Freebuilder](https://github.com/inferred/FreeBuilder) is an annotation processor used in Bookkeeper's StorageClientSetting interface:
   
   https://github.com/apache/bookkeeper/blob/16e8ba772bb5cf4c7546fb559bd9d455d4e42625/stream/clients/java/base/src/main/java/org/apache/bookkeeper/clients/config/StorageClientSettings.java#L27-L33
   
   The annotation processor is only needed at compile time.
   
   The Freebuilder library gets flagged as a vulnerable library by Sonatype IQ. This causes the Pulsar distribution to be flagged as vulnerable since Freebuilder is a transitive dependency.
   
   ### Modifications
   
   Exclude the freebuilder library and replace the code that used shaded dependencies from the freebuilder library.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] aahmed-se commented on pull request #10869: [Security] Exclude and remove freebuilder dependency

Posted by GitBox <gi...@apache.org>.
aahmed-se commented on pull request #10869:
URL: https://github.com/apache/pulsar/pull/10869#issuecomment-860127014


   Approved





[GitHub] [pulsar] sijie merged pull request #10869: [Security] Exclude and remove freebuilder dependency

Posted by GitBox <gi...@apache.org>.
sijie merged pull request #10869:
URL: https://github.com/apache/pulsar/pull/10869


   

