Posted to notifications@linkis.apache.org by "pjfanning (via GitHub)" <gi...@apache.org> on 2023/02/26 14:13:41 UTC
[GitHub] [linkis] pjfanning opened a new pull request, #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
pjfanning opened a new pull request, #4274:
URL: https://github.com/apache/linkis/pull/4274
### What is the purpose of the change
upgrade snakeyaml due to cve
### Related issues/PRs
Related issues: #4273
### Brief change log
- pom change
### Checklist
- [x] I have read the [Contributing Guidelines on pull requests](https://github.com/facebook/docusaurus/blob/main/CONTRIBUTING.md#pull-requests).
- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [ ] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [ ] I have verified that this change is backward compatible (If not, please discuss on the [Linkis mailing list](https://linkis.apache.org/community/how-to-subscribe) first)
- [ ] **If this is a code change**: I have written unit tests to fully verify the new behavior.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@linkis.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@linkis.apache.org
For additional commands, e-mail: notifications-help@linkis.apache.org
[GitHub] [linkis] casionone commented on pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "casionone (via GitHub)" <gi...@apache.org>.
casionone commented on PR #4274:
URL: https://github.com/apache/linkis/pull/4274#issuecomment-1517979146
close with https://github.com/apache/linkis/pull/4469
[GitHub] [linkis] pjfanning commented on pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on PR #4274:
URL: https://github.com/apache/linkis/pull/4274#issuecomment-1445377841
Looks like we'll need to wait for spring framework to uptake snakeyaml 2.0.
```
2023-02-26T14:26:26.8919812Z [ERROR] org.apache.linkis.cs.persistence.dao.ContextKeyListenerMapperTest.removeAllTest Time elapsed: 0.005 s <<< ERROR!
2023-02-26T14:26:26.8920836Z java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method <init>()V not found
2023-02-26T14:26:26.8921920Z at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:74)
2023-02-26T14:26:26.8923110Z at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:69)
2023-02-26T14:26:26.8924160Z at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:162)
2023-02-26T14:26:26.8925214Z at org.springframework.boot.env.OriginTrackedYamlLoader.load(OriginTrackedYamlLoader.java:82)
2023-02-26T14:26:26.8926275Z at org.springframework.boot.env.YamlPropertySourceLoader.load(YamlPropertySourceLoader.java:50)
2023-02-26T14:26:26.8927440Z at org.springframework.boot.context.config.ConfigFileApplicationListener$Loader.loadDocuments(ConfigFileApplicationListener.java:632)
```
[GitHub] [linkis] peacewong commented on pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "peacewong (via GitHub)" <gi...@apache.org>.
peacewong commented on PR #4274:
URL: https://github.com/apache/linkis/pull/4274#issuecomment-1449519491
> @aiceflower the issue is that Linkis is using an old version of Spring
@pjfanning Thank you, the community has a plan to upgrade Spring Cloud, Spring Cloud Gateway and Spring. After the upgrade is completed, adjust Snakeyaml.
[GitHub] [linkis] pjfanning commented on pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on PR #4274:
URL: https://github.com/apache/linkis/pull/4274#issuecomment-1445508442
It looks like the upgrade needed for spring and spring-boot is significant - the snakeyaml code in the latest spring-boot classes looks like it is probably compatible with snakeyaml 2.0.
But upgrading spring and spring-boot will require a very large number of other jars to be updated (as well as dozens of spring jars themselves). Latest spring jars use jakarta dependencies instead of javax.
[GitHub] [linkis] pjfanning commented on pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on PR #4274:
URL: https://github.com/apache/linkis/pull/4274#issuecomment-1517986887
@casionone https://github.com/apache/linkis/pull/4469 appears to revert back to snakeyaml 1.x which is the opposite of what this issue is about
[GitHub] [linkis] pjfanning commented on pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "pjfanning (via GitHub)" <gi...@apache.org>.
pjfanning commented on PR #4274:
URL: https://github.com/apache/linkis/pull/4274#issuecomment-1446018858
@aiceflower the issue is that Linkis is using an old version of Spring
[GitHub] [linkis] casionone closed pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "casionone (via GitHub)" <gi...@apache.org>.
casionone closed pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
URL: https://github.com/apache/linkis/pull/4274
[GitHub] [linkis] aiceflower commented on pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "aiceflower (via GitHub)" <gi...@apache.org>.
aiceflower commented on PR #4274:
URL: https://github.com/apache/linkis/pull/4274#issuecomment-1445621101
Compilation seems not to pass, you can check the cause of the error.
[GitHub] [linkis] peacewong commented on pull request #4274: issue-4273: upgrade to snakeyaml 2.0 due to cve
Posted by "peacewong (via GitHub)" <gi...@apache.org>.
peacewong commented on PR #4274:
URL: https://github.com/apache/linkis/pull/4274#issuecomment-1445386659
Yes, or we need to check why the unit test is not compatible.