Posted to dev@skywalking.apache.org by Sheng Wu <wu...@apache.org> on 2020/05/20 12:51:23 UTC

[WARNING] Fastjson library has a continuous insecurity trend

Hi dev team

Especially committers and PMC members: recently, we just upgraded fastjson
through https://github.com/apache/skywalking/pull/4753. But today, we
received another report about a security issue,
https://github.com/apache/skywalking/pull/4804.
The 4804 PR is not correct, but that is not the point.

The concern I want to mention is that FastJson, imported by Nacos, keeps
reporting security issues. This breaks our stable/secure status very
frequently.

I want to ask: *do we need to consider removing the Nacos +
FastJSON dependency, given that this library is not of high quality from a
security perspective?*
These two are not required; they are just one implementation of the
configuration server and the cluster management server.

I'm not requesting action now, but I would like to hear what you think.

Sheng Wu 吴晟
Twitter, wusheng1108

Re: [WARNING] Fastjson library has a continuous insecurity trend

Posted by Sheng Wu <wu...@gmail.com>.
Ming Wen <we...@apache.org> wrote on Wed, May 20, 2020 at 9:49 PM:

> Security is very important for an open source project, so I agree to remove
> nacos + fastjson, which continue to have security vulnerabilities.
>
> Are other components of skywalking using fastjson?
>

Ming,
No core or skywalking's own code depends on Nacos or Fastjson.
They are just a plugin, but one included in skywalking's official release.

Sheng Wu 吴晟
Twitter, wusheng1108


>
>
>
> kezhenxu94 <ke...@163.com> wrote on Wed, May 20, 2020 at 9:25 PM:
>
> > I agree to remove the related modules; at least we can move them to our
> > SkyAPM org.
> >
> > kezhenxu94
> >
> > > On May 20, 2020, at 20:51, Sheng Wu <wu...@apache.org> wrote:
> > >
> > > Hi dev team
> > >
> > > Especially committers and PMC members: recently, we just upgraded
> > > fastjson through https://github.com/apache/skywalking/pull/4753. But
> > > today, we received another report about a security issue,
> > > https://github.com/apache/skywalking/pull/4804.
> > > The 4804 PR is not correct, but that is not the point.
> > >
> > > The concern I want to mention is that FastJson, imported by Nacos,
> > > keeps reporting security issues. This breaks our stable/secure status
> > > very frequently.
> > >
> > > I want to ask: *do we need to consider removing the Nacos +
> > > FastJSON dependency, given that this library is not of high quality
> > > from a security perspective?*
> > > These two are not required; they are just one implementation of the
> > > configuration server and the cluster management server.
> > >
> > > I'm not requesting action now, but I would like to hear what you
> > > think.
> > >
> > > Sheng Wu 吴晟
> > > Twitter, wusheng1108
> >
> >
> >
>

Re: [WARNING] Fastjson library has a continuous insecurity trend

Posted by Ming Wen <we...@apache.org>.
Security is very important for an open source project, so I agree to remove
nacos + fastjson, which continue to have security vulnerabilities.

Are other components of skywalking using fastjson?



kezhenxu94 <ke...@163.com> wrote on Wed, May 20, 2020 at 9:25 PM:

> I agree to remove the related modules; at least we can move them to our
> SkyAPM org.
>
> kezhenxu94
>
> > On May 20, 2020, at 20:51, Sheng Wu <wu...@apache.org> wrote:
> >
> > Hi dev team
> >
> > Especially committers and PMC members: recently, we just upgraded
> > fastjson through https://github.com/apache/skywalking/pull/4753. But
> > today, we received another report about a security issue,
> > https://github.com/apache/skywalking/pull/4804.
> > The 4804 PR is not correct, but that is not the point.
> >
> > The concern I want to mention is that FastJson, imported by Nacos, keeps
> > reporting security issues. This breaks our stable/secure status very
> > frequently.
> >
> > I want to ask: *do we need to consider removing the Nacos +
> > FastJSON dependency, given that this library is not of high quality
> > from a security perspective?*
> > These two are not required; they are just one implementation of the
> > configuration server and the cluster management server.
> >
> > I'm not requesting action now, but I would like to hear what you think.
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
>
>
>

Re: [WARNING] Fastjson library has a continuous insecurity trend

Posted by kezhenxu94 <ke...@163.com>.
I agree to remove the related modules; at least we can move them to our SkyAPM org.

kezhenxu94

> On May 20, 2020, at 20:51, Sheng Wu <wu...@apache.org> wrote:
> 
> Hi dev team
> 
> Especially committers and PMC members: recently, we just upgraded fastjson
> through https://github.com/apache/skywalking/pull/4753. But today, we
> received another report about a security issue,
> https://github.com/apache/skywalking/pull/4804.
> The 4804 PR is not correct, but that is not the point.
> 
> The concern I want to mention is that FastJson, imported by Nacos, keeps
> reporting security issues. This breaks our stable/secure status very
> frequently.
> 
> I want to ask: *do we need to consider removing the Nacos +
> FastJSON dependency, given that this library is not of high quality from a
> security perspective?*
> These two are not required; they are just one implementation of the
> configuration server and the cluster management server.
> 
> I'm not requesting action now, but I would like to hear what you think.
> 
> Sheng Wu 吴晟
> Twitter, wusheng1108



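Ming Wen's question above, whether other components use fastjson, and the `mvn dependency:tree` output Sheng Wu quotes in the next message are the practical check behind this thread: which module pulls the offending artifact in, and is that the only route? The script below is an added example, not SkyWalking's or Nacos's code. It parses the plain-text output of `mvn dependency:tree`, rebuilds each node's parent chain from the `+-`, `\-` and `|` drawing, and lists every path that ends at a banned groupId:artifactId. The embedded sample is a trimmed excerpt of the tree posted in this thread with the mail client's line wrapping undone (labelled as such in the code); the `BANNED` list and all function names are this example's own.

```python
"""Added example (not SkyWalking's or Nacos's code): find every path through a
Maven dependency tree that reaches a banned artifact.

It reads the plain-text output of `mvn dependency:tree`, rebuilds the parent
chain of every node from the `+- ` / `\\- ` / `|  ` drawing, and reports each
chain that ends at a banned groupId:artifactId.
"""
import re
from typing import Dict, List, Tuple

# Trimmed excerpt of the tree posted in this thread, with the mail client's
# line wrapping undone. The [WARNING] line is kept on purpose: real `mvn`
# output interleaves such lines and a parser has to skip them.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ apache-skywalking-apm-es7 ---
[WARNING] Failure to transfer org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml from https://repository.apache.org/snapshots
[INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
[INFO] +- org.apache.skywalking:server-starter-es7:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +- org.apache.skywalking:server-bootstrap:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +- org.apache.skywalking:cluster-nacos-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \- com.alibaba.nacos:nacos-client:jar:1.2.0:compile
[INFO] |  |  |     +- com.alibaba.nacos:nacos-common:jar:1.2.0:compile
[INFO] |  |  |     \- com.alibaba.nacos:nacos-api:jar:1.2.0:compile
[INFO] |  |  |        \- com.alibaba:fastjson:jar:1.2.58:compile
[INFO] |  |  \- org.apache.skywalking:configuration-nacos:jar:8.0.0-SNAPSHOT:compile
[INFO] |  \- com.google.guava:guava:jar:28.1-jre:compile
[INFO] \- junit:junit:jar:4.12:test
"""

INFO_PREFIX = "[INFO] "
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# Leading blocks of '|  ' or '   ' (three chars each), then the '+- ' or '\- '
# connector, then the coordinate token; trailing annotations such as
# "(version selected from constraint ...)" are left out by \S+.
NODE_RE = re.compile(r"^((?:[|\s]{3})*)[+\\]- (\S+)")


def parse_coord(token: str) -> Tuple[str, str, str]:
    """groupId:artifactId:type[:classifier]:version[:scope] -> (group, artifact, version)."""
    parts = token.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a Maven coordinate: {token!r}")
    version = parts[-2] if parts[-1] in SCOPES else parts[-1]
    return parts[0], parts[1], version


def parse_tree(output: str) -> List[Tuple[int, Tuple[str, str, str]]]:
    """(depth, coordinate) per node; depth 0 is the project whose tree this is."""
    nodes: List[Tuple[int, Tuple[str, str, str]]] = []
    for raw in output.splitlines():
        if not raw.startswith(INFO_PREFIX):
            continue  # [WARNING], Downloading..., etc. never carry tree nodes
        line = raw[len(INFO_PREFIX):]
        m = NODE_RE.match(line)
        if m:
            nodes.append((len(m.group(1)) // 3 + 1, parse_coord(m.group(2))))
        elif not nodes and " " not in line.strip() and line.count(":") >= 3:
            nodes.append((0, parse_coord(line.strip())))  # the root project line
    return nodes


def paths_to(output: str, group_id: str, artifact_id: str) -> List[List[str]]:
    """Every chain (direct dependency first, target last) that reaches group:artifact."""
    stack: List[str] = []
    hits: List[List[str]] = []
    for depth, (g, a, v) in parse_tree(output):
        del stack[depth:]            # pop back up to this node's parent
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group_id, artifact_id):
            hits.append(stack[1:])   # drop the project itself at depth 0
    return hits


def banned_report(output: str, banned: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Banned 'group:artifact' -> the arrow-joined paths that pull it in.
    An empty dict means the tree is clean; that is the CI gate condition."""
    report: Dict[str, List[str]] = {}
    for g, a in banned:
        routes = paths_to(output, g, a)
        if routes:
            report[f"{g}:{a}"] = [" -> ".join(route) for route in routes]
    return report


# Example ban list (this example's own choice): the two artifacts the posted
# tree shows at its oldest/most-discussed versions.
BANNED = [("com.alibaba", "fastjson"), ("org.codehaus.jackson", "jackson-mapper-asl")]

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    found = banned_report(text, BANNED)
    for name, routes in found.items():
        print(f"{name} is pulled in via:")
        for route in routes:
            print("  " + route)
    raise SystemExit(1 if found else 0)
```

Feed it real output with `mvn dependency:tree > tree.txt` and pipe the file into the script (saved as, say, banned_deps.py); an empty report is the pass condition, and the non-zero exit makes it usable as a CI gate. Two caveats a practitioner should keep in mind. First, the default tree prints each resolved artifact once, so a second route to the same artifact shows no subtree: in the posted tree `configuration-nacos` has no children although the thread says both the cluster and the configuration modules wrap Nacos. `mvn dependency:tree -Dincludes=com.alibaba:fastjson` restricts the output to the paths that reach fastjson and is the quicker way to answer the "only Nacos?" question. Second, for an enforced gate rather than a script, the maven-enforcer-plugin `bannedDependencies` rule with `<exclude>com.alibaba:fastjson</exclude>` fails the build on exactly this condition, transitive dependencies included.
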
Re: [WARNING] Fastjson library has a continuous insecurity trend

Posted by Sheng Wu <wu...@gmail.com>.
An update: the Nacos team gave a promise that they will remove the Fastjson
dependency to ease our concern.
I think we could wait for their progress until we begin to initiate our
8.0.0 release. If they can't finish it on time, we do the deletion.

Is everyone OK with this strategy?

Sheng Wu 吴晟
Twitter, wusheng1108


Sheng Wu <wu...@gmail.com> wrote on Thu, May 21, 2020 at 9:50 AM:

> I have submitted the issue to the Nacos team,
> https://github.com/alibaba/nacos/issues/2842
> to check: *does Nacos provide an alternative JSON library, rather than
> FastJSON, as a new option?*
>
> If the answer is negative, and our consensus is clear in preferring to
> remove the code, then it is time to make the decision.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> Sheng Wu <wu...@gmail.com> wrote on Thu, May 21, 2020 at 9:23 AM:
>
>> I just rechecked the dependency tree, and can confirm that fastjson is
>> imported by Nacos only. No other library depends on it.
>>
>> [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ apache-skywalking-apm-es7 ---
>> [WARNING] Failure to transfer org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml from https://repository.apache.org/snapshots was cached in the local repository, resolution will not be reattempted until the update interval of apache.snapshots has elapsed or updates are forced. Original error: Could not transfer metadata org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml from/to apache.snapshots (https://repository.apache.org/snapshots): Connect to repository.apache.org:443 [repository.apache.org/207.244.88.140] failed: Operation timed out
>> Downloading from apache.snapshots: https://repository.apache.org/snapshots/org/apache/skywalking/server-starter-es7/8.0.0-SNAPSHOT/server-starter-es7-8.0.0-SNAPSHOT.jar
>> [INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
>> [INFO] +- org.apache.skywalking:apm-agent:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  \- org.apache.skywalking:apm-agent-core:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |     +- org.apache.skywalking:apm-network:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |     |  +- io.grpc:grpc-netty:jar:1.26.0:compile
>> [INFO] |     |  |  +- io.netty:netty-codec-http2:jar:4.1.42.Final:compile (version selected from constraint [4.1.42.Final,4.1.42.Final])
>> [INFO] |     |  |  \- io.netty:netty-handler-proxy:jar:4.1.42.Final:compile
>> [INFO] |     |  |     \- io.netty:netty-codec-socks:jar:4.1.42.Final:compile
>> [INFO] |     |  +- io.grpc:grpc-protobuf:jar:1.26.0:compile
>> [INFO] |     |  |  +- io.grpc:grpc-api:jar:1.26.0:compile
>> [INFO] |     |  |  |  \- io.grpc:grpc-context:jar:1.26.0:compile
>> [INFO] |     |  |  +- com.google.protobuf:protobuf-java:jar:3.11.0:compile
>> [INFO] |     |  |  +- com.google.api.grpc:proto-google-common-protos:jar:1.12.0:compile
>> [INFO] |     |  |  \- io.grpc:grpc-protobuf-lite:jar:1.26.0:compile
>> [INFO] |     |  +- io.grpc:grpc-stub:jar:1.26.0:compile
>> [INFO] |     |  \- io.netty:netty-tcnative-boringssl-static:jar:2.0.26.Final:compile
>> [INFO] |     +- org.apache.skywalking:apm-util:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |     +- net.bytebuddy:byte-buddy:jar:1.10.7:compile
>> [INFO] |     \- org.apache.skywalking:apm-datacarrier:jar:8.0.0-SNAPSHOT:compile
>> [INFO] +- org.apache.skywalking:server-starter-es7:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +- org.apache.skywalking:server-bootstrap:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:server-core:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- org.yaml:snakeyaml:jar:1.18:compile
>> [INFO] |  |  |  +- org.apache.skywalking:library-module:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- org.apache.skywalking:telemetry-api:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- org.apache.skywalking:configuration-api:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- org.apache.skywalking:library-util:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  |  +- joda-time:joda-time:jar:2.10.5:compile
>> [INFO] |  |  |  |  \- com.google.protobuf:protobuf-java-util:jar:3.11.4:compile
>> [INFO] |  |  |  +- org.apache.skywalking:library-client:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  |  +- com.zaxxer:HikariCP:jar:3.1.0:compile
>> [INFO] |  |  |  |  +- commons-dbcp:commons-dbcp:jar:1.4:compile
>> [INFO] |  |  |  |  |  \- commons-pool:commons-pool:jar:1.5.4:compile
>> [INFO] |  |  |  |  +- org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  +- org.elasticsearch:elasticsearch:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +- org.elasticsearch:elasticsearch-core:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +- org.elasticsearch:elasticsearch-secure-sm:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +- org.elasticsearch:elasticsearch-x-content:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-smile:jar:2.8.10:compile
>> [INFO] |  |  |  |  |  |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.10:compile
>> [INFO] |  |  |  |  |  |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.8.10:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-core:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-analyzers-common:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-backward-codecs:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-grouping:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-highlighter:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-join:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-memory:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-misc:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-queries:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-queryparser:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-sandbox:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-spatial:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-spatial-extras:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-spatial3d:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-suggest:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +- org.elasticsearch:elasticsearch-cli:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +- com.carrotsearch:hppc:jar:0.7.1:compile
>> [INFO] |  |  |  |  |  |  +- com.tdunning:t-digest:jar:3.2:compile
>> [INFO] |  |  |  |  |  |  \- org.elasticsearch:jna:jar:4.5.1:compile
>> [INFO] |  |  |  |  |  +- org.elasticsearch.client:elasticsearch-rest-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +- org.apache.httpcomponents:httpasyncclient:jar:4.1.2:compile
>> [INFO] |  |  |  |  |  |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.5:compile
>> [INFO] |  |  |  |  |  +- org.elasticsearch.plugin:parent-join-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  +- org.elasticsearch.plugin:aggs-matrix-stats-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  \- org.elasticsearch.plugin:rank-eval-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
>> [INFO] |  |  |  +- org.apache.skywalking:library-server:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  |  +- org.eclipse.jetty:jetty-server:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |  |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
>> [INFO] |  |  |  |  |  +- org.eclipse.jetty:jetty-http:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |  |  |  \- org.eclipse.jetty:jetty-util:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |  |  \- org.eclipse.jetty:jetty-io:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |  \- org.eclipse.jetty:jetty-servlet:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |     \- org.eclipse.jetty:jetty-security:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  \- org.javassist:javassist:jar:3.25.0-GA:compile
>> [INFO] |  |  +- org.apache.skywalking:oal-rt:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- org.apache.skywalking:oal-grammar:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- org.antlr:antlr4-runtime:jar:4.7.1:compile
>> [INFO] |  |  |  +- org.freemarker:freemarker:jar:2.3.28:compile
>> [INFO] |  |  |  \- commons-io:commons-io:jar:2.6:compile
>> [INFO] |  |  +- org.apache.skywalking:cluster-standalone-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:cluster-zookeeper-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- org.apache.curator:curator-x-discovery:jar:4.0.1:compile
>> [INFO] |  |  |     +- org.apache.curator:curator-recipes:jar:4.0.1:compile
>> [INFO] |  |  |     |  \- org.apache.curator:curator-framework:jar:4.0.1:compile
>> [INFO] |  |  |     |     \- org.apache.curator:curator-client:jar:4.0.1:compile
>> [INFO] |  |  |     |        \- org.apache.zookeeper:zookeeper:jar:3.5.3-beta:compile
>> [INFO] |  |  |     |           +- commons-cli:commons-cli:jar:1.2:compile
>> [INFO] |  |  |     |           +- log4j:log4j:jar:1.2.17:compile
>> [INFO] |  |  |     |           \- io.netty:netty:jar:3.10.5.Final:compile
>> [INFO] |  |  |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
>> [INFO] |  |  |        \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
>> [INFO] |  |  +- org.apache.skywalking:cluster-kubernetes-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- io.kubernetes:client-java:jar:4.0.0:compile
>> [INFO] |  |  |     +- io.kubernetes:client-java-api:jar:4.0.0:compile
>> [INFO] |  |  |     |  +- io.sundr:builder-annotations:jar:0.9.2:compile
>> [INFO] |  |  |     |  |  +- io.sundr:sundr-core:jar:0.9.2:compile
>> [INFO] |  |  |     |  |  +- io.sundr:sundr-codegen:jar:0.9.2:compile
>> [INFO] |  |  |     |  |  \- io.sundr:resourcecify-annotations:jar:0.9.2:compile
>> [INFO] |  |  |     |  +- io.swagger:swagger-annotations:jar:1.5.12:compile
>> [INFO] |  |  |     |  +- com.squareup.okhttp:okhttp:jar:2.7.5:compile
>> [INFO] |  |  |     |  +- com.squareup.okhttp:logging-interceptor:jar:2.7.5:compile
>> [INFO] |  |  |     |  \- org.joda:joda-convert:jar:1.2:compile
>> [INFO] |  |  |     +- io.kubernetes:client-java-proto:jar:4.0.0:compile
>> [INFO] |  |  |     +- org.apache.commons:commons-compress:jar:1.18:compile
>> [INFO] |  |  |     +- org.apache.commons:commons-lang3:jar:3.7:compile
>> [INFO] |  |  |     +- com.squareup.okhttp:okhttp-ws:jar:2.7.5:compile
>> [INFO] |  |  |     +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.59:compile
>> [INFO] |  |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.59:compile
>> [INFO] |  |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
>> [INFO] |  |  +- org.apache.skywalking:cluster-consul-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.orbitz.consul:consul-client:jar:1.2.6:compile
>> [INFO] |  |  |     +- com.squareup.retrofit2:retrofit:jar:2.3.0:compile
>> [INFO] |  |  |     +- com.squareup.retrofit2:converter-jackson:jar:2.3.0:compile
>> [INFO] |  |  |     +- com.squareup.okhttp3:okhttp:jar:3.9.0:compile
>> [INFO] |  |  |     |  \- com.squareup.okio:okio:jar:1.13.0:compile
>> [INFO] |  |  |     +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.5:compile
>> [INFO] |  |  |     \- com.fasterxml.jackson.datatype:jackson-datatype-guava:jar:2.9.5:compile
>> [INFO] |  |  +- org.apache.skywalking:cluster-nacos-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.alibaba.nacos:nacos-client:jar:1.2.0:compile
>> [INFO] |  |  |     +- com.alibaba.nacos:nacos-common:jar:1.2.0:compile
>> [INFO] |  |  |     \- com.alibaba.nacos:nacos-api:jar:1.2.0:compile
>> [INFO] |  |  |        \- com.alibaba:fastjson:jar:1.2.58:compile
>> [INFO] |  |  +- org.apache.skywalking:cluster-etcd-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- io.netty:netty-codec-dns:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  +- io.netty:netty-common:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  +- io.netty:netty-buffer:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  +- io.netty:netty-transport:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  \- io.netty:netty-codec:jar:4.1.42.Final:compile
>> [INFO] |  |  |  +- io.netty:netty-codec-http:jar:4.1.42.Final:compile
>> [INFO] |  |  |  +- io.netty:netty-handler:jar:4.1.42.Final:compile
>> [INFO] |  |  |  +- io.netty:netty-resolver-dns:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  \- io.netty:netty-resolver:jar:4.1.42.Final:compile
>> [INFO] |  |  |  +- org.mousio:etcd4j:jar:2.17.0:compile
>> [INFO] |  |  |  |  \- com.github.wnameless:json-flattener:jar:0.6.0:compile
>> [INFO] |  |  |  |     +- com.eclipsesource.minimal-json:minimal-json:jar:0.9.5:compile
>> [INFO] |  |  |  |     \- org.apache.commons:commons-text:jar:1.4:compile
>> [INFO] |  |  |  \- com.fasterxml.jackson.module:jackson-module-afterburner:jar:2.9.5:compile
>> [INFO] |  |  +- org.apache.skywalking:skywalking-mesh-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- org.apache.skywalking:skywalking-sharing-server-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:skywalking-istio-telemetry-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- org.apache.skywalking:receiver-proto:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:skywalking-management-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:skywalking-jvm-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:skywalking-trace-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:envoy-metrics-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:skywalking-clr-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:skywalking-so11y-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INF
>> [INFO] |  |  +- org.apache.skywalking:skywalking-profile-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:prometheus-fetcher-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:storage-jdbc-hikaricp-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.h2database:h2:jar:1.4.196:compile
>> [INFO] |  |  +- org.apache.skywalking:storage-influxdb-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- org.influxdb:influxdb-java:jar:2.15:compile
>> [INFO] |  |  |     +- com.squareup.retrofit2:converter-moshi:jar:2.5.0:compile
>> [INFO] |  |  |     |  \- com.squareup.moshi:moshi:jar:1.5.0:compile
>> [INFO] |  |  |     +- org.msgpack:msgpack-core:jar:0.8.16:compile
>> [INFO] |  |  |     \- com.squareup.okhttp3:logging-interceptor:jar:3.13.1:compile
>> [INFO] |  |  +- org.apache.skywalking:query-graphql-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- com.graphql-java:graphql-java:jar:8.0:compile
>> [INFO] |  |  |  |  +- com.graphql-java:java-dataloader:jar:2.0.2:compile
>> [INFO] |  |  |  |  \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
>> [INFO] |  |  |  \- com.graphql-java:graphql-java-tools:jar:5.2.3:compile
>> [INFO] |  |  |     +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.1.60:compile
>> [INFO] |  |  |     |  \- org.jetbrains:annotations:jar:13.0:compile
>> [INFO] |  |  |     +- com.fasterxml.jackson.module:jackson-module-kotlin:jar:2.8.8:compile
>> [INFO] |  |  |     |  \- org.jetbrains.kotlin:kotlin-reflect:jar:1.1.1:compile
>> [INFO] |  |  |     \- com.esotericsoftware:reflectasm:jar:1.11.7:compile
>> [INFO] |  |  +- org.apache.skywalking:server-alarm-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:telemetry-prometheus:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- io.prometheus:simpleclient:jar:0.6.0:compile
>> [INFO] |  |  |  +- io.prometheus:simpleclient_hotspot:jar:0.6.0:compile
>> [INFO] |  |  |  \- io.prometheus:simpleclient_httpserver:jar:0.6.0:compile
>> [INFO] |  |  |     \- io.prometheus:simpleclient_common:jar:0.6.0:compile
>> [INFO] |  |  +- org.apache.skywalking:telemetry-so11y:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:exporter:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:grpc-configuration-sync:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- io.grpc:grpc-core:jar:1.26.0:compile
>> [INFO] |  |  |     +- io.perfmark:perfmark-api:jar:0.19.0:compile
>> [INFO] |  |  |     +- io.opencensus:opencensus-api:jar:0.24.0:compile
>> [INFO] |  |  |     \- io.opencensus:opencensus-contrib-grpc-metrics:jar:0.24.0:compile
>> [INFO] |  |  +- org.apache.skywalking:configuration-apollo:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.ctrip.framework.apollo:apollo-client:jar:1.4.0:compile
>> [INFO] |  |  |     +- com.ctrip.framework.apollo:apollo-core:jar:1.4.0:compile
>> [INFO] |  |  |     \- com.google.inject:guice:jar:4.1.0:compile
>> [INFO] |  |  |        \- aopalliance:aopalliance:jar:1.0:compile
>> [INFO] |  |  +- org.apache.skywalking:configuration-nacos:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:configuration-zookeeper:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:configuration-etcd:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  \- org.apache.skywalking:configuration-consul:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +- org.apache.skywalking:storage-elasticsearch7-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  \- org.apache.skywalking:storage-elasticsearch-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +- org.apache.skywalking:tool-profile-snapshot-exporter-es7:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  \- org.apache.skywalking:tool-profile-snapshot-bootstrap:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |     \- org.apache.skywalking:tool-profile-snapshot-server-mock:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
>> [INFO] |  +- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
>> [INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.9.0:compile
>> [INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.9.0:compile
>> [INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.9.0:compile
>> [INFO] |  \- com.google.guava:guava:jar:28.1-jre:compile
>> [INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:compile
>> [INFO] |     +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
>> [INFO] |     +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
>> [INFO] |     +- org.checkerframework:checker-qual:jar:2.8.1:compile
>> [INFO] |     +- com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
>> [INFO] |     \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.18:compile
>> [INFO] +- org.apache.skywalking:apm-webapp:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  +- org.springframework.boot:spring-boot:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
>> [INFO] |  |  |  \- org.springframework:spring-core:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.29:compile
>> [INFO] |  |  |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.29:compile
>> [INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.29:compile
>> [INFO] |  |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.29:compile
>> [INFO] |  |  +- org.hibernate:hibernate-validator:jar:5.3.6.Final:compile
>> [INFO] |  |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
>> [INFO] |  |  |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
>> [INFO] |  |  |  \- com.fasterxml:classmate:jar:1.3.1:compile
>> [INFO] |  |  +- org.springframework:spring-web:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  |  +- org.springframework:spring-aop:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  |  +- org.springframework:spring-beans:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  |  \- org.springframework:spring-context:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  \- org.springframework:spring-webmvc:jar:4.3.15.RELEASE:compile
>> [INFO] |  |     \- org.springframework:spring-expression:jar:4.3.15.RELEASE:compile
>> [INFO] |  +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  \- org.springframework.boot:spring-boot-actuator:jar:1.5.11.RELEASE:compile
>> [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile
>> [INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
>> [INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
>> [INFO] |  +- org.springframework.boot:spring-boot-configuration-processor:jar:1.5.11.RELEASE:compile
>> [INFO] |  +- com.google.code.gson:gson:jar:2.8.2:compile
>> [INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
>> [INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
>> [INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
>> [INFO] |  |  \- commons-codec:commons-codec:jar:1.9:compile
>> [INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-zuul:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  +- org.springframework.cloud:spring-cloud-starter:jar:1.3.1.RELEASE:compile
>> [INFO] |  |  |  +- org.springframework.cloud:spring-cloud-context:jar:1.3.1.RELEASE:compile
>> [INFO] |  |  |  |  \- org.springframework.security:spring-security-crypto:jar:4.2.3.RELEASE:compile
>> [INFO] |  |  |  +- org.springframework.cloud:spring-cloud-commons:jar:1.3.1.RELEASE:compile
>> [INFO] |  |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
>> [INFO] |  |  +- org.springframework.cloud:spring-cloud-starter-netflix-hystrix:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  |  +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  |  +- com.netflix.hystrix:hystrix-core:jar:1.5.12:compile
>> [INFO] |  |  |  |  \- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
>> [INFO] |  |  |  +- com.netflix.hystrix:hystrix-metrics-event-stream:jar:1.5.12:compile
>> [INFO] |  |  |  |  \- com.netflix.hystrix:hystrix-serialization:jar:1.5.12:runtime
>> [INFO] |  |  |  \- com.netflix.hystrix:hystrix-javanica:jar:1.5.12:compile
>> [INFO] |  |  |     +- org.ow2.asm:asm:jar:5.0.4:runtime
>> [INFO] |  |  |     \- org.aspectj:aspectjweaver:jar:1.8.6:compile
>> [INFO] |  |  +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  |  +- com.netflix.ribbon:ribbon:jar:2.2.4:compile
>> [INFO] |  |  |  |  +- com.netflix.ribbon:ribbon-transport:jar:2.2.4:runtime
>> [INFO] |  |  |  |  |  +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
>> [INFO] |  |  |  |  |  \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
>> [INFO] |  |  |  |  +- javax.inject:javax.inject:jar:1:compile
>> [INFO] |  |  |  |  \- io.reactivex:rxnetty:jar:0.4.9:runtime
>> [INFO] |  |  |  |     \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
>> [INFO] |  |  |  +- com.netflix.ribbon:ribbon-core:jar:2.2.4:compile
>> [INFO] |  |  |  |  \- commons-lang:commons-lang:jar:2.6:compile
>> [INFO] |  |  |  +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.4:compile
>> [INFO] |  |  |  |  +- commons-collections:commons-collections:jar:3.2.2:runtime
>> [INFO] |  |  |  |  +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
>> [INFO] |  |  |  |  |  \- com.sun.jersey:jersey-core:jar:1.19.1:runtime
>> [INFO] |  |  |  |  |     \- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
>> [INFO] |  |  |  |  \- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
>> [INFO] |  |  |  +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.4:compile
>> [INFO] |  |  |  |  \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
>> [INFO] |  |  |  \- io.reactivex:rxjava:jar:1.2.0:compile
>> [INFO] |  |  +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  |  +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
>> [INFO] |  |  |  \- commons-configuration:commons-configuration:jar:1.8:compile
>> [INFO] |  |  \- com.netflix.zuul:zuul-core:jar:1.3.0:compile
>> [INFO] |  |     +- com.netflix.servo:servo-core:jar:0.7.2:runtime
>> [INFO] |  |     |  \- com.google.code.findbugs:annotations:jar:2.0.0:runtime
>> [INFO] |  |     \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
>> [INFO] |  \- ch.qos.logback:logback-classic:jar:1.2.3:compile
>> [INFO] |     \- ch.qos.logback:logback-core:jar:1.2.3:compile
>> [INFO] +- junit:junit:jar:4.12:test
>> [INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
>> [INFO] +- org.mockito:mockito-all:jar:1.10.19:test
>> [INFO] +- org.powermock:powermock-module-junit4:jar:1.6.4:test
>> [INFO] |  \- org.powermock:powermock-module-junit4-common:jar:1.6.4:test
>> [INFO] |     +- org.powermock:powermock-core:jar:1.6.4:test
>> [INFO] |     \- org.powermock:powermock-reflect:jar:1.6.4:test
>> [INFO] +- org.powermock:powermock-api-mockito:jar:1.6.4:test
>> [INFO] |  +- org.mockito:mockito-core:jar:1.10.19:test
>> [INFO] |  |  \- org.objenesis:objenesis:jar:2.1:test
>> [INFO] |  \- org.powermock:powermock-api-support:jar:1.6.4:test
>> [INFO] +- org.openjdk.jmh:jmh-core:jar:1.21:test
>> [INFO] |  +- net.sf.jopt-simple:jopt-simple:jar:4.6:compile
>> [INFO] |  \- org.apache.commons:commons-math3:jar:3.2:test
>> [INFO] +- org.projectlombok:lombok:jar:1.18.10:provided
>> [INFO] \- javax.annotation:javax.annotation-api:jar:1.3.2:provided
>> [INFO]
>> ------------------------------------------------------------------------
>>
>> Sheng Wu 吴晟
>> Twitter, wusheng1108
>>
>>

Re: [WARNING] Fastjson library has a continuously insecurity trend

Posted by Sheng Wu <wu...@gmail.com>.
I have submitted the issue to the Nacos team,
https://github.com/alibaba/nacos/issues/2842,
to check: *Does Nacos provide an alternative JSON library, rather than
FastJSON, as a new option?*

If the answer is negative, and our consensus is clear, preferring to remove
the codes, then it is time to make the decision.

Sheng Wu 吴晟
Twitter, wusheng1108


Sheng Wu <wu...@gmail.com> wrote on Thursday, 21 May 2020 at 9:23 AM:

> I just rechecked the dependency tree, and can confirm that fastjson is
> imported by Nacos only. No other library depends on it.
>
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
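The check discussed in this thread, reading `mvn dependency:tree` output to confirm that fastjson is reached only through nacos-api, as a small script. This is an added example, not SkyWalking project code; the tree it parses is a constructed cut-down of the one posted here, keeping the line folding a mail client applies to long lines so the script shows how to cope with it.

```python
"""Trace how an artifact enters a Maven build from `mvn dependency:tree` output.

Added example (not SkyWalking project code): answers "who imports this?" for a
group:artifact such as com.alibaba:fastjson by reconstructing every parent chain,
and tolerates mail-client folding of long "[INFO] |  +- g:a:jar:v:scope" lines.
"""
import re
from typing import List, Set, Tuple

# One tree level is drawn as "|  " or "   "; the node itself is introduced by
# "+- " (more siblings follow) or "\- " (last child), then the coordinate.
_MARKER = re.compile(r"^(?P<indent>(?:\|  |   )*)(?:\+-|\\-) (?P<coord>\S+)")


def unwrap_tree(raw: str) -> List[str]:
    """Re-join folded lines: anything that does not start a new Maven log record
    is a continuation of the previous line (the coordinate itself, or a
    "(version selected from constraint ...)" tail)."""
    joined: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line.startswith(("[", "Downloading", "Downloaded")) or not joined:
            joined.append(line.rstrip())
        else:
            joined[-1] = joined[-1].rstrip() + " " + line.strip()
    return joined


def parse_tree(raw: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs; depth 0 is the project's own POM."""
    nodes: List[Tuple[int, str]] = []
    for line in unwrap_tree(raw):
        if not line.startswith("[INFO] "):
            continue                                # [WARNING], download noise
        body = line[len("[INFO] "):]
        if body.startswith("---"):
            continue                                # plugin banner / separator
        m = _MARKER.match(body)
        if m:
            depth, coord = len(m.group("indent")) // 3 + 1, m.group("coord")
        else:
            depth, coord = 0, body.split()[0]       # root line has no marker
        if coord.count(":") < 3:                    # not group:artifact:type:...
            continue
        nodes.append((depth, coord))
    return nodes


def dependency_paths(raw: str, needle: str) -> List[List[str]]:
    """Every root-to-node chain ending in a coordinate whose group:artifact is
    exactly `needle` (e.g. "com.alibaba:fastjson"); the trailing ":" guard keeps
    "cluster-nacos" from matching "cluster-nacos-plugin"."""
    paths: List[List[str]] = []
    stack: List[str] = []       # stack[i] is the node at depth i on the current branch
    for depth, coord in parse_tree(raw):
        del stack[depth:]
        stack.append(coord)
        if coord.startswith(needle + ":"):
            paths.append(list(stack))
    return paths


def importers(raw: str, needle: str) -> Set[str]:
    """The immediate parents that pull `needle` in: what to drop or exclude."""
    return {path[-2] for path in dependency_paths(raw, needle) if len(path) > 1}


# Constructed sample: a cut-down tree in the shape of the one posted in this
# thread, with two coordinates folded onto the next line as the mail client did.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ apache-skywalking-apm-es7 ---
[WARNING] Failure to transfer some-metadata.xml from https://repository.apache.org/snapshots
was cached in the local repository (constructed placeholder warning)
[INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
[INFO] +- org.apache.skywalking:apm-agent:jar:8.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.skywalking:apm-agent-core:jar:8.0.0-SNAPSHOT:compile
[INFO] |     +- io.grpc:grpc-netty:jar:1.26.0:compile
[INFO] |     |  \- io.netty:netty-codec-http2:jar:4.1.42.Final:compile
(version selected from constraint [4.1.42.Final,4.1.42.Final])
[INFO] |     \- net.bytebuddy:byte-buddy:jar:1.10.7:compile
[INFO] +-
org.apache.skywalking:server-starter-es7:jar:8.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.skywalking:server-bootstrap:jar:8.0.0-SNAPSHOT:compile
[INFO] |     +- org.apache.skywalking:cluster-consul-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |     |  \- com.orbitz.consul:consul-client:jar:1.2.6:compile
[INFO] |     +-
org.apache.skywalking:cluster-nacos-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |     |  \- com.alibaba.nacos:nacos-client:jar:1.2.0:compile
[INFO] |     |     +- com.alibaba.nacos:nacos-common:jar:1.2.0:compile
[INFO] |     |     \- com.alibaba.nacos:nacos-api:jar:1.2.0:compile
[INFO] |     |        \- com.alibaba:fastjson:jar:1.2.58:compile
[INFO] |     \- org.apache.skywalking:configuration-nacos:jar:8.0.0-SNAPSHOT:compile
[INFO] \- com.google.code.gson:gson:jar:2.8.2:compile
[INFO] ------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for path in dependency_paths(SAMPLE_TREE, "com.alibaba:fastjson"):
        print(" -> ".join(c.split(":")[1] for c in path))
    print("imported by:", sorted(importers(SAMPLE_TREE, "com.alibaba:fastjson")))
```

On a real build the same functions take the saved output of `mvn dependency:tree` and list every module that would have to go (or carry an exclusion) before the artifact disappears from the release.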

Re: [WARNING] Fastjson library has a continuously insecurity trend

Posted by Sheng Wu <wu...@gmail.com>.
I just rechecked the dependency tree, and can confirm that fastjson is
imported by Nacos only. No other library depends on it.

[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ apache-skywalking-apm-es7 ---
[WARNING] Failure to transfer org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml from https://repository.apache.org/snapshots was cached in the local repository, resolution will not be reattempted until the update interval of apache.snapshots has elapsed or updates are forced. Original error: Could not transfer metadata org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml from/to apache.snapshots (https://repository.apache.org/snapshots): Connect to repository.apache.org:443 [repository.apache.org/207.244.88.140] failed: Operation timed out
Downloading from apache.snapshots: https://repository.apache.org/snapshots/org/apache/skywalking/server-starter-es7/8.0.0-SNAPSHOT/server-starter-es7-8.0.0-SNAPSHOT.jar
[INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
[INFO] +- org.apache.skywalking:apm-agent:jar:8.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.skywalking:apm-agent-core:jar:8.0.0-SNAPSHOT:compile
[INFO] |     +- org.apache.skywalking:apm-network:jar:8.0.0-SNAPSHOT:compile
[INFO] |     |  +- io.grpc:grpc-netty:jar:1.26.0:compile
[INFO] |     |  |  +- io.netty:netty-codec-http2:jar:4.1.42.Final:compile (version selected from constraint [4.1.42.Final,4.1.42.Final])
[INFO] |     |  |  \- io.netty:netty-handler-proxy:jar:4.1.42.Final:compile
[INFO] |     |  |     \- io.netty:netty-codec-socks:jar:4.1.42.Final:compile
[INFO] |     |  +- io.grpc:grpc-protobuf:jar:1.26.0:compile
[INFO] |     |  |  +- io.grpc:grpc-api:jar:1.26.0:compile
[INFO] |     |  |  |  \- io.grpc:grpc-context:jar:1.26.0:compile
[INFO] |     |  |  +- com.google.protobuf:protobuf-java:jar:3.11.0:compile
[INFO] |     |  |  +- com.google.api.grpc:proto-google-common-protos:jar:1.12.0:compile
[INFO] |     |  |  \- io.grpc:grpc-protobuf-lite:jar:1.26.0:compile
[INFO] |     |  +- io.grpc:grpc-stub:jar:1.26.0:compile
[INFO] |     |  \- io.netty:netty-tcnative-boringssl-static:jar:2.0.26.Final:compile
[INFO] |     +- org.apache.skywalking:apm-util:jar:8.0.0-SNAPSHOT:compile
[INFO] |     +- net.bytebuddy:byte-buddy:jar:1.10.7:compile
[INFO] |     \- org.apache.skywalking:apm-datacarrier:jar:8.0.0-SNAPSHOT:compile
[INFO] +- org.apache.skywalking:server-starter-es7:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +-
org.apache.skywalking:server-bootstrap:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +- org.apache.skywalking:server-core:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- org.yaml:snakeyaml:jar:1.18:compile
[INFO] |  |  |  +-
org.apache.skywalking:library-module:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +-
org.apache.skywalking:telemetry-api:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +-
org.apache.skywalking:configuration-api:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +-
org.apache.skywalking:library-util:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  |  +- joda-time:joda-time:jar:2.10.5:compile
[INFO] |  |  |  |  \-
com.google.protobuf:protobuf-java-util:jar:3.11.4:compile
[INFO] |  |  |  +-
org.apache.skywalking:library-client:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  |  +- com.zaxxer:HikariCP:jar:3.1.0:compile
[INFO] |  |  |  |  +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] |  |  |  |  |  \- commons-pool:commons-pool:jar:1.5.4:compile
[INFO] |  |  |  |  +-
org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:6.3.2:compile
[INFO] |  |  |  |  |  +- org.elasticsearch:elasticsearch:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  +-
org.elasticsearch:elasticsearch-core:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  +-
org.elasticsearch:elasticsearch-secure-sm:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  +-
org.elasticsearch:elasticsearch-x-content:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  |  +-
com.fasterxml.jackson.dataformat:jackson-dataformat-smile:jar:2.8.10:compile
[INFO] |  |  |  |  |  |  |  +-
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.10:compile
[INFO] |  |  |  |  |  |  |  \-
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.8.10:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-core:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-analyzers-common:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-backward-codecs:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-grouping:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-highlighter:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-join:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-memory:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-misc:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-queries:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-queryparser:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-sandbox:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-spatial:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-spatial-extras:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-spatial3d:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.apache.lucene:lucene-suggest:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +-
org.elasticsearch:elasticsearch-cli:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  +- com.carrotsearch:hppc:jar:0.7.1:compile
[INFO] |  |  |  |  |  |  +- com.tdunning:t-digest:jar:3.2:compile
[INFO] |  |  |  |  |  |  \- org.elasticsearch:jna:jar:4.5.1:compile
[INFO] |  |  |  |  |  +-
org.elasticsearch.client:elasticsearch-rest-client:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  +-
org.apache.httpcomponents:httpasyncclient:jar:4.1.2:compile
[INFO] |  |  |  |  |  |  \-
org.apache.httpcomponents:httpcore-nio:jar:4.4.5:compile
[INFO] |  |  |  |  |  +-
org.elasticsearch.plugin:parent-join-client:jar:6.3.2:compile
[INFO] |  |  |  |  |  +-
org.elasticsearch.plugin:aggs-matrix-stats-client:jar:6.3.2:compile
[INFO] |  |  |  |  |  \-
org.elasticsearch.plugin:rank-eval-client:jar:6.3.2:compile
[INFO] |  |  |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] |  |  |  +-
org.apache.skywalking:library-server:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  |  +-
org.eclipse.jetty:jetty-server:jar:9.4.28.v20200408:compile
[INFO] |  |  |  |  |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] |  |  |  |  |  +-
org.eclipse.jetty:jetty-http:jar:9.4.28.v20200408:compile
[INFO] |  |  |  |  |  |  \-
org.eclipse.jetty:jetty-util:jar:9.4.28.v20200408:compile
[INFO] |  |  |  |  |  \-
org.eclipse.jetty:jetty-io:jar:9.4.28.v20200408:compile
[INFO] |  |  |  |  \-
org.eclipse.jetty:jetty-servlet:jar:9.4.28.v20200408:compile
[INFO] |  |  |  |     \-
org.eclipse.jetty:jetty-security:jar:9.4.28.v20200408:compile
[INFO] |  |  |  \- org.javassist:javassist:jar:3.25.0-GA:compile
[INFO] |  |  +- org.apache.skywalking:oal-rt:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +-
org.apache.skywalking:oal-grammar:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- org.antlr:antlr4-runtime:jar:4.7.1:compile
[INFO] |  |  |  +- org.freemarker:freemarker:jar:2.3.28:compile
[INFO] |  |  |  \- commons-io:commons-io:jar:2.6:compile
[INFO] |  |  +-
org.apache.skywalking:cluster-standalone-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:cluster-zookeeper-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \- org.apache.curator:curator-x-discovery:jar:4.0.1:compile
[INFO] |  |  |     +- org.apache.curator:curator-recipes:jar:4.0.1:compile
[INFO] |  |  |     |  \-
org.apache.curator:curator-framework:jar:4.0.1:compile
[INFO] |  |  |     |     \-
org.apache.curator:curator-client:jar:4.0.1:compile
[INFO] |  |  |     |        \-
org.apache.zookeeper:zookeeper:jar:3.5.3-beta:compile
[INFO] |  |  |     |           +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  |  |     |           +- log4j:log4j:jar:1.2.17:compile
[INFO] |  |  |     |           \- io.netty:netty:jar:3.10.5.Final:compile
[INFO] |  |  |     \-
org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |  |        \-
org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  |  +-
org.apache.skywalking:cluster-kubernetes-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \- io.kubernetes:client-java:jar:4.0.0:compile
[INFO] |  |  |     +- io.kubernetes:client-java-api:jar:4.0.0:compile
[INFO] |  |  |     |  +- io.sundr:builder-annotations:jar:0.9.2:compile
[INFO] |  |  |     |  |  +- io.sundr:sundr-core:jar:0.9.2:compile
[INFO] |  |  |     |  |  +- io.sundr:sundr-codegen:jar:0.9.2:compile
[INFO] |  |  |     |  |  \-
io.sundr:resourcecify-annotations:jar:0.9.2:compile
[INFO] |  |  |     |  +- io.swagger:swagger-annotations:jar:1.5.12:compile
[INFO] |  |  |     |  +- com.squareup.okhttp:okhttp:jar:2.7.5:compile
[INFO] |  |  |     |  +-
com.squareup.okhttp:logging-interceptor:jar:2.7.5:compile
[INFO] |  |  |     |  \- org.joda:joda-convert:jar:1.2:compile
[INFO] |  |  |     +- io.kubernetes:client-java-proto:jar:4.0.0:compile
[INFO] |  |  |     +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] |  |  |     +- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] |  |  |     +- com.squareup.okhttp:okhttp-ws:jar:2.7.5:compile
[INFO] |  |  |     +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.59:compile
[INFO] |  |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.59:compile
[INFO] |  |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
[INFO] |  |  +-
org.apache.skywalking:cluster-consul-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \- com.orbitz.consul:consul-client:jar:1.2.6:compile
[INFO] |  |  |     +- com.squareup.retrofit2:retrofit:jar:2.3.0:compile
[INFO] |  |  |     +-
com.squareup.retrofit2:converter-jackson:jar:2.3.0:compile
[INFO] |  |  |     +- com.squareup.okhttp3:okhttp:jar:3.9.0:compile
[INFO] |  |  |     |  \- com.squareup.okio:okio:jar:1.13.0:compile
[INFO] |  |  |     +-
com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.5:compile
[INFO] |  |  |     \-
com.fasterxml.jackson.datatype:jackson-datatype-guava:jar:2.9.5:compile
[INFO] |  |  +-
org.apache.skywalking:cluster-nacos-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \- com.alibaba.nacos:nacos-client:jar:1.2.0:compile
[INFO] |  |  |     +- com.alibaba.nacos:nacos-common:jar:1.2.0:compile
[INFO] |  |  |     \- com.alibaba.nacos:nacos-api:jar:1.2.0:compile
[INFO] |  |  |        \- com.alibaba:fastjson:jar:1.2.58:compile
[INFO] |  |  +-
org.apache.skywalking:cluster-etcd-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- io.netty:netty-codec-dns:jar:4.1.42.Final:compile
[INFO] |  |  |  |  +- io.netty:netty-common:jar:4.1.42.Final:compile
[INFO] |  |  |  |  +- io.netty:netty-buffer:jar:4.1.42.Final:compile
[INFO] |  |  |  |  +- io.netty:netty-transport:jar:4.1.42.Final:compile
[INFO] |  |  |  |  \- io.netty:netty-codec:jar:4.1.42.Final:compile
[INFO] |  |  |  +- io.netty:netty-codec-http:jar:4.1.42.Final:compile
[INFO] |  |  |  +- io.netty:netty-handler:jar:4.1.42.Final:compile
[INFO] |  |  |  +- io.netty:netty-resolver-dns:jar:4.1.42.Final:compile
[INFO] |  |  |  |  \- io.netty:netty-resolver:jar:4.1.42.Final:compile
[INFO] |  |  |  +- org.mousio:etcd4j:jar:2.17.0:compile
[INFO] |  |  |  |  \- com.github.wnameless:json-flattener:jar:0.6.0:compile
[INFO] |  |  |  |     +-
com.eclipsesource.minimal-json:minimal-json:jar:0.9.5:compile
[INFO] |  |  |  |     \- org.apache.commons:commons-text:jar:1.4:compile
[INFO] |  |  |  \-
com.fasterxml.jackson.module:jackson-module-afterburner:jar:2.9.5:compile
[INFO] |  |  +-
org.apache.skywalking:skywalking-mesh-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \-
org.apache.skywalking:skywalking-sharing-server-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:skywalking-istio-telemetry-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \-
org.apache.skywalking:receiver-proto:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:skywalking-management-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:skywalking-jvm-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:skywalking-trace-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:envoy-metrics-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:skywalking-clr-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:skywalking-so11y-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:skywalking-profile-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:prometheus-fetcher-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:storage-jdbc-hikaricp-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \- com.h2database:h2:jar:1.4.196:compile
[INFO] |  |  +-
org.apache.skywalking:storage-influxdb-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \- org.influxdb:influxdb-java:jar:2.15:compile
[INFO] |  |  |     +-
com.squareup.retrofit2:converter-moshi:jar:2.5.0:compile
[INFO] |  |  |     |  \- com.squareup.moshi:moshi:jar:1.5.0:compile
[INFO] |  |  |     +- org.msgpack:msgpack-core:jar:0.8.16:compile
[INFO] |  |  |     \-
com.squareup.okhttp3:logging-interceptor:jar:3.13.1:compile
[INFO] |  |  +-
org.apache.skywalking:query-graphql-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- com.graphql-java:graphql-java:jar:8.0:compile
[INFO] |  |  |  |  +- com.graphql-java:java-dataloader:jar:2.0.2:compile
[INFO] |  |  |  |  \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] |  |  |  \- com.graphql-java:graphql-java-tools:jar:5.2.3:compile
[INFO] |  |  |     +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.1.60:compile
[INFO] |  |  |     |  \- org.jetbrains:annotations:jar:13.0:compile
[INFO] |  |  |     +-
com.fasterxml.jackson.module:jackson-module-kotlin:jar:2.8.8:compile
[INFO] |  |  |     |  \-
org.jetbrains.kotlin:kotlin-reflect:jar:1.1.1:compile
[INFO] |  |  |     \- com.esotericsoftware:reflectasm:jar:1.11.7:compile
[INFO] |  |  +-
org.apache.skywalking:server-alarm-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:telemetry-prometheus:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- io.prometheus:simpleclient:jar:0.6.0:compile
[INFO] |  |  |  +- io.prometheus:simpleclient_hotspot:jar:0.6.0:compile
[INFO] |  |  |  \- io.prometheus:simpleclient_httpserver:jar:0.6.0:compile
[INFO] |  |  |     \- io.prometheus:simpleclient_common:jar:0.6.0:compile
[INFO] |  |  +-
org.apache.skywalking:telemetry-so11y:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +- org.apache.skywalking:exporter:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:grpc-configuration-sync:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \- io.grpc:grpc-core:jar:1.26.0:compile
[INFO] |  |  |     +- io.perfmark:perfmark-api:jar:0.19.0:compile
[INFO] |  |  |     +- io.opencensus:opencensus-api:jar:0.24.0:compile
[INFO] |  |  |     \-
io.opencensus:opencensus-contrib-grpc-metrics:jar:0.24.0:compile
[INFO] |  |  +-
org.apache.skywalking:configuration-apollo:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \-
com.ctrip.framework.apollo:apollo-client:jar:1.4.0:compile
[INFO] |  |  |     +-
com.ctrip.framework.apollo:apollo-core:jar:1.4.0:compile
[INFO] |  |  |     \- com.google.inject:guice:jar:4.1.0:compile
[INFO] |  |  |        \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  +-
org.apache.skywalking:configuration-nacos:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:configuration-zookeeper:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +-
org.apache.skywalking:configuration-etcd:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  \-
org.apache.skywalking:configuration-consul:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +-
org.apache.skywalking:storage-elasticsearch7-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  \-
org.apache.skywalking:storage-elasticsearch-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +-
org.apache.skywalking:tool-profile-snapshot-exporter-es7:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  \-
org.apache.skywalking:tool-profile-snapshot-bootstrap:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |     \-
org.apache.skywalking:tool-profile-snapshot-server-mock:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  +- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.9.0:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.9.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.9.0:compile
[INFO] |  \- com.google.guava:guava:jar:28.1-jre:compile
[INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |     +-
com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |     +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |     +- org.checkerframework:checker-qual:jar:2.8.1:compile
[INFO] |     +-
com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
[INFO] |     \-
org.codehaus.mojo:animal-sniffer-annotations:jar:1.18:compile
[INFO] +- org.apache.skywalking:apm-webapp:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +-
org.springframework.boot:spring-boot-starter-web:jar:1.5.11.RELEASE:compile
[INFO] |  |  +-
org.springframework.boot:spring-boot-starter:jar:1.5.11.RELEASE:compile
[INFO] |  |  |  +-
org.springframework.boot:spring-boot:jar:1.5.11.RELEASE:compile
[INFO] |  |  |  +-
org.springframework.boot:spring-boot-autoconfigure:jar:1.5.11.RELEASE:compile
[INFO] |  |  |  +-
org.springframework.boot:spring-boot-starter-logging:jar:1.5.11.RELEASE:compile
[INFO] |  |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] |  |  |  \-
org.springframework:spring-core:jar:4.3.15.RELEASE:compile
[INFO] |  |  +-
org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.11.RELEASE:compile
[INFO] |  |  |  +-
org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.29:compile
[INFO] |  |  |  |  \-
org.apache.tomcat:tomcat-annotations-api:jar:8.5.29:compile
[INFO] |  |  |  +-
org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.29:compile
[INFO] |  |  |  \-
org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.29:compile
[INFO] |  |  +- org.hibernate:hibernate-validator:jar:5.3.6.Final:compile
[INFO] |  |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  |  |  \- com.fasterxml:classmate:jar:1.3.1:compile
[INFO] |  |  +- org.springframework:spring-web:jar:4.3.15.RELEASE:compile
[INFO] |  |  |  +- org.springframework:spring-aop:jar:4.3.15.RELEASE:compile
[INFO] |  |  |  +-
org.springframework:spring-beans:jar:4.3.15.RELEASE:compile
[INFO] |  |  |  \-
org.springframework:spring-context:jar:4.3.15.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-webmvc:jar:4.3.15.RELEASE:compile
[INFO] |  |     \-
org.springframework:spring-expression:jar:4.3.15.RELEASE:compile
[INFO] |  +-
org.springframework.boot:spring-boot-starter-actuator:jar:1.5.11.RELEASE:compile
[INFO] |  |  \-
org.springframework.boot:spring-boot-actuator:jar:1.5.11.RELEASE:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile
[INFO] |  |  +-
com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] |  +-
org.springframework.boot:spring-boot-configuration-processor:jar:1.5.11.RELEASE:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.8.2:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] |  +-
org.springframework.cloud:spring-cloud-starter-netflix-zuul:jar:1.4.2.RELEASE:compile
[INFO] |  |  +-
org.springframework.cloud:spring-cloud-starter:jar:1.3.1.RELEASE:compile
[INFO] |  |  |  +-
org.springframework.cloud:spring-cloud-context:jar:1.3.1.RELEASE:compile
[INFO] |  |  |  |  \-
org.springframework.security:spring-security-crypto:jar:4.2.3.RELEASE:compile
[INFO] |  |  |  +-
org.springframework.cloud:spring-cloud-commons:jar:1.3.1.RELEASE:compile
[INFO] |  |  |  \-
org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] |  |  +-
org.springframework.cloud:spring-cloud-starter-netflix-hystrix:jar:1.4.2.RELEASE:compile
[INFO] |  |  |  +-
org.springframework.cloud:spring-cloud-netflix-core:jar:1.4.2.RELEASE:compile
[INFO] |  |  |  +- com.netflix.hystrix:hystrix-core:jar:1.5.12:compile
[INFO] |  |  |  |  \- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
[INFO] |  |  |  +-
com.netflix.hystrix:hystrix-metrics-event-stream:jar:1.5.12:compile
[INFO] |  |  |  |  \-
com.netflix.hystrix:hystrix-serialization:jar:1.5.12:runtime
[INFO] |  |  |  \- com.netflix.hystrix:hystrix-javanica:jar:1.5.12:compile
[INFO] |  |  |     +- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] |  |  |     \- org.aspectj:aspectjweaver:jar:1.8.6:compile
[INFO] |  |  +-
org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.2.RELEASE:compile
[INFO] |  |  |  +- com.netflix.ribbon:ribbon:jar:2.2.4:compile
[INFO] |  |  |  |  +- com.netflix.ribbon:ribbon-transport:jar:2.2.4:runtime
[INFO] |  |  |  |  |  +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] |  |  |  |  |  \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] |  |  |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  |  |  \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] |  |  |  |     \-
io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] |  |  |  +- com.netflix.ribbon:ribbon-core:jar:2.2.4:compile
[INFO] |  |  |  |  \- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  |  +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.4:compile
[INFO] |  |  |  |  +-
commons-collections:commons-collections:jar:3.2.2:runtime
[INFO] |  |  |  |  +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] |  |  |  |  |  \- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] |  |  |  |  |     \- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] |  |  |  |  \-
com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] |  |  |  +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.4:compile
[INFO] |  |  |  |  \-
com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] |  |  |  \- io.reactivex:rxjava:jar:1.2.0:compile
[INFO] |  |  +-
org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.2.RELEASE:compile
[INFO] |  |  |  +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] |  |  |  \-
commons-configuration:commons-configuration:jar:1.8:compile
[INFO] |  |  \- com.netflix.zuul:zuul-core:jar:1.3.0:compile
[INFO] |  |     +- com.netflix.servo:servo-core:jar:0.7.2:runtime
[INFO] |  |     |  \- com.google.code.findbugs:annotations:jar:2.0.0:runtime
[INFO] |  |     \-
com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] |  \- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |     \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.mockito:mockito-all:jar:1.10.19:test
[INFO] +- org.powermock:powermock-module-junit4:jar:1.6.4:test
[INFO] |  \- org.powermock:powermock-module-junit4-common:jar:1.6.4:test
[INFO] |     +- org.powermock:powermock-core:jar:1.6.4:test
[INFO] |     \- org.powermock:powermock-reflect:jar:1.6.4:test
[INFO] +- org.powermock:powermock-api-mockito:jar:1.6.4:test
[INFO] |  +- org.mockito:mockito-core:jar:1.10.19:test
[INFO] |  |  \- org.objenesis:objenesis:jar:2.1:test
[INFO] |  \- org.powermock:powermock-api-support:jar:1.6.4:test
[INFO] +- org.openjdk.jmh:jmh-core:jar:1.21:test
[INFO] |  +- net.sf.jopt-simple:jopt-simple:jar:4.6:compile
[INFO] |  \- org.apache.commons:commons-math3:jar:3.2:test
[INFO] +- org.projectlombok:lombok:jar:1.18.10:provided
[INFO] \- javax.annotation:javax.annotation-api:jar:1.3.2:provided
[INFO]
------------------------------------------------------------------------

Sheng Wu 吴晟
Twitter, wusheng1108


Sheng Wu <wu...@gmail.com> 于2020年5月21日周四 上午8:22写道:

>
>
> Hongtao Gao <ha...@gmail.com> 于2020年5月20日周三 下午11:13写道:
>
>> >
>> > So   i suggest just remove the Nacos from the release package, keeping
>> the
>> > source code in our project.
>>
>>
>> Coordination and configuration APIs are stable now, and I don't see any
>> potential improvements about them.
>> Anyone who needs it can revert to the commit contains nacos easily.
>> Keeping unreleased codes in the main repo is dangerous for us, so I prefer
>> to remove it straightly.
>>
>
> Agree, git is the time machine. We should not worry about rolling back in
> some days.
>
> Zhenxu
> Moving the code to skyapm, is fine, we just need to keep the Apache
> license header there, and indicate why these codes are copied there.
> If we really think that is meaningful. People are going to ask questions
> there, it will be some workload there.
> Also, notice, once we don't change the codes, how to release them.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
>>
>> peng-yongsheng <pe...@apache.org> 于2020年5月20日周三 下午10:27写道:
>>
>> > FastJSON is the source of this security issues and the Nacos is a famous
>> > project.  But security issues is very important problem, and they can’t
>> > really resolve it .
>> >
>> > So   i suggest just remove the Nacos from the release package, keeping
>> the
>> > source code in our project.
>> >
>> >
>> > Sheng Wu <wu...@apache.org>于2020年5月20日 周三20:51写道:
>> >
>> > > Hi dev team
>> > >
>> > > Especially committer and PMC member, recently, we just upgrade the
>> > fastjson
>> > > through https://github.com/apache/skywalking/pull/4753. But today, we
>> > > received the another report about the security issue again,
>> > > https://github.com/apache/skywalking/pull/4804.
>> > > The 4804 PR is not correct, but that is not the point.
>> > >
>> > > The concern I want to mention is that FastJson, imported by Nacos,
>> keeps
>> > > reporting security issues. This breaks our stable/security status high
>> > > frequently.
>> > >
>> > > I want to ask, *do we need to consider removing the Nacos +
>> > > FastJSON dependency? Due to this library is not in high quality from a
>> > > security perspective.*
>> > > These two are not required, they are just an implementation of
>> > > configuration server and cluster management server.
>> > >
>> > > I don't request to act now, but I would like to hear, what do you
>> think?
>> > >
>> > > Sheng Wu 吴晟
>> > > Twitter, wusheng1108
>> > >
>> >
>>
>>
>> --
>> Hongtao Gao
>>
>> Apache SkyWalking && Apache ShardingSphere
>> Twitter, @hanahmily
>>
>
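Following up on the dependency-tree check in the message above, here is an added example (my own code, not the SkyWalking project's) that parses `mvn dependency:tree` output and reports which of the project's own modules introduces a given transitive artifact, so the "Nacos only" claim can be checked mechanically. The sample tree is a constructed, trimmed excerpt of the output quoted above, with two lines wrapped the way the mail client wrapped them; the function names and the `own_group` parameter are assumptions of this example.

```python
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample: a trimmed excerpt of the `mvn dependency:tree` output
# quoted in the thread.  Two lines are wrapped the way the mail client
# wrapped them (the connector at the end of one line, the coordinates on
# the next), so the parser has to re-join them before reading the tree.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ apache-skywalking-apm-es7 ---
[INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
[INFO] +- org.apache.skywalking:server-starter-es7:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +- org.apache.skywalking:server-bootstrap:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +- org.apache.skywalking:server-core:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- org.yaml:snakeyaml:jar:1.18:compile
[INFO] |  |  +-
org.apache.skywalking:cluster-nacos-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  \\- com.alibaba.nacos:nacos-client:jar:1.2.0:compile
[INFO] |  |  |     +- com.alibaba.nacos:nacos-common:jar:1.2.0:compile
[INFO] |  |  |     \\- com.alibaba.nacos:nacos-api:jar:1.2.0:compile
[INFO] |  |  |        \\- com.alibaba:fastjson:jar:1.2.58:compile
[INFO] |  |  \\-
org.apache.skywalking:configuration-nacos:jar:8.0.0-SNAPSHOT:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
"""

# One tree line after the "[INFO] " prefix: indentation made of "|  " or
# "   " cells, an optional "+- " / "\- " connector, the Maven coordinates,
# then optional trailing text such as "(version selected from constraint ...)".
TREE_LINE = re.compile(r"^((?:\|  |   )*)([+\\]- )?(\S+:\S+)(?:\s.*)?$")


def unwrap(lines: List[str]) -> List[str]:
    """Re-join lines that a mail client wrapped right after the connector."""
    out: List[str] = []
    it = iter(lines)
    for line in it:
        if line.rstrip().endswith(("+-", "\\-")):
            line = line.rstrip() + " " + next(it, "").strip()
        out.append(line)
    return out


def parse_tree(text: str) -> List[Tuple[str, List[str]]]:
    """Return (coordinates, ancestor chain from the root) for every node."""
    nodes: List[Tuple[str, List[str]]] = []
    stack: List[str] = []           # ancestors of the line being read
    for line in unwrap(text.splitlines()):
        if not line.startswith("[INFO] "):
            continue                # [WARNING], "Downloading from ...", etc.
        m = TREE_LINE.match(line[len("[INFO] "):])
        if not m:
            continue                # plugin banner, separator line
        depth = len(m.group(1)) // 3 + (1 if m.group(2) else 0)
        coord = m.group(3)
        del stack[depth:]           # pop back to this node's parent
        nodes.append((coord, list(stack)))
        stack.append(coord)
    return nodes


def find_paths(text: str, group_artifact: str) -> List[List[str]]:
    """Every root-to-node chain ending in an artifact with this group:artifact."""
    want = group_artifact + ":"
    return [chain + [coord] for coord, chain in parse_tree(text)
            if coord.startswith(want)]


def introducing_modules(text: str, group_artifact: str,
                        own_group: str) -> List[Optional[str]]:
    """For each occurrence, the nearest ancestor in the project's own group:
    the module whose removal would drop the transitive dependency."""
    result: List[Optional[str]] = []
    for path in find_paths(text, group_artifact):
        owners = [c for c in path[:-1] if c.startswith(own_group + ":")]
        result.append(owners[-1] if owners else None)
    return result


if __name__ == "__main__":
    # Usage: python3 find_dep.py [group:artifact] [saved-tree.txt]
    # (file and script name are assumptions; defaults use the sample above)
    target = sys.argv[1] if len(sys.argv) > 1 else "com.alibaba:fastjson"
    tree = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_TREE
    for path in find_paths(tree, target):
        print(" -> ".join(path))
    print("introduced by:", introducing_modules(tree, target, "org.apache.skywalking"))
```

On the sample, the only chain to fastjson runs through `cluster-nacos-plugin` -> `nacos-client` -> `nacos-api`, and `introducing_modules` names `cluster-nacos-plugin` as the project module that pulls it in; running the same script over the full saved output of `mvn dependency:tree` is the repeatable way to confirm the result reported in the thread after each dependency change.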

Re: [WARNING] Fastjson library has a continuously insecurity trend

Posted by Sheng Wu <wu...@gmail.com>.
Hongtao Gao <ha...@gmail.com> 于2020年5月20日周三 下午11:13写道:

> >
> > So   i suggest just remove the Nacos from the release package, keeping
> the
> > source code in our project.
>
>
> Coordination and configuration APIs are stable now, and I don't see any
> potential improvements about them.
> Anyone who needs it can revert to the commit contains nacos easily.
> Keeping unreleased codes in the main repo is dangerous for us, so I prefer
> to remove it straightly.
>

Agree, git is the time machine. We should not worry about rolling back in
some days.

Zhenxu,
Moving the code to SkyAPM is fine; we just need to keep the Apache license
header there and indicate why the code was copied there, if we really
think that is meaningful. People are going to ask questions there, so it
will be some workload.
Also, note that once we no longer change the code, how do we release it?

Sheng Wu 吴晟
Twitter, wusheng1108


>
> peng-yongsheng <pe...@apache.org> 于2020年5月20日周三 下午10:27写道:
>
> > FastJSON is the source of this security issues and the Nacos is a famous
> > project.  But security issues is very important problem, and they can’t
> > really resolve it .
> >
> > So   i suggest just remove the Nacos from the release package, keeping
> the
> > source code in our project.
> >
> >
> > Sheng Wu <wu...@apache.org>于2020年5月20日 周三20:51写道:
> >
> > > Hi dev team
> > >
> > > Especially committer and PMC member, recently, we just upgrade the
> > fastjson
> > > through https://github.com/apache/skywalking/pull/4753. But today, we
> > > received the another report about the security issue again,
> > > https://github.com/apache/skywalking/pull/4804.
> > > The 4804 PR is not correct, but that is not the point.
> > >
> > > The concern I want to mention is that FastJson, imported by Nacos,
> keeps
> > > reporting security issues. This breaks our stable/security status high
> > > frequently.
> > >
> > > I want to ask, *do we need to consider removing the Nacos +
> > > FastJSON dependency? Due to this library is not in high quality from a
> > > security perspective.*
> > > These two are not required, they are just an implementation of
> > > configuration server and cluster management server.
> > >
> > > I don't request to act now, but I would like to hear, what do you
> think?
> > >
> > > Sheng Wu 吴晟
> > > Twitter, wusheng1108
> > >
> >
>
>
> --
> Hongtao Gao
>
> Apache SkyWalking && Apache ShardingSphere
> Twitter, @hanahmily
>

Re: [WARNING] Fastjson library has a continuously insecurity trend

Posted by Daming <zt...@foxmail.com>.
I agree to remove the related modules.

-----------
Daming
Apache SkyWalking

> 在 2020年5月20日,下午11:13,Hongtao Gao <ha...@gmail.com> 写道:
> 
>> 
>> So   i suggest just remove the Nacos from the release package, keeping the
>> source code in our project.
> 
> 
> Coordination and configuration APIs are stable now, and I don't see any
> potential improvements about them.
> Anyone who needs it can revert to the commit contains nacos easily.
> Keeping unreleased codes in the main repo is dangerous for us, so I prefer
> to remove it straightly.
> 
> peng-yongsheng <pe...@apache.org> 于2020年5月20日周三 下午10:27写道:
> 
>> FastJSON is the source of this security issues and the Nacos is a famous
>> project.  But security issues is very important problem, and they can’t
>> really resolve it .
>> 
>> So   i suggest just remove the Nacos from the release package, keeping the
>> source code in our project.
>> 
>> 
>> Sheng Wu <wu...@apache.org>于2020年5月20日 周三20:51写道:
>> 
>>> Hi dev team
>>> 
>>> Especially committer and PMC member, recently, we just upgrade the
>> fastjson
>>> through https://github.com/apache/skywalking/pull/4753. But today, we
>>> received the another report about the security issue again,
>>> https://github.com/apache/skywalking/pull/4804.
>>> The 4804 PR is not correct, but that is not the point.
>>> 
>>> The concern I want to mention is that FastJson, imported by Nacos, keeps
>>> reporting security issues. This breaks our stable/security status high
>>> frequently.
>>> 
>>> I want to ask, *do we need to consider removing the Nacos +
>>> FastJSON dependency? Due to this library is not in high quality from a
>>> security perspective.*
>>> These two are not required, they are just an implementation of
>>> configuration server and cluster management server.
>>> 
>>> I don't request to act now, but I would like to hear, what do you think?
>>> 
>>> Sheng Wu 吴晟
>>> Twitter, wusheng1108
>>> 
>> 
> 
> 
> -- 
> Hongtao Gao
> 
> Apache SkyWalking && Apache ShardingSphere
> Twitter, @hanahmily


Re: [WARNING] Fastjson library has a continuously insecurity trend

Posted by Hongtao Gao <ha...@gmail.com>.
>
> So   i suggest just remove the Nacos from the release package, keeping the
> source code in our project.


Coordination and configuration APIs are stable now, and I don't see any
potential improvements to them.
Anyone who needs it can easily revert to the commit that contains Nacos.
Keeping unreleased code in the main repo is dangerous for us, so I prefer
to remove it outright.

peng-yongsheng <pe...@apache.org> 于2020年5月20日周三 下午10:27写道:

> FastJSON is the source of this security issues and the Nacos is a famous
> project.  But security issues is very important problem, and they can’t
> really resolve it .
>
> So   i suggest just remove the Nacos from the release package, keeping the
> source code in our project.
>
>
> Sheng Wu <wu...@apache.org>于2020年5月20日 周三20:51写道:
>
> > Hi dev team
> >
> > Especially committer and PMC member, recently, we just upgraded fastjson
> > through https://github.com/apache/skywalking/pull/4753. But today, we
> > received another report about a security issue again,
> > https://github.com/apache/skywalking/pull/4804.
> > The 4804 PR is not correct, but that is not the point.
> >
> > The concern I want to mention is that FastJson, imported by Nacos, keeps
> > reporting security issues. This breaks our stability/security status very
> > frequently.
> >
> > I want to ask, *do we need to consider removing the Nacos +
> > FastJSON dependency? Because this library is not of high quality from a
> > security perspective.*
> > These two are not required; they are just an implementation of the
> > configuration server and the cluster management server.
> >
> > I don't request to act now, but I would like to hear, what do you think?
> >
> > Sheng Wu 吴晟
> > Twitter, wusheng1108
> >
>


-- 
Hongtao Gao

Apache SkyWalking && Apache ShardingSphere
Twitter, @hanahmily

Re: [WARNING] Fastjson library has a continuously insecurity trend

Posted by peng-yongsheng <pe...@apache.org>.
FastJSON is the source of these security issues, and Nacos is a famous
project. But security issues are a very important problem, and they can't
really resolve it.

So I suggest just removing Nacos from the release package, keeping the
source code in our project.


Sheng Wu <wu...@apache.org> wrote on Wed, May 20, 2020 at 20:51:

> Hi dev team
>
> Especially committer and PMC member, recently, we just upgraded fastjson
> through https://github.com/apache/skywalking/pull/4753. But today, we
> received another report about a security issue again,
> https://github.com/apache/skywalking/pull/4804.
> The 4804 PR is not correct, but that is not the point.
>
> The concern I want to mention is that FastJson, imported by Nacos, keeps
> reporting security issues. This breaks our stability/security status very
> frequently.
>
> I want to ask, *do we need to consider removing the Nacos +
> FastJSON dependency? Because this library is not of high quality from a
> security perspective.*
> These two are not required; they are just an implementation of the
> configuration server and the cluster management server.
>
> I don't request to act now, but I would like to hear, what do you think?
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>