Posted to notifications@skywalking.apache.org by GitBox <gi...@apache.org> on 2021/09/26 17:49:37 UTC

[GitHub] [skywalking] sonatype-lift[bot] commented on a change in pull request #7810: Support E2E testing satellite native protocols

sonatype-lift[bot] commented on a change in pull request #7810:
URL: https://github.com/apache/skywalking/pull/7810#discussion_r716238214



##########
File path: test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
##########
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>apache-skywalking-e2e</artifactId>
+        <groupId>org.apache.skywalking</groupId>
+        <version>2.0.0</version>
+    </parent>
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <packaging>jar</packaging>
+
+    <artifactId>e2e-service-provider</artifactId>
+
+    <properties>
+        <log4j.version>1.2.17</log4j.version>
+        <log4j2.version>2.7</log4j2.version>
+        <logback.version>1.2.3</logback.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
+            <version>${spring.boot.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>${h2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+            <exclusions>
+                <exclusion>
+                    <artifactId>log4j-to-slf4j</artifactId>
+                    <groupId>org.apache.logging.log4j</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.skywalking</groupId>
+            <artifactId>apm-toolkit-micrometer-registry</artifactId>
+            <version>8.2.0</version>
+        </dependency>
+        <dependency>
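
Review bot: `apm-toolkit-micrometer-registry` is pinned to a literal `8.2.0` while the parent pom in this same PR defines `<sw.version>8.7.0</sw.version>`; use `<version>${sw.version}</version>` here (or state why 8.2.0 is required) so the toolkit cannot drift from the agent version the E2E suite is meant to exercise without anyone noticing. Note also that excluding `log4j-to-slf4j` from the actuator starter only changes log routing; it does nothing about the `log4j.version` / `log4j2.version` pins in `<properties>` above, which are what the scanner findings below are about.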

Review comment:
       *Critical OSS Vulnerability:*
   ### pkg:maven/log4j/log4j@1.2.17
   1 Critical, 0 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
   
   <details>
     <summary><b>Components</b></summary><br/>
     <ul>
         <details>
           <summary><b>pkg:maven/log4j/log4j@1.2.17</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2019-17571] Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserializat...
   > Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
   >
   > **CVSS Score:** 9.8
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   
   </ul>
       </details>
     <details>
       <summary><b>MODERATE Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appen...
   > Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
   >
   > **CVSS Score:** 3.7
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
   
   </ul>
       </details>
           </ul>
         </details>
     </ul>
   </details>
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
##########
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>apache-skywalking-e2e</artifactId>
+        <groupId>org.apache.skywalking</groupId>
+        <version>2.0.0</version>
+    </parent>
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <packaging>jar</packaging>
+
+    <artifactId>e2e-service-provider</artifactId>
+
+    <properties>
+        <log4j.version>1.2.17</log4j.version>
+        <log4j2.version>2.7</log4j2.version>
+        <logback.version>1.2.3</logback.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
+            <version>${spring.boot.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>${h2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+            <exclusions>
+                <exclusion>
+                    <artifactId>log4j-to-slf4j</artifactId>
+                    <groupId>org.apache.logging.log4j</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.skywalking</groupId>
+            <artifactId>apm-toolkit-micrometer-registry</artifactId>
+            <version>8.2.0</version>
+        </dependency>
+        <dependency>
+            <groupId>log4j</groupId>
+            <artifactId>log4j</artifactId>
+            <version>${log4j.version}</version>
+        </dependency>
+        <dependency>
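
Review bot: the new `log4j:log4j:${log4j.version}` dependency brings in Log4j 1.2.17, the final release of a line that is end-of-life and receives no fixes, so the `SocketServer` deserialization issue the scanner reports below cannot be addressed by bumping the version. If this dependency exists only so the E2E provider can exercise Log4j 1.x logging, say so in a comment next to it, keep it out of any non-test artifact, and make sure the test service never configures a `SocketServer` or `SocketAppender` that listens on the network; if the 1.x API is all that is needed, the `log4j-1.2-api` bridge from Log4j 2 provides it on a maintained code base.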

Review comment:
       *Critical OSS Vulnerability:*
   ### pkg:maven/org.apache.logging.log4j/log4j-core@2.7
   1 Critical, 0 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
   
   <details>
     <summary><b>Components</b></summary><br/>
     <ul>
         <details>
           <summary><b>pkg:maven/org.apache.logging.log4j/log4j-core@2.7</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2017-5645]  Deserialization of Untrusted Data
   > In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
   >
   > **CVSS Score:** 9.8
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   
   </ul>
       </details>
     <details>
       <summary><b>MODERATE Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appen...
   > Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
   >
   > **CVSS Score:** 3.7
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
   
   </ul>
       </details>
           </ul>
         </details>
     </ul>
   </details>
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
##########
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>apache-skywalking-e2e</artifactId>
+        <groupId>org.apache.skywalking</groupId>
+        <version>2.0.0</version>
+    </parent>
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <packaging>jar</packaging>
+
+    <artifactId>e2e-service-provider</artifactId>
+
+    <properties>
+        <log4j.version>1.2.17</log4j.version>
+        <log4j2.version>2.7</log4j2.version>
+        <logback.version>1.2.3</logback.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
+            <version>${spring.boot.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>${h2.version}</version>
+        </dependency>
+        <dependency>
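
Review bot: both `spring-boot-starter-data-jpa` (`${spring.boot.version}`) and `h2` (`${h2.version}`) carry explicit versions even though the parent pom imports the `spring-boot-dependencies` 2.2.5.RELEASE BOM, which already manages both artifacts. Drop the `<version>` elements so the BOM governs them; otherwise the hand-maintained `h2.version` (1.4.199 in the parent) can silently diverge from the version the rest of the Spring Boot stack was built against, and fixing a scanner finding later means hunting through two files instead of bumping one BOM.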

Review comment:
       *Critical OSS Vulnerability:*
   ### pkg:maven/org.springframework.boot/spring-boot-starter-actuator@2.2.5.RELEASE
   1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
   
   <details>
     <summary><b>Components</b></summary><br/>
     <ul>
         <details>
           <summary><b>pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.2</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2020-25649] A flaw was found in FasterXML Jackson Databind, where it did not have entity exp...
   > A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
   >
   > **CVSS Score:** 7.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
   
   </ul>
       </details>
           </ul>
         </details>
     </ul>
   </details>
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: test/e2e-v2/java-test-service/e2e-service-provider/pom.xml
##########
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>apache-skywalking-e2e</artifactId>
+        <groupId>org.apache.skywalking</groupId>
+        <version>2.0.0</version>
+    </parent>
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <packaging>jar</packaging>
+
+    <artifactId>e2e-service-provider</artifactId>
+
+    <properties>
+        <log4j.version>1.2.17</log4j.version>
+        <log4j2.version>2.7</log4j2.version>
+        <logback.version>1.2.3</logback.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
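
Review bot: the three logging versions (`log4j.version` 1.2.17, `log4j2.version` 2.7, `logback.version` 1.2.3) are the only version properties defined in this child pom; every other version lives in the parent's `<properties>`. Move them next to `sw.version` so one file controls the dependency set, and justify `log4j2.version` 2.7 in particular: the scanner resolves `log4j-core@2.7` and its own finding text says the deserialization issue is fixed from 2.8.2, so a pin this old should either be raised or documented as deliberate for the test.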

Review comment:
       *Critical OSS Vulnerability:*
   ### pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa@2.2.5.RELEASE
   5 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 4 dependencies
   
   <details>
     <summary><b>Components</b></summary><br/>
     <ul>
         <details>
           <summary><b>pkg:maven/org.springframework/spring-core@5.2.4.RELEASE</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (2)</b></summary><br/>
   <ul>
   <details>
               <summary>CVE-2020-5421</summary>
   
   > #### [CVE-2020-5421] In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3....
   > In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
   >
   > **CVSS Score:** 8.8
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
   
   </details>
   <details>
               <summary>CVE-2021-22118</summary>
   
   > #### [CVE-2021-22118] In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to ...
   > In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
   >
   > **CVSS Score:** 7.8
   >
   > **CVSS Vector:** CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
   
   </details>
   </ul>
       </details>
           </ul>
         </details>
         <details>
           <summary><b>pkg:maven/org.dom4j/dom4j@2.1.1</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2020-10683] dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Enti...
   > dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
   >
   > **CVSS Score:** 9.8
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   
   </ul>
       </details>
           </ul>
         </details>
         <details>
           <summary><b>pkg:maven/org.hibernate/hibernate-core@5.4.12.Final</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2020-25638] A flaw was found in hibernate-core in versions prior to and including 5.4.23.Fin...
   > A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
   >
   > **CVSS Score:** 7.4
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
   
   </ul>
       </details>
           </ul>
         </details>
         <details>
           <summary><b>pkg:maven/org.yaml/snakeyaml@1.25</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2017-18640] The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operat...
   > The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
   >
   > **CVSS Score:** 7.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   
   </ul>
       </details>
           </ul>
         </details>
     </ul>
   </details>
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: test/e2e-v2/java-test-service/pom.xml
##########
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.apache.skywalking</groupId>
+    <artifactId>apache-skywalking-e2e</artifactId>
+    <version>2.0.0</version>
+
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>e2e-service-provider</module>
+        <module>e2e-service-consumer</module>
+    </modules>
+
+    <properties>
+        <sw.version>8.7.0</sw.version>
+
+        <java.version>1.8</java.version>
+        <maven.compiler.source>${java.version}</maven.compiler.source>
+        <maven.compiler.target>${java.version}</maven.compiler.target>
+
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
+        <spring.boot.version>2.2.5.RELEASE</spring.boot.version>
+        <spring.cloud.version>2.1.2.RELEASE</spring.cloud.version>
+        <jupeter.version>5.6.0</jupeter.version>
+        <jackson.version>2.9.7</jackson.version>
+        <guava.version>30.1.1-jre</guava.version>
+        <h2.version>1.4.199</h2.version>
+        <mysql.version>8.0.13</mysql.version>
+        <lombok.version>1.18.20</lombok.version>
+        <kafka-clients.version>2.4.1</kafka-clients.version>
+
+        <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
+        <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
+        <maven-checkstyle-plugin.version>3.1.0</maven-checkstyle-plugin.version>
+
+        <testcontainers.version>1.15.3</testcontainers.version>
+    </properties>
+
+    <repositories>
+       <repository>
+           <id>apache.snapshots</id>
+           <name>Apache Development Snapshot Repository</name>
+           <url>https://repository.apache.org/content/groups/snapshots/</url>
+           <releases>
+               <enabled>false</enabled>
+           </releases>
+           <snapshots>
+               <enabled>true</enabled>
+           </snapshots>
+       </repository>
+    </repositories>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-dependencies</artifactId>
+                <version>2.2.5.RELEASE</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
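
Review bot: the `<dependencies>` block at the end of this parent pom (starting with `spring-boot-starter-web`) is inherited by every module listed under `<modules>`, so both `e2e-service-provider` and `e2e-service-consumer` get embedded Tomcat and the whole web stack whether or not a given module needs it. Keep the parent to `dependencyManagement` and declare `spring-boot-starter-web` only in the modules that serve HTTP; a smaller per-service classpath also shortens the component list the scanner reports below and the number of transitive CVEs to triage. Separately, `jupeter.version` looks like a typo for `jupiter.version`.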

Review comment:
       *Critical OSS Vulnerability:*
   ### pkg:maven/org.springframework.boot/spring-boot-starter-test@2.2.5.RELEASE
   1 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 2 dependencies
   
   <details>
     <summary><b>Components</b></summary><br/>
     <ul>
         <details>
           <summary><b>pkg:maven/junit/junit@4.12</b></summary>
           <ul>
     <details>
       <summary><b>SEVERE Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2020-15250] In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder cont...
   > In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
   >
   > **CVSS Score:** 5.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
   
   </ul>
       </details>
           </ul>
         </details>
         <details>
           <summary><b>pkg:maven/net.minidev/json-smart@2.3</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2021-27568] An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-sma...
   > An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
   >
   > **CVSS Score:** 9.1
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
   
   </ul>
       </details>
           </ul>
         </details>
     </ul>
   </details>
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: test/e2e-v2/java-test-service/pom.xml
##########
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>org.apache.skywalking</groupId>
+    <artifactId>apache-skywalking-e2e</artifactId>
+    <version>2.0.0</version>
+
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>e2e-service-provider</module>
+        <module>e2e-service-consumer</module>
+    </modules>
+
+    <properties>
+        <sw.version>8.7.0</sw.version>
+
+        <java.version>1.8</java.version>
+        <maven.compiler.source>${java.version}</maven.compiler.source>
+        <maven.compiler.target>${java.version}</maven.compiler.target>
+
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
+        <spring.boot.version>2.2.5.RELEASE</spring.boot.version>
+        <spring.cloud.version>2.1.2.RELEASE</spring.cloud.version>
+        <jupeter.version>5.6.0</jupeter.version>
+        <jackson.version>2.9.7</jackson.version>
+        <guava.version>30.1.1-jre</guava.version>
+        <h2.version>1.4.199</h2.version>
+        <mysql.version>8.0.13</mysql.version>
+        <lombok.version>1.18.20</lombok.version>
+        <kafka-clients.version>2.4.1</kafka-clients.version>
+
+        <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
+        <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
+        <maven-checkstyle-plugin.version>3.1.0</maven-checkstyle-plugin.version>
+
+        <testcontainers.version>1.15.3</testcontainers.version>
+    </properties>
+
+    <repositories>
+       <repository>
+           <id>apache.snapshots</id>
+           <name>Apache Development Snapshot Repository</name>
+           <url>https://repository.apache.org/content/groups/snapshots/</url>
+           <releases>
+               <enabled>false</enabled>
+           </releases>
+           <snapshots>
+               <enabled>true</enabled>
+           </snapshots>
+       </repository>
+    </repositories>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-dependencies</artifactId>
+                <version>2.2.5.RELEASE</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
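
Review bot: `<repositories>` enables the Apache snapshot repository (`<snapshots><enabled>true</enabled></snapshots>`), yet nothing in the visible pom references a `-SNAPSHOT` version (`sw.version` is the `8.7.0` release), so the entry appears unused. Snapshot artifacts are mutable: the same coordinates can resolve to different bytes on different days, which makes the E2E build non-reproducible and widens the supply-chain exposure of the test images. Remove the repository unless a snapshot dependency is genuinely required, and if one is, keep `<releases>` disabled as it is here and document which dependency needs it.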

Review comment:
       *Critical OSS Vulnerability:*
   ### pkg:maven/org.springframework.boot/spring-boot-starter-web@2.2.5.RELEASE
   10 Critical, 3 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 3 dependencies
   
   <details>
     <summary><b>Components</b></summary><br/>
     <ul>
         <details>
           <summary><b>pkg:maven/org.springframework/spring-web@5.2.4.RELEASE</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2020-5421] In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3....
   > In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
   >
   > **CVSS Score:** 8.8
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
   
   </ul>
       </details>
           </ul>
         </details>
         <details>
           <summary><b>pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.31</b></summary>
           <ul>
     <details>
       <summary><b>CRITICAL Vulnerabilities (9)</b></summary><br/>
   <ul>
   <details>
               <summary>CVE-2021-30640</summary>
   
   > #### [CVE-2021-30640] A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authent...
   > A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
   >
   > **CVSS Score:** 8.2
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
   
   </details>
   <details>
               <summary>CVE-2020-13935</summary>
   
   > #### [CVE-2020-13935] The payload length in a WebSocket frame was not correctly validated in Apache To...
   > The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
   >
   > **CVSS Score:** 7.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   
   </details>
   <details>
               <summary>CVE-2020-13934</summary>
   
   > #### [CVE-2020-13934] An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9....
   > An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
   >
   > **CVSS Score:** 7.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   
   </details>
   <details>
               <summary>CVE-2020-17527</summary>
   
   > #### [CVE-2020-17527] While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to ...
   > While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
   >
   > **CVSS Score:** 7.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   
   </details>
   <details>
               <summary>CVE-2020-11996</summary>
   
   > #### [CVE-2020-11996] A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 ...
   > A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
   >
   > **CVSS Score:** 7.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   
   </details>
   <details>
               <summary>CVE-2021-25122</summary>
   
   > #### [CVE-2021-25122] When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1...
    > When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
   >
   > **CVSS Score:** 7.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   
   </details>
   <details>
               <summary>CVE-2021-24122</summary>
   
   > #### [CVE-2021-24122] When serving resources from a network location using the NTFS file system, Apach...
   > When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
   >
   > **CVSS Score:** 7.5
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   
   </details>
   <details>
               <summary>CVE-2020-9484</summary>
   
   > #### [CVE-2020-9484] When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8....
    > When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
   >
   > **CVSS Score:** 7
   >
   > **CVSS Vector:** CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
   
   </details>
   <details>
               <summary>CVE-2021-25329</summary>
   
   > #### [CVE-2021-25329] The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to ...
    > The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
   >
   > **CVSS Score:** 7
   >
   > **CVSS Vector:** CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
   
   </details>
   </ul>
       </details>
     <details>
       <summary><b>SEVERE Vulnerabilities (2)</b></summary><br/>
   <ul>
   <details>
               <summary>CVE-2021-33037</summary>
   
   > #### [CVE-2021-33037] Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did no...
    > Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identity encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
   >
   > **CVSS Score:** 5.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
   
   </details>
   <details>
               <summary>CVE-2020-13943</summary>
   
   > #### [CVE-2020-13943] If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1...
   > If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
   >
   > **CVSS Score:** 4.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
   
   </details>
   </ul>
       </details>
           </ul>
         </details>
         <details>
           <summary><b>pkg:maven/org.hibernate.validator/hibernate-validator@6.0.18.Final</b></summary>
           <ul>
     <details>
       <summary><b>SEVERE Vulnerabilities (1)</b></summary><br/>
   <ul>
   
   > #### [CVE-2020-10693] A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the messag...
   > A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
   >
   > **CVSS Score:** 5.3
   >
   > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
   
   </ul>
       </details>
           </ul>
         </details>
     </ul>
   </details>
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

##########
File path: test/e2e-v2/script/prepare/setup-oap/download-mysql.sh
##########
@@ -0,0 +1,27 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
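Review bot: the first line of download-mysql.sh is the ASF license comment rather than a shebang, so the script's interpreter is left to whatever shell invokes it and ShellCheck cannot choose a dialect for its checks (the finding quoted in this comment). Make `#!/usr/bin/env bash` (or `#!/bin/sh` if the script must stay POSIX) the first line and keep the license header directly below it; if the file is only ever sourced rather than executed, a `# shellcheck shell=bash` directive near the top achieves the same for the linter.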

Review comment:
       *ShellCheck:*  Tips depend on target shell and yours is unknown. Add a shebang or a 'shell' directive.
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@skywalking.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org