Posted to commits@hudi.apache.org by GitBox <gi...@apache.org> on 2022/10/16 08:33:39 UTC

[GitHub] [hudi] lxxawfl opened a new pull request, #6962: fix(sec): upgrade com.google.guava:guava to 30.0-jre

lxxawfl opened a new pull request, #6962:
URL: https://github.com/apache/hudi/pull/6962

   ### What happened?
   There is 1 security vulnerability found in com.google.guava:guava 12.0.1
   - [CVE-2018-10237](https://www.oscs1024.com/hd/CVE-2018-10237)
   
   
   ### What did I do?
   Upgrade com.google.guava:guava from 12.0.1 to 30.0-jre for vulnerability fix
   
   ### What did you expect to happen?
   Ideally, no insecure libs should be used.
   
   ### How was this patch tested?
   Running `mvn compile` failed locally; the build process couldn't complete.
   Running `mvn clean test` failed locally; the unit tests couldn't pass.
   
   ### The specification of the pull request
   [PR Specification](https://www.oscs1024.com/docs/pr-specification/) from OSCS


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@hudi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [hudi] bvaradar commented on pull request #6962: [HUDI-5071] Upgrade com.google.guava:guava to 30.0-jre

Posted by "bvaradar (via GitHub)" <gi...@apache.org>.
bvaradar commented on PR #6962:
URL: https://github.com/apache/hudi/pull/6962#issuecomment-1449287898

   @codope @yihua : Should this PR be closed?




[GitHub] [hudi] codope commented on pull request #6962: [HUDI-5071] Upgrade com.google.guava:guava to 30.0-jre

Posted by GitBox <gi...@apache.org>.
codope commented on PR #6962:
URL: https://github.com/apache/hudi/pull/6962#issuecomment-1287650595

   @lxxawfl Thanks for this fix. Unfortunately, if we upgrade guava here then it will run into a conflict when we upgrade the hudi-presto-bundle version in prestodb https://github.com/prestodb/presto/blob/0.277/pom.xml#L1263. I tried to build presto with a hudi-presto-bundle incorporating this fix and it ran into the following build failure:
   ```
   [INFO] --- duplicate-finder-maven-plugin:1.2.1:check (default) @ presto-hive ---
   [INFO] Checking compile classpath
   [INFO] Checking runtime classpath
   [INFO] Checking test classpath
   [WARNING] Found duplicate and different classes in [com.google.guava:guava:26.0-jre, org.apache.hudi:hudi-presto-bundle:0.13.0-SNAPSHOT]:
   [WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixPatterns
   [WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixType
   [WARNING]   com.google.thirdparty.publicsuffix.TrieParser
   [WARNING] Found duplicate classes/resources in compile classpath.
   [WARNING] Found duplicate and different classes in [com.google.guava:guava:26.0-jre, org.apache.hudi:hudi-presto-bundle:0.13.0-SNAPSHOT]:
   [WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixPatterns
   [WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixType
   [WARNING]   com.google.thirdparty.publicsuffix.TrieParser
   [WARNING] Found duplicate classes/resources in runtime classpath.
   [WARNING] Found duplicate and different classes in [com.google.guava:guava:26.0-jre, org.apache.hudi:hudi-presto-bundle:0.13.0-SNAPSHOT]:
   [WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixPatterns
   [WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixType
   [WARNING]   com.google.thirdparty.publicsuffix.TrieParser
   [WARNING] Found duplicate classes/resources in test classpath.
   ...
   ...
   [ERROR] Failed to execute goal org.basepom.maven:duplicate-finder-maven-plugin:1.2.1:check (default) on project presto-hive: Found duplicate classes/resources! -> [Help 1]
   ```


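The build failure quoted above comes from duplicate-finder-maven-plugin reporting classes that exist in two classpath entries (guava 26.0-jre and the hudi-presto-bundle) with different bytes. Whichever copy the JVM loads first wins, which is why bundling a newer Guava inside a shaded jar next to the Guava a host application already ships is unsafe. The following Python script is an added example, not code from Hudi, Presto, or the plugin; it re-implements the "duplicate and different classes" check over jar files. The two jars it scans (`guava-demo.jar` and `bundle-demo.jar`) and their class entries are constructed in a temporary directory for the demonstration, with fake class bytes standing in for real bytecode.

```python
"""Detect classes that appear in more than one jar with differing bytes.

Added example (not part of the Hudi PR or duplicate-finder-maven-plugin).
It mirrors the plugin's "duplicate and different classes" report: the same
entry name in two jars is harmless when the bytes are identical, but a
byte-level difference means classpath ordering decides which version runs.
The jars below are constructed in a temp directory purely for the demo.
"""
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict


def class_digests(jar_path):
    """Map each .class entry in a jar to the SHA-256 of its bytes."""
    digests = {}
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(".class"):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def find_conflicts(jar_paths):
    """Return (identical, different): class entry -> sorted list of jar names.

    'identical' entries are duplicated but byte-for-byte equal;
    'different' entries are the dangerous case the plugin fails the build on.
    """
    seen = defaultdict(dict)  # class entry -> {jar name: digest}
    for path in jar_paths:
        for cls, digest in class_digests(path).items():
            seen[cls][os.path.basename(path)] = digest
    identical, different = {}, {}
    for cls, by_jar in seen.items():
        if len(by_jar) < 2:
            continue  # present in a single jar only
        if len(set(by_jar.values())) == 1:
            identical[cls] = sorted(by_jar)
        else:
            different[cls] = sorted(by_jar)
    return identical, different


def to_class_name(entry):
    """Turn a jar entry path into a Java class name."""
    return entry[: -len(".class")].replace("/", ".")


def build_demo_jars(directory):
    """Construct two overlapping jars (constructed demo data, not real bytecode):
    a library jar and a bundle that carries its own, newer copy of one class."""
    lib = os.path.join(directory, "guava-demo.jar")
    bundle = os.path.join(directory, "bundle-demo.jar")
    with zipfile.ZipFile(lib, "w") as zf:
        zf.writestr("com/google/thirdparty/publicsuffix/TrieParser.class", b"FAKE-v26")
        zf.writestr("com/google/common/base/Preconditions.class", b"FAKE-same")
    with zipfile.ZipFile(bundle, "w") as zf:
        zf.writestr("com/google/thirdparty/publicsuffix/TrieParser.class", b"FAKE-v30")
        zf.writestr("com/google/common/base/Preconditions.class", b"FAKE-same")
        zf.writestr("org/example/bundle/Only.class", b"FAKE-bundle-only")
    return [lib, bundle]


def run_demo():
    """Build the demo jars, scan them, and return the classified duplicates."""
    with tempfile.TemporaryDirectory() as d:
        identical, different = find_conflicts(build_demo_jars(d))
    return {
        "identical": sorted(to_class_name(c) for c in identical),
        "different": sorted(to_class_name(c) for c in different),
    }


if __name__ == "__main__":
    result = run_demo()
    for cls in result["different"]:
        print(f"[WARNING] duplicate and different class: {cls}")
    for cls in result["identical"]:
        print(f"[INFO] duplicate but identical class: {cls}")
```

Pointed at real jars (for example a Guava jar and a bundle that shades Guava without relocating its packages), the `different` map is exactly what the plugin reports; the standard mitigation for a bundle is to relocate the shaded packages so they no longer collide with the host's copy, or to keep the bundled version aligned with the host's, which is the constraint the comment above describes.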


[GitHub] [hudi] hudi-bot commented on pull request #6962: fix(sec): upgrade com.google.guava:guava to 30.0-jre

Posted by GitBox <gi...@apache.org>.
hudi-bot commented on PR #6962:
URL: https://github.com/apache/hudi/pull/6962#issuecomment-1279923686

   <!--
   Meta data
   {
     "version" : 1,
     "metaDataEntries" : [ {
       "hash" : "d8616dc683ad04888f3917c17b2faf10983ebbaf",
       "status" : "UNKNOWN",
       "url" : "TBD",
       "triggerID" : "d8616dc683ad04888f3917c17b2faf10983ebbaf",
       "triggerType" : "PUSH"
     } ]
   }-->
   ## CI report:
   
   * d8616dc683ad04888f3917c17b2faf10983ebbaf UNKNOWN
   
   <details>
   <summary>Bot commands</summary>
     @hudi-bot supports the following commands:
   
    - `@hudi-bot run azure` re-run the last Azure build
   </details>




[GitHub] [hudi] hudi-bot commented on pull request #6962: fix(sec): upgrade com.google.guava:guava to 30.0-jre

Posted by GitBox <gi...@apache.org>.
hudi-bot commented on PR #6962:
URL: https://github.com/apache/hudi/pull/6962#issuecomment-1279924551

   <!--
   Meta data
   {
     "version" : 1,
     "metaDataEntries" : [ {
       "hash" : "d8616dc683ad04888f3917c17b2faf10983ebbaf",
       "status" : "PENDING",
       "url" : "https://dev.azure.com/apache-hudi-ci-org/785b6ef4-2f42-4a89-8f0e-5f0d7039a0cc/_build/results?buildId=12237",
       "triggerID" : "d8616dc683ad04888f3917c17b2faf10983ebbaf",
       "triggerType" : "PUSH"
     } ]
   }-->
   ## CI report:
   
   * d8616dc683ad04888f3917c17b2faf10983ebbaf Azure: [PENDING](https://dev.azure.com/apache-hudi-ci-org/785b6ef4-2f42-4a89-8f0e-5f0d7039a0cc/_build/results?buildId=12237) 
   
   <details>
   <summary>Bot commands</summary>
     @hudi-bot supports the following commands:
   
    - `@hudi-bot run azure` re-run the last Azure build
   </details>




[GitHub] [hudi] codope commented on pull request #6962: [HUDI-5071] Upgrade com.google.guava:guava to 30.0-jre

Posted by GitBox <gi...@apache.org>.
codope commented on PR #6962:
URL: https://github.com/apache/hudi/pull/6962#issuecomment-1301753429

   I don't think we can get rid of Guava right away as HBase depends on Guava. I tried but ran into issues with a `Precondition` class conflict when querying a Hudi table with metadata enabled. And we cannot upgrade directly because HBase depends on a particular version of guava that is used by hadoop (more specifically hadoop-common). When we upgrade to Hadoop 3 then guava will automatically get upgraded to version 27, which is compatible with that in Presto. So, IMO we should wait until we have upgraded Hadoop libs in Hudi. https://issues.apache.org/jira/browse/HUDI-2955 tracks the effort.




[GitHub] [hudi] hudi-bot commented on pull request #6962: fix(sec): upgrade com.google.guava:guava to 30.0-jre

Posted by GitBox <gi...@apache.org>.
hudi-bot commented on PR #6962:
URL: https://github.com/apache/hudi/pull/6962#issuecomment-1279960667

   <!--
   Meta data
   {
     "version" : 1,
     "metaDataEntries" : [ {
       "hash" : "d8616dc683ad04888f3917c17b2faf10983ebbaf",
       "status" : "SUCCESS",
       "url" : "https://dev.azure.com/apache-hudi-ci-org/785b6ef4-2f42-4a89-8f0e-5f0d7039a0cc/_build/results?buildId=12237",
       "triggerID" : "d8616dc683ad04888f3917c17b2faf10983ebbaf",
       "triggerType" : "PUSH"
     } ]
   }-->
   ## CI report:
   
   * d8616dc683ad04888f3917c17b2faf10983ebbaf Azure: [SUCCESS](https://dev.azure.com/apache-hudi-ci-org/785b6ef4-2f42-4a89-8f0e-5f0d7039a0cc/_build/results?buildId=12237) 
   
   <details>
   <summary>Bot commands</summary>
     @hudi-bot supports the following commands:
   
    - `@hudi-bot run azure` re-run the last Azure build
   </details>

