HBASE-26821 Bump dependencies in /dev-support/git-jira-release-audit #4193
Bumps urllib3 from 1.25.8 to 1.26.5 to resolve two dependabot warnings:
CRLF injection (Moderate) urllib3 (pip) · dev-support/git-jira-release-audit/requirements.txt
Catastrophic backtracking in URL authority parser when passed URL containing many @ characters (High) urllib3 (pip) · dev-support/git-jira-release-audit/requirements.txt
Bumps cryptography from 2.8 to 3.3.2 to resolve one dependabot warning:
RSA decryption vulnerable to Bleichenbacher timing vulnerability (Moderate) cryptography (pip) · dev-support/git-jira-release-audit/requirements.txt
Lame but I get this after enabling dependabot warnings on my hbase repo fork. There is another warning about old codehaus Jackson that nothing can be done about for now.
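As an added example (not code from this PR or the HBase project), a small check that scans a requirements.txt for `==` pins that sit below the versions this PR bumps to; the sample file content and the set of packages checked are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Minimum versions carrying the fixes for the alerts named in this PR.
# Package names are compared case-insensitively, as pip does.
FIXED_VERSIONS: Dict[str, str] = {
    "urllib3": "1.26.5",
    "cryptography": "3.3.2",
}

# Constructed sample of a requirements.txt in the state before this PR.
SAMPLE_REQUIREMENTS = """\
# pinned deps for git-jira-release-audit (constructed sample)
urllib3==1.25.8
cryptography==2.8
requests==2.23.0
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.26.5' into (1, 26, 5); trailing non-numeric parts are dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding shorter tuples with zeros so that 2.8 == 2.8.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def find_outdated_pins(requirements_text: str, fixed=FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (package, pinned, required) for every == pin below its fixed version."""
    findings = []
    for line in requirements_text.splitlines():
        m = _PIN_RE.match(line)
        if not m:  # comments, blank lines and non-== specifiers are skipped
            continue
        name, pinned = m.group(1).lower(), m.group(2)
        required = fixed.get(name)
        if required and version_lt(pinned, required):
            findings.append((name, pinned, required))
    return findings


if __name__ == "__main__":
    for name, pinned, required in find_outdated_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}=={pinned} is below the fixed version {required}")
```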
🎊 +1 overall
This message was automatically generated.
+1
I have Dependabot security alerts enabled in my HBase fork and I see test warnings.
It would be nice to enable Dependabot in Apache HBase repo, IMO.
Sure, seems fine.
I'm reminded that we never wired this up to our nightlies.
@ndimiduk Not sure I would advise this. One of the warnings is Improper Restriction of XML External Entity Reference in jackson-mapper-asl. There is no fix for this until we are only up on Hadoop 3 and Hadoop fully excises Codehaus Jackson from their dependencies. It's required transitively for old Jersey/Jetty underpinning the servlet stack in Hadoop 2, so is quite important and not easily dislodged. If we did wire it up, there would always be one unresolvable high severity warning produced for every build.
I was not speaking of security scans (though we should figure this out too), I meant wire up use of this auditing tool to detect missing back ports.