
HBASE-26821 Bump dependencies in /dev-support/git-jira-release-audit #4193

Merged
merged 1 commit into from
Mar 10, 2022

Conversation

apurtell
Contributor

@apurtell apurtell commented Mar 9, 2022

Bumps urllib3 from 1.25.8 to 1.26.5 to resolve two dependabot warnings

  • CRLF injection (Moderate) urllib3 (pip) · dev-support/git-jira-release-audit/requirements.txt

  • Catastrophic backtracking in URL authority parser when passed URL containing many @ characters (High) urllib3 (pip) · dev-support/git-jira-release-audit/requirements.txt

Bumps cryptography from 2.8 to 3.3.2 to resolve one dependabot warning

  • RSA decryption vulnerable to Bleichenbacher timing vulnerability (Moderate) cryptography (pip) · dev-support/git-jira-release-audit/requirements.txt
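The three advisories above are all resolved by moving the pins in `dev-support/git-jira-release-audit/requirements.txt` past the fixed releases (urllib3 >= 1.26.5, cryptography >= 3.3.2). The following is an added example, not code from this pull request or from the HBase project: a small Python audit that reads a pinned requirements file and reports any pin that is still below the floor named in the advisory, or that is not an exact `==` pin at all. The minimum versions come from the PR description; the sample requirements content is constructed for the example (the `example-helper` line is a placeholder, not a real HBase dependency).

```python
import re
from typing import Dict, List, Optional, Tuple

# Floors taken from the advisories this PR resolves (urllib3 1.26.5,
# cryptography 3.3.2). Anything pinned below these is still exposed.
MIN_SAFE: Dict[str, str] = {
    "urllib3": "1.26.5",
    "cryptography": "3.3.2",
}

# name[extras] <op> version  (a deliberately small subset of PEP 508)
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(==|>=|<=|~=|!=|<|>)?\s*([0-9][0-9A-Za-z.*+-]*)?"
)


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '1.26.5' into (1, 26, 5); non-numeric pieces such as 'rc1' count as 0."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_older(found: str, floor: str) -> bool:
    """True when `found` sorts strictly below `floor`, padding short versions with zeros."""
    a, b = version_tuple(found), version_tuple(floor)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def parse_requirement(line: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (normalized name, operator, version) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _REQ_RE.match(line)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")
    return name, m.group(2), m.group(3)


def audit(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Report (line number, package, reason) for every pin that does not meet MIN_SAFE."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(lines, 1):
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, op, ver = parsed
        if name not in MIN_SAFE:
            continue
        floor = MIN_SAFE[name]
        if op != "==" or ver is None:
            # A range or bare name is not reproducible; demand an exact pin at or above the floor.
            findings.append((lineno, name, f"not pinned with '==' (found {op or 'no specifier'}); pin to >= {floor}"))
        elif is_older(ver, floor):
            findings.append((lineno, name, f"{ver} is below fixed version {floor}"))
    return findings


# Constructed sample: the pins this PR replaces, plus a placeholder package.
SAMPLE_BEFORE = """\
# constructed sample modelled on the pre-bump requirements file
cryptography==2.8
example-helper==1.0
urllib3==1.25.8
"""

# Constructed sample: the pins after the bump.
SAMPLE_AFTER = """\
cryptography==3.3.2
example-helper==1.0
urllib3==1.26.5
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"--- {label} ---")
        for lineno, name, reason in audit(text.splitlines()) or []:
            print(f"line {lineno}: {name}: {reason}")
```

Run against the "before" sample it flags both packages; against the "after" sample it is silent. Wiring a check like this into the same CI job that runs the audit tool catches a regression of the pins without depending on an external alert feed.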

@apurtell apurtell requested review from ndimiduk and busbey March 9, 2022 19:41
@apurtell apurtell changed the title HBASE-26821 Bump urllib3 in /dev-support/git-jira-release-audit HBASE-26821 Bump dependencies in /dev-support/git-jira-release-audit Mar 9, 2022
@apurtell
Contributor Author

apurtell commented Mar 9, 2022

Lame but I get this after enabling dependabot warnings on my hbase repo fork. There is another warning about old codehaus Jackson that nothing can be done about for now.

@Apache-HBase

🎊 +1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 0m 29s Docker mode activated.
-0 ⚠️ yetus 0m 3s Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
_ Prechecks _
_ master Compile Tests _
+0 🆗 mvndep 0m 11s Maven dependency ordering for branch
_ Patch Compile Tests _
+0 🆗 mvndep 0m 3s Maven dependency ordering for patch
_ Other Tests _
1m 34s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4193/1/artifact/yetus-jdk8-hadoop3-check/output/Dockerfile
GITHUB PR #4193
Optional Tests
uname Linux 944a3040e0e1 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/hbase-personality.sh
git revision master / 1047194
Max. process+thread count 28 (vs. ulimit of 30000)
modules C: U:
Console output https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4193/1/console
versions git=2.17.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@Apache-HBase

🎊 +1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 0m 39s Docker mode activated.
-0 ⚠️ yetus 0m 2s Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
_ Prechecks _
_ master Compile Tests _
+0 🆗 mvndep 0m 15s Maven dependency ordering for branch
_ Patch Compile Tests _
+0 🆗 mvndep 0m 4s Maven dependency ordering for patch
_ Other Tests _
1m 45s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4193/1/artifact/yetus-jdk11-hadoop3-check/output/Dockerfile
GITHUB PR #4193
Optional Tests
uname Linux 1e048fe74a72 5.4.0-1043-aws #45~18.04.1-Ubuntu SMP Fri Apr 9 23:32:25 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/hbase-personality.sh
git revision master / 1047194
Max. process+thread count 44 (vs. ulimit of 30000)
modules C: U:
Console output https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4193/1/console
versions git=2.17.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@Apache-HBase

🎊 +1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 1m 4s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
_ master Compile Tests _
+0 🆗 mvndep 0m 17s Maven dependency ordering for branch
_ Patch Compile Tests _
+0 🆗 mvndep 0m 5s Maven dependency ordering for patch
+1 💚 whitespace 0m 0s The patch has no whitespace issues.
_ Other Tests _
+0 🆗 asflicense 0m 0s ASF License check generated no output?
2m 30s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4193/1/artifact/yetus-general-check/output/Dockerfile
GITHUB PR #4193
Optional Tests dupname asflicense
uname Linux 98d42c77bb24 5.4.0-1025-aws #25~18.04.1-Ubuntu SMP Fri Sep 11 12:03:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/hbase-personality.sh
git revision master / 1047194
Max. process+thread count 33 (vs. ulimit of 30000)
modules C: U:
Console output https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4193/1/console
versions git=2.17.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

Contributor

@jojochuang jojochuang left a comment


+1
I have Dependabot security alert enabled in my HBase fork and I see test warnings.

It would be nice to enable Dependabot in Apache HBase repo, IMO.

Member

@ndimiduk ndimiduk left a comment


Sure, seems fine.

I'm reminded that we never wired this up to our nightlies.

@apurtell
Contributor Author

apurtell commented Mar 10, 2022

I'm reminded that we never wired this up to our nightlies.

@ndimiduk Not sure I would advise this. One of the warnings is

Improper Restriction of XML External Entity Reference in jackson-mapper-asl
org.codehaus.jackson:jackson-mapper-asl (Maven) · hbase-shaded/hbase-shaded-testing-util-tester/pom.xml
"A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to GHSA-hmq6-frv3-4727 also affects codehaus jackson-mapper-asl libraries but in different classes."

There is no fix for this until we are only up on Hadoop 3 and Hadoop fully excises Codehaus Jackson from their dependencies. It's required transitively for old Jersey/Jetty underpinning the servlet stack in Hadoop 2 so is quite important and not easily dislodged.

If we did wire it up, there would always be one unresolvable high severity warning produced for every build.

@ndimiduk
Member

I was not speaking of security scans (though we should figure this out too), I meant wire up use of this auditing tool to detect missing back ports.

@apurtell apurtell merged commit addace2 into apache:master Mar 10, 2022
@apurtell apurtell deleted the HBASE-26821 branch March 10, 2022 20:25