TEZ-4435: use jackson v2 - jackson v1 is EOL and full of security issues #231

Merged
merged 5 commits into from
Aug 2, 2022

Contributor

@pjfanning pjfanning commented Jul 19, 2022

@pjfanning pjfanning changed the title use jackson v2 - jackson v1 is EOL and full of security issues TEZ-4435: use jackson v2 - jackson v1 is EOL and full of security issues Jul 19, 2022

Member

@ayushtkn ayushtkn left a comment

Seems similar stuff was done in Hadoop as well.
We should restrict these imports as well so as to avoid future usage by others.
Something like this
https://github.com/apache/hadoop/pull/3789/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8R276-R283

@pjfanning
Contributor Author

@ayushtkn I've never used that plugin before. I checked its docs and the docs don't match what Hadoop has. In https://github.com/skuzzle/restrict-imports-enforcer-rule - the XML element is called 'RestrictImports' but Hadoop pom.xml has 'restrictImports'.

I tried both on my Tez checkout and so far, the rule is not enforced either way.

@pjfanning
Contributor Author

pjfanning commented Jul 21, 2022


@ayushtkn I think I have the enforcement rule working now - the inherited=false flag seems to have stopped the rule being enforced in sub-modules. The 'restrictImports' XML tag seems to work despite the docs in https://github.com/skuzzle/restrict-imports-enforcer-rule
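An enforcer configuration of the kind discussed in this thread, added here as an example and not taken from the Tez or Hadoop pom.xml: it bans Jackson 1 (`org.codehaus.jackson`) imports and sets no `inherited=false`, so sub-modules run the rule as well. The execution id, phase, reason text and version property are assumptions.

```xml
<!-- Added example for the root pom.xml; not the project's own configuration. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <dependencies>
    <dependency>
      <groupId>de.skuzzle.enforcer</groupId>
      <artifactId>restrict-imports-enforcer-rule</artifactId>
      <!-- Assumed property name; define it with the version you have vetted. -->
      <version>${restrict-imports.enforcer.version}</version>
    </dependency>
  </dependencies>
  <executions>
    <!-- No <inherited>false</inherited> here: the execution must be inherited
         by child modules, otherwise only the root module is checked. -->
    <execution>
      <id>banned-illegal-imports</id> <!-- assumed id -->
      <phase>process-sources</phase>  <!-- assumed phase -->
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <!-- The rule class is named by the implementation attribute,
               so the spelling of the element name does not select it. -->
          <restrictImports implementation="de.skuzzle.enforcer.restrictimports.rule.RestrictImports">
            <includeTestCode>true</includeTestCode>
            <reason>Use Jackson 2 (com.fasterxml.jackson) instead of Jackson 1</reason>
            <bannedImports>
              <!-- Jackson 1 lives under org.codehaus.jackson -->
              <bannedImport>org.codehaus.jackson.**</bannedImport>
            </bannedImports>
          </restrictImports>
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>
```

To confirm enforcement, add a temporary `import org.codehaus.jackson.map.ObjectMapper;` to a class in a sub-module and check that the build fails in that module.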


@tez-yetus

💔 -1 overall

| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 🆗 | reexec | 1m 17s | Docker mode activated. |
| | | | _ Prechecks _ |
| +1 💚 | dupname | 0m 0s | No case conflicting files found. |
| +1 💚 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | | | _ master Compile Tests _ |
| +0 🆗 | mvndep | 6m 30s | Maven dependency ordering for branch |
| +1 💚 | mvninstall | 9m 45s | master passed |
| +1 💚 | compile | 3m 18s | master passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | compile | 3m 10s | master passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | checkstyle | 1m 51s | master passed |
| +1 💚 | javadoc | 3m 18s | master passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javadoc | 2m 40s | master passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +0 🆗 | spotbugs | 6m 35s | Used deprecated FindBugs config; considering switching to SpotBugs. |
| +1 💚 | findbugs | 7m 45s | master passed |
| | | | _ Patch Compile Tests _ |
| +0 🆗 | mvndep | 0m 19s | Maven dependency ordering for patch |
| +1 💚 | mvninstall | 4m 44s | the patch passed |
| +1 💚 | compile | 3m 16s | the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javac | 3m 16s | the patch passed |
| +1 💚 | compile | 3m 4s | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | javac | 3m 4s | the patch passed |
| +1 💚 | checkstyle | 1m 37s | the patch passed |
| +1 💚 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 💚 | xml | 0m 1s | The patch has no ill-formed XML file. |
| +1 💚 | javadoc | 3m 5s | the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javadoc | 2m 38s | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | findbugs | 7m 29s | the patch passed |
| | | | _ Other Tests _ |
| +1 💚 | unit | 0m 57s | tez-protobuf-history-plugin in the patch passed. |
| +1 💚 | unit | 72m 50s | root in the patch passed. |
| +1 💚 | asflicense | 1m 41s | The patch does not generate ASF License warnings. |
| | | 143m 15s | |

| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-231/5/artifact/out/Dockerfile |
| GITHUB PR | #231 |
| JIRA Issue | TEZ-4435 |
| Optional Tests | dupname asflicense javac javadoc unit xml compile spotbugs findbugs checkstyle |
| uname | Linux 6968e11d1add 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | personality/tez.sh |
| git revision | master / a192ec4 |
| Default Java | Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Multi-JDK versions | /usr/lib/jvm/java-11-openjdk-amd64:Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Test Results | https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-231/5/testReport/ |
| Max. process+thread count | 1826 (vs. ulimit of 5500) |
| modules | C: tez-plugins/tez-protobuf-history-plugin . U: . |
| Console output | https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-231/5/console |
| versions | git=2.25.1 maven=3.6.3 findbugs=3.0.1 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |

This message was automatically generated.

Member

@ayushtkn ayushtkn left a comment

LGTM
@abstractdog can you help push this further?

@pjfanning
Contributor Author

@abstractdog @ayushtkn would it be possible to get this merged?

@abstractdog abstractdog self-requested a review August 2, 2022 08:18
Contributor

@abstractdog abstractdog left a comment

LGTM +1
checked locally and enforcer rule works

@abstractdog abstractdog merged commit 621a831 into apache:master Aug 2, 2022
@pjfanning pjfanning deleted the patch-1 branch August 2, 2022 08:21