Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update BouncyCastle dependencies from jdk15to18 to jdk18on #12317

Merged
merged 4 commits into from
Feb 14, 2024

Conversation

stephen-crawford
Copy link
Contributor

@stephen-crawford stephen-crawford commented Feb 14, 2024

Description

This change updates bouncy castle dependencies to the most recent jdk18on versions. The reason for this change is because it may fix an intermittent AEAD cipher failure experienced on cluster start.

Related Issues

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Copy link
Contributor

❌ Gradle check result for c2dc38b: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@stephen-crawford
Copy link
Contributor Author

stephen-crawford commented Feb 14, 2024

While its good that the libraries seem compile safe; there can be hidden risks of performance regression or security robustness by switching on older platforms. Can you look into how BouncyCastle recommends these different versions?

Ideally this change would alter the dependency depending on the jdk target, using the existing bouncy castle version vs on supported platforms using jdk18on. This might be a good middle ground to unblock testing on jdk21 and in the security plugin branches.

This is the recommended BouncyCastle version. The current version we use (15to18) is meant for projects which cannot support multi-release jars.

Per the website:

Java Version Details With the arrival of Java 15. jdk15 is not quite as unambiguous as it was. The jdk18on jars are compiled to work with anything from Java 1.8 up. They are also multi-release jars so do support some features that were introduced in Java 9, Java 11, and Java 15. If you have issues with multi-release jars see the jdk15to18 release jars below.

Packaging Change (users of 1.70 or earlier): BC 1.71 changed the jdk15on jars to jdk18on so the base has now moved to Java 8. For earlier JVMs, or containers/applications that cannot cope with multi-release jars, you should now use the jdk15to18 jars.

https://www.bouncycastle.org/latest_releases.html

Seems like it should be fine @peternied

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification @scrawfor99 - that works for me. Just waiting on passing CI and an outstanding comment

@peternied peternied dismissed their stale review February 14, 2024 18:30

Blocking comment on the library version isn't applicable.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Copy link
Contributor

✅ Gradle check result for 67f97c7: SUCCESS

Copy link

codecov bot commented Feb 14, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (8489294) 71.32% compared to head (67f97c7) 71.36%.
Report is 1 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main   #12317      +/-   ##
============================================
+ Coverage     71.32%   71.36%   +0.03%     
- Complexity    59764    59770       +6     
============================================
  Files          4959     4959              
  Lines        281129   281129              
  Branches      40857    40857              
============================================
+ Hits         200513   200614     +101     
+ Misses        63947    63864      -83     
+ Partials      16669    16651      -18     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@peternied peternied merged commit 6099ed9 into opensearch-project:main Feb 14, 2024
37 of 38 checks passed
@peternied peternied added the backport 2.x Backport to 2.x branch label Feb 14, 2024
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-12317-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 6099ed99fe68a739e60bf0c13c9954ec5c890fac
# Push it to GitHub
git push --set-upstream origin backport/backport-12317-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-12317-to-2.x.

@peternied
Copy link
Member

@scrawfor99 Could you manually backport this change to the 2.x branch?

stephen-crawford added a commit to opensearch-project/security that referenced this pull request Feb 14, 2024
### Description
[Describe what this change achieves]
Following: opensearch-project/OpenSearch#12317
in core, this PR increases the version used for bouncycastle in the
Security plugin. This is an attempt to correct the intermittent failures
described here:
[#3299](#3299)

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
peternied pushed a commit that referenced this pull request Feb 14, 2024
…15to18 to jdk18on (#12326)

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
peteralfonsi pushed a commit to peteralfonsi/OpenSearch that referenced this pull request Mar 1, 2024
rayshrey pushed a commit to rayshrey/OpenSearch that referenced this pull request Mar 18, 2024
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
…h-project#12317)

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
mwilso3 pushed a commit to mwilso3/OpenSearch-fork that referenced this pull request May 1, 2024
mwilso3 pushed a commit to mwilso3/OpenSearch-fork that referenced this pull request May 1, 2024
…k18on (opensearch-project#12317)

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>
dlin2028 pushed a commit to dlin2028/security that referenced this pull request May 1, 2024
…project#4052)

### Description
[Describe what this change achieves]
Following: opensearch-project/OpenSearch#12317
in core, this PR increases the version used for bouncycastle in the
Security plugin. This is an attempt to correct the intermittent failures
described here:
[opensearch-project#3299](opensearch-project#3299)

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
reta added a commit that referenced this pull request May 6, 2024
…0172, CVE-2024-30171 and CVE-2024-29857) (#13484)

* [Backport][1.3] Bump BouncyCastle to 1.76 (#10219)

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* [Backport][1.3] Update BouncyCastle dependencies from jdk15to18 to jdk18on (#12317)

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* [Backport][1.3] Bump bouncycastle from 1.77 to 1.78 (#13243)

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* PR#13484 Re-work

* Update BC from 1.78 to 1.78.1 with latest fixes.
* Remove incorrect jdk15to18 module replacement definitions as artifacts are still supported.
* Add release notes.
* Remove unneccessary license additions.

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* PR#13484 Re-work

* Rename licenses from jdk18on to jdk15to18 and 1.78 to 1.78.1.
* Update SHAs for BC 1.78.1 licenses.

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* PR#13484 Re-work

Update Changelog and remove release notes file as this will be created upon release.

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

---------

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>
Co-authored-by: Andrey Pleskach <ples@aiven.io>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Andriy Redko <andriy.redko@aiven.io>
bowenlan-amzn pushed a commit to bowenlan-amzn/OpenSearch that referenced this pull request May 24, 2024
DarshitChanpura pushed a commit to DarshitChanpura/security that referenced this pull request Jul 30, 2024
…project#4052)

[Describe what this change achieves]
Following: opensearch-project/OpenSearch#12317
in core, this PR increases the version used for bouncycastle in the
Security plugin. This is an attempt to correct the intermittent failures
described here:
[opensearch-project#3299](opensearch-project#3299)

- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
(cherry picked from commit b7b49b9)
DarshitChanpura pushed a commit to DarshitChanpura/security that referenced this pull request Jul 31, 2024
…project#4052)

[Describe what this change achieves]
Following: opensearch-project/OpenSearch#12317
in core, this PR increases the version used for bouncycastle in the
Security plugin. This is an attempt to correct the intermittent failures
described here:
[opensearch-project#3299](opensearch-project#3299)

- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
(cherry picked from commit b7b49b9)
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x Backport to 2.x branch backport-failed
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants