Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-15250 fix #1095

Merged
merged 1 commit into from
Nov 22, 2022
Merged

CVE-2020-15250 fix #1095

merged 1 commit into from
Nov 22, 2022

Conversation

vmmusings
Copy link
Member

@vmmusings vmmusings commented Nov 22, 2022
edited
Loading

Description

CVE-2020-15250 fix

❯ gradle -q dependencyInsight --configuration testRuntimeClasspath  --dependency junit:junit
=======================================
OpenSearch Build Hamster says Hello!
  Gradle Version        : 7.5.1
  OS Info               : Mac OS X 12.6 (x86_64)
  JDK Version           : 11 (Amazon Corretto JDK)
  JAVA_HOME             : /Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home
  Random Testing Seed   : 3EBDD3744BBE9892
  In FIPS 140 mode      : false
=======================================
junit:junit:4.13.2 (forced)
  Variant runtime:
    | Attribute Name                 | Provided     | Requested    |
    |--------------------------------|--------------|--------------|
    | org.gradle.status              | release      |              |
    | org.gradle.category            | library      | library      |
    | org.gradle.libraryelements     | jar          | jar          |
    | org.gradle.usage               | java-runtime | java-runtime |
    | org.gradle.dependency.bundling |              | external     |
    | org.gradle.jvm.environment     |              | standard-jvm |
    | org.gradle.jvm.version         |              | 11           |

junit:junit:4.13 -> 4.13.2
\--- com.squareup.okhttp3:mockwebserver:4.9.3
     \--- testRuntimeClasspath

Issues Resolved

Related PR: https://github.com/opensearch-project/sql/pull/1079/files

Check List

  • New functionality includes testing.
    • All tests pass, including unit test, integration test and doctest
  • New functionality has been documented.
    • New functionality has javadoc added
    • New functionality has user manual doc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@vmmusings
CVE-2020-15250 fix
4994585 
Signed-off-by: vamsi-amazon <reddyvam@amazon.com>
@codecov-commenter
Copy link

codecov-commenter commented Nov 22, 2022
edited
Loading

Codecov Report

Merging #1095 (4994585) into 2.x (d4d289c) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##                2.x    #1095   +/-   ##
=========================================
  Coverage     98.28%   98.28%           
  Complexity     3454     3454           
=========================================
  Files           345      345           
  Lines          8588     8588           
  Branches        547      547           
=========================================
  Hits           8441     8441           
  Misses          142      142           
  Partials          5        5
Flag Coverage Δ
sql-engine 98.28% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@vmmusings vmmusings marked this pull request as ready for review November 22, 2022 23:26
@vmmusings vmmusings requested a review from a team as a code owner November 22, 2022 23:26
joshuali925
joshuali925 approved these changes Nov 22, 2022
View reviewed changes
prometheus/build.gradle
@@ -42,7 +42,7 @@ test {
configurations.all {
resolutionStrategy.force "org.jetbrains.kotlin:kotlin-stdlib:1.6.0"
resolutionStrategy.force "org.jetbrains.kotlin:kotlin-stdlib-common:1.6.0"
resolutionStrategy.force "org.junit.jupiter:junit-jupiter:5.6.2"
resolutionStrategy.force 'junit:junit:4.13.2'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this downgrading?

Copy link
Member Author

@vmmusings vmmusings Nov 22, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://mvnrepository.com/artifact/junit/junit
Its the latest one.

In the earlier PR, by mistake we forced junit-jupiter version, in this I have removed and forced junit version which actually fixes the CVE

@vmmusings vmmusings merged commit 0f5d628 into 2.x Nov 22, 2022
@dai-chen dai-chen added the dependencies Pull requests that update a dependency file label Dec 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rupal-bq rupal-bq rupal-bq approved these changes

@sejli sejli sejli approved these changes

@joshuali925 joshuali925 joshuali925 approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@vmmusings @codecov-commenter @joshuali925 @sejli @rupal-bq @dai-chen