
upgrade groovy from 2.5.17 to 3.0.11 to fix CVE-2019-11358(7.5) #3346

Merged
merged 5 commits
Jun 22, 2022

Conversation

hangc0276
Contributor

Motivation

There is a CVE in testing, which was introduced by groovy.

Error:  Failed to execute goal org.owasp:dependency-check-maven:7.1.0:aggregate (default) on project bookkeeper: 
Error: 
Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
Error: 
Error:  testng-6.13.1.jar: CVE-2019-11358(7.5)
(CI run: https://github.com/apache/bookkeeper/runs/6953376087?check_suite_focus=true)
Error: 
Error:  See the dependency-check report for more details.
Error:  -> [Help 1]
Error: 
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error: 
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
Error: Process completed with exit code 1.

Changes

Upgrade groovy version from 2.5.8 to 3.0.11

@@ -1138,6 +1138,7 @@
<mixAuditAnalyzerEnabled>false</mixAuditAnalyzerEnabled>
<nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
<assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
<skipSystemScope>true</skipSystemScope>
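Review bot: the single added line `<skipSystemScope>true</skipSystemScope>` is not mentioned in the PR description (which only says "Upgrade groovy version from 2.5.8 to 3.0.11"), yet it changes what the dependency-check plugin scans rather than which Groovy version is used. Please add an XML comment beside it naming the artifact that forced the change, and state in the description that system-scoped dependencies will no longer be analysed, so any jar later declared with `<scope>system</scope>` would be silently excluded from the CVSS >= 7.0 gate that failed in the log above.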
Member


I have searched the project. We don't have a <scope>system</scope> import. Why do we need this config?

Contributor Author


@hezhangjian
Member

Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html
Maybe we should update to Groovy2 latest version?

@hangc0276 hangc0276 changed the title upgrade groovy from 2.5.8 to 3.0.11 to fix CVE-2019-11358(7.5) upgrade groovy from 2.5.8 to 3.5.17 to fix CVE-2019-11358(7.5) Jun 19, 2022
@hangc0276
Contributor Author

Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html Maybe we should update to Groovy2 latest version?

done

@hangc0276
Contributor Author

Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html Maybe we should update to Groovy2 latest version?

done

@Shoothzj It doesn't work on 2.5.17, because groovy-testng depends on testng 6.13.1, which has CVE issues.
https://github.com/apache/bookkeeper/runs/6954538682?check_suite_focus=true
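One way to stay on Groovy 2.5.x while still closing the dependency-check finding, added here as an example and not part of this PR (the PR itself moved to Groovy 3.0.11 instead): exclude the transitive testng that groovy-testng pulls in and pin a patched testng explicitly through dependencyManagement, so the scanner no longer sees testng-6.13.1.jar. The groupIds are the standard Maven coordinates for these artifacts; TESTNG_FIXED_VERSION is a placeholder, because the thread does not say which testng release is clean for CVE-2019-11358.

```xml
<!-- Added example, not the bookkeeper pom. Keeps groovy 2.5.17 but stops the
     flagged testng 6.13.1 from being resolved transitively. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pin the version of testng used anywhere in the build.
           TESTNG_FIXED_VERSION is a placeholder: take the first release that
           the dependency-check report no longer flags for CVE-2019-11358. -->
      <dependency>
        <groupId>org.testng</groupId>
        <artifactId>testng</artifactId>
        <version>TESTNG_FIXED_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.codehaus.groovy</groupId>
      <artifactId>groovy-testng</artifactId>
      <version>2.5.17</version>
      <scope>test</scope>
      <exclusions>
        <!-- Drop the transitive testng 6.13.1; the managed version above
             is used instead. -->
        <exclusion>
          <groupId>org.testng</groupId>
          <artifactId>testng</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

To confirm the exclusion took effect, run `mvn dependency:tree -Dincludes=org.testng` and check that only the pinned version appears, then rerun the gate from the log above, `mvn org.owasp:dependency-check-maven:7.1.0:aggregate`. This keeps the scanner's system-scope analysis enabled, which is what the `skipSystemScope` question in this thread is about.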

@hangc0276
Contributor Author

rerun failure checks

@hangc0276 hangc0276 changed the title upgrade groovy from 2.5.8 to 3.5.17 to fix CVE-2019-11358(7.5) upgrade groovy from 2.5.8 to 3.0.11 to fix CVE-2019-11358(7.5) Jun 20, 2022
@hangc0276 hangc0276 changed the title upgrade groovy from 2.5.8 to 3.0.11 to fix CVE-2019-11358(7.5) upgrade groovy from 2.5.17 to 3.0.11 to fix CVE-2019-11358(7.5) Jun 20, 2022
@zymap zymap requested review from eolivelli and dlg99 June 22, 2022 02:50
@zymap zymap added the dependencies Pull requests that update a dependency file label Jun 22, 2022
@zymap zymap added this to the 4.16.0 milestone Jun 22, 2022
@eolivelli eolivelli merged commit 8d4b9e2 into apache:master Jun 22, 2022
@nicoloboschi
Contributor

Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html Maybe we should update to Groovy2 latest version?

@Shoothzj so we upgraded to groovy 3 but the JDK8 check passed, so I'm a bit confused now

@hangc0276
Contributor Author

Groovy 3.0 requires JDK9+ to build and JDK8 is the minimum version of the JRE that we support. See https://groovy-lang.org/releasenotes/groovy-3.0.html Maybe we should update to Groovy2 latest version?

@Shoothzj so we upgraded to groovy 3 but the JDK8 check passed, so I'm a bit confused now

@nicoloboschi I have added the <skipSystemScope>true</skipSystemScope> configuration to skip the SystemScope check.

zymap pushed a commit that referenced this pull request Aug 2, 2022
Ghatage pushed a commit to sijie/bookkeeper that referenced this pull request Jul 12, 2024
Labels
cherry-picked/branch-4.15 dependencies Pull requests that update a dependency file release/4.15.1