Updating dependencies (guava and what brought in older guava) to get rid of the guava-related CVE-2018-10237 and CVE-2020-8908 #13716

Merged
merged 11 commits into from
Jan 21, 2022
42 changes: 21 additions & 21 deletions distribution/server/src/assemble/LICENSE.bin.txt
@@ -328,7 +328,7 @@ The Apache Software License, Version 2.0
- com.google.code.gson-gson-2.8.9.jar
- io.gsonfire-gson-fire-1.8.5.jar
* Guava
- com.google.guava-guava-30.1-jre.jar
- com.google.guava-guava-31.0.1-jre.jar
- com.google.guava-failureaccess-1.0.1.jar
- com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
* J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.3.jar
@@ -426,25 +426,25 @@ The Apache Software License, Version 2.0
- org.asynchttpclient-async-http-client-2.12.1.jar
- org.asynchttpclient-async-http-client-netty-utils-2.12.1.jar
* Jetty
- org.eclipse.jetty-jetty-client-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-continuation-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-io-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-proxy-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-security-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-servlet-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-servlets-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-util-ajax-9.4.43.v20210629.jar
- org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.43.v20210629.jar
- org.eclipse.jetty.websocket-websocket-api-9.4.43.v20210629.jar
- org.eclipse.jetty.websocket-websocket-client-9.4.43.v20210629.jar
- org.eclipse.jetty.websocket-websocket-common-9.4.43.v20210629.jar
- org.eclipse.jetty.websocket-websocket-server-9.4.43.v20210629.jar
- org.eclipse.jetty.websocket-websocket-servlet-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-alpn-server-9.4.43.v20210629.jar
- org.eclipse.jetty-jetty-client-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-continuation-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-http-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-io-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-proxy-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-security-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-server-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-servlet-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-servlets-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-util-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-util-ajax-9.4.44.v20210927.jar
- org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.44.v20210927.jar
- org.eclipse.jetty.websocket-websocket-api-9.4.44.v20210927.jar
- org.eclipse.jetty.websocket-websocket-client-9.4.44.v20210927.jar
- org.eclipse.jetty.websocket-websocket-common-9.4.44.v20210927.jar
- org.eclipse.jetty.websocket-websocket-server-9.4.44.v20210927.jar
- org.eclipse.jetty.websocket-websocket-servlet-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.44.v20210927.jar
- org.eclipse.jetty-jetty-alpn-server-9.4.44.v20210927.jar
* SnakeYaml -- org.yaml-snakeyaml-1.30.jar
* RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
* Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
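Review bot: this file is maintained by hand, and the eighteen Jetty entries here move from 9.4.43.v20210629 to 9.4.44.v20210927 although the PR title names only the Guava CVEs; the PR description should list the Jetty bump (and the checker-qual 3.5.0 -> 3.12.0 bump in the next hunk) so a reader of the history understands why the LICENSE files changed. Verify this list against the jars actually assembled into the distribution rather than against the pom property, since entries here are copied manually and a stale entry is easy to miss.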
@@ -545,7 +545,7 @@ MIT License
- org.slf4j-slf4j-api-1.7.32.jar
- org.slf4j-jcl-over-slf4j-1.7.32.jar
* The Checker Framework
- org.checkerframework-checker-qual-3.5.0.jar
- org.checkerframework-checker-qual-3.12.0.jar

Protocol Buffers License
* Protocol Buffers
30 changes: 7 additions & 23 deletions pom.xml
@@ -110,7 +110,7 @@ flexible messaging model and an intuitive client API.</description>
<curator.version>5.1.0</curator.version>
<netty.version>4.1.72.Final</netty.version>
<netty-tc-native.version>2.0.46.Final</netty-tc-native.version>
<jetty.version>9.4.43.v20210629</jetty.version>
<jetty.version>9.4.44.v20210927</jetty.version>
<conscrypt.version>2.5.2</conscrypt.version>
<jersey.version>2.34</jersey.version>
<athenz.version>1.10.9</athenz.version>
@@ -159,11 +159,11 @@ flexible messaging model and an intuitive client API.</description>
<debezium.version>1.7.1.Final</debezium.version>
<jsonwebtoken.version>0.11.1</jsonwebtoken.version>
<opencensus.version>0.18.0</opencensus.version>
<hbase.version>2.3.0</hbase.version>
<guava.version>30.1-jre</guava.version>
<hbase.version>2.4.9</hbase.version>
<guava.version>31.0.1-jre</guava.version>
<jcip.version>1.0</jcip.version>
<prometheus-jmx.version>0.14.0</prometheus-jmx.version>
<confluent.version>5.3.2</confluent.version>
<confluent.version>7.0.1</confluent.version>
<kafka.confluent.schemaregistryclient.version>5.3.0</kafka.confluent.schemaregistryclient.version>
<kafka.confluent.avroserializer.version>5.3.0</kafka.confluent.avroserializer.version>
<kafka-avro-convert-jackson.version>1.9.13</kafka-avro-convert-jackson.version>
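Review bot: confluent.version moves from 5.3.2 to 7.0.1, but kafka.confluent.schemaregistryclient.version and kafka.confluent.avroserializer.version in the same block stay at 5.3.0, so Confluent artifacts are now managed at two different major versions. Either bump those two properties alongside confluent.version or add a comment explaining why they must remain at 5.3.0, and confirm with mvn dependency:tree which versions actually land on the classpath of the modules that use them. It would also help to state in the PR description which of the hbase 2.3.0 -> 2.4.9 and confluent bumps were needed to shed the old Guava, since the title only mentions Guava.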
@@ -576,26 +576,10 @@ flexible messaging model and an intuitive client API.</description>

<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-servlet</artifactId>
<version>${jetty.version}</version>
</dependency>

<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-servlets</artifactId>
<version>${jetty.version}</version>
</dependency>

<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-proxy</artifactId>
<version>${jetty.version}</version>
</dependency>

<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-util</artifactId>
<artifactId>jetty-bom</artifactId>
Member
Nice change! Please create a separate PR for the jetty-bom change and the jetty.version upgrade. This change isn't related to Guava and would be valuable on its own.

Contributor Author
@lhotari IIRC this came in after I upgraded other dependencies that used older guava (confluent?), to settle on the newer version. I'd prefer to avoid spending time on ripping the PR apart/rebuilding/rescanning, testing what else needs to be downgraded etc.

Member
> to settle on the newer version. I'd prefer to avoid spending time on ripping the PR apart/rebuilding/rescanning, testing what else needs to be downgraded etc.

You can keep the change in this PR. If you submit it separately, the PR could be merged before this PR. If this PR later gets reverted for some reason, let's say it breaks something, we can keep the Jetty change. The Jetty change might also be cherry-picked to maintenance branches, but the Guava change might not be picked. There are multiple reasons to do minimal PRs. I know that it's terrible now that our CI is in such bad shape with a lot of flaky tests and long build times. We just have to keep on improving.
@eolivelli What's your opinion about splitting the jetty-bom change to a new PR?

Contributor
IIUC importing the BOM of Jetty solves some problems with the version of Guava imported by Jetty.

While I agree with @lhotari's concern about tracking broken patches and reverting, I also understand @dlg99's pain.

Considering that this patch is only about updating dependencies that are related to each other, I am +1 on merging this patch as it is.

Member
How is the Jetty upgrade related to the Guava upgrade?

Member
Found the relation to Jetty, np.

<version>${jetty.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>

<dependency>
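Review bot: replacing the explicit jetty-servlet, jetty-servlets, jetty-proxy and jetty-util entries with a jetty-bom import (`<type>pom</type>` with `<scope>import</scope>`) only has an effect inside `<dependencyManagement>`, and the hunk does not show the enclosing element, so please confirm that is where this sits. An imported BOM manages every Jetty artifact at ${jetty.version}, so modules that relied on one of the four removed managed entries still resolve to the same version, but a module that declares its own Jetty `<version>` is not affected by the BOM; a dependency:tree pass over the modules using jetty-proxy and jetty-servlets would confirm nothing regressed. As the thread notes, this part is independent of the Guava fix and is the piece most likely to be cherry-picked on its own.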
50 changes: 49 additions & 1 deletion pulsar-io/canal/pom.xml
@@ -32,6 +32,11 @@
<artifactId>pulsar-io-canal</artifactId>
<name>Pulsar IO :: Canal</name>

<properties>
<spring.version>5.0.20.RELEASE</spring.version>
<canal.version>1.1.5</canal.version>
</properties>
Comment on lines +35 to +38
Contributor
It's better to move the dependency management to the root pom


<dependencies>
<dependency>
<groupId>${project.groupId}</groupId>
@@ -52,11 +57,54 @@
<artifactId>fastjson</artifactId>
<version>1.2.73</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>${spring.version}</version>
</dependency>

<dependency>
<groupId>com.alibaba.otter</groupId>
<artifactId>canal.protocol</artifactId>
<version>${canal.version}</version>
</dependency>
<dependency>
<groupId>com.alibaba.otter</groupId>
<artifactId>canal.client</artifactId>
<version>1.1.4</version>
<version>${canal.version}</version>
<exclusions>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>*</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
</dependency>

<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
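Review bot: the `<exclusions>` for ch.qos.logback:* and org.springframework:* are attached only to canal.client, while the newly added canal.protocol at the same ${canal.version} has none; if canal.protocol pulls either of those in transitively, the exclusion is bypassed and the Spring version is no longer controlled by the explicit spring-core/spring-aop/spring-context/spring-jdbc/spring-orm entries at ${spring.version}. Apply the same exclusions block to canal.protocol, or verify with mvn dependency:tree that it brings in neither. The five Spring entries and two Canal entries also repeat versions inside this module; per the earlier comment on the properties block, managing spring.version and canal.version in the root pom would keep them in one place alongside guava.version and jetty.version.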
27 changes: 23 additions & 4 deletions pulsar-io/flume/pom.xml
@@ -31,6 +31,10 @@
<artifactId>pulsar-io-flume</artifactId>
<name>Pulsar IO :: Flume</name>

<properties>
<avro.version>1.8.2</avro.version>
</properties>
Comment on lines +34 to +36
Contributor
It's better to move the dependency management to the root pom


<dependencies>
<dependency>
<groupId>${project.groupId}</groupId>
@@ -54,8 +58,8 @@
<type>pom</type>
<exclusions>
<exclusion>
<artifactId>avro-ipc</artifactId>
<groupId>org.apache.avro</groupId>
<artifactId>avro-ipc</artifactId>
</exclusion>
<exclusion>
<artifactId>avro</artifactId>
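Review bot: swapping the order of `<artifactId>` and `<groupId>` inside the existing avro-ipc exclusion changes nothing in behaviour, so this is harmless, but it is unrelated churn that makes the real change in the next hunk harder to spot; keeping such reorders out of a CVE-fix PR makes the diff easier to review and to cherry-pick.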
@@ -66,12 +70,27 @@
<dependency>
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
<version>1.8.1</version>
<version>${avro.version}</version>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
</dependency>
<dependency>
<groupId>org.apache.avro</groupId>
<artifactId>avro-ipc</artifactId>
<version>1.8.1</version>
<version>${avro.version}</version>
<exclusions>
<exclusion>
<groupId>org.mortbay.jetty</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.curator</groupId>
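Review bot: a new direct dependency on commons-lang:commons-lang 2.6 is added between the avro and avro-ipc bumps with no explanation; if it is only there because something previously provided it transitively, say so in an XML comment, since a new direct dependency on a legacy artifact in a CVE-cleanup PR will be questioned at the next scan. The exclusions of org.mortbay.jetty:servlet-api and io.netty:netty from avro-ipc ${avro.version} look right given that the root pom manages netty at 4.1.72.Final and Jetty at 9.4.44.v20210927, both of which the older artifacts would otherwise sit next to on the classpath; an XML comment recording that reason would stop them being removed later.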
@@ -106,7 +125,7 @@
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>18.0</version>
<version>${guava.version}</version>
Member
Does the current Flume version support the latest Guava version? There are multiple breaking changes between 18.0 and 31.0.

Contributor Author
The tests passed, that's as much as I can tell.

Member
I believe that there must have been a reason why the version was pinned to 18.0. I doubt that the tests in pulsar-io/flume validate the full functionality. @tuteng could you shed some light on this since you are the original author?

Contributor Author
@lhotari the best testing I could do is:

  1. Get Flume's code.
  2. Check out d4fcab4f501d41597bc616921329a4339f73585e (last release) and build. The build fails, with JDK 11 and with JDK 8.
  3. Check out trunk (some dependencies were upgraded after the release, but no dramatic changes). The build succeeds.
  4. The Guava dependency is brought in by org.apache.flume:flume-ng-node, so cd flume/flume-ng-node and run the tests there. The tests pass (with JDK 8; some failed with JDK 11).
  5. Force <version>31.0.1-jre</version> for Guava in flume-ng-node. The build succeeds. mvn dependency:tree confirms that the updated Guava is used. The tests pass.

Member
Great work in confirming the compatibility @dlg99

</dependency>
</dependencies>
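Review bot: moving from a hard-pinned guava 18.0 to ${guava.version} (31.0.1-jre in the root pom) is a thirteen-major-version jump for a module whose own tests, per the thread, may not exercise all of Flume; the manual verification described in the discussion (building flume-ng-node against 31.0.1-jre and running its tests, with mvn dependency:tree confirming the resolved version) is the real evidence here and belongs in the PR description or in an XML comment beside this dependency, so the next person to touch the pin does not have to rediscover why 18.0 was safe to drop.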

36 changes: 18 additions & 18 deletions pulsar-sql/presto-distribution/LICENSE
@@ -221,7 +221,7 @@ The Apache Software License, Version 2.0
- jackson-module-jaxb-annotations-2.12.6.jar
- jackson-module-jsonSchema-2.12.6.jar
* Guava
- guava-30.1-jre.jar
- guava-31.0.1-jre.jar
- listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
- failureaccess-1.0.1.jar
* Google Guice
@@ -255,22 +255,22 @@ The Apache Software License, Version 2.0
* Joda Time
- joda-time-2.10.5.jar
* Jetty
- http2-client-9.4.43.v20210629.jar
- http2-common-9.4.43.v20210629.jar
- http2-hpack-9.4.43.v20210629.jar
- http2-http-client-transport-9.4.43.v20210629.jar
- jetty-alpn-client-9.4.43.v20210629.jar
- http2-server-9.4.43.v20210629.jar
- jetty-alpn-java-client-9.4.43.v20210629.jar
- jetty-client-9.4.43.v20210629.jar
- jetty-http-9.4.43.v20210629.jar
- jetty-io-9.4.43.v20210629.jar
- jetty-jmx-9.4.43.v20210629.jar
- jetty-security-9.4.43.v20210629.jar
- jetty-server-9.4.43.v20210629.jar
- jetty-servlet-9.4.43.v20210629.jar
- jetty-util-9.4.43.v20210629.jar
- jetty-util-ajax-9.4.43.v20210629.jar
- http2-client-9.4.44.v20210927.jar
- http2-common-9.4.44.v20210927.jar
- http2-hpack-9.4.44.v20210927.jar
- http2-http-client-transport-9.4.44.v20210927.jar
- jetty-alpn-client-9.4.44.v20210927.jar
- http2-server-9.4.44.v20210927.jar
- jetty-alpn-java-client-9.4.44.v20210927.jar
- jetty-client-9.4.44.v20210927.jar
- jetty-http-9.4.44.v20210927.jar
- jetty-io-9.4.44.v20210927.jar
- jetty-jmx-9.4.44.v20210927.jar
- jetty-security-9.4.44.v20210927.jar
- jetty-server-9.4.44.v20210927.jar
- jetty-servlet-9.4.44.v20210927.jar
- jetty-util-9.4.44.v20210927.jar
- jetty-util-ajax-9.4.44.v20210927.jar
* Apache BVal
- bval-jsr-2.0.0.jar
* Bytecode
@@ -490,7 +490,7 @@ MIT License
* JUL to SLF4J Bridge
- jul-to-slf4j-1.7.32.jar
* Checker Qual
- checker-qual-3.5.0.jar
- checker-qual-3.12.0.jar

CDDL - 1.0
* OSGi Resource Locator
2 changes: 1 addition & 1 deletion pulsar-sql/presto-distribution/pom.xml
@@ -44,7 +44,7 @@
<!--https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html-->
<jackson.databind.version>2.12.6</jackson.databind.version>
<maven.version>3.0.5</maven.version>
<guava.version>30.1-jre</guava.version>
<guava.version>31.0.1-jre</guava.version>
<asynchttpclient.version>2.12.1</asynchttpclient.version>
<errorprone.version>2.5.1</errorprone.version>
<javax.servlet-api>4.0.1</javax.servlet-api>
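Review bot: guava.version is now set to 31.0.1-jre both here and in the root pom, so the two copies can drift apart on the next bump; unless presto-distribution deliberately needs to override the parent, drop this property and inherit it, or add a comment stating why the override exists. The jackson.databind.version line just above already documents its pin with a link to the relevant CVE list; doing the same for the Guava pin, naming CVE-2018-10237 and CVE-2020-8908 from the PR title, would record why the floor is 31.0.1-jre.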