Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SPARK-40801][BUILD][3.2] Upgrade Apache commons-text to 1.10 #38352

Closed
wants to merge 2 commits into from

Conversation

bjornjorgensen
Copy link
Contributor

What changes were proposed in this pull request?

Upgrade Apache commons-text from 1.6 to 1.10.0

Why are the changes needed?

CVE-2022-42889
this is a 9.8 CRITICAL

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Pass GA

@github-actions github-actions bot added the BUILD label Oct 22, 2022
@bjornjorgensen
Copy link
Contributor Author

@wangyum

@AmplabJenkins
Copy link

Can one of the admins verify this patch?

@srowen
Copy link
Member

srowen commented Oct 23, 2022

This is probably fine; a bigger upgrade from 1.6 but I don't have reason to believe it's a problem in 3.2 and test pass

@srowen
Copy link
Member

srowen commented Oct 24, 2022

Hm, the test seems to be stuck

@bjornjorgensen
Copy link
Contributor Author

bjornjorgensen commented Oct 24, 2022

@srowen Yes, the same thing happened with this one too.. #38098

Right now it's failing the time tests.
And the python test is failing. But that is not because of this upgrade.

@bjornjorgensen
Copy link
Contributor Author

@srowen I did rerun the failed tests now and now they pass.

But there are 2 python tests that don't pass,
-The python3.9 -m black command was not found
and
-ImportError: Missing optional dependency 'Jinja2'

@srowen
Copy link
Member

srowen commented Oct 24, 2022

Huh, that also seems unrelated. Let's hold onto this for a day or two and then rerun if needed

@dongjoon-hyun
Copy link
Member

cc @sunchao since he is the release manager of Apache Spark 3.2.3.

@bjornjorgensen
Copy link
Contributor Author

@srowen two days have passed.

@srowen
Copy link
Member

srowen commented Oct 27, 2022

The test still shows 'pending', hm. It sounds like you saw some possibly-unrelated tests failing. Ideally we'd see the tests pass first. Can you re-set or re-run the tests?

@bjornjorgensen
Copy link
Contributor Author

ok, I re-run the tests now.

@bjornjorgensen
Copy link
Contributor Author

bjornjorgensen commented Oct 27, 2022

@srowen tests have been re-run but it's the same result.
But it's the same with everyone else's PR, for a long time.
Like this one

@bjornjorgensen
Copy link
Contributor Author

@xinrong-meng There are two tests that don't work for branch 3.2
Those are both python tests, can you have a look at them?

@vitas
Copy link

vitas commented Oct 27, 2022

Could you make the same patch for 3.1 branch?

@dongjoon-hyun
Copy link
Member

dongjoon-hyun commented Oct 27, 2022

Could you make the same patch for 3.1 branch?

No, Apache Spark 3.1 reached EOL last month because the first release was March 2, 2021, @vitas .

Copy link
Contributor

@itholic itholic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good when the test pass

@sithmein
Copy link

Is Spark actually affected by the problem in the StringLookup class or is this dependency update only to get rid of all the alarms raised by code scanners?

@srowen
Copy link
Member

srowen commented Oct 28, 2022

The latter.

@srowen
Copy link
Member

srowen commented Oct 31, 2022

Hm, maybe we can try the tests 1 more time. I'm inclined to merge for the 3.2 RC as I think the test failures are unrelated.

@bjornjorgensen
Copy link
Contributor Author

I can restart the tests, but everyone else have the same problem in branch3.2
image

@bjornjorgensen
Copy link
Contributor Author

@bjornjorgensen
Copy link
Contributor Author

@srowen Will you merge this?

@srowen
Copy link
Member

srowen commented Nov 3, 2022

Well, I don't know if it passes - it probably does, but other errors are preventing it. I also don't know if this even affects Spark. If any other committer would endorse the 'override' I'd merge.

@bjornjorgensen
Copy link
Contributor Author

Yes, there are 2 python tests that fail, but the tests for java are running and those are OK. 
For this PR there are 2 @wangyum and @dongjoon-hyun that have approved this. Do you need any more? 

@dongjoon-hyun
Copy link
Member

dongjoon-hyun commented Nov 3, 2022

We have been waiting for the release manager's approval, @bjornjorgensen , because the release preparation was already started. So, it would be great that @sunchao reviews and merges this as a part of 3.2.3 release preparation.

@sunchao
Copy link
Member

sunchao commented Nov 3, 2022

I'm actually holding 3.2.3 for this PR. Once it's merged I'll start the release process.

srowen pushed a commit that referenced this pull request Nov 3, 2022
### What changes were proposed in this pull request?
Upgrade Apache commons-text from 1.6 to 1.10.0

### Why are the changes needed?
[CVE-2022-42889](https://nvd.nist.gov/vuln/detail/CVE-2022-42889)
this is a [9.8 CRITICAL](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-42889&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST)

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA

Closes #38352 from bjornjorgensen/patch-2.

Lead-authored-by: Bjørn Jørgensen <bjornjorgensen@gmail.com>
Co-authored-by: Bjørn <bjornjorgensen@gmail.com>
Signed-off-by: Sean Owen <srowen@gmail.com>
@srowen
Copy link
Member

srowen commented Nov 3, 2022

OK, merged to 3.2

@srowen srowen closed this Nov 3, 2022
@bjornjorgensen
Copy link
Contributor Author

Thanks everyone :)

@bsikander
Copy link
Contributor

@sunchao thank you for you efforts. When can we expect the release of 3.2.3?

@sunchao
Copy link
Member

sunchao commented Nov 6, 2022

I'm going to start working on it this week.

@fryz
Copy link

fryz commented Nov 8, 2022

Apologies if this is discussed elsewhere (or an FAQ that I wasn't able to find), but is there somewhere I can subscribe to this release and get notified when it's ready to pick up? Thanks!

@bjornjorgensen
Copy link
Contributor Author

@fryz It will be posted at dev@spark.apache.org and user@spark.apache.org

@bsikander
Copy link
Contributor

@sunchao @bjornjorgensen any update on this release?
As internal alarms are going off continuously, i am desperately looking for the release.

@sunchao
Copy link
Member

sunchao commented Nov 16, 2022

@bsikander again, pls check dev@spark.apache.org - it's being voted.

@dongjoon-hyun
Copy link
Member

+1 for @sunchao 's comment.
To @bsikander , it would be great if you can participate [VOTE] Release Spark 3.2.3 (RC1).

@srowen
Copy link
Member

srowen commented Nov 16, 2022

I'm curious what the urgency is @bsikander - do you have a theory that this even affects Spark? this is a 'just in case' and 'to silence automated warnings' kind of update as far as I can see

@bsikander
Copy link
Contributor

@srowen i also don't see any affect on Spark. My goal is to silence the warnings as soon as possible. That is why i am waiting for the release :)

@bsikander
Copy link
Contributor

@bjornjorgensen I noticed that you updated pyspark-notebook docker file in docker-stacks. I am looking for pyspark-notebook docker image with this fix inside. Is there a pyspark-notebook image available with spark 3.2.3?

@bjornjorgensen bjornjorgensen deleted the patch-2 branch January 19, 2023 20:36
sunchao pushed a commit to sunchao/spark that referenced this pull request Jun 2, 2023
### What changes were proposed in this pull request?
Upgrade Apache commons-text from 1.6 to 1.10.0

### Why are the changes needed?
[CVE-2022-42889](https://nvd.nist.gov/vuln/detail/CVE-2022-42889)
this is a [9.8 CRITICAL](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-42889&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST)

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA

Closes apache#38352 from bjornjorgensen/patch-2.

Lead-authored-by: Bjørn Jørgensen <bjornjorgensen@gmail.com>
Co-authored-by: Bjørn <bjornjorgensen@gmail.com>
Signed-off-by: Sean Owen <srowen@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.