
Upgraded software.amazon.awssdk from 2.25.40 to 2.29.0 to address CVE… #3320

Merged
merged 2 commits into from
Jan 3, 2025

Conversation

rithin-pullela-aws
Contributor

…-2024-47535

Description

[Describe what this change achieves]

Related Issues

Resolves #1865

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

…-2024-47535

Signed-off-by: rithin-pullela-aws <rithinp@amazon.com>
@mingshl
Collaborator

mingshl commented Jan 2, 2025

    REPRODUCE WITH: gradlew ':opensearch-ml-plugin:integTest' --tests "org.opensearch.ml.rest.RestMLGuardrailsIT.testPredictRemoteModelFailedWithModelGuardrail" -Dtests.seed=88E3FE127C9CA16A -Dtests.security.manager=false -Dtests.locale=ff-Adlm-LR -Dtests.timezone=Asia/Tel_Aviv -Druntime.java=21

RestMLGuardrailsIT > testPredictRemoteModelFailedWithModelGuardrail FAILED
    java.lang.AssertionError: Expected test to throw (an instance of org.opensearch.client.ResponseException and exception with message a string containing "guardrails triggered for user input")
        at __randomizedtesting.SeedInfo.seed([88E3FE127C9CA16A:EE2D0BEEB9943940]:0)
        at org.junit.Assert.fail(Assert.java:89)
        at org.junit.rules.ExpectedException.failDueToMissingException(ExpectedException.java:278)
        at org.junit.rules.ExpectedException.access$100(ExpectedException.java:111)
        at org.junit.rules.ExpectedException$ExpectedExceptionStatement.evaluate(ExpectedException.java:264)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at org.junit.rules.RunRules.evaluate(RunRules.java:20)
        at org.apache.lucene.tests.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:48)
        at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
        at org.apache.lucene.tests.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:45)
        at org.apache.lucene.tests.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:60)
        at org.apache.lucene.tests.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:44)
        at org.junit.rules.RunRules.evaluate(RunRules.java:20)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368)
        at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817)
        at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468)
        at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:832)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:883)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:894)
        at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at org.apache.lucene.tests.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:38)
        at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
        at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at org.apache.lucene.tests.util.TestRuleAssertionsRequired$1.evaluate(TestRuleAssertionsRequired.java:53)
        at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
        at org.apache.lucene.tests.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:44)
        at org.apache.lucene.tests.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:60)
        at org.apache.lucene.tests.util.TestRuleIgnoreTestSuites$1.evaluate(TestRuleIgnoreTestSuites.java:47)
        at org.junit.rules.RunRules.evaluate(RunRules.java:20)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368)
        at java.base/java.lang.Thread.run(Thread.java:1583)

RestMLGuardrailsIT > testPredictRemoteModelSuccess STANDARD_OUT
    [2025-01-01T02:19:40,178][INFO ][o.o.m.r.RestMLGuardrailsIT] [testPredictRemoteModelSuccess] before test
    [2025-01-01T02:20:01,877][INFO ][o.o.m.r.RestMLGuardrailsIT] [testPredictRemoteModelSuccess] after test

RestMLGuardrailsIT > testPredictRemoteModelFailed STANDARD_OUT
    [2025-01-01T02:20:01,877][INFO ][o.o.m.r.RestMLGuardrailsIT] [testPredictRemoteModelFailed] before test

    [2025-01-01T02:20:22,690][INFO ][o.o.m.r.RestMLGuardrailsIT] [testPredictRemoteModelFailed] after test

Suite: Test class org.opensearch.ml.rest.RestMLGuardrailsIT
  2> REPRODUCE WITH: gradlew ':opensearch-ml-plugin:integTest' --tests "org.opensearch.ml.rest.RestMLGuardrailsIT.testPredictRemoteModelFailedWithModelGuardrail" -Dtests.seed=88E3FE127C9CA16A -Dtests.security.manager=false -Dtests.locale=ff-Adlm-LR -Dtests.timezone=Asia/Tel_Aviv -Druntime.java=21
  2> java.lang.AssertionError: Expected test to throw (an instance of org.opensearch.client.ResponseException and exception with message a string containing "guardrails triggered for user input")
        at __randomizedtesting.SeedInfo.seed([88E3FE127C9CA16A:EE2D0BEEB9943940]:0)
        at org.junit.Assert.fail(Assert.java:89)
        at org.junit.rules.ExpectedException.failDueToMissingException(ExpectedException.java:278)
        at org.junit.rules.ExpectedException.access$100(ExpectedException.java:111)
        at org.junit.rules.ExpectedException$ExpectedExceptionStatement.evaluate(ExpectedException.java:264)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at org.junit.rules.RunRules.evaluate(RunRules.java:20)
        at org.apache.lucene.tests.util.TestRuleSetupTeardownChained$1.evaluate(TestRuleSetupTeardownChained.java:48)
        at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
        at org.apache.lucene.tests.util.TestRuleThreadAndTestName$1.evaluate(TestRuleThreadAndTestName.java:45)
        at org.apache.lucene.tests.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:60)
        at org.apache.lucene.tests.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:44)
        at org.junit.rules.RunRules.evaluate(RunRules.java:20)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368)
        at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:817)

        at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:468)
        at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:947)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:832)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:883)
        at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:894)
        at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at org.apache.lucene.tests.util.TestRuleStoreClassName$1.evaluate(TestRuleStoreClassName.java:38)
        at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
        at com.carrotsearch.randomizedtesting.rules.NoShadowingOrOverridesOnMethodsRule$1.evaluate(NoShadowingOrOverridesOnMethodsRule.java:40)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at org.apache.lucene.tests.util.TestRuleAssertionsRequired$1.evaluate(TestRuleAssertionsRequired.java:53)
        at org.apache.lucene.tests.util.AbstractBeforeAfterRule$1.evaluate(AbstractBeforeAfterRule.java:43)
        at org.apache.lucene.tests.util.TestRuleMarkFailure$1.evaluate(TestRuleMarkFailure.java:44)
        at org.apache.lucene.tests.util.TestRuleIgnoreAfterMaxFailures$1.evaluate(TestRuleIgnoreAfterMaxFailures.java:60)
        at org.apache.lucene.tests.util.TestRuleIgnoreTestSuites$1.evaluate(TestRuleIgnoreTestSuites.java:47)
        at org.junit.rules.RunRules.evaluate(RunRules.java:20)
        at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
        at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:368)
        at java.base/java.lang.Thread.run(Thread.java:1583)

Signed-off-by: rithin-pullela-aws <rithinp@amazon.com>
@rithin-pullela-aws rithin-pullela-aws temporarily deployed to ml-commons-cicd-env-require-approval January 3, 2025 00:03 — with GitHub Actions Inactive
@rithin-pullela-aws rithin-pullela-aws temporarily deployed to ml-commons-cicd-env-require-approval January 3, 2025 01:11 — with GitHub Actions Inactive
@mingshl mingshl merged commit 9d04e56 into opensearch-project:main Jan 3, 2025
8 checks passed
@opensearch-trigger-bot
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-3320-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 9d04e567b7e18176ac75c465f18759bad74f6d2e
# Push it to GitHub
git push --set-upstream origin backport/backport-3320-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3320-to-2.x.

rithin-pullela-aws added a commit to rithin-pullela-aws/ml-commons that referenced this pull request Jan 6, 2025
opensearch-project#3320)

* Upgraded software.amazon.awssdk from 2.25.40 to 2.29.0 to address CVE-2024-47535

Signed-off-by: rithin-pullela-aws <rithinp@amazon.com>

* Upgrading to 2.29.12 to upgrade netty-common library to 4.1.115

Signed-off-by: rithin-pullela-aws <rithinp@amazon.com>

---------

Signed-off-by: rithin-pullela-aws <rithinp@amazon.com>
mingshl pushed a commit that referenced this pull request Jan 8, 2025
#3320) (#3333)

* Upgraded software.amazon.awssdk from 2.25.40 to 2.29.0 to address CVE-2024-47535



* Upgrading to 2.29.12 to upgrade netty-common library to 4.1.115



---------

Signed-off-by: rithin-pullela-aws <rithinp@amazon.com>
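
A check a reviewer could run after a bump like this one, added here as an example and not part of the pull request or the project's build: it reads `gradle dependencies`-style text on stdin and reports every `io.netty:netty-common` entry that resolves below the 4.1.115 named in the second commit. The function names and both sample trees are constructed for illustration, and GNU `sort -V` is assumed.

```shell
#!/bin/sh
# Added example: confirm the transitive netty-common floor after an SDK bump.
MIN_NETTY="4.1.115"   # floor taken from the commit message on this page

# version_lt A B: true when A sorts strictly before B (assumes GNU sort -V).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# resolved_netty_versions: read a Gradle dependency tree on stdin and print the
# version each netty-common entry resolves to. In "a -> b" Gradle selected b.
resolved_netty_versions() {
  grep -oE 'io\.netty:netty-common:[^ ]+( -> [^ ]+)?' |
    sed -e 's/.* -> //' -e 's/^io\.netty:netty-common://' -e 's/\.Final$//' |
    sort -u
}

# check_netty: return 0 when every resolved version is >= MIN_NETTY, else 1.
check_netty() {
  bad=0
  for v in $(resolved_netty_versions); do
    if version_lt "$v" "$MIN_NETTY"; then
      echo "netty-common $v is below $MIN_NETTY"
      bad=1
    fi
  done
  return "$bad"
}

# Constructed sample trees (not real build output from this repository).
SAMPLE_OLD='+--- example:http-client:1.0
|    \--- io.netty:netty-common:4.1.108.Final'
SAMPLE_NEW='+--- example:http-client:2.0
|    +--- io.netty:netty-common:4.1.108.Final -> 4.1.115.Final (*)
\--- io.netty:netty-common:4.1.115.Final'

# Real use: ./gradlew :<module>:dependencies --configuration runtimeClasspath | check_netty
printf '%s\n' "$SAMPLE_OLD" | check_netty || true
printf '%s\n' "$SAMPLE_NEW" | check_netty && echo "netty-common floor satisfied"
```

Checking the resolved tree matters because a first-level version bump does not by itself guarantee which transitive version Gradle selects; the two commits in this pull request show the first bump being followed by a second one made specifically to move netty-common.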
Development

Successfully merging this pull request may close these issues.

opensearch-ml-algorithms-3.0.0.0-SNAPSHOT: 1 vulnerabilities (highest severity is: 5.5)
3 participants