unpin snakeyaml, add suppressions and licenses #15549
Conversation
The long term solution is to migrate to an updated version of jackson, as updates to the 2.12.x branch are unlikely except for critical issues.
licenses.yaml
--- | ||
name: org.yaml snakeyaml | ||
license_category: binary | ||
module: extensions/druid-kubernetes-extensions | ||
license_name: Apache License version 2.0 | ||
version: 2.0 | ||
libraries: | ||
- org.yaml: snakeyaml | ||
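Review bot: the `module:` field of this new entry names `extensions/druid-kubernetes-extensions`, but the entry above was already updated to the new snakeyaml version for that module, so this block duplicates it; either drop it or point `module:` at the module that actually resolves snakeyaml 2.0 (the thread later settles on protobuf-extensions), and confirm the owner with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` on that module so the license record matches the artifact that ships.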
do we need this section since you already updated the version in the section above?
fixed it to protobuf-extensions
(version 1.27) | ||
The contrib extension: druid-cassandra-storage uses version 1.6 in compile | ||
scope | ||
The integration tests use version 1.27 in compile scope. |
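Review bot: the version numbers in this suppression comment disagree with the pin discussed in the thread: the comment says the integration tests use 1.27 in compile scope, while the integration tests are pinned to 1.33. A later reader uses this note to decide whether the suppression is still justified, so it should state the versions actually resolved and which artifact brings them in transitively (jackson-dataformat-yaml 2.12.7 for the test-scope copy), e.g. `The integration tests use version 1.33 in compile scope.`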
do we know where 1.27 comes from in integration tests? It would be nice if we could upgrade integration tests to 2.x as well.
it's a transitive dependency of:
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 2.12.7
so unless we update jackson there, can't upgrade.
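The question of which module still resolves a snakeyaml 1.x artifact, in which scope, and through which parent (here jackson-dataformat-yaml 2.12.7) is exactly what `mvn dependency:tree` answers. The following is an added example, not code from the Druid project or this PR: a small checker that reads the plain-text tree Maven prints, reports every `org.yaml:snakeyaml` resolution below a chosen minimum version with its module, scope and parent artifact, and separates compile-scope findings (which ship) from test-only ones. The sample tree is constructed; its module names and versions are illustrative, not taken from the Druid build.

```python
"""Added example, not code from the Druid project or this PR: scan text output of
`mvn dependency:tree` for org.yaml:snakeyaml artifacts below a minimum version and
report, per module, the resolved version, the scope and the artifact that pulled it in.
The only format assumption is the plain-text tree Maven prints (three characters per
tree level, coordinates as group:artifact:type[:classifier]:version[:scope])."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of `mvn dependency:tree` output for two modules.
# Module and library versions here are hypothetical, not taken from Druid.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ druid-cassandra-storage ---
[INFO] org.apache.druid.extensions.contrib:druid-cassandra-storage:jar:0.0.0-SNAPSHOT
[INFO] +- org.yaml:snakeyaml:jar:1.6:compile
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ druid-kubernetes-extensions ---
[INFO] org.apache.druid.extensions:druid-kubernetes-extensions:jar:0.0.0-SNAPSHOT
[INFO] +- io.kubernetes:client-java:jar:0.0.0:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:2.0:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.7:test
[INFO] |  \\- org.yaml:snakeyaml:jar:1.27:test
"""

MODULE_RE = re.compile(r"@ (\S+) ---\s*$")              # "... (default-cli) @ <module> ---"
DEP_RE = re.compile(r"^\[INFO\] ([|+\\\- ]*)(\S+)\s*$")  # tree-drawing prefix + coordinates


@dataclass
class Finding:
    module: str   # Maven module in which the artifact was resolved
    version: str  # resolved snakeyaml version
    scope: str    # Maven scope it was resolved in (compile, test, ...)
    parent: str   # artifact that pulled it in, or the module itself if declared directly


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.33' -> (1, 33); '2.12.7' -> (2, 12, 7). Non-numeric qualifiers are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_old_snakeyaml(tree_text: str, minimum: str = "2.0") -> List[Finding]:
    """Return every org.yaml:snakeyaml resolution whose version is below `minimum`."""
    floor = parse_version(minimum)
    findings: List[Finding] = []
    module: Optional[str] = None
    stack: List[str] = []  # stack[d] = "group:artifact:version" of the node at depth d
    for line in tree_text.splitlines():
        header = MODULE_RE.search(line)
        if header:
            module = header.group(1)
            stack = []
            continue
        dep = DEP_RE.match(line)
        if not dep or module is None:
            continue
        prefix, coords = dep.groups()
        parts = coords.split(":")
        if len(parts) == 4:      # module root: group:artifact:type:version
            version, scope = parts[3], "root"
        elif len(parts) == 5:    # group:artifact:type:version:scope
            version, scope = parts[3], parts[4]
        elif len(parts) == 6:    # group:artifact:type:classifier:version:scope
            version, scope = parts[4], parts[5]
        else:
            continue
        group, artifact = parts[0], parts[1]
        depth = len(prefix) // 3  # each tree level is three characters wide
        del stack[depth:]         # drop siblings/children of the previous branch
        stack.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == ("org.yaml", "snakeyaml") and parse_version(version) < floor:
            # depth 1 is a direct dependency of the module root; deeper nodes name their parent
            parent = stack[-2] if depth > 1 and len(stack) >= 2 else module
            findings.append(Finding(module, version, scope, parent))
    return findings


def compile_scope(findings: List[Finding]) -> List[Finding]:
    """Only the findings that ship with the module (compile scope), not test-only ones."""
    return [f for f in findings if f.scope == "compile"]


if __name__ == "__main__":
    found = find_old_snakeyaml(SAMPLE_TREE)
    for f in found:
        print(f"{f.module}: snakeyaml {f.version} ({f.scope}) via {f.parent}")
    print(f"{len(compile_scope(found))} finding(s) in compile scope")
```

On the constructed sample this reports the 1.6 copy in the cassandra module as a direct compile-scope dependency and the 1.27 copy as test-scope via jackson-dataformat-yaml 2.12.7, while the 2.0 copy under the kubernetes client is not flagged; run against real `mvn dependency:tree` output it gives the same per-module breakdown the thread works out by hand.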
let's update the version since we pin integration tests to 1.33 and not 1.27
if this is more hairy, we can do the jackson upgrade as a follow-up
…e licenses and owasp suppression
minor nit about version numbers in the comments, otherwise LGTM. It also looks like intellij-inspections is failing with
I believe I've fixed the versions. Not sure about the failing checks, except for the last one, they all seemed unrelated. gonna investigate a bit further.
@xvrl
<notes><![CDATA[ | ||
file name: snakeyaml-1.33.jar | ||
file name: snakeyaml-1.27.jar snakeyaml-1.33.jar |
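Review bot: the changed notes line `file name: snakeyaml-1.27.jar snakeyaml-1.33.jar` widens the suppression to an older jar than the previous `file name: snakeyaml-1.33.jar`, which lowers the floor the earlier suppression set; keep 1.33 as the minimum as discussed, and make the `<notes>` state why the finding is accepted (snakeyaml 1.x is not packaged in the standard distribution and is reached only through test scope, the contrib extension and the integration tests) so the suppression can be re-evaluated when dependency-check is re-enabled for those modules.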
we shouldn't be regressing here and have everything at least on 1.33 like we did before.
This is just for completeness as snakeyaml is not packaged in the standard distribution (`mvn clean install -Pdist -DskipTests`; dependency-check-maven is disabled for the contrib extensions and it-tests, so this suppression stays in place if we re-enable checks on the additional modules).
* unpin snakeyaml globally, add suppressions and licenses
* pin snakeyaml in the specific modules that require version 1.x, update licenses and owasp suppression

This removes the pin of the Snakeyaml introduced in: apache#14519

After the updates of io.kubernetes.java-client and io.confluent.kafka-clients, the only uses of the Snakeyaml 1.x are:
- in test scope, transitive dependency of jackson-dataformat-yaml:jar:2.12.7
- in compile scope in contrib extension druid-cassandra-storage
- in compile scope in it-tests.

With the dependency version un-pinned, io.kubernetes.java-client and io.confluent.kafka-clients bring Snakeyaml versions 2.0 and 2.2, consequently allowing to build a Druid distribution without the contrib-extension and free of vulnerable Snakeyaml versions.
Description
This removes the pin of the Snakeyaml introduced in: #14519
After the updates of io.kubernetes.java-client and io.confluent.kafka-clients, the only uses of the Snakeyaml 1.x are:
- in test scope, transitive dependency of jackson-dataformat-yaml:jar:2.12.7
- in compile scope in contrib extension druid-cassandra-storage
- in compile scope in it-tests.
With the dependency version un-pinned, io.kubernetes.java-client and io.confluent.kafka-clients bring Snakeyaml versions 2.0 and 2.2, consequently allowing to build a Druid distribution without the contrib-extension and free of vulnerable Snakeyaml versions.
This PR has: