AMBARI-25321 - Remove dependency on org.eclipse.jetty.*:9.3.19.v20170502 in Ambari Logsearch Logfeeder #3030

Merged


kasakrisz
Contributor

What changes were proposed in this pull request?

Remove dependency on org.eclipse.jetty.* 9.3.19.v20170502 in Ambari Logsearch Logfeeder due to security concerns. See

https://nvd.nist.gov/vuln/detail/CVE-2018-12536

https://nvd.nist.gov/vuln/detail/CVE-2017-7658

https://nvd.nist.gov/vuln/detail/CVE-2017-7657

https://nvd.nist.gov/vuln/detail/CVE-2017-7656

± % mvn dependency:tree -Dincludes=org.eclipse.jetty
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.apache.ambari:ambari-logsearch-logfeeder:jar:2.7.3.0.0
[WARNING] 'build.plugins.plugin.(groupId:artifactId)' must be unique but found duplicate declaration of plugin org.apache.maven.plugins:maven-compiler-plugin @ org.apache.ambari:ambari-logsearch-logfeeder:[unknown-version], /Users/gboros/Documents/dev/ambari/ambari-logsearch/ambari-logsearch-logfeeder/pom.xml, line 311, column 15
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] ------------< org.apache.ambari:ambari-logsearch-logfeeder >------------
[INFO] Building Ambari Logsearch Log Feeder 2.7.3.0.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ ambari-logsearch-logfeeder ---
[INFO] org.apache.ambari:ambari-logsearch-logfeeder:jar:2.7.3.0.0
[INFO] \- org.apache.hadoop:hadoop-common:jar:3.0.0:compile
[INFO]    +- org.eclipse.jetty:jetty-server:jar:9.3.19.v20170502:compile
[INFO]    |  +- org.eclipse.jetty:jetty-http:jar:9.3.19.v20170502:compile
[INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.3.19.v20170502:compile
[INFO]    +- org.eclipse.jetty:jetty-util:jar:9.3.19.v20170502:compile
[INFO]    +- org.eclipse.jetty:jetty-servlet:jar:9.3.19.v20170502:compile
[INFO]    |  \- org.eclipse.jetty:jetty-security:jar:9.3.19.v20170502:compile
[INFO]    \- org.eclipse.jetty:jetty-webapp:jar:9.3.19.v20170502:compile
[INFO]       \- org.eclipse.jetty:jetty-xml:jar:9.3.19.v20170502:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.939 s
[INFO] Finished at: 2019-06-17T14:36:58+02:00
[INFO] ------------------------------------------------------------------------

Exclude org.eclipse.jetty.* dependencies

How was this patch tested?

mvn clean install

manually:

  1. Create rpm
  2. Deploy cluster with Ambari, Logsearch, Infra, Zookeeper
  3. Replace Logfeeder rpm with the new one
  4. Check if logfeeder posts log entries: check that new log entries appear on Logsearch UI
  5. Check for errors in logfeeder log /var/log/ambari-logsearch-logfeeder/logfeeder.log

search for org.eclipse.jetty.* dependencies in dependency tree
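
The final verification step in the description above (searching the dependency tree for org.eclipse.jetty.* artifacts) can be run as a build gate. This Python script is an added example, not part of this pull request or the Ambari code base; `find_banned`, `NODE` and `SAMPLE_TREE` are names chosen here, and the sample is a trimmed copy of the tree output quoted in the description. It reports which direct dependency pulls in each flagged artifact, which is the dependency a Maven `<exclusions>` entry would be declared on.

```python
import re
import sys
from pathlib import Path

BANNED_GROUP = "org.eclipse.jetty"  # group named in the PR title

# Trimmed copy of the `mvn dependency:tree` output quoted in the PR description.
SAMPLE_TREE = r"""
[INFO] org.apache.ambari:ambari-logsearch-logfeeder:jar:2.7.3.0.0
[INFO] \- org.apache.hadoop:hadoop-common:jar:3.0.0:compile
[INFO]    +- org.eclipse.jetty:jetty-server:jar:9.3.19.v20170502:compile
[INFO]    |  +- org.eclipse.jetty:jetty-http:jar:9.3.19.v20170502:compile
[INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.3.19.v20170502:compile
[INFO]    +- org.eclipse.jetty:jetty-util:jar:9.3.19.v20170502:compile
[INFO] BUILD SUCCESS
"""

# Tree indentation is built from 3-character units: "|  ", "   ", "+- " or "\- ".
# A node is group:artifact:type[:classifier]:version[:scope].
NODE = re.compile(r"^\[INFO\] ((?:[| ]  |[+\\]- )*)([^:\s]+(?::[^:\s]+){3,5})$")


def find_banned(tree_text, banned_group=BANNED_GROUP):
    """Map each direct dependency to the banned artifacts found beneath it."""
    stack = []     # stack[d] is the current ancestor at depth d (0 = project)
    findings = {}
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # Maven banner, warnings and summary lines
        depth, coord = len(m.group(1)) // 3, m.group(2)
        if depth > len(stack):
            continue  # malformed indentation, no known parent
        del stack[depth:]
        stack.append(coord)
        group = coord.split(":", 1)[0]
        if depth >= 1 and (group == banned_group or group.startswith(banned_group + ".")):
            # stack[1] is the dependency declared in pom.xml (itself if direct).
            findings.setdefault(stack[1], []).append(coord)
    return findings


if __name__ == "__main__":
    # Pass a file holding saved dependency:tree output, or run on the sample.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_TREE
    found = find_banned(text)
    for parent, hits in found.items():
        print(f"{parent} pulls in:\n  " + "\n  ".join(hits))
    sys.exit(1 if found else 0)  # non-zero exit fails the build step
```

Running it without `-Dincludes` on the Maven side lets the script see every transitive path, not only the filtered one.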

@kasakrisz
Contributor Author

@g-boros please review

@kasakrisz
Contributor Author

Retest this please!

@asfgit

asfgit commented Jun 21, 2019

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/5337/
Test PASSed.


@Akhilsnaik Akhilsnaik left a comment

LGTM

@kasakrisz kasakrisz merged commit 6722e35 into apache:branch-2.7 Jun 21, 2019
payert pushed a commit to payert/ambari that referenced this pull request Apr 16, 2020
…502 in Ambari Logsearch Logfeeder (apache#3030)

(cherry picked from commit 6722e35)

Change-Id: I1029ad7a1b97ef3141f26927812877f2fa1afa12