Skip to content

[FLINK-14121] Update commons-compress because of CVE-2019-12402 #11333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
nielsbasjes wants to merge 1 commit into from
Closed

[FLINK-14121] Update commons-compress because of CVE-2019-12402 #11333

nielsbasjes wants to merge 1 commit into from

Conversation

@nielsbasjes
Copy link
Contributor

@nielsbasjes nielsbasjes commented Mar 6, 2020

What is the purpose of the change

Brief change log

  • Update commons-compress to the latest release

Verifying this change

This change is already covered by existing tests.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): yes
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn/Mesos, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable

@flinkbot
Copy link
Collaborator

flinkbot commented Mar 6, 2020

Thanks a lot for your contribution to the Apache Flink project. I'm the @flinkbot. I help the community
to review your pull request. We will use this comment to track the progress of the review.

Automated Checks

Last check on commit 53e1de9 (Fri Mar 06 15:52:13 UTC 2020)

Warnings:

  • 1 pom.xml files were touched: Check for build and licensing issues.
  • No documentation files were touched! Remember to keep the Flink docs up to date!
  • This pull request references an unassigned Jira ticket. According to the code contribution guide, tickets need to be assigned before starting with the implementation work.

Mention the bot in a comment to re-run the automated checks.

Review Progress

  • ❓ 1. The [description] looks good.
  • ❓ 2. There is [consensus] that the contribution should go into to Flink.
  • ❓ 3. Needs [attention] from.
  • ❓ 4. The change fits into the overall [architecture].
  • ❓ 5. Overall code [quality] is good.

Please see the Pull Request Review Guide for a full explanation of the review process.

Details
The Bot is tracking the review progress through labels. Labels are applied according to the order of the review items. For consensus, approval by a Flink committer of PMC member is required Bot commands
The @flinkbot bot supports the following commands:

  • @flinkbot approve description to approve one or more aspects (aspects: description, consensus, architecture and quality)
  • @flinkbot approve all to approve all aspects
  • @flinkbot approve-until architecture to approve everything until architecture
  • @flinkbot attention @username1 [@username2 ..] to require somebody's attention
  • @flinkbot disapprove architecture to remove an approval you gave earlier

@flinkbot
Copy link
Collaborator

flinkbot commented Mar 6, 2020
edited
Loading

CI report:

Bot commands The @flinkbot bot supports the following commands:
  • @flinkbot run travis re-run the last Travis build
  • @flinkbot run azure re-run the last Azure build

@GJL GJL self-assigned this Mar 9, 2020
@GJL
Copy link
Member

GJL commented Mar 10, 2020

Do you know which tests cover this change?

@nielsbasjes
Copy link
Contributor Author

nielsbasjes commented Mar 11, 2020
edited
Loading

@GJL No, I do not which tests do that.
Perhaps I trust the people, the process and the projects a bit too much.
I expect that any functionality that needs a dependency is enough test covered in Flink to show it still works.
Similar I expect that the guys at commons-compress have test coverage on the working of their project.

I did a build of the project locally and in Travis and both passed.
I expect this to be good.

@GJL
Copy link
Member

GJL commented Mar 11, 2020

The following NOTICE files also need to be updated.

flink-filesystems/flink-swift-fs-hadoop/src/main/resources/META-INF/NOTICE
flink-filesystems/flink-oss-fs-hadoop/src/main/resources/META-INF/NOTICE
flink-dist/src/main/resources/META-INF/NOTICE

Do you see anything else, @zentol?

@nielsbasjes nielsbasjes force-pushed the FLINK-14121-CommonsCompress-CVE-Fix branch from 53e1de9 to 10fc3f0 Compare March 11, 2020 14:03
@nielsbasjes
Copy link
Contributor Author

nielsbasjes commented Mar 11, 2020

@GJL @zentol I've updated those NOTICE files.
I've also done a search in all of the code for "1.18" and I have not been able to find any additional places related to this fix.

GJL
GJL approved these changes Mar 11, 2020
View reviewed changes
Copy link
Member

@GJL GJL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc: @zentol

@zentol zentol self-assigned this Mar 12, 2020
@zentol
Copy link
Contributor

zentol commented Mar 12, 2020

The flink-oss-fs-hadoop NOTICE should not be changed since it isn't actually bundling commons-compress; it is set to provided since it is a transitive dependency of flink-core (which is also provided).

Beyond that this looks good.

@GJL
Copy link
Member

GJL commented Mar 12, 2020

The flink-oss-fs-hadoop NOTICE should not be changed since it isn't actually bundling commons-compress; it is set to provided since it is a transitive dependency of flink-core (which is also provided).

Good catch. Since this implies that we have to remove some other dependencies from the NOTICE file, I am suggesting to merge this PR as is and fix the NOTICE file in a separate jira issue.

@zentol
Copy link
Contributor

zentol commented Mar 12, 2020

I am suggesting to merge this PR as is and fix the NOTICE file in a separate jira issue.

Sounds good. 👍

@GJL
Copy link
Member

GJL commented Mar 13, 2020

The flink-oss-fs-hadoop NOTICE should not be changed since it isn't actually bundling commons-compress;

Actually, commons-compress seems to be bundled:

jar -tf flink-oss-fs-hadoop-1.10.0.jar | grep XZCompressorInputStream
org/apache/commons/compress/compressors/xz/XZCompressorInputStream.class

Do you want to have another look, @zentol?

@zentol
Copy link
Contributor

zentol commented Mar 13, 2020

@GJL My guess is that you aren't on the latest master. Until recently we also bundled hadoop-common in this module, which pulled in commons-compress.

@GJL
Copy link
Member

GJL commented Mar 13, 2020

I see ok.

@GJL GJL closed this in 0477368 Mar 13, 2020
liuzhixing1006 pushed a commit to liuzhixing1006/flink that referenced this pull request Mar 19, 2020
@nielsbasjes @lzh576177775
[FLINK-14121] Update commons-compress because of CVE-2019-12402
02a5894 
This closes apache#11333.
@nielsbasjes nielsbasjes deleted the FLINK-14121-CommonsCompress-CVE-Fix branch September 1, 2020 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@GJL GJL GJL approved these changes

Assignees

@GJL GJL

@zentol zentol

Labels

component=API/DataStream component=BuildSystem component=ReleaseSystem review=description?

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@nielsbasjes @flinkbot @GJL @zentol @rmetzger