HDDS-2150. Update dependency versions to avoid security vulnerabilities. #1472
Conversation
@hanishakoneru thanks for working on this. Unfortunately Jaeger upgrade requires further changes.
pom.ozone.xml
@@ -127,6 +127,9 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xs | |||
<jackson.version>1.9.13</jackson.version> | |||
<jackson2.version>2.9.9</jackson2.version> | |||
|
|||
<!-- jaegertracing veresion --> | |||
<jaeger.version>1.0.0</jaeger.version> |
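Review bot: the comment on the new property misspells "version" as "veresion"; suggest `<!-- jaegertracing version -->`. Separately, the unchanged context in this hunk still shows `<jackson.version>1.9.13</jackson.version>` (Jackson 1.x) next to the jackson2 line; since the PR's stated purpose is moving off dependency versions with known vulnerabilities, the PR description should say whether that pin is intentionally left as is or is out of scope here.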
Jaeger 1.0 depends on newer OpenTracing (0.33), which is not backwards compatible.
opentracing/opentracing-java#339
https://github.com/opentracing/opentracing-java#deprecated-members-since-031
hadoop-hdds-common compiles only due to explicit dependency on opentracing-util 0.31.0. However, it fails at runtime with NoSuchMethodError.
For the security fix I think it is enough to upgrade to Jaeger 0.34, which updated Apache Thrift to 0.12. Latest Jaeger Client release 0.35.2 should be OK, too, as it depends on OpenTracing 0.32, which still has the deprecated methods. In this case OpenTracing version should be changed to 0.32.0.
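The failure mode described in the comment above (a direct pin of opentracing-util 0.31.0 wins Maven's nearest-wins resolution, so the build compiles but Jaeger's newer code hits NoSuchMethodError at runtime) can be caught before a run by inspecting the dependency tree. The script below is an added example, not code from this PR or from the Ozone project: it parses `mvn dependency:tree -Dverbose` output, lists every artifact where Maven discarded a different version, and flags the cases where the winner is older than what a transitive dependency asked for. The sample tree is constructed for the example; the root module `org.example:app` is hypothetical, and the coordinates `io.jaegertracing:jaeger-client` and `io.jaegertracing:jaeger-core` are assumed rather than taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `mvn dependency:tree -Dverbose` output; this is not build
# output from the PR. org.example:app is a hypothetical root module, and the
# jaeger-client/jaeger-core coordinates are assumed. The shape mirrors the
# discussion: opentracing-util 0.31.0 is declared directly, jaeger-client 1.0.0
# transitively wants OpenTracing 0.33.0, and Maven omits the newer version.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0
[INFO] +- io.opentracing:opentracing-util:jar:0.31.0:compile
[INFO] |  \\- io.opentracing:opentracing-api:jar:0.31.0:compile
[INFO] +- io.jaegertracing:jaeger-client:jar:1.0.0:compile
[INFO] |  +- io.jaegertracing:jaeger-core:jar:1.0.0:compile
[INFO] |  |  +- (io.opentracing:opentracing-api:jar:0.33.0:compile - omitted for conflict with 0.31.0)
[INFO] |  |  \\- (io.opentracing:opentracing-util:jar:0.33.0:compile - omitted for conflict with 0.31.0)
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- io.dropwizard.metrics:metrics-core:jar:3.2.4:compile
[INFO] |  \\- (org.slf4j:slf4j-api:jar:1.7.25:compile - omitted for duplicate)
[INFO] \\- org.assertj:assertj-core:jar:3.8.0:test
"""

# One tree line: '[INFO] ' + tree-drawing prefix + optional '(' + coordinates
# + optional ' - <verbose note>' + optional ')'. Non-tree log lines do not match.
NODE_RE = re.compile(
    r"^\[INFO\]\s*(?P<prefix>[|+\\ -]*)"
    r"\(?(?P<coords>[^\s()]+)"
    r"(?:\s+-\s+(?P<note>[^)]*))?\)?\s*$"
)
CONFLICT_RE = re.compile(r"omitted for conflict with (\S+)")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    depth: int
    via: str              # direct dependency this node arrived through
    note: Optional[str]   # verbose annotation; None for nodes Maven kept

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"

    @property
    def resolved(self) -> bool:
        return self.note is None


def parse_tree(text: str) -> List[Node]:
    """Parse `mvn dependency:tree -Dverbose` output into Node objects."""
    nodes: List[Node] = []
    stack: List[str] = []   # group:artifact of the ancestors at each depth
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        parts = m.group("coords").split(":")
        if len(parts) < 4:
            continue
        # g:a:type:version | g:a:type:version:scope | g:a:type:classifier:version:scope
        version = parts[4] if len(parts) == 6 else parts[3]
        scope = parts[-1] if len(parts) >= 5 else None
        depth = len(m.group("prefix")) // 3   # each tree level is 3 characters wide
        ga = f"{parts[0]}:{parts[1]}"
        del stack[depth:]
        via = stack[1] if len(stack) > 1 else ga
        stack.append(ga)
        nodes.append(Node(parts[0], parts[1], version, scope, depth, via, m.group("note")))
    return nodes


def version_key(v: str) -> Tuple:
    """Sort key for dotted versions; numeric segments compare numerically."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.-]", v))


def find_conflicts(nodes: List[Node]) -> List[Tuple[str, str, List[str]]]:
    """(group:artifact, resolved version, [omitted versions]) for every artifact
    where Maven dropped a version that differed from the one it kept."""
    resolved: Dict[str, str] = {n.ga: n.version for n in nodes if n.resolved}
    omitted: Dict[str, set] = {}
    for n in nodes:
        if n.note and CONFLICT_RE.search(n.note):
            omitted.setdefault(n.ga, set()).add(n.version)
    return sorted((ga, resolved.get(ga, "?"), sorted(vs, key=version_key))
                  for ga, vs in omitted.items())


def downgrades(conflicts: List[Tuple[str, str, List[str]]]) -> List[Tuple[str, str, List[str]]]:
    """Conflicts where the kept version is older than one that lost: the case that
    compiles against the pinned API but throws NoSuchMethodError at runtime."""
    return [(ga, kept, lost) for ga, kept, lost in conflicts
            if any(version_key(v) > version_key(kept) for v in lost)]


def pinned_by(nodes: List[Node], ga: str) -> Optional[str]:
    """Direct dependency through which the resolved version of `ga` arrives."""
    for n in nodes:
        if n.ga == ga and n.resolved:
            return n.via
    return None


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for ga, kept, lost in downgrades(find_conflicts(tree)):
        print(f"{ga}: kept {kept} via {pinned_by(tree, ga)}, dropped newer {', '.join(lost)}")
```

Run against the real tree with `mvn dependency:tree -Dverbose > tree.txt` and feed the file to `parse_tree`; a non-empty `downgrades` list for an API artifact is the signal that a newer consumer (here Jaeger) may call methods the kept jar does not have, which is exactly what an explicit `opentracing-util` pin hides at compile time.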
Thank you @adoroszlai . I have updated the jaeger tracing version to 0.34.0.
dependencyTree-
[INFO] +- io.dropwizard.metrics:metrics-core:jar:3.2.4:compile | ||
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.25:compile | ||
[INFO] +- org.assertj:assertj-core:jar:3.8.0:test | ||
[INFO] +- org. |
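Review bot: the `dependencyTree-` file is captured `[INFO]` output from a Maven dependency tree run rather than a source or build-definition change, so it should not be part of this commit; drop the file from the PR.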
I think this file was added accidentally.
Thanks @hanishakoneru for the changes.
+1 LGTM.
Thank you @hanishakoneru for the contribution and @adoroszlai for the review.
The following dependency versions have known security vulnerabilities. We should update them to recent/later versions.