HDDS-2150. Update dependency versions to avoid security vulnerabilities. #1472
Conversation
There was a problem hiding this comment.
@hanishakoneru thanks for working on this. Unfortunately Jaeger upgrade requires further changes.
pom.ozone.xml
Outdated
| @@ -127,6 +127,9 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xs | |||
| <jackson.version>1.9.13</jackson.version> | |||
| <jackson2.version>2.9.9</jackson2.version> | |||
|
|
|||
| <!-- jaegertracing veresion --> | |||
| <jaeger.version>1.0.0</jaeger.version> | |||
There was a problem hiding this comment.
Jaeger 1.0 depends on newer OpenTracing (0.33), which is not backwards compatible.
opentracing/opentracing-java#339
https://github.com/opentracing/opentracing-java#deprecated-members-since-031
hadoop-hdds-common compiles only due to explicit dependency on opentracing-util 0.31.0. However, it fails at runtime with NoSuchMethodError.
For the security fix I think it is enough to upgrade to Jaeger 0.34, which updated Apache Thrift to 0.12. Latest Jaeger Client release 0.35.2 should be OK, too, as it depends on OpenTracing 0.32, which still has the deprecated methods. In this case OpenTracing version should be changed to 0.32.0.
|
Thank you @adoroszlai . I have updated the jaeger tracing version to 0.34.0. |
dependencyTree-
Outdated
| [INFO] +- io.dropwizard.metrics:metrics-core:jar:3.2.4:compile | ||
| [INFO] | \- org.slf4j:slf4j-api:jar:1.7.25:compile | ||
| [INFO] +- org.assertj:assertj-core:jar:3.8.0:test | ||
| [INFO] +- org. |
There was a problem hiding this comment.
I think this file was added accidentally.
There was a problem hiding this comment.
+1 LGTM.
Thank You @hanishakoneru for the contribution and @adoroszlai for the review,
The following dependency versions have known security vulnerabilities. We should update them to recent/ later versions.