
NIFI-10443: Update lang-tag to 1.7 #6366

Closed
wants to merge 2 commits into from
Conversation

@mr1716 (Contributor) commented Sep 5, 2022

Summary

NIFI-10443: this upgrade will resolve the following CVEs: CVE-2021-27568 and CVE-2020-15250

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 8
    • JDK 11
    • JDK 17

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

@exceptionfactory (Contributor) left a comment

This version aligns with the version used in the oauth2-oidc-sdk and nimbus-jose-jwt dependencies before and after the lang-tag declaration. One of the vulnerabilities mentioned applies to JUnit 4, which is not applicable here, and the other applies to JSON Smart, which is already upgraded through a transitive dependency.

Instead of upgrading lang-tag, it looks like the lang-tag dependency declaration should be removed, and the other com.nimbusds dependencies should be upgraded.
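
The review point above, that the two CVEs belong to JSON Smart and JUnit 4 rather than to lang-tag, and that what matters is the version Maven actually puts on the classpath, can be checked mechanically rather than by reading the pom. The script below is an added editor example, not code from Apache NiFi or from this pull request: it parses `mvn dependency:tree -Dverbose` output, treats nodes Maven marks as omitted (duplicates, conflict losers) as not resolved, and compares the surviving version of each artifact in an advisory table with a minimum fixed version. It also covers the case this PR was steering away from, a direct declaration of an older version that wins over a newer transitive copy under Maven's nearest-wins rule. The two dependency trees are constructed for illustration (the `org.example` project and the `9.99.0` oauth2-oidc-sdk version are made up), the version ordering is a simplified one rather than Maven's full ComparableVersion, and the fixed-version thresholds in `ADVISORIES` are the editor's reading of the NVD entries, to be verified against your own advisory source.

```python
"""Audit the versions Maven actually resolves, from `mvn dependency:tree -Dverbose` output.
Added example, not Apache NiFi code. Sample trees are constructed; advisory thresholds
are the editor's reading of the NVD entries and must be verified before use."""
import re
from typing import Dict, List, NamedTuple, Optional

# Assumed minimum fixed versions: "groupId:artifactId" -> (CVE, first fixed version).
ADVISORIES = {
    "net.minidev:json-smart": ("CVE-2021-27568", "2.3.1"),
    "junit:junit": ("CVE-2020-15250", "4.13.1"),
}

class Node(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str
    omitted: Optional[str]  # Maven's reason text when it did not resolve this node

class Finding(NamedTuple):
    coordinate: str
    cve: str
    resolved: Optional[str]  # None when the artifact is not on the classpath at all
    scope: Optional[str]
    status: str              # "ok", "vulnerable" or "absent"

# Strips the "[INFO] " log prefix and the tree-drawing characters (+- \- |).
_TREE_PREFIX = re.compile(r"^\[INFO\]\s*[|\\+\- ]*")

def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree lines into nodes; lines that are not artifacts are skipped."""
    nodes: List[Node] = []
    for raw in text.splitlines():
        line, omitted = _TREE_PREFIX.sub("", raw).strip(), None
        # Verbose mode shows unresolved nodes as "(g:a:jar:1.0:compile - omitted for ...)"
        if line.startswith("(") and line.endswith(")"):
            line, _, omitted = line[1:-1].partition(" - ")
        parts = line.split(":")
        if len(parts) == 4:        # root module: g:a:type:version
            (group, artifact, _type, version), scope = parts, "root"
        elif len(parts) == 5:      # g:a:type:version:scope
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:      # g:a:type:classifier:version:scope
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue               # plugin banner, blank line, build summary
        nodes.append(Node(group, artifact, version, scope, omitted))
    return nodes

def version_key(version: str) -> List[int]:
    """Simplified Maven ordering: numeric segments compare numerically and a non-numeric
    qualifier (SNAPSHOT, rc1) sorts below a release. Not the full ComparableVersion rules."""
    return [int(seg) if seg.isdigit() else -1 for seg in re.split(r"[.\-]", version)]

def version_lt(a: str, b: str) -> bool:
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + [0] * (n - len(ka)) < kb + [0] * (n - len(kb))

def audit(tree_text: str, advisories=ADVISORIES) -> Dict[str, Finding]:
    """For each advised artifact, report the version on the classpath (nearest wins),
    ignoring nodes Maven marked as omitted, and compare it with the fixed version."""
    resolved: Dict[str, Node] = {}
    for node in parse_tree(tree_text):
        if node.omitted is None:
            resolved.setdefault(f"{node.group}:{node.artifact}", node)
    findings: Dict[str, Finding] = {}
    for coord, (cve, fixed) in advisories.items():
        node = resolved.get(coord)
        if node is None:
            findings[coord] = Finding(coord, cve, None, None, "absent")
        else:
            status = "vulnerable" if version_lt(node.version, fixed) else "ok"
            findings[coord] = Finding(coord, cve, node.version, node.scope, status)
    return findings

# Constructed sample: json-smart arrives only transitively; the second copy under
# nimbus-jose-jwt is a duplicate Maven omits. Project and SDK versions are illustrative.
SAMPLE_TREE_TRANSITIVE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ example-oidc ---
[INFO] org.example:example-oidc:jar:1.0.0-SNAPSHOT
[INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.99.0:compile
[INFO] |  +- net.minidev:json-smart:jar:2.4.8:compile
[INFO] |  +- com.nimbusds:lang-tag:jar:1.7:compile
[INFO] |  \\- com.nimbusds:nimbus-jose-jwt:jar:9.24.3:compile
[INFO] |     \\- (net.minidev:json-smart:jar:2.4.8:compile - omitted for duplicate)
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Constructed sample: a direct, older json-smart declaration wins over the newer transitive
# copy under nearest-wins, so the fixed version never reaches the classpath.
SAMPLE_TREE_PINNED = """\
[INFO] org.example:example-oidc:jar:1.0.0-SNAPSHOT
[INFO] +- net.minidev:json-smart:jar:2.3:compile
[INFO] \\- com.nimbusds:oauth2-oidc-sdk:jar:9.99.0:compile
[INFO]    \\- (net.minidev:json-smart:jar:2.4.8:compile - omitted for conflict with 2.3)
"""

if __name__ == "__main__":
    for label, tree in (("transitive", SAMPLE_TREE_TRANSITIVE), ("pinned", SAMPLE_TREE_PINNED)):
        for f in audit(tree).values():
            print(f"{label:10} {f.status:10} {f.coordinate} {f.resolved} {f.scope} {f.cve}")
```

Run it against real output with `mvn dependency:tree -Dverbose | python audit.py` adapted to read stdin; the verbose flag matters, because without it Maven prints only the winning node and the evidence of a downgraded transitive copy is lost. The `scope` field is reported so that a test-scope hit such as JUnit can be triaged as not shipping in the runtime artifact, which is the distinction the reviewer draws above.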

@mr1716 (Contributor, Author) commented Sep 8, 2022

@exceptionfactory changes made. Updated both the oauth2-oidc-sdk and nimbus-jose-jwt dependencies and removed the lang-tag dependency.

@exceptionfactory (Contributor)

Thanks for the quick response @mr1716, will plan on performing some runtime tests soon to verify the latest versions work as expected.

@exceptionfactory (Contributor) left a comment

Thanks for the upgrade and adjustments @mr1716, looks good! +1 merging

p-kimberley pushed a commit to p-kimberley/nifi that referenced this pull request Oct 15, 2022
- Upgraded nimbus-jose-jwt from 9.11.2 to 9.24.3

This closes apache#6366

Signed-off-by: David Handermann <exceptionfactory@apache.org>
2 participants