
[Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak #10147

Merged

Conversation

@lhotari (Member) commented Apr 6, 2021

Motivation

  • Fix low-severity issue CVE-2020-15250
  • Fix some test dependencies leaking to production dependencies
    • this was causing an odd issue that switched junit:junit dependency from test scope to compile scope

Modifications

  • Use maven dependency management to set junit version to 4.13.1
  • Exclude grpc-testing from org.apache.bookkeeper:stream-storage-java-client dependency since it was causing junit to leak into production dependencies
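As an added check (not part of this PR or of Pulsar), the script below scans `mvn dependency:tree` output for the leak the Modifications describe: test-only artifacts (junit, hamcrest-core, grpc-testing) reaching compile or runtime scope. The function names, the tree-format assumptions and both sample trees are constructed here; all versions in the samples except grpc-testing 1.33.0, hamcrest-core 1.3 and junit 4.13.1 are made up.

```python
# Assumed `mvn dependency:tree` line format: "[INFO] " prefix, 3-character
# tree connectors per level, then groupId:artifactId:type[:classifier]:version[:scope].
TEST_ONLY = {"junit:junit", "org.hamcrest:hamcrest-core", "io.grpc:grpc-testing"}
SCOPES = {"compile", "provided", "runtime", "test", "system"}

def parse_line(line):
    """Return (depth, group:artifact, version, scope), or None for non-tree lines."""
    body = line[7:] if line.startswith("[INFO] ") else line
    node = body.lstrip("+-\\| ")
    if not node or node.startswith("("):  # blank, or an "(omitted ...)" entry
        return None
    depth = (len(body) - len(node)) // 3
    parts = node.split()[0].split(":")  # drops "(version managed from ...)"
    if len(parts) < 4:
        return None
    scope = parts.pop() if parts[-1] in SCOPES else None  # root line has no scope
    return depth, f"{parts[0]}:{parts[1]}", parts[-1], scope

def find_leaks(tree_text):
    """Return [(path, version, scope)] for test-only artifacts outside test scope."""
    leaks, stack = [], []
    for line in tree_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        depth, ga, version, scope = parsed
        del stack[depth:]  # unwind to this node's parent
        stack.append(ga)
        if ga in TEST_ONLY and scope is not None and scope != "test":
            leaks.append((" -> ".join(stack), version, scope))
    return leaks

# Constructed sample of the pre-fix tree described in the PR; versions other
# than grpc-testing 1.33.0 and hamcrest-core 1.3 are made up.
BEFORE = """\
[INFO] org.apache.pulsar:pulsar-broker:jar:2.8.0-SNAPSHOT
[INFO] +- org.apache.bookkeeper:stream-storage-java-client:jar:4.13.0:compile
[INFO] |  \\- io.grpc:grpc-testing:jar:1.33.0:compile
[INFO] |     \\- junit:junit:jar:4.12:compile
[INFO] |        \\- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.30:compile
"""
# Constructed sample after excluding grpc-testing and managing junit to 4.13.1.
AFTER = """\
[INFO] org.apache.pulsar:pulsar-broker:jar:2.8.0-SNAPSHOT
[INFO] +- org.apache.bookkeeper:stream-storage-java-client:jar:4.13.0:compile
[INFO] \\- junit:junit:jar:4.13.1:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""
```

Run `find_leaks(open("tree.txt").read())` on the saved output of `mvn dependency:tree`; each hit carries the full parent chain, which points at the dependency whose exclusion (here grpc-testing) fixes the leak.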

@eolivelli (Contributor) left a comment

LGTM

@david-streamlio (Contributor) left a comment

LGTM

@merlimat (Contributor) left a comment

👍

The LICENSE file also needs some adjustments:

Run src/check-binary-license ./distribution/server/target/apache-pulsar-*-bin.tar.gz
io.grpc-grpc-testing-1.33.0.jar mentioned in LICENSE, but not bundled
org.hamcrest-hamcrest-core-1.3.jar mentioned in LICENSE, but not bundled

It looks like there are issues with the LICENSE/NOTICE.

@merlimat merlimat added this to the 2.8.0 milestone Apr 6, 2021
@lhotari lhotari force-pushed the lh-upgrade-junit-to-fix-vulnerability branch 2 times, most recently from c69f58d to 4d9b0cc Compare April 13, 2021 14:14
@lhotari lhotari force-pushed the lh-upgrade-junit-to-fix-vulnerability branch from 4d9b0cc to 9b46886 Compare April 15, 2021 09:25
@lhotari (Member, Author) commented Apr 15, 2021

/pulsarbot run-failure-checks

@eolivelli eolivelli merged commit 9d3cbef into apache:master Apr 15, 2021
eolivelli pushed a commit to datastax/pulsar that referenced this pull request May 20, 2021
…and fix test dependency leak (apache#10147)

(cherry picked from commit 9d3cbef)