ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

[anmolnar]

No description provided.

[eolivelli]

I am sorry, you have to update license files as well

[anmolnar]

@eolivelli @phunt I'm not sure where to get an up-to-date license file from.
The most confusing part is that I found Eclipse Public Lincence in latest Jetty release tarball and also in the version that we're using now, despite that we include ASF licence in Jetty licence file in our codebase.

[eolivelli]

@anmolnar AFAIK Jetty is moving from JavaEE to JarkartaEE.
It is also possible that we are going to include other new jars in the "lib" directory.

Probably we have to use the "Eclipse Public License", we usually rename those files without looking at the real license of Jetty.

Thanks for pointing it out, it is actually a great catch !

[ztzg]

The most confusing part is that I found Eclipse Public Lincence in latest Jetty release tarball and also in the version that we're using now, despite that we include ASF licence in Jetty licence file in our codebase.

The JAR manifest says either:

Bundle-License: http://www.apache.org/licenses/LICENSE-2.0, https://www.eclipse.org/org/documents/epl-v10.php

And, indeed, META-INF/LICENSE says or:

This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which is available at http://www.eclipse.org/legal/epl-2.0, or the Apache Software License 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0.

In case it helps: here is something I tried, which seems to work, and might facilitate future maintenance:

rm -f zookeeper-server/src/main/resources/lib/jetty-*.LICENSE.txt
for i in zookeeper-server/target/lib/jetty-*.jar; do
    unzip -qq -c "$i" META-INF/LICENSE \
        >"zookeeper-server/src/main/resources/lib/$(basename "$i" .jar).LICENSE.txt"
done

Cheers, -D

[anmolnar]

Thanks @eolivelli & @ztzg !
Okay, I committed the best I can do with this. These are the LICENSE files from the latest release of Jetty tarball. They're all the same and I'm not sure why we add the same file 7 times, but I followed the pattern.
It looks like Jetty folks hasn't replaced the Copyright pattern in Apache licence, but hopefully it's not the end of the world:

Copyright [yyyy] [name of copyright owner]

[nkalmar]

+1, license files looks good to me, reading the new one it seems to me same terms apply.

[eolivelli]

great work !
it is better to pick this patch to branch-3.6 and possibly to branch-3.5 as @nkalmar is going to cut a release

[symat]

LGTM, thank you!

[nkalmar]

Merged to master, 3.6 and 3.5 branch.
The 3.5 and 3.6 branch did not have prior jetty licenses... find did not find any either.

[nkalmar]

Checked package, license files are there now:

find ./ -name "jetty*.txt"
.//zookeeper-server/src/main/resources/lib/jetty-security-9.4.34.v20201102.LICENSE.txt
.//zookeeper-server/src/main/resources/lib/jetty-client-9.4.34.v20201102.LICENSE.txt
.//zookeeper-server/src/main/resources/lib/jetty-http-9.4.34.v20201102.LICENSE.txt
.//zookeeper-server/src/main/resources/lib/jetty-util-9.4.34.v20201102.LICENSE.txt
.//zookeeper-server/src/main/resources/lib/jetty-servlet-9.4.34.v20201102.LICENSE.txt
.//zookeeper-server/src/main/resources/lib/jetty-server-9.4.34.v20201102.LICENSE.txt
.//zookeeper-server/src/main/resources/lib/jetty-io-9.4.34.v20201102.LICENSE.txt
.//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-security-9.4.34.v20201102.LICENSE.txt
.//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-client-9.4.34.v20201102.LICENSE.txt
.//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-http-9.4.34.v20201102.LICENSE.txt
.//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-util-9.4.34.v20201102.LICENSE.txt
.//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-servlet-9.4.34.v20201102.LICENSE.txt
.//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-server-9.4.34.v20201102.LICENSE.txt
.//zookeeper-assembly/target/apache-zookeeper-3.6.3-SNAPSHOT-bin/lib/jetty-io-9.4.34.v20201102.LICENSE.txt