
ZOOKEEPER-3262 Update dependencies flagged by OWASP report #792

Closed
wants to merge 1 commit into from

Conversation

eolivelli
Contributor

@eolivelli eolivelli commented Jan 30, 2019

@eolivelli changed the title from "ZOOKEEPER-3262 Upgrade dependencies and suppress false positive on Netty" to "ZOOKEEPER-3262 Update dependencies flagged by OWASP report" on Jan 30, 2019
@enixon

enixon commented Jan 30, 2019

makes sense to me

Contributor

@anmolnar anmolnar left a comment


+1

@phunt
Contributor

phunt commented Jan 31, 2019

The JIRA makes no mention (nor this PR) of why these changes are being made. Please comment on the PR/jira about the why.

Is someone working with the dependency checker folks on the false positives?

Also - I'm a bit concerned that we will suppress things and then never come back to them, how will we address that? Should we add a step to the release process at a minimum? (review prior to release)

otw looks fine to me.

@eolivelli
Contributor Author

test maven build

@eolivelli
Contributor Author

@phunt we are suppressing specific CVEs; they are tied to specific versions of dependencies, I think there is no trouble even for the future.

We should check suppressed CVEs in the future, maybe such suppressions won't be needed any more, but having them in the codebase does not hurt.

IMHO there is no risk that suppressing a CVE will have an impact on other checks.
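The two comments above describe the mechanics of this change (dependency-check suppressions scoped to one CVE and one dependency version) and the maintenance worry that goes with them (a suppression that is never revisited). The script below is an added example, not code from this PR or from the ZooKeeper project: it parses a dependency-check suppression file and fails a pre-release check for any entry that has no `until` expiry date or whose expiry has passed, which is one concrete form of the "review prior to release" step phunt asks for. The embedded suppression file is constructed for the example; it reuses the two CVE ids the commit message names as false positives against ZooKeeper itself, but the `packageUrl` pattern for ZooKeeper's own artifact and the expiry dates are assumptions, not the project's real configuration.

```python
"""Audit an OWASP dependency-check suppression file before cutting a release.

Every <suppress> entry is listed, and entries with no `until` expiry date or
with an expiry that has already passed are flagged, so a suppression gets
reviewed instead of silently outliving the dependency version it was
written for.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date

# Namespace of the dependency-check suppression schema (version 1.3).
NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed sample file (not ZooKeeper's real suppression file). The two CVEs are the
# ones the PR's commit message names as false positives against ZooKeeper itself; the
# packageUrl pattern for ZooKeeper's own artifact and the dates are assumptions.
SAMPLE_SUPPRESSIONS = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2019-06-30Z">
    <notes><![CDATA[False positive: the scanner matches the project's own build output.
Revisit before the next release.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper@.*$</packageUrl>
    <cve>CVE-2018-8012</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[Same false positive, but with no expiry date it never comes up for review.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper@.*$</packageUrl>
    <cve>CVE-2016-5017</cve>
  </suppress>
</suppressions>
"""


@dataclass
class Finding:
    cve: str
    target: str            # packageUrl / gav / cpe the suppression is scoped to
    until: str | None      # ISO date on which the suppression expires, or None
    status: str            # "ok", "missing-expiry" or "expired"


def parse_until(value: str) -> date:
    """dependency-check stores the expiry as xs:date, e.g. 2019-06-30Z or 2019-06-30."""
    return date.fromisoformat(value.rstrip("Z"))


def audit_suppressions(xml_text: str, today: str) -> list[Finding]:
    """Return one Finding per suppressed CVE, judged against `today` (ISO date string)."""
    today_date = date.fromisoformat(today)
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for sup in root.findall("dc:suppress", NS):
        # Whatever scopes the entry: packageUrl, gav or cpe (first one present).
        target = "(unscoped)"
        for tag in ("packageUrl", "gav", "cpe"):
            el = sup.find(f"dc:{tag}", NS)
            if el is not None and el.text:
                target = el.text.strip()
                break
        until_raw = sup.get("until")
        if until_raw is None:
            status, until = "missing-expiry", None
        else:
            expiry = parse_until(until_raw)
            until = expiry.isoformat()
            status = "expired" if expiry < today_date else "ok"
        cves = [c.text.strip() for c in sup.findall("dc:cve", NS) if c.text] or ["(no cve)"]
        for cve in cves:
            findings.append(Finding(cve, target, until, status))
    return findings


def release_gate(xml_text: str, today: str) -> tuple[bool, list[Finding]]:
    """True only when every suppression carries an unexpired `until`; run it before a release."""
    findings = audit_suppressions(xml_text, today)
    return (all(f.status == "ok" for f in findings), findings)


if __name__ == "__main__":
    # Usage: python audit_suppressions.py [path/to/suppressions.xml] [YYYY-MM-DD]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUPPRESSIONS
    today = sys.argv[2] if len(sys.argv) > 2 else date.today().isoformat()
    ok, findings = release_gate(text, today)
    for f in findings:
        print(f"{f.status:15} {f.cve:15} until={f.until or '-':12} {f.target}")
    sys.exit(0 if ok else 1)
```

Run against the sample on 2019-01-30 the gate fails because the second entry has no expiry; run on 2022-09-03 the first entry is reported as expired as well. Wiring the script into the release checklist (or a CI job that runs it with a non-zero exit on failure) turns "we should check suppressed CVEs in the future" into a check that actually fires.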

@eolivelli
Contributor Author

retest ant build

@eolivelli
Contributor Author

retest maven build

@asfgit asfgit closed this in 97e51a4 Feb 2, 2019
@phunt
Contributor

phunt commented Feb 2, 2019

Committed to master - thanks @eolivelli !

Please submit separate PRs for 3.5/3.4 as there are conflicts.

RokLenarcic pushed a commit to RokLenarcic/zookeeper that referenced this pull request Sep 3, 2022
- Upgrade Jetty to 9.4.14.v20181114
- Upgrade Jackson to 2.9.8
- Suppress a false positive about Netty (jeremylong/DependencyCheck#1653)
- Suppress false positives against ZooKeeper itself: CVE-2018-8012 and CVE-2016-5017

Author: Enrico Olivelli <eolivelli@apache.org>

Reviewers: phunt@apache.org

Closes apache#792 from eolivelli/fix/ZOOKEEPER-3262

Change-Id: I6152ee061765a6eb7e4b9ac19db79d11bee4f4c5