ZOOKEEPER-3262 Update dependencies flagged by OWASP report #792
eolivelli commented Jan 30, 2019 (edited)
- Upgrade Jetty to 9.4.14.v20181114
- Upgrade Jackson to 2.9.8
- Suppress a false positive about Netty (False positive with Netty jeremylong/DependencyCheck#1653)
- Suppress false positives against ZooKeeper itself: CVE-2018-8012 and CVE-2016-5017
makes sense to me
+1
The JIRA makes no mention (nor this PR) of why these changes are being made. Please comment on the PR/jira about the why. Is someone working with the dependency checker folks on the false positives? Also - I'm a bit concerned that we will suppress things and then never come back to them, how will we address that? Should we add a step to the release process at a minimum? (review prior to release) otw looks fine to me.
test maven build
@phunt we are suppressing specific CVEs, they are tied to specific versions of dependencies, I think there is no trouble even for the future. We should check suppressed CVEs in the future, maybe such suppressions won't be needed any more, but having them in the codebase does not hurt. IMHO there is no risk that suppressing a CVE will have an impact on other checks.
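The suppression mechanism the two comments above discuss, as an added example that is not the file changed by this PR: a dependency-check suppression rule scoped to ZooKeeper's own artifact and to the two CVE ids named in the PR description, with an expiry date so the rule is revisited at release time. The file layout, the `gav` regular expression and the `until` date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an OWASP dependency-check suppression file; this is
     not the file from this PR. The expiry date and the regular expression
     are assumed values. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- Too broad (left commented out): with no artifact selector this rule
       hides CVE-2018-8012 for every dependency the scanner reports it on,
       and it never expires.
  <suppress>
    <cve>CVE-2018-8012</cve>
  </suppress>
  -->

  <!-- Scoped: the rule applies only to ZooKeeper's own artifacts (the
       findings the PR describes as false positives against the project
       itself) and only to the two CVE ids named in the PR. Any other CVE
       reported for the same artifact is still shown, and once the "until"
       date passes the rule lapses and the findings reappear, so the
       release review @phunt asks for happens by default. -->
  <suppress until="2019-12-31Z">  <!-- assumed expiry date -->
    <notes><![CDATA[
      False positive: the scanner matches ZooKeeper's own build artifacts.
      Re-check before the release that follows the expiry date.
    ]]></notes>
    <gav regex="true">^org\.apache\.zookeeper:zookeeper:.*$</gav>
    <cve>CVE-2018-8012</cve>
    <cve>CVE-2016-5017</cve>
  </suppress>

</suppressions>
```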
retest ant build

retest maven build
Committed to master - thanks @eolivelli ! Please submit separate PRs for 3.5/3.4 as there are conflicts.
- Upgrade Jetty to 9.4.14.v20181114
- Upgrade Jackson to 2.9.8
- Suppress a false positive about Netty (jeremylong/DependencyCheck#1653)
- Suppress false positives against ZooKeeper itself: CVE-2018-8012 and CVE-2016-5017

Author: Enrico Olivelli <eolivelli@apache.org>
Reviewers: phunt@apache.org

Closes apache#792 from eolivelli/fix/ZOOKEEPER-3262

Change-Id: I6152ee061765a6eb7e4b9ac19db79d11bee4f4c5