
Upgraded Slf4j-api version from 25.0 to 26.0 - CVE-2018-8088 #2627

Merged
merged 1 commit into from Jun 27, 2019

Conversation

@Coduz
Contributor

Coduz commented Jun 24, 2019

The PR bumps the version of Slf4j-api and bridging implementations to 1.7.26

Related Issue
None

Description of the solution adopted
Bumped to the latest version available.
Full CQ required

slf4j-api: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20264
jcl-over-slf4j: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20265
log4j-over-slf4j: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20266
jul-to-slf4j: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20267

Screenshots
None

Any side note on the changes made
Grouped dependencies and added some comments.
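The grouping mentioned above, as an added example that is not Kapua's pom and not code from this PR: one version property shared by slf4j-api and the three bridges, so a future bump changes a single line and the four artifacts cannot drift apart, plus a maven-enforcer rule that fails the build if any org.slf4j artifact below 1.7.26 is still resolved, directly or transitively. The property name `slf4j.version`, the enforcer plugin version and the placement in a parent pom are assumptions.

```xml
<!-- Added example, not the project's own pom. Property name, plugin version
     and module layout are assumptions. -->
<properties>
  <!-- 1.7.26 is the 1.7.x release that addresses CVE-2018-8088 -->
  <slf4j.version>1.7.26</slf4j.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- API and the three bridges pinned to the same version. Because these are
         managed here, a transitive request for an older slf4j-api from another
         library is overridden to ${slf4j.version} as well. -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>${slf4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>jcl-over-slf4j</artifactId>
      <version>${slf4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>log4j-over-slf4j</artifactId>
      <version>${slf4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>jul-to-slf4j</artifactId>
      <version>${slf4j.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- assumed version; any recent enforcer release supports this rule -->
      <version>3.0.0-M2</version>
      <executions>
        <execution>
          <id>ban-old-slf4j</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- Any org.slf4j artifact with version < 1.7.26, including ones
                     not listed in dependencyManagement (e.g. slf4j-ext pulled in
                     transitively), fails the build. -->
                <excludes>
                  <exclude>org.slf4j:*:(,1.7.26)</exclude>
                </excludes>
                <searchTransitive>true</searchTransitive>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

To confirm what actually lands on the classpath after the bump, `mvn dependency:tree -Dincludes=org.slf4j` lists every resolved org.slf4j artifact with the version Maven chose; the enforcer rule turns that manual check into a build failure when a later dependency change reintroduces an older version.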

@Coduz Coduz requested review from lorthirk and stefanomorson Jun 24, 2019
@Coduz Coduz added this to To Do in 1.1.0 via automation Jun 24, 2019
@codecov



codecov bot commented Jun 24, 2019

Codecov Report

Merging #2627 into develop will increase coverage by 49.22%.
The diff coverage is n/a.


@@              Coverage Diff               @@
##             develop    #2627       +/-   ##
==============================================
+ Coverage       0.82%   50.05%   +49.22%     
- Complexity         5     2453     +2448     
==============================================
  Files            992      959       -33     
  Lines          28134    27640      -494     
  Branches        2308     2269       -39     
==============================================
+ Hits             233    13836    +13603     
+ Misses         27884    12826    -15058     
- Partials          17      978      +961
Impacted Files                                          Coverage Δ   Complexity Δ
...lipse/kapua/service/scheduler/trigger/Trigger.java 0% <0%> (ø) 0% <0%> (ø) ⬇️
...eclipse/kapua/model/type/ObjectValueConverter.java 0% <0%> (ø) 0% <0%> (ø) ⬇️
...t/commons/exception/DeviceManagementException.java 0% <0%> (ø) 0% <0%> (ø) ⬇️
...vice/device/call/message/kura/utils/GZIPUtils.java 0% <0%> (ø) 1% <0%> (+1%) ⬆️
...e/scheduler/trigger/quartz/TriggerCreatorImpl.java 0% <0%> (ø) 0% <0%> (ø) ⬇️
.../DeviceManagementNotificationMessageProcessor.java 0% <0%> (ø) 0% <0%> (ø) ⬇️
...igger/definition/quartz/TriggerDefinitionImpl.java
...efinition/quartz/TriggerDefinitionServiceImpl.java
...xception/JobDeviceManagementTriggerErrorCodes.java
...z/driver/exception/CannotScheduleJobException.java
... and 611 more

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bf0b8c4...3192dfc.

@Coduz Coduz force-pushed the Coduz:chng-bumpSlf4japiTo1.7.26 branch from ba42c9c to ccb047e Jun 24, 2019
@Coduz


Contributor Author

Coduz commented Jun 24, 2019

According to the comments of Kai:

https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20264#c6
https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20265#c3
https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20266#c3
https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20267#c3

we should piggy-back on version 1.7.25, and then we can update without a CQ to any of the patch versions if the project follows semantic versioning.

Dependency        Kapua CQ                                               Piggy-back CQ
slf4j-api         https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20270   https://dev.eclipse.org/ipzilla/show_bug.cgi?id=13368
jcl-over-slf4j    https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20271   https://dev.eclipse.org/ipzilla/show_bug.cgi?id=13678
log4j-over-slf4j  https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20272   https://dev.eclipse.org/ipzilla/show_bug.cgi?id=13680
jul-to-slf4j      https://dev.eclipse.org/ipzilla/show_bug.cgi?id=20273   https://dev.eclipse.org/ipzilla/show_bug.cgi?id=13367

All 4 dependencies have the same GitHub project and the diff between 1.7.25 and 1.7.26 can be seen here:

qos-ch/slf4j@v_1.7.25...v_1.7.26

So we can assume it is safe to bump the version without a new CQ.

@Coduz Coduz force-pushed the Coduz:chng-bumpSlf4japiTo1.7.26 branch from ccb047e to 8ec29b9 Jun 26, 2019
@Coduz Coduz added CQ approved and removed CQ pending labels Jun 26, 2019
Signed-off-by: coduz <alberto.codutti@eurotech.com>
@Coduz Coduz force-pushed the Coduz:chng-bumpSlf4japiTo1.7.26 branch from 8ec29b9 to 3192dfc Jun 26, 2019
@Coduz Coduz changed the title Upgraded Slf4j-api version from 24.0 to 26.0 - CVE-2018-8088 Upgraded Slf4j-api version from 25.0 to 26.0 - CVE-2018-8088 Jun 26, 2019
@Coduz Coduz merged commit 23cdd3a into eclipse:develop Jun 27, 2019
1 of 2 checks passed
continuous-integration/travis-ci/pr The Travis CI build is in progress
eclipsefdn/eca The author(s) of the pull request is covered by necessary legal agreements in order to proceed!
1.1.0 automation moved this from To Do to Done Jun 27, 2019
@Coduz Coduz deleted the Coduz:chng-bumpSlf4japiTo1.7.26 branch Jun 27, 2019
Projects: 1.1.0 (Done)
2 participants