Updated dependency versions to reduce security problems#143
Merged
zootalures merged 1 commit intomasterfrom Jul 3, 2018
Merged
Updated dependency versions to reduce security problems#143zootalures merged 1 commit intomasterfrom
zootalures merged 1 commit intomasterfrom
Conversation
Member
|
build failed |
Using snyk.io tools we found several dependencies had security vulnerabilities and could be updated. This does not remove all of them, but the remaining CVEs are in transitive dependencies brought in by 3rd party code. CVEs remain in: async-thumbnails example (low priority to fix) through - minio - wiremock fn-spring-cloud-function through - spring-cloud-function-context Additional changes were needed to adjust for API changes in updated dependencies: async-thumbnails example: - new minio client uses chunked file uploads so assertions needed changing fn-spring-cloud-function: - Several breaking API changes, and it seems now that Consumer behaviour is broken.
Closed
zootalures
approved these changes
Jul 3, 2018
denis256
added a commit
to denis256/fdk-java
that referenced
this pull request
Oct 13, 2019
* Updating docs to reflect new CLI syntax (fnproject#138) * Updating docs to reflect new CLI syntax * Missed a few * fn-java-fdk: post-1.0.60 version bump [skip ci] * remove printenv * manual version bump * fn-java-fdk: post-1.0.62 version bump [skip ci] * Update FN container name (fnproject#139) [skip ci] Update FN container name from functions to fnserver at grabbing internal docker network IP * Updated dependency versions to reduce security problems (fnproject#143) Using snyk.io tools we found several dependencies had security vulnerabilities and could be updated. This does not remove all of them, but the remaining CVEs are in transitive dependencies brought in by 3rd party code. CVEs remain in: async-thumbnails example (low priority to fix) through - minio - wiremock fn-spring-cloud-function through - spring-cloud-function-context Additional changes were needed to adjust for API changes in updated dependencies: async-thumbnails example: - new minio client uses chunked file uploads so assertions needed changing fn-spring-cloud-function: - Several breaking API changes, and it seems now that Consumer behaviour is broken. * fn-java-fdk: post-1.0.63 version bump [skip ci] * preparations for the junit5 module - separation of the junit4 and junit5 code into different modules. - core module to share code between different TDD frameworks * cleaning of unused folders/modules * fixed deps in build-image module * fixed integration-tests examples * fixed deps in build-image module * deactivated integration-test 3 and 7 - cycle dependency to cli * fn-java-fdk: post-1.0.64 version bump [skip ci] * pom.xml files - refactoring * switched all versions to the latest available in maven central * switched all plugin-versions to the latest available in maven central * removed comment * will make the google compiler happy... * fn-java-fdk: post-1.0.65 version bump [skip ci] * Add Unix Stream codec, Split flow from FDK, update integration tests (fnproject#150) * http input codec * add jetty-core and UDS deps * PoC jetty core UDS event codec * revise FDK contract for initial relase, split flow from fn, support new unix domain socket contract * First pass of refactor * added annotations for for features to support flow * moving flow feature to runtime package * rename flow testing and add docs, fix race in Stream testing * fixing failing tests * Update to reflect FN_ID * more integration test fixing * fix up format name * first stab at home-grown UDS implementation * docker build fix * UDS rework, remove old UDS dep and test new one * adjust permissions on file on start * new integration tests * simlify build and integration tests, add tests for http-stream * fix ci * typo * make igntests standalone * itests run 1.8 * fix itest result * env for itests * add createDir * test failures in circle * fix test interference * Use standard properties in fdk tests, fix versions in itests * hmm no entropy on circle boxes :) * use consistent properties for versions everywhere * add waits for start * this time with feeling * diagnosing timeout * close input, try more aggressive testing * C errors * fixing up accept and twiddling with integration test start * set DOCKER_LOCALHOST * integration test fixing/finessing * cludge docker localhost * no_proxy messing * set fnserver IP correctly * typo * nits in C code * review nits * more C fix nits * Make mandatory headers mandatory again * minus comment * remove Content-Length from stripped input * fix call test * bump version to fix broken release [skip ci] * Initial cut at HTTP gateway prtotocol support * regen sig file * unit tests on HTTPGw Stuff * ign tests code * integration tests * update QR code demo to be HTTP Gateway friendly * tests and docs, organize inputs * Readme typos * fn-java-fdk: post-1.0.67 version bump [skip ci] * Fix typos, minor lints, and a small race condition in stream codec cleanup (fnproject#155) * Fix typos, minor lints, and a small race condition in stream codec cleanup * review feedback * debug log * add more logging * mask binary stuff in c debug code * Fix issue with uninitialised addres in accept * default REPO location in ign tests, fix race condition in Flow test tests * fix typo from fnproject#154 * bump jetty client to latest * fn-java-fdk: post-1.0.68 version bump [skip ci] * trying new delpoyment setting * fn-java-fdk: post-1.0.69 version bump [skip ci] * Try another new deployment setting (fnproject#158) * fn-java-fdk: post-1.0.70 version bump [skip ci] * make FnFeature multi-valued remove use of getAnnotationsByType (fnproject#160) * fn-java-fdk: post-1.0.71 version bump [skip ci] * Build and Init Images for substrate VM This adds a a build and init image that builds functions using substrateVM as consolidated binaries. * fn-java-fdk: post-1.0.72 version bump [skip ci] * CI/Release of substrate related images (fnproject#161) * first cut at substrate images * fix docker build * bump fdk for release * fn-java-fdk: post-1.0.74 version bump [skip ci] * Rev jackson-databind to deal with latest vulnerabilities. (fnproject#163) * Fix Jackson databind to deal with latest CVE * rev minio version used in async thumbnails test to pick up newer jetty version * fix up async thumbnails to test new minio version * fn-java-fdk: post-1.0.75 version bump [skip ci] * [164] Support http-stream protocol in substrate/native java. * This gets the local build.sh working again on the latest JDK8 * Remove comment * Include some CI fixes from @tteggel * Update file permissions on surefire CI fix script * Remove old default and http formats from boilerplate test * Add some logging to boilerplate test * Update FunctionsTest.java * Update FunctionsTest.java * Update FunctionsTest.java * Update FunctionsTest.java * Update FunctionsTest.java * Added some output to help if fn operation fails * Update IntegrationTestRule.java * Update IntegrationTestRule.java * Update IntegrationTestRule.java * Update pom.xml * tweak to surefire version and config * Add specific 8-friendly test and pom for boilerplate test. * Update FunctionsTest.java * Another attempt at logging a failed result...sigh * Rename func.yaml to prevent overwrite * Let's go again... * fn-java-fdk: post-1.0.76 version bump [skip ci] * fn-java-fdk: post-1.0.77 version bump [skip ci] * Add jdk11 build/runtime images (fnproject#169) * Add build for J11 images * Remove JDK9 VM memory options * fn-java-fdk: post-1.0.78 version bump [skip ci] * Use JRE instead of JDK for 11 runtime image, and add push of 11 images into CI release.sh * Reinstate SNAPSHOT version in init-native pom * fn-java-fdk: post-1.0.79 version bump [skip ci] * Replace java9 tests with java11 * Ooops... * Add JDK9 test back whilst CLI still supports it. * fn-java-fdk: post-1.0.80 version bump [skip ci] * Bump jackson version * fn-java-fdk: post-1.0.81 version bump [skip ci] * removed the (now) useless Docker & Format entries (fnproject#178) * fn-java-fdk: post-1.0.82 version bump [skip ci] * Native java fixes (fnproject#179) * Fixed maven surefire classloader. * Fixed SVM problem with max heap size in container. * fn-java-fdk: post-1.0.83 version bump [skip ci] * Removed old format codecs and tests * Remove Java 9 dockerfiles, update builds and tests * Update tests to java11 * Fix broken release * Bump version number past previous broken release * fn-java-fdk: post-1.0.85 version bump [skip ci] * Update HTTPGatewayFunctions.md * removed some legacy stuff (fn call & route) * A first cut at updating and simplifying the Java FDK Readme. Removed user tutorial already included in tutorials. Reorganized and simplified. More work to do reviewing each of the docs linked here. * simplifying the fdk repo readme along with mikes update * Update README.md * add generic link back to official docs * WIP fn user added to runtime image, working on adding user to the init-image * added fn user to runtime java * changes to RUN cmd syntax * trying to run fn user with correct cli flags * added user name * added gid * create app before deploy app * remove --local from create app * create app before deploy in all integ tests * deploy after context created * --create-app change to integ tests * removal of comments * fn-java-fdk: post-1.0.86 version bump [skip ci] * Update Java FDK string-reverse example * post-1.0.87 bump (manual) * fn-java-fdk: post-1.0.88 version bump [skip ci] * WIP adding logframer and tests to fdk-java, before each function invocation * WIP debugging test * Quick fix..? * checking if env variables are logged out to stdout and stderr, stdout gets redirected to stderr hence the duplication in the assertion * removing comments of test in wrong file * fn-java-fdk: post-1.0.89 version bump [skip ci] * adding explicit newline characters in print statements * editing tests * correcting \n * fn-java-fdk: post-1.0.90 version bump [skip ci] * Update pom.xml so circleci test will pass. JDK 11 not allowed currently. * fnproject/functions -> fnproject/fnserver * add fn user to jre11 runtime image * fn-java-fdk: post-1.0.91 version bump [skip ci] * fn-java-fdk: post-1.0.92 version bump [skip ci] * Re-order release artifact publishing By publishing tag to github first we ensure that no artifacts are pushed for a version which isn't tagged. Publishing to bintray last ensures that the CLI won't pick up a version which is not pushed everywhere. * Post-1.0.93 version bump [skip ci] * fn-java-fdk: post-1.0.94 version bump [skip ci] * Skip deployment of example code Do not attempt to publish artifacts for the string-reverse exapmle function * fn-java-fdk: post-1.0.95 version bump [skip ci] * Bump Jackson version * fn-java-fdk: post-1.0.96 version bump [skip ci] * Fix path of java binary in Dockerfile (fnproject#210) * fn-java-fdk: post-1.0.97 version bump [skip ci] * Updated to GraalVM 19. (fnproject#209) * fn-java-fdk: post-1.0.98 version bump [skip ci] * Add env to test server to allow setting fn limits (fnproject#214) work around changed paths in new j11 image * fn-java-fdk: post-1.0.99 version bump [skip ci] * Updated native-image to GraalVM 19.2.0. (fnproject#213) * Updated to GraalVM 19.2.0. * Fixed build-native Dockerfile. * fn-java-fdk: post-1.0.100 version bump [skip ci] * Bump Jackson version to 2.9.10 (fnproject#216) * fn-java-fdk: post-1.0.101 version bump [skip ci] * Update all names to Function Development Kit for Java per Shaun, per Legal, and for consistency. * Removed hyphen as best practice seems to be no hyphen * Updating abbrev to FDK for Java * fn-java-fdk: post-1.0.102 version bump [skip ci]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated dependency versions to reduce security problems
Using snyk.io tools we found several dependencies had security vulnerabilities
and could be updated. This does not remove all of them, but the remaining CVEs
are in transitive dependencies brought in by 3rd party code.
CVEs remain in:
async-thumbnails example (low priority to fix) through
fn-spring-cloud-function through
Additional changes were needed to adjust for API changes in updated dependencies:
async-thumbnails example:
fn-spring-cloud-function: