Update BouncyCastle dependencies from jdk15to18 to jdk18on #12317
Conversation
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
scrawfor99
requested review from
peternied,
abbashus,
adnapibar,
anasalkouz,
andrross,
Bukhtawar,
CEHENKLE,
dblock,
dbwiddis,
dreamer-89,
gbbafna,
kartg,
kotwanikunal,
mch2,
msfroh,
nknize,
owaiskazi19,
reta,
Rishikesh1159,
ryanbogan,
sachinpkale,
saratvemulapalli,
shwetathareja,
sohami,
tlfeng and
VachaShah
as code owners
scrawfor99
changed the title
|
❌ Gradle check result for c2dc38b: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
There was a problem hiding this comment.
While its good that the libraries seem compile safe; there can be hidden risks of performance regression or security robustness by switching on older platforms. Can you look into how BouncyCastle recommends these different versions?
Ideally this change would alter the dependency depending on the jdk target, using the existing bouncy castle version vs on supported platforms using jdk18on. This might be a good middle ground to unblock testing on jdk21 and in the security plugin branches.
This is the recommended BouncyCastle version. The current version we use (15to18) is meant for projects which cannot support multi-release jars. Per the website:
https://www.bouncycastle.org/latest_releases.html Seems like it should be fine @peternied |
There was a problem hiding this comment.
Thanks for the clarification @scrawfor99 - that works for me. Just waiting on passing CI and an outstanding comment
peternied
dismissed
their stale review
Blocking comment on the library version isn't applicable.
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #12317 +/- ##
============================================
+ Coverage 71.32% 71.36% +0.03%
- Complexity 59764 59770 +6
============================================
Files 4959 4959
Lines 281129 281129
Branches 40857 40857
============================================
+ Hits 200513 200614 +101
+ Misses 63947 63864 -83
+ Partials 16669 16651 -18 ☔ View full report in Codecov by Sentry. |
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-12317-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 6099ed99fe68a739e60bf0c13c9954ec5c890fac
# Push it to GitHub
git push --set-upstream origin backport/backport-12317-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.xThen, create a pull request where the |
|
@scrawfor99 Could you manually backport this change to the 2.x branch? |
### Description [Describe what this change achieves] Following: opensearch-project/OpenSearch#12317 in core, this PR increases the version used for bouncycastle in the Security plugin. This is an attempt to correct the intermittent failures described here: [#3299](#3299) ### Check List - [ ] ~New functionality includes testing~ - [ ] ~New functionality has been documented~ - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Stephen Crawford <steecraw@amazon.com>
…15to18 to jdk18on (#12326) Signed-off-by: Stephen Crawford <steecraw@amazon.com>
…h-project#12317) Signed-off-by: Stephen Crawford <steecraw@amazon.com>
…h-project#12317) Signed-off-by: Stephen Crawford <steecraw@amazon.com>
…h-project#12317) Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Shivansh Arora <hishiv@amazon.com>
…h-project#12317) Signed-off-by: Milly Wilson <mwilson3@atlassian.com>
…k18on (opensearch-project#12317) Signed-off-by: Milly Wilson <mwilson3@atlassian.com>
…project#4052) ### Description [Describe what this change achieves] Following: opensearch-project/OpenSearch#12317 in core, this PR increases the version used for bouncycastle in the Security plugin. This is an attempt to correct the intermittent failures described here: [opensearch-project#3299](opensearch-project#3299) ### Check List - [ ] ~New functionality includes testing~ - [ ] ~New functionality has been documented~ - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Stephen Crawford <steecraw@amazon.com>
…0172, CVE-2024-30171 and CVE-2024-29857) (#13484) * [Backport][1.3] Bump BouncyCastle to 1.76 (#10219) Signed-off-by: Milly Wilson <mwilson3@atlassian.com> * [Backport][1.3] Update BouncyCastle dependencies from jdk15to18 to jdk18on (#12317) Signed-off-by: Milly Wilson <mwilson3@atlassian.com> * [Backport][1.3] Bump bouncycastle from 1.77 to 1.78 (#13243) Signed-off-by: Milly Wilson <mwilson3@atlassian.com> * PR#13484 Re-work * Update BC from 1.78 to 1.78.1 with latest fixes. * Remove incorrect jdk15to18 module replacement definitions as artifacts are still supported. * Add release notes. * Remove unneccessary license additions. Signed-off-by: Milly Wilson <mwilson3@atlassian.com> * PR#13484 Re-work * Rename licenses from jdk18on to jdk15to18 and 1.78 to 1.78.1. * Update SHAs for BC 1.78.1 licenses. Signed-off-by: Milly Wilson <mwilson3@atlassian.com> * PR#13484 Re-work Update Changelog and remove release notes file as this will be created upon release. Signed-off-by: Milly Wilson <mwilson3@atlassian.com> --------- Signed-off-by: Milly Wilson <mwilson3@atlassian.com> Co-authored-by: Andrey Pleskach <ples@aiven.io> Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Co-authored-by: Andriy Redko <andriy.redko@aiven.io>
…h-project#12317) Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Description
This change updates bouncy castle dependencies to the most recent jdk18on versions. The reason for this change is because it may fix an intermittent AEAD cipher failure experienced on cluster start.
Related Issues
Check List
New functionality includes testing.All tests passNew functionality has been documented.New functionality has javadoc addedFailing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)Public documentation issue/PR createdBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.