[PPP-3537] - Use of vulnerable component com.thoughtworks.xstream v1.…

[YuryBY]

…4.2 CVE-2013-7285

@mkambol, @hudak, could you please take a look?

[wingman-pentaho]

Build Completed

❌ This pull request has errors. They will need to be addressed before it can be accepted. See below for more details. Some links are also available below for further assistance in addressing those issues.

Build Commands

mvn -Dpentaho.resolve.repo=http://nexus.pentaho.org/content/groups/approved -B -fn -DrunITs=true -f pom.xml clean install && mvn -Dpentaho.resolve.repo=http://nexus.pentaho.org/content/groups/approved -B -f pom.xml site

Cleanup Commands

mvn -B build-helper:remove-project-artifact

Changed files

  assemblies/pmr-libraries/pom.xml
  kettle-plugins/hbase/pom.xml
  kettle-plugins/mapreduce/pom.xml
  legacy/pom.xml
  pom.xml

Newly Broken Tests:

org.pentaho.big.data.impl.shim.mapreduce.PentahoMapReduceJobBuilderImplTest.testConfigureFull:

🔴 java.lang.NoClassDefFoundError

java.lang.NoClassDefFoundError: org/xmlpull/v1/XmlPullParserException
    at org.pentaho.big.data.impl.shim.mapreduce.PentahoMapReduceJobBuilderImplTest.testConfigureFull(PentahoMapReduceJobBuilderImplTest.java:593)
Caused by: java.lang.ClassNotFoundException: org.xmlpull.v1.XmlPullParserException
    at org.pentaho.big.data.impl.shim.mapreduce.PentahoMapReduceJobBuilderImplTest.testConfigureFull(PentahoMapReduceJobBuilderImplTest.java:593)

Unit test coverage change

These statistics help you identify how your changes have affected the coverage of the following files. If a file is not in this list, then its coverage was not affected by your changes. To get some help interpreting these metrics, please refer to Jacoco's documentation.

org.pentaho.big.data.impl.shim.mapreduce.MapReduceJobBuilderImpl

• Complexity Change: -2.33%🔻
• Instruction Change: -.71%🔻
• Line Change: -.91%🔻
• Method Change: -4.00%🔻

org.pentaho.big.data.impl.shim.mapreduce.PentahoMapReduceJobBuilderImpl

• Complexity Change: -2.13%🔻
• Instruction Change: -2.77%🔻
• Line Change: -2.81%🔻
• Method Change: -5.88%🔻

[mkambol]

@YuryBY can you investigate the broken test?

[YuryBY]

@mkambol, added explicit dependencies

[wingman-pentaho]

Build Failed

❌ Something went wrong while validating this pull request.

Build Commands

mvn -Dpentaho.resolve.repo=http://nexus.pentaho.org/content/groups/approved -B -fn -DrunITs=true -f pom.xml clean install && mvn -Dpentaho.resolve.repo=http://nexus.pentaho.org/content/groups/approved -B -f pom.xml site

Stdout log

(last 100 lines)

[INFO] ------------------------------------------------------------------------
[INFO] Building Pentaho Community Edition Project: pentaho-hadoop-shims-mapr-osgi-jaas 7.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- build-helper-maven-plugin:1.5:remove-project-artifact (default-cli) @ pentaho-hadoop-shims-mapr-osgi-jaas ---
[INFO] /home/buildguy/.m2/repository/pentaho/pentaho-hadoop-shims-mapr-osgi-jaas removed.
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building pentaho-big-data-assemblies 7.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- build-helper-maven-plugin:1.5:remove-project-artifact (default-cli) @ pentaho-big-data-assemblies ---
[INFO] /home/buildguy/.m2/repository/pentaho/pentaho-big-data-assemblies removed.
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building pentaho-big-data-plugin-osgi 7.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- build-helper-maven-plugin:1.5:remove-project-artifact (default-cli) @ pentaho-big-data-plugin-osgi ---
[INFO] /home/buildguy/.m2/repository/pentaho-karaf-features/pentaho-big-data-plugin-osgi removed.
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building pentaho-big-data-plugin-samples 7.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- build-helper-maven-plugin:1.5:remove-project-artifact (default-cli) @ pentaho-big-data-plugin-samples ---
[INFO] /home/buildguy/.m2/repository/pentaho/pentaho-big-data-plugin-samples removed.
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building pentaho-big-data-assemblies-pmr-libraries 7.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- build-helper-maven-plugin:1.5:remove-project-artifact (default-cli) @ pentaho-big-data-assemblies-pmr-libraries ---
[INFO] /home/buildguy/.m2/repository/pentaho/pentaho-big-data-assemblies-pmr-libraries removed.
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building pentaho-big-data-plugin 7.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- build-helper-maven-plugin:1.5:remove-project-artifact (default-cli) @ pentaho-big-data-plugin ---
[INFO] /home/buildguy/.m2/repository/pentaho/pentaho-big-data-plugin removed.
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] Pentaho Community Edition Project: pentaho-big-data-bundles SUCCESS [  0.223 s]
[INFO] pentaho-big-data-legacy ............................ SUCCESS [  0.012 s]
[INFO] pentaho-big-data-api ............................... SUCCESS [  0.005 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-runtimeTest SUCCESS [  0.005 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-cluster SUCCESS [  0.006 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-initializer SUCCESS [  0.004 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-cluster-service-locator SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-hdfs SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-mapreduce SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-pig SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-oozie SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-hbase SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-api-sqoop SUCCESS [  0.002 s]
[INFO] pentaho-big-data-api-jdbc .......................... SUCCESS [  0.005 s]
[INFO] pentaho-big-data-impl .............................. SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-cluster SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-clusterTests SUCCESS [  0.003 s]
[INFO] pentaho-big-data-impl-shim ......................... SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-common SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-initializer SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-hdfs SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-hive SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-mapreduce SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-pig SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-oozie SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-hbase SUCCESS [  0.003 s]
[INFO] pentaho-big-data-kettle-plugins .................... SUCCESS [  0.002 s]
[INFO] pentaho-big-data-kettle-plugins-common ............. SUCCESS [  0.001 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-common-ui SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-common-job SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-hdfs SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-sqoop SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-shim-shimTests SUCCESS [  0.002 s]
[INFO] pentaho-big-data-impl-vfs .......................... SUCCESS [  0.001 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-impl-vfs-hdfs SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-common-named-cluster-bridge SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-mapreduce SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-pig SUCCESS [  0.002 s]
[INFO] pentaho-big-data-kettle-plugins-guiTestActionHandlers SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-oozie SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-hbase SUCCESS [  0.003 s]
[INFO] Pentaho Community Edition Project: pentaho-big-data-kettle-plugins-sqoop SUCCESS [  0.002 s]
[INFO] pentaho-big-data-kettle-plugins-hive ............... SUCCESS [  0.002 s]
[INFO] Pentaho Community Edition Project: pentaho-hadoop-shims-mapr-osgi-jaas SUCCESS [  0.002 s]
[INFO] pentaho-big-data-assemblies ........................ SUCCESS [  0.002 s]
[INFO] pentaho-big-data-plugin-osgi ....................... SUCCESS [  0.015 s]
[INFO] pentaho-big-data-plugin-samples .................... SUCCESS [  0.002 s]
[INFO] pentaho-big-data-assemblies-pmr-libraries .......... SUCCESS [  0.051 s]
[INFO] pentaho-big-data-plugin ............................ SUCCESS [  0.004 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.877 s
[INFO] Finished at: 2016-07-01T14:03:52+00:00
[INFO] Final Memory: 24M/602M
[INFO] ------------------------------------------------------------------------

Stderr log

(last 100 lines)

java.lang.Exception: org.pentaho.build.buddy.bundles.orchestrator.OrchestratorImpl$BuildException: java.io.IOException: Head build returned with code 1
    at org.pentaho.build.buddy.bundles.orchestrator.OrchestratorImpl.orchestrate(OrchestratorImpl.java:360)
    at Proxycd07261c_ead4_40ee_a439_1f0c6a35874d.orchestrate(Unknown Source)
    at org.pentaho.build.buddy.bundles.rest.OrchestratorRestService$1.write(OrchestratorRestService.java:62)
    at org.apache.cxf.jaxrs.provider.BinaryDataProvider.writeTo(BinaryDataProvider.java:172)
    at org.apache.cxf.jaxrs.utils.JAXRSUtils.writeMessageBody(JAXRSUtils.java:1381)
    at org.apache.cxf.jaxrs.interceptor.JAXRSOutInterceptor.serializeMessage(JAXRSOutInterceptor.java:244)
    at org.apache.cxf.jaxrs.interceptor.JAXRSOutInterceptor.processResponse(JAXRSOutInterceptor.java:120)
    at org.apache.cxf.jaxrs.interceptor.JAXRSOutInterceptor.handleMessage(JAXRSOutInterceptor.java:83)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.interceptor.OutgoingChainInterceptor.handleMessage(OutgoingChainInterceptor.java:83)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:253)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:70)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:271)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.pentaho.build.buddy.bundles.orchestrator.OrchestratorImpl$BuildException: java.io.IOException: Head build returned with code 1
    at org.pentaho.build.buddy.bundles.orchestrator.OrchestratorImpl.doOrchestrate(OrchestratorImpl.java:483)
    at org.pentaho.build.buddy.bundles.orchestrator.OrchestratorImpl.orchestrate(OrchestratorImpl.java:342)
    ... 41 more
Caused by: java.io.IOException: Head build returned with code 1
    ... 43 more

[YuryBY]

@hudak, @pamval the PR is updated.