Force newer version of transitive (spotless) eclipse dependency #175
Conversation
Signed-off-by: Daniel Widdis <[email protected]>
dbwiddis
requested review from
owaiskazi19,
joshpalis,
ohltyler,
amitgalitz and
jackiehanyang
as code owners
|
looks like spotless check failed now: |
Signed-off-by: Daniel Widdis <[email protected]>
Yeah, apparently the newer Eclipse core dependency requires JDK17+ for running spotless:
|
Signed-off-by: Daniel Widdis <[email protected]>
* Force newer version of transitive (spotless) eclipse dependency Signed-off-by: Daniel Widdis <[email protected]> * Non-impacted Eclipse Core dependency requires JDK17+ for spotless Signed-off-by: Daniel Widdis <[email protected]> * Don't do spotless check during build as its already done Signed-off-by: Daniel Widdis <[email protected]> --------- Signed-off-by: Daniel Widdis <[email protected]> (cherry picked from commit 2dcfc9c) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
|
Interestingly, I submitted a similar PR on security repo that says the current version is still vulnerable: https://github.com/opensearch-project/security/pull/3737/checks?check_run_id=18799318680 In which case there's nothing we can do until a newer version comes out... |
|
But per https://www.cve.org/CVERecord?id=CVE-2023-4218 "before" means 3.29.0 should be good. We'll see if the issue gets regenerated.
|
…ependency (#176) Force newer version of transitive (spotless) eclipse dependency (#175) * Force newer version of transitive (spotless) eclipse dependency * Non-impacted Eclipse Core dependency requires JDK17+ for spotless * Don't do spotless check during build as its already done --------- (cherry picked from commit 2dcfc9c) Signed-off-by: Daniel Widdis <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
joshpalis
added
backport feature/agent_framework
and removed
backport feature/agent_framework
labels
Description
Spotless brings in a transitive dependency on a CVE-impacted Eclipse Core dependency. This forces the newest version.
The non-impacted Eclipse dependency requires JDK17+ so I've also updated CI to use JDK17 for the spotless check and remove the spotless check from the subsequent build (allowing it to run on JDK11).
Issues Resolved
Resolves #160
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.