Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updates Guava versions to address CVE #292

Merged
merged 2 commits into from
Feb 16, 2022
Merged

Updates Guava versions to address CVE #292

merged 2 commits into from
Feb 16, 2022

Conversation

jmazanec15
Copy link
Member

Description

Upgrades guava dependency as well as checkstyle dependency (which has a guava dependency as well) to address CVE.

Issues Resolved

#283 #282

Check List

  • Commits are signed as per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@jmazanec15
Updates Guava versions to address CVE
1c0ef74 
Updates direct Guava dependency to 30.0. Also, updates check style to
8.29 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
@jmazanec15 jmazanec15 added backport 1.x security fix Security fix generated by WhiteSource labels Feb 16, 2022
@jmazanec15 jmazanec15 requested a review from a team February 16, 2022 19:38
VijayanB
VijayanB previously approved these changes Feb 16, 2022
View reviewed changes
vamshin
vamshin reviewed Feb 16, 2022
View reviewed changes
checkstyle/checkstyle.xml
Comment on lines -244 to -248
<property name="allowMissingThrowsTags" value="true"/>
<property name="allowMissingReturnTag" value="true"/>
<property name="minLineCount" value="2"/>
<property name="allowedAnnotations" value="Override, Test"/>
<property name="allowThrowsTagsForSubclasses" value="true"/>
Copy link
Member

@vamshin vamshin Feb 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are these properties removed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They break checkstyle upgrade.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just to make sure - are we making our requirements stricter by removing those rules?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it will be stricter. I think it is okay because, currently, we do not enforce the checkstyle checks.

In the future, we should migrate to spotless, as this is what OpenSearch does: opensearch-project/OpenSearch#1370. I will create an issue for this.

junqiu-lei
junqiu-lei previously approved these changes Feb 16, 2022
View reviewed changes
@jmazanec15
Update checkstyle to 9.3
2c78f02 
Signed-off-by: John Mazanec <[email protected]>
@jmazanec15 jmazanec15 dismissed stale reviews from junqiu-lei and VijayanB via 2c78f02 February 16, 2022 19:50
@codecov-commenter
Copy link

codecov-commenter commented Feb 16, 2022
edited
Loading

Codecov Report

Merging #292 (2c78f02) into main (cb1a7d8) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff            @@
##               main     #292   +/-   ##
=========================================
  Coverage     83.38%   83.38%           
  Complexity      885      885           
=========================================
  Files           127      127           
  Lines          3834     3834           
  Branches        361      361           
=========================================
  Hits           3197     3197           
  Misses          475      475           
  Partials        162      162

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cb1a7d8...2c78f02. Read the comment docs.

@jmazanec15 jmazanec15 merged commit e77ef78 into opensearch-project:main Feb 16, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Feb 16, 2022
@jmazanec15 @github-actions
Updates Guava versions to address CVE (#292)
b811e21 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
(cherry picked from commit e77ef78)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Feb 16, 2022
Closed
@opensearch-trigger-bot
Copy link
Contributor

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-292-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e77ef78775ab6414d67dd240de9d01b85c0373b8
# Push it to GitHub
git push --set-upstream origin backport/backport-292-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-292-to-1.x.

opensearch-trigger-bot bot pushed a commit that referenced this pull request Feb 16, 2022
@jmazanec15 @github-actions
Updates Guava versions to address CVE (#292)
9008f59 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
(cherry picked from commit e77ef78)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Feb 16, 2022
Merged
jmazanec15 added a commit that referenced this pull request Feb 16, 2022
@jmazanec15
Updates Guava versions to address CVE (#292)
dde19db 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
jmazanec15 pushed a commit that referenced this pull request Feb 16, 2022
@opensearch-trigger-bot
Updates Guava versions to address CVE (#292) (#295)
1995c95 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
martin-gaievski pushed a commit to martin-gaievski/k-NN that referenced this pull request Mar 7, 2022
@opensearch-trigger-bot @martin-gaievski
Updates Guava versions to address CVE (opensearch-project#292) (opens…
caa9310 
…earch-project#295)

Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
martin-gaievski pushed a commit to martin-gaievski/k-NN that referenced this pull request Mar 7, 2022
@opensearch-trigger-bot @martin-gaievski
Updates Guava versions to address CVE (opensearch-project#292) (opens…
045c8c5 
…earch-project#295)

Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
Signed-off-by: Martin Gaievski <[email protected]>
martin-gaievski pushed a commit to martin-gaievski/k-NN that referenced this pull request Mar 30, 2022
@jmazanec15
Updates Guava versions to address CVE (opensearch-project#292)
8c53f45 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
martin-gaievski pushed a commit to martin-gaievski/k-NN that referenced this pull request Mar 31, 2022
@opensearch-trigger-bot
Updates Guava versions to address CVE (opensearch-project#292) (opens…
83e09bb 
…earch-project#295)

Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martin-gaievski martin-gaievski martin-gaievski approved these changes

@Shivamdhar Shivamdhar Shivamdhar approved these changes

@vamshin vamshin Awaiting requested review from vamshin vamshin is a code owner

@junqiu-lei junqiu-lei Awaiting requested review from junqiu-lei junqiu-lei is a code owner

@VijayanB VijayanB Awaiting requested review from VijayanB VijayanB is a code owner

Assignees
No one assigned
Labels
backport 1.x security fix Security fix generated by WhiteSource
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@jmazanec15 @codecov-commenter @Shivamdhar @VijayanB @vamshin @junqiu-lei @martin-gaievski