From cd699bb7d3a07b8919ef2fb5e8fb4ccd2e622acb Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 7 Aug 2023 16:50:29 -0400 Subject: [PATCH 01/11] Reverse order of setUserInfoInThreadContext and addSecurityRoles to resolve ConcurrentModificationException on bulk request (#3094) ### Description This PR changes the order of `setUserInfoInThreadContext` and `addSecurityRoles` to ensure that `addSecurityRoles` is called before `setUserInfoInThreadContext`. The ConcurrentModificationException would arise in scenarios where the first thread was done with `setUserInfoInThreadContext` and had moved onto `addSecurityRoles` to add the mapped roles into the user's set of security roles. On the first call to `addSecurityRoles` it may be populating the set with data, any subsequent call would be a noop in other threads. If simultaneously there is another thread executing `setUserInfoInThreadContext` while the first thread is in `addSecurityRoles` then a ConcurrentModificationException is thrown inside the `Sets.union(...)` call. By calling `addSecurityRoles` before `setUserInfoInThreadContext`, it can be guaranteed that no ConcurrentModificationException could be thrown because the user's security roles will already be set and any thread that attempts another call will be a noop. * Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation) Bug fix ### Issues Resolved https://github.com/opensearch-project/security/issues/2263 ### Testing Tested by running a python script to bulk insert 100k documents and using tmux to run the script in multiple shells at once. Before the change the bug is reproducible regularly, but after the change the bug cannot be reproduced. ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Craig Perkins Signed-off-by: Craig Perkins --- .../security/privileges/PrivilegesEvaluator.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java index b05b29657d..3ac120b35a 100644 --- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java +++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java @@ -38,7 +38,6 @@ import java.util.regex.Pattern; import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Sets; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.greenrobot.eventbus.Subscribe; @@ -202,12 +201,12 @@ public boolean isInitialized() { return configModel != null && configModel.getSecurityRoles() != null && dcm != null; } - private void setUserInfoInThreadContext(User user, Set mappedRoles) { + private void setUserInfoInThreadContext(User user) { if (threadContext.getTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT) == null) { StringJoiner joiner = new StringJoiner("|"); joiner.add(user.getName()); joiner.add(String.join(",", user.getRoles())); - joiner.add(String.join(",", Sets.union(user.getSecurityRoles(), mappedRoles))); + joiner.add(String.join(",", user.getSecurityRoles())); String requestedTenant = user.getRequestedTenant(); if (!Strings.isNullOrEmpty(requestedTenant)) { joiner.add(requestedTenant); @@ -260,9 +259,9 @@ public PrivilegesEvaluatorResponse evaluate( presponse.resolvedSecurityRoles.addAll(mappedRoles); final SecurityRoles securityRoles = getSecurityRoles(mappedRoles); - setUserInfoInThreadContext(user, mappedRoles); // Add the security roles for this user so that they can be used for DLS parameter substitution. user.addSecurityRoles(mappedRoles); + setUserInfoInThreadContext(user); final boolean isDebugEnabled = log.isDebugEnabled(); if (isDebugEnabled) { From 7fd630196b4b487cd10aef00194e58844774589b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Aug 2023 17:09:34 -0400 Subject: [PATCH 02/11] dependabot: bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.7.1 to 2.8.1 (#3109) Bumps com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.7.1 to 2.8.1. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.carrotsearch.randomizedtesting:randomizedtesting-runner&package-manager=gradle&previous-version=2.7.1&new-version=2.8.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index a22a044ba0..863d13b978 100644 --- a/build.gradle +++ b/build.gradle @@ -627,7 +627,7 @@ dependencies { compileOnly "org.opensearch:opensearch:${opensearch_version}" //integration test framework: - integrationTestImplementation('com.carrotsearch.randomizedtesting:randomizedtesting-runner:2.7.1') { + integrationTestImplementation('com.carrotsearch.randomizedtesting:randomizedtesting-runner:2.8.1') { exclude(group: 'junit', module: 'junit') } integrationTestImplementation 'junit:junit:4.13.2' From 24c4884b3fa8dd46387058111877d4bc27bc6ed6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Aug 2023 17:09:52 -0400 Subject: [PATCH 03/11] dependabot: bump com.diffplug.spotless from 6.19.0 to 6.20.0 (#3108) Bumps com.diffplug.spotless from 6.19.0 to 6.20.0. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.diffplug.spotless&package-manager=gradle&previous-version=6.19.0&new-version=6.20.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 863d13b978..4074c5dd84 100644 --- a/build.gradle +++ b/build.gradle @@ -61,7 +61,7 @@ plugins { id 'idea' id 'jacoco' id 'maven-publish' - id 'com.diffplug.spotless' version '6.19.0' + id 'com.diffplug.spotless' version '6.20.0' id 'checkstyle' id 'com.netflix.nebula.ospackage' version "11.3.0" id "org.gradle.test-retry" version "1.5.4" From 155d97e2d714cafd20a2ba2d1728e9106cd1704b Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Mon, 7 Aug 2023 23:10:40 -0500 Subject: [PATCH 04/11] Limit dependabot from automatically creating major version increments (#3116) ### Description Limit dependabot from automatically creating major version increments ### Issues Resolved - Related https://github.com/opensearch-project/security/pull/3107 Signed-off-by: Peter Nied --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3e4e2b7e9b..797b3f81cf 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,3 +6,7 @@ updates: interval: "weekly" commit-message: prefix: "dependabot:" + ignore: + # For all packages, ignore all major versions to minimize breaking issues + - dependency-name: "*" + update-types: ["version-update:semver-major"] From f299a5f9094597648fbb147e74166d48090df6c9 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Tue, 8 Aug 2023 06:42:09 -0500 Subject: [PATCH 05/11] Remove log spam for files that are cleaned up (#3118) ### Description Remove log spam for files that are cleaned up ### Check List - [ ] ~New functionality includes testing~ - [ ] ~New functionality has been documented~ - [X] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Peter Nied --- .../opensearch/security/test/helper/cluster/ClusterHelper.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java index 5a175f57f7..344b7cddc2 100644 --- a/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java +++ b/src/test/java/org/opensearch/security/test/helper/cluster/ClusterHelper.java @@ -319,14 +319,12 @@ private void deleteTestsDataDirectory() throws IOException { Files.walkFileTree(testsDataDir.toPath(), new SimpleFileVisitor<>() { @Override public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException { - System.out.println("Deleting file " + file.getFileName()); Files.delete(file); return FileVisitResult.CONTINUE; } @Override public FileVisitResult postVisitDirectory(Path dir, IOException exc) throws IOException { - System.out.println("Deleting directory " + dir.getFileName()); Files.delete(dir); return FileVisitResult.CONTINUE; } From a3d1b496865f4be3bee67d18485857a906296f00 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Aug 2023 15:18:43 -0400 Subject: [PATCH 06/11] dependabot: bump org.xerial.snappy:snappy-java from 1.1.10.1 to 1.1.10.3 (#3106) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [org.xerial.snappy:snappy-java](https://github.com/xerial/snappy-java) from 1.1.10.1 to 1.1.10.3.
Release notes

Sourced from org.xerial.snappy:snappy-java's releases.

v1.1.10.3

What's Changed

🐛 Bug Fixes

🔗 Dependency Updates

New Contributors

Full Changelog: https://github.com/xerial/snappy-java/compare/v1.1.10.2...v1.1.10.3

v1.1.10.2

What's Changed

🐛 Bug Fixes

🔗 Dependency Updates

🛠 Internal Updates

Full Changelog: https://github.com/xerial/snappy-java/compare/v1.1.10.1...v1.1.10.2

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.xerial.snappy:snappy-java&package-manager=gradle&previous-version=1.1.10.1&new-version=1.1.10.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 4074c5dd84..2a6a8adca8 100644 --- a/build.gradle +++ b/build.gradle @@ -432,7 +432,7 @@ configurations { force "io.netty:netty-transport-native-unix-common:${versions.netty}" force "org.apache.bcel:bcel:6.7.0" // This line should be removed once Spotbugs is upgraded to 4.7.4 force "com.github.luben:zstd-jni:${versions.zstd}" - force "org.xerial.snappy:snappy-java:1.1.10.1" + force "org.xerial.snappy:snappy-java:1.1.10.3" force "com.google.guava:guava:${guava_version}" } } @@ -565,7 +565,7 @@ dependencies { runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.19' runtimeOnly 'org.slf4j:slf4j-api:1.7.30' runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}" - runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.1' + runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.3' runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1' runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}" runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.4.0' From 77772bf6a8f729d0f109f40b203cd5d7b1cde855 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Aug 2023 15:21:35 -0400 Subject: [PATCH 07/11] dependabot: bump net.minidev:json-smart from 2.4.11 to 2.5.0 (#3120) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [net.minidev:json-smart](https://github.com/netplex/json-smart-v2) from 2.4.11 to 2.5.0.
Release notes

Sourced from net.minidev:json-smart's releases.

V 2.5.0

What's Changed

Full Changelog: https://github.com/netplex/json-smart-v2/compare/2.4.11...2.5.0

Commits
  • 54eb6f0 Merge pull request #156 from netplex/add-flag
  • 0a35821 bump the version
  • b50106e remove extra new line
  • da2e833 add flag to drop the limit of json depth
  • 2a7ba6e Bump maven-release-plugin from 3.0.0 to 3.0.1 in /json-smart (#153)
  • 82b9e58 Bump maven-release-plugin from 3.0.0 to 3.0.1 in /json-smart-action (#152)
  • 9c22ee2 Bump maven-source-plugin from 3.2.1 to 3.3.0 in /json-smart-action (#150)
  • a5f9b27 Bump maven-source-plugin from 3.2.1 to 3.3.0 in /json-smart (#151)
  • d30f3cc Bump maven-bundle-plugin from 5.1.8 to 5.1.9 in /json-smart (#149)
  • c3fee67 Bump maven-bundle-plugin from 5.1.8 to 5.1.9 in /json-smart-action (#148)
  • See full diff in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=net.minidev:json-smart&package-manager=gradle&previous-version=2.4.11&new-version=2.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 2a6a8adca8..603685f388 100644 --- a/build.gradle +++ b/build.gradle @@ -511,7 +511,7 @@ dependencies { //JSON path implementation 'com.jayway.jsonpath:json-path:2.8.0' - implementation 'net.minidev:json-smart:2.4.11' + implementation 'net.minidev:json-smart:2.5.0' implementation "org.apache.kafka:kafka-clients:${kafka_version}" From 7219feb8e7cdfea67bd7af7b63ac1902aa6543f7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Aug 2023 15:36:18 -0400 Subject: [PATCH 08/11] dependabot: bump org.scala-lang:scala-library from 2.13.9 to 2.13.11 (#3119) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [org.scala-lang:scala-library](https://github.com/scala/scala) from 2.13.9 to 2.13.11.
Release notes

Sourced from org.scala-lang:scala-library's releases.

Scala 2.13.11

The Scala team at Lightbend is pleased to announce the availability of Scala 2.13.11.

The following changes are highlights of this release:

Collections

Compatibility

Align with Scala 3

  • Accept implicit _, implicit (x: Int) in lambdas, like Scala 3 does (#10327 by @​som-snytt)
  • Deprecate infix type args, as they are dropped in Scala 3 (#10255 by @​som-snytt)
  • Allow eta-expansion of methods with dependent types (#10166)
  • Abstract parent copy does not suspend case copy (#10085 by @​som-snytt)
  • Don't GLB binders of type patterns, use the type directly (#10247)
  • Under -Xsource:3, warn that inherited members no longer take precedence over outer definitions in Scala 3 (#10220, #10339)
  • Under -Xsource:3, adjust 2.13.9 change to ignore override type for whitebox macro expansion (#10188 by @​som-snytt)
  • Under -Xsource:3, use narrowest type for pt of override (#10198 by @​som-snytt)
  • Under -Xsource:3, warn about change to parenless lambda parens (#10320 by @​som-snytt)

Lints and warnings

Other notable changes

2.13.11 also includes the changes from Scala 2.12.18. (A few of the most significant, such as those involving JDK 20 and 21 compatibility, are listed above.)

... (truncated)

Commits
  • f113b1a Merge pull request #10417 from SethTisue/revert-pr-10148
  • 3fdd091 revert pull request #10148 in its entirety
  • fd209dc Merge pull request #10409 from SethTisue/scala-3.3.1-RC1
  • 6a5318d Scala 3.3.1-RC1 (enable TastyTest on JDK 21)
  • 5df41be Merge pull request #10408 from ckipp01/elidedNote
  • 263eb47 Merge pull request #10148 from tgodzik/correct-by-name
  • a521eac remove unused field in CompletionCandidate
  • f125f82 slight tweak to completion logic, bringing code in line with intention
  • 124dbff bugfix: Matcher should be able to match on name exactly
  • a901a60 Merge pull request #10407 from SethTisue/scala-3.3.0
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.scala-lang:scala-library&package-manager=gradle&previous-version=2.13.9&new-version=2.13.11)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 603685f388..442cd414ad 100644 --- a/build.gradle +++ b/build.gradle @@ -420,7 +420,7 @@ configurations { resolutionStrategy { force 'commons-codec:commons-codec:1.16.0' force 'org.slf4j:slf4j-api:1.7.30' - force 'org.scala-lang:scala-library:2.13.9' + force 'org.scala-lang:scala-library:2.13.11' force "com.fasterxml.jackson:jackson-bom:${versions.jackson}" force "com.fasterxml.jackson.core:jackson-core:${versions.jackson}" force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}" @@ -614,7 +614,7 @@ dependencies { testRuntimeOnly ('org.springframework:spring-core:5.3.27') { exclude(group:'org.springframework', module: 'spring-jcl' ) } - testRuntimeOnly 'org.scala-lang:scala-library:2.13.9' + testRuntimeOnly 'org.scala-lang:scala-library:2.13.11' testRuntimeOnly 'com.yammer.metrics:metrics-core:2.2.0' testRuntimeOnly 'com.typesafe.scala-logging:scala-logging_3:3.9.5' testRuntimeOnly 'org.apache.zookeeper:zookeeper:3.7.1' From f77cc03f476c1434e502b740fb3afe9e81307d4d Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Wed, 9 Aug 2023 07:24:24 -0500 Subject: [PATCH 09/11] Switch CodeQL to assemble artifacts using the same build as the rest of CI (#3132) ### Description Switch CodeQL to assemble artifacts using the same build as the rest of CI - Bump CodeQL action version from v1 to v2 ### Issues Resolved - Resolves https://github.com/opensearch-project/security/issues/3131 ### Check List - [ ] ~New functionality includes testing~ - [ ] ~New functionality has been documented~ - [X] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Peter Nied --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a6cd5b141..66919ab87e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -126,11 +126,11 @@ jobs: - uses: actions/setup-java@v1 with: java-version: 11 - - uses: github/codeql-action/init@v1 + - uses: github/codeql-action/init@v2 with: languages: java - - run: ./gradlew clean build -Dbuild.snapshot=false -x test -x integrationTest - - uses: github/codeql-action/analyze@v1 + - run: ./gradlew clean assemble + - uses: github/codeql-action/analyze@v2 build-artifact-names: runs-on: ubuntu-latest From 5f7efa5a7ba40bcf5fbf629b84967a4aa8cc46b5 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Wed, 9 Aug 2023 08:31:05 -0500 Subject: [PATCH 10/11] Only run the backport job on merged pull requests (#3134) ### Description Only run the backport job on merged pull requests ### Issues Resolved From the GitHub Action log, we'd see an error about branch_name not being used, and the error that backports should only run on merged PRs. This should reduce noisy failures in our logs. ``` Warning: Unexpected input(s) 'branch_name', valid inputs are ['body_template', 'files_to_skip', 'github_token', 'head_template', 'label_pattern', 'labels_template', 'title_template', 'failure_labels'] Run VachaShah/backport@v[2](https://github.com/opensearch-project/security/actions/runs/5802658423/job/15729398925?pr=3132#step:3:2).2.0 Error: Error: For security reasons, this action should only run on merged PRs. ``` Example [[workflow failure]](https://github.com/opensearch-project/security/actions/runs/5802658423/job/15729398925?pr=3132), see more [[failures]](https://github.com/opensearch-project/security/actions/workflows/backport.yml). ### Check List - [ ] ~New functionality includes testing~ - [ ] ~New functionality has been documented~ - [X] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Peter Nied --- .github/workflows/backport.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index ab835cbe9a..6472a968d8 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -7,6 +7,7 @@ on: jobs: backport: + if: github.event.pull_request.merged == true runs-on: ubuntu-latest permissions: contents: write @@ -25,6 +26,5 @@ jobs: uses: VachaShah/backport@v2.2.0 with: github_token: ${{ steps.github_app_token.outputs.token }} - branch_name: backport/backport-${{ github.event.number }} head_template: backport/backport-<%= number %>-to-<%= base %> failure_labels: backport-failed From 46989b57d9cdf969be9473d1ca6bcb61c7923135 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura <35282393+DarshitChanpura@users.noreply.github.com> Date: Wed, 9 Aug 2023 11:06:11 -0400 Subject: [PATCH 11/11] Updates integTestRemote task to dynamically fetch common-utils version from build.gradle (#3122) Fixes integTestRemote task to dynamically fetch common-utils version from build.gradle instead of hard-coding it in the shell script * Category : Refactoring * Why these changes are required? A temporary fix (#3018) was added to resolve CI failures in RC generation caused due to out-of-date common-utils version being used in the sanity test. ### Issues Resolved Related to comment: https://github.com/opensearch-project/security/pull/3018#issuecomment-1638612650 **This changes addresses the issue permanently by modifying integTestRemote task to fetch the common-utils version dynamically from build.gradle, and prevent blocking RC builds in future due to such issue** Signed-off-by: Darshit Chanpura --- scripts/integtest.sh | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/scripts/integtest.sh b/scripts/integtest.sh index 0401d00fa0..98ee40fbd6 100755 --- a/scripts/integtest.sh +++ b/scripts/integtest.sh @@ -20,7 +20,6 @@ function usage() { echo -e "-v OPENSEARCH_VERSION\t, no defaults" echo -e "-n SNAPSHOT\t, defaults to false" echo -e "-m CLUSTER_NAME\t, defaults to docker-cluster" - echo -e "-u COMMON_UTILS_VERSION\t, defaults to 3.0.0.0-SNAPSHOT" echo "--------------------------------------------------------------------------" } @@ -99,12 +98,8 @@ if [ -z "$CLUSTER_NAME" ] then CLUSTER_NAME="docker-cluster" fi -if [ -z "$COMMON_UTILS_VERSION" ] -then - COMMON_UTILS_VERSION="3.0.0.0-SNAPSHOT" -fi USERNAME=`echo $CREDENTIAL | awk -F ':' '{print $1}'` PASSWORD=`echo $CREDENTIAL | awk -F ':' '{print $2}'` -./gradlew integTestRemote -Dtests.rest.cluster="$BIND_ADDRESS:$BIND_PORT" -Dtests.cluster="$BIND_ADDRESS:$BIND_PORT" -Dsecurity_enabled=$SECURITY_ENABLED -Dtests.clustername=$CLUSTER_NAME -Dhttps=true -Duser=$USERNAME -Dpassword=$PASSWORD -Dcommon_utils.version=$COMMON_UTILS_VERSION +./gradlew integTestRemote -Dtests.rest.cluster="$BIND_ADDRESS:$BIND_PORT" -Dtests.cluster="$BIND_ADDRESS:$BIND_PORT" -Dsecurity_enabled=$SECURITY_ENABLED -Dtests.clustername=$CLUSTER_NAME -Dhttps=true -Duser=$USERNAME -Dpassword=$PASSWORD