
Exclude Apache Ivy from transitive dependencies #16931

Closed
wants to merge 1 commit

Conversation

@ksobolew (Contributor) commented Apr 7, 2023

Description

We don't use it for anything, so it's only increasing our "attack surface" for vulnerabilities and such.

Additional context and related issues

Release notes

(x) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
( ) Release notes are required, with the following suggested text:

# Section
* Fix some things. ({issue}`issuenumber`)

@cla-bot cla-bot bot added the cla-signed label Apr 7, 2023
@ksobolew ksobolew marked this pull request as ready for review April 7, 2023 13:24
@hashhar (Member) left a comment

LGTM % comment

Does this deserve a comment? Over time it becomes impossible to know why a certain exclusion exists.

@github-actions github-actions bot added hive Hive connector tests:hive labels Apr 7, 2023
@martint (Member) left a comment

Adding exclusions is brittle. It means that every time we update a dependency, we need to check whether the exclusion is valid or not. It can also be included by other artifacts.

If it's not being used by Trino, there's no "attack surface" to increase, and this serves no other purpose than to make security scanners happy. We want to make Trino secure, but it's not a goal to make scanners happy by working around their limitations and false positives.

If the dependency is truly irrelevant, then coral should be updated to not declare it as such.
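The two failure modes raised above (an exclusion that silently stops matching after a dependency bump, and an artifact that is still pulled in through a different direct dependency) are both visible in the output of `mvn dependency:tree`. The script below is an added example, not part of this PR or of Trino's build: it parses that output and lists every path by which a given `groupId:artifactId` enters, so you can see which direct dependencies would each need an `<exclusion>` and whether one exclusion on `coral-hive` would be enough. The tree text, the `io.example`/`org.example` coordinates and all version numbers are constructed for the example and do not describe Trino's real dependency graph.

```python
"""List every path by which a transitive artifact enters a Maven build.

Parses the text printed by `mvn dependency:tree`. An <exclusion> on one
direct dependency only removes the paths below that dependency, so if the
artifact also arrives via a second direct dependency, the single exclusion
is ineffective; and if the exclusion's parent stops depending on the
artifact after an upgrade, the exclusion is dead weight. Both cases show up
as a change in the set returned by exclusions_needed().
"""
import re
from typing import Dict, List

# Constructed sample of `mvn dependency:tree` output (hypothetical project,
# hypothetical versions; NOT Trino's real tree). Ivy arrives twice: once
# under coral-hive and once under an unrelated library.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.5.0:tree (default-cli) @ example-hive ---
[INFO] io.example:example-hive:jar:1.0-SNAPSHOT
[INFO] +- com.linkedin.coral:coral-hive:jar:0.0.1:compile
[INFO] |  +- com.linkedin.coral:coral-common:jar:0.0.1:compile
[INFO] |  \\- org.apache.ivy:ivy:jar:0.0.1:compile
[INFO] +- org.example:other-lib:jar:2.0:compile
[INFO] |  \\- org.example:other-lib-core:jar:2.0:compile
[INFO] |     \\- org.apache.ivy:ivy:jar:0.0.1:compile
[INFO] \\- com.google.guava:guava:jar:31.1-jre:compile
[INFO] BUILD SUCCESS
"""

# Tree-drawing prefix ("+- ", "|  ", "\- ", "   ") followed by the Maven
# coordinate. Each level of nesting is exactly three characters wide.
_NODE = re.compile(r"^(?P<tree>[|+\\ -]*?)(?P<coord>[A-Za-z0-9_.-]+:.*)$")


def paths_to(tree_text: str, target: str) -> List[List[str]]:
    """Return every root-to-target path, as groupId:artifactId chains."""
    stack: List[str] = []   # ancestors of the current node, indexed by depth
    paths: List[List[str]] = []
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = _NODE.match(line)
        # Real coordinates have at least groupId:artifactId:type:version;
        # plugin banners and "BUILD SUCCESS" lines do not.
        if not m or m.group("coord").count(":") < 3:
            continue
        depth = len(m.group("tree")) // 3
        ga = ":".join(m.group("coord").split(":")[:2])
        del stack[depth:]          # pop back up to this node's parent
        stack.append(ga)
        if ga == target:
            paths.append(list(stack))
    return paths


def exclusions_needed(tree_text: str, target: str) -> List[str]:
    """Direct dependencies that would each need an <exclusion> for `target`.

    A path of length 2 means `target` is itself a direct dependency; an
    exclusion cannot remove that, so such paths are reported separately.
    """
    return sorted({p[1] for p in paths_to(tree_text, target) if len(p) > 2})


def report(tree_text: str, target: str) -> Dict[str, object]:
    """Summarise how `target` enters the build and whether one exclusion suffices."""
    paths = paths_to(tree_text, target)
    parents = exclusions_needed(tree_text, target)
    return {
        "paths": [" -> ".join(p) for p in paths],
        "exclude_under": parents,
        "declared_directly": any(len(p) == 2 for p in paths),
        "single_exclusion_sufficient": len(parents) == 1
        and not any(len(p) == 2 for p in paths),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_TREE, "org.apache.ivy:ivy").items():
        print(f"{key}: {value}")
```

Run it against a real `mvn dependency:tree` dump (for example `mvn dependency:tree -Dincludes=org.apache.ivy`) after every dependency bump: if `exclude_under` is empty the exclusion no longer does anything and can be deleted, and if it lists more than one parent the artifact is still on the classpath despite the exclusion.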

@ksobolew (Contributor, Author) commented

#16994 would be the way to go.

@ksobolew ksobolew closed this Apr 14, 2023
@ksobolew ksobolew deleted the kudi/ivy branch April 14, 2023 08:41
Labels
cla-signed hive Hive connector
3 participants