
[fix][sec] Upgrade scala-library to get rid of CVE-2022-36944 #18021

Merged: 1 commit merged into apache:master on Dec 15, 2022

Conversation

@nicoloboschi (Contributor) commented Oct 12, 2022

Motivation

scala-library 2.13.3 is vulnerable to CVE-2022-36944.
This lib is used in the Debezium sources.

Modifications

  • Upgrade to 2.13.10

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@github-actions commented

The PR had no activity for 30 days; marked with the Stale label.

@eolivelli (Contributor) left a comment

LGTM

@codecov-commenter commented Dec 15, 2022

Codecov Report

Merging #18021 (42c6536) into master (050b310) will increase coverage by 0.30%.
The diff coverage is 33.33%.

@@             Coverage Diff              @@
##             master   #18021      +/-   ##
============================================
+ Coverage     47.35%   47.65%   +0.30%     
- Complexity     9384     9441      +57     
============================================
  Files           623      623              
  Lines         59104    59106       +2     
  Branches       6146     6147       +1     
============================================
+ Hits          27987    28166     +179     
+ Misses        28100    27910     -190     
- Partials       3017     3030      +13     
Flag Coverage Δ
unittests 47.65% <33.33%> (+0.30%) ⬆️

Impacted Files Coverage Δ
...va/org/apache/pulsar/broker/service/ServerCnx.java 49.88% <0.00%> (+1.34%) ⬆️
.../pulsar/broker/service/persistent/SystemTopic.java 92.30% <100.00%> (+0.64%) ⬆️
...he/pulsar/client/impl/PartitionedProducerImpl.java 30.34% <0.00%> (-5.13%) ⬇️
...g/apache/pulsar/broker/lookup/TopicLookupBase.java 50.83% <0.00%> (-2.80%) ⬇️
...sar/broker/service/schema/SchemaRegistryStats.java 71.25% <0.00%> (-1.25%) ⬇️
...rg/apache/pulsar/broker/web/PulsarWebResource.java 57.51% <0.00%> (-1.25%) ⬇️
...va/org/apache/pulsar/client/impl/ProducerImpl.java 15.66% <0.00%> (-1.17%) ⬇️
...apache/pulsar/broker/namespace/OwnershipCache.java 69.47% <0.00%> (-1.06%) ⬇️
...tent/PersistentDispatcherSingleActiveConsumer.java 58.30% <0.00%> (-0.95%) ⬇️
.../pulsar/client/impl/ProducerStatsRecorderImpl.java 84.04% <0.00%> (-0.62%) ⬇️
... and 32 more

@nicoloboschi nicoloboschi merged commit 3011946 into apache:master Dec 15, 2022
nicoloboschi added a commit that referenced this pull request Dec 15, 2022
nicoloboschi added a commit that referenced this pull request Dec 15, 2022
@tisonkun (Member) commented

@nicoloboschi @eolivelli I'm pretty curious where we have a dependency on scala-library explicitly or transitively, lol.

@nicoloboschi (Contributor, Author) commented

> @nicoloboschi @eolivelli I'm pretty curious where we have a dependency on scala-library explicitly or transitively, lol.

Kafka uses Scala, and Kafka is used in the Debezium connectors. Actually the whole Kafka dependency seems useless; only Kafka Connect should be used.
Let's see if integration tests pass even without it: nicoloboschi#42
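The question raised in the thread, where scala-library enters the build explicitly or transitively, is one a reviewer answers by reading `mvn dependency:tree` output. The script below is an added example, not code from this PR or from Apache Pulsar: it parses that command's text output, reconstructs every root-to-leaf chain that ends in a given artifact, and flags resolved versions below the one the PR moves to (2.13.10). The tree text is constructed for illustration; the module name and the Debezium and Kafka versions in it are placeholders, not Pulsar's real dependency graph.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output, NOT real Pulsar output.
# Module name and Debezium/Kafka versions are placeholders; only the
# scala-library version (2.13.3) is the one named in the PR as vulnerable.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ pulsar-io-debezium-core ---
[INFO] org.apache.pulsar:pulsar-io-debezium-core:jar:2.11.0-SNAPSHOT
[INFO] +- io.debezium:debezium-core:jar:1.9.0.Final:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile
[INFO] +- org.apache.kafka:connect-api:jar:3.2.0:compile
[INFO] \\- org.apache.kafka:kafka_2.13:jar:3.2.0:compile
[INFO]    +- org.scala-lang:scala-library:jar:2.13.3:compile
[INFO]    \\- org.scala-lang.modules:scala-collection-compat_2.13:jar:2.6.0:compile
"""

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Each tree level is a 3-character cell: "+- ", "\- ", "|  " or "   ".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\\- ]{3})*)(?P<gav>\S+)$")


def parse_tree(tree_text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs for every artifact line; depth 0 is the project root.
    Plugin banners and other non-artifact [INFO] lines are skipped."""
    nodes = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        nodes.append((len(m.group("prefix")) // 3, m.group("gav")))
    return nodes


def split_coordinate(gav: str) -> Tuple[str, str, str]:
    """groupId:artifactId:type[:classifier]:version[:scope] -> (group, artifact, version)."""
    parts = gav.split(":")
    if parts[-1] in MAVEN_SCOPES:
        parts = parts[:-1]
    return parts[0], parts[1], parts[-1]


def find_paths(tree_text: str, group: str, artifact: str) -> List[Tuple[List[str], str]]:
    """Every root-to-leaf chain ("group:artifact" per hop) ending in the wanted artifact,
    paired with the version Maven resolved on that path."""
    paths = []
    stack: List[str] = []  # ancestors of the current line
    for depth, gav in parse_tree(tree_text):
        g, a, v = split_coordinate(gav)
        del stack[depth:]  # pop back to this node's parent
        stack.append(f"{g}:{a}")
        if (g, a) == (group, artifact):
            paths.append((list(stack), v))
    return paths


def version_key(version: str) -> Tuple[int, ...]:
    """Leading dotted numeric part as an int tuple, so 2.13.10 sorts after 2.13.3
    (a plain string comparison gets this backwards). Qualifiers like -RC1 are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def needs_upgrade(resolved: str, minimum: str) -> bool:
    """True when the resolved version is older than the minimum acceptable one."""
    return version_key(resolved) < version_key(minimum)


def report(tree_text: str, group: str, artifact: str, minimum: str) -> List[str]:
    """One verdict line per path to the artifact."""
    lines = []
    for chain, version in find_paths(tree_text, group, artifact):
        verdict = "UPGRADE" if needs_upgrade(version, minimum) else "ok"
        lines.append(f"{verdict}: {version} via " + " -> ".join(chain))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TREE, "org.scala-lang", "scala-library", "2.13.10"):
        print(line)
```

On a real checkout, feed it the output of `mvn dependency:tree -Dincludes=org.scala-lang:scala-library` (which prints only the matching artifacts and their ancestor chains) and the script names the module that pulls the library in; adding `-Dverbose` also shows the versions Maven omitted through conflict resolution, which matters when a transitive `dependencyManagement` override is what actually changes the resolved version.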

lifepuzzlefun pushed a commit to lifepuzzlefun/pulsar that referenced this pull request Jan 10, 2023
coderzc pushed a commit that referenced this pull request Feb 28, 2023
@coderzc coderzc added the cherry-picked/branch-2.9 Archived: 2.9 is end of life label Feb 28, 2023
Annavar-satish pushed a commit to pandio-com/pulsar that referenced this pull request Mar 6, 2023