Issue-281: Updates dependencies version to fix CVE-2023-2976 #282
Conversation
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
|
ran schema registry build 171 and it ran successful |
Please create an issue and tag the PR with that |
| @@ -86,7 +86,7 @@ public CompletableFuture<Void> updateEntries(List<Entry<Integer>> updates) { | |||
| TableKey key = update.getKey(); | |||
| Integer version = update.getVersion(); | |||
| Value<TableValue, Integer> val = table.get(key); | |||
| return version == null || (val != null && version.equals(val.getVersion())); | |||
| return version == null || val != null && version.equals(val.getVersion()); | |||
There was a problem hiding this comment.
Didn't get the reason behind this change
There was a problem hiding this comment.
As we are changing the Checkstyle version it was claimed by that, it was claiming that redundant Pair of parenthesis
| */ | ||
| public static StoreExceptions create(final Type type, final Throwable cause, final String errorMessage) { | ||
| Preconditions.checkArgument(cause != null || (errorMessage != null && !errorMessage.isEmpty()), | ||
| Preconditions.checkArgument(cause != null || errorMessage != null && !errorMessage.isEmpty(), |
There was a problem hiding this comment.
why is this change required?
There was a problem hiding this comment.
As we are changing the Checkstyle version it was claimed by that, it was claiming that redundant Pair of parenthesis
| @@ -153,6 +153,7 @@ public static <T extends GeneratedMessageV3> ProtobufSchema<GeneratedMessageV3> | |||
| * | |||
| * @param schemaInfo Schema Info | |||
| * @return {@link ProtobufSchema} with generic type {@link DynamicMessage} that captures protobuf schema. | |||
| * @throws IllegalArgumentException | |||
There was a problem hiding this comment.
method signature needs to be changed too?
There was a problem hiding this comment.
As this method is throwing this exception, claimed by checkstylel.
There was a problem hiding this comment.
if this method is throwing the exception, this should be added to the method signature as well. And how are we handling that exception?
There was a problem hiding this comment.
Actually this method was already throwing IllegalArgumentException as this is a unchecked so it was not added in method signature.
Check style was claiming if we are not showing this in Doc.
There was a problem hiding this comment.
This is a unchecked exception so doesn't require a throws clause, so why are we mentioning it in docs? Why check style is mandating to place this exception in docs ?
There was a problem hiding this comment.
Checkstyle is mandating it because InvalidProtocolBufferException this exception is raising its throwing null pointer exception.
other I there is a way we can hide this from documentation by using hyphen after the exception, what it will do while generating doc it will remove this exception from the doc.
but i am not getting a way in which i just remove this throws from the method doc.
either checked or unchecked its being thrown by the method.
| @@ -74,7 +74,8 @@ private JSONSchema(SchemaInfo schemaInfo, String schemaString, Class<T> derived) | |||
| * | |||
| * @param tClass Class whose object's schema is used. | |||
| * @param <T> Type of the Java class. | |||
| * @return {@link JSONSchema} with generic type T that extracts and captures the json schema. | |||
| * @return {@link JSONSchema} with generic type T that extracts and captures the json schema. | |||
| * @throws IllegalArgumentException | |||
There was a problem hiding this comment.
method signature needs to be changed too?
There was a problem hiding this comment.
As this method is throwing this exception, claimed by checkstylel.
| @@ -96,7 +97,8 @@ public static <T> JSONSchema<T> of(Class<T> tClass) { | |||
| * @param schema Schema to use. | |||
| * @param tClass class for the type of object | |||
| * @param <T> Type of object | |||
| * @return Returns an JSONSchema with {@link Object} type. | |||
| * @return Returns an JSONSchema with {@link Object} type. | |||
| * @throws IllegalArgumentException | |||
There was a problem hiding this comment.
claimed by checkstyle
| * @return Returns an JsonSchema of type T. | ||
| * @param <T> Type of base class. | ||
| * @return Returns an JsonSchema of type T. | ||
| * @throws IllegalArgumentException |
There was a problem hiding this comment.
claimed by checkstyle
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
| @@ -39,10 +39,10 @@ nettyBoringSSLVersion=2.0.54.Final | |||
| jacocoVersion=0.8.5 | |||
| protobufGradlePlugin=0.8.15 | |||
| protobufProtocVersion=3.21.7 | |||
| protobufUtilVersion=3.19.4 | |||
| protobufUtilVersion=3.24.3 | |||
There was a problem hiding this comment.
I see there is a PR on Pravega too for similar issue. Can we check the versions and try to keep them in sync just in order to avoid backward-forward incompatibility issue at a later stage?
There was a problem hiding this comment.
protobufUtilVersion is not being used in pravega.
There was a problem hiding this comment.
protobufGradlePlugin=0.8.15
protobufProtocVersion=3.21.7
already syncing
| <property name="allowMissingJavadoc" value="true"/> <!--TODO: this should be enabled at one point. --> | ||
| <property name="ignoreMethodNamesRegex" value="^get.*$"/> <!--It would be nice if we could allow checking that the doc exists without also verifying the @returns is there also, but checkstyle does not allow that. --> | ||
| <property name="ignoreMethodNamesRegex" value="^has.*$"/> <!-- accessor for boolean e.g. hasVersion --> | ||
| <property name="suppressLoadErrors" value="false"/> |
There was a problem hiding this comment.
Why are these javaDocsMethod checkstyle properties removed?
There was a problem hiding this comment.
These all are deprecated in new checkStyle version
checkstyle/spotbugs-exclude.xml
Outdated
| <Match> <!-- fromBytes was not reporting this warning in earlier version of checkstyle --> | ||
| <Bug pattern="NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE" /> | ||
| <Method name="fromBytes" /> | ||
| </Match> |
There was a problem hiding this comment.
Do new version force us to add this suppression ?
There was a problem hiding this comment.
fromBytes method is returning some value from some map and that map we are already building on the top of the class you can see here
now there is no way that it could get NULL from the map
but The bugs still reported by newer version of the checkstyle.
and becuases of that we are suppressing this.
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
…6dulaleem/schema-registry into issue-281-update-guava-version
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
| val versionSerializer = SERIALIZERS_BY_KEY_TYPE.get(keyClass); | ||
| if ( versionSerializer == null ) { | ||
| throw new SerializationException(String.format("No serializer found for the class %s", keyClass.toGenericString())); | ||
| } | ||
| return (T) SERIALIZERS_BY_KEY_TYPE.get(keyClass).deserialize(bytes); |
There was a problem hiding this comment.
@a6dulaleem Can we use versionSerializer at line 430
Signed-off-by: a6dulaleem <abdul.aleem1@dell.com>
| @@ -74,7 +74,7 @@ private JSONSchema(SchemaInfo schemaInfo, String schemaString, Class<T> derived) | |||
| * | |||
| * @param tClass Class whose object's schema is used. | |||
| * @param <T> Type of the Java class. | |||
| * @return {@link JSONSchema} with generic type T that extracts and captures the json schema. | |||
| * @return {@link JSONSchema} with generic type T that extracts and captures the json schema. | |||
There was a problem hiding this comment.
Please Ignore these spaces are automatically removed by IntelliJ.
a6dulaleem
changed the title
Problem description
Upgrade dependencies in Schema registry which could have possible CVEs
Problem location
gradle.properties
Suggestions for an improvement
Purpose of the change Fix #281upgrade lib versions to suggested versions to mitigate the CVEs.