zhiheng123 opened a new pull request, #4401: URL: https://github.com/apache/bookkeeper/pull/4401
The `integrate-tests` module depends on `arquillian-cube`, which is updated infrequently. Its last release was in 2018, and it depends on a lot of dependencies with CVEs, like `bcprov-jdk15on-1.64.jar` etc. But it is still merging code frequently, so my team will try to ask for a new release. I think we can remove the tests module from the OWASP check for now.

I ran the check locally, fixed 7 errors, and no new errors were generated compared to the daily build result.

```
[ERROR] amqp-client-5.5.3.jar: CVE-2023-46120(7.5)
[ERROR] jetcd-core-0.7.7.jar: CVE-2020-15113(7.1)
[ERROR] jetcd-grpc-0.7.7.jar: CVE-2023-44487(7.5), CVE-2017-8359(9.8), CVE-2023-33953(7.5), CVE-2020-15113(7.1), CVE-2020-7768(9.8), CVE-2017-7861(9.8), CVE-2017-9431(9.8), CVE-2017-7860(9.8)
[ERROR] okio-3.2.0.jar: CVE-2023-3635(7.5)
```

After refreshing the suppression list (jetcd requires JDK 11, amqp is an independent dependency from dropwizard metrics), there is only:

```
[ERROR] okio-3.2.0.jar: CVE-2023-3635(7.5)
```

I think we can fix it through upgrading the OTEL version.

Daily build result for comparison:

```
Error: amqp-client-5.5.3.jar: CVE-2023-46120(7.5)
Error: bcprov-jdk15on-1.64.jar: CVE-2024-29857(7.5), CVE-2024-34447(7.699999809265137)
Error: jetcd-core-0.7.7.jar: CVE-2020-15113(7.1)
Error: jetcd-grpc-0.7.7.jar: CVE-2023-44487(7.5), CVE-2017-8359(9.8), CVE-2023-33953(7.5), CVE-2020-15113(7.1), CVE-2020-7768(9.8), CVE-2017-7861(9.8), CVE-2017-9431(9.8), CVE-2017-7860(9.8)
Error: okio-3.2.0.jar: CVE-2023-3635(7.5)
Error: plexus-cipher-2.0.jar: CVE-2022-4244(7.5)
Error: plexus-classworlds-2.7.0.jar: CVE-2022-4244(7.5)
Error: plexus-component-annotations-2.1.0.jar: CVE-2022-4244(7.5)
Error: plexus-interpolation-1.26.jar: CVE-2022-4244(7.5)
Error: plexus-sec-dispatcher-2.0.jar: CVE-2022-4244(7.5)
Error: snakeyaml-1.19.jar: CVE-2017-18640(7.5), CVE-2022-25857(7.5)
```

Signed-off-by: ZhangJian He <[email protected]>

(cherry picked from commit f81dcea37d25a0da53206d533f11b75a8ea4982d)

Conflicts:
  .github/workflows/bk-ci.yml
  .github/workflows/owasp-daily-build.yml
  src/owasp-dependency-check-suppressions.xml

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
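As an added illustration of the "refresh the suppression list" step described in the PR (this is not the PR's own diff of `src/owasp-dependency-check-suppressions.xml`), the entries below suppress the jetcd and amqp-client findings listed above for the reasons the author gives, while leaving the okio finding unsuppressed because the PR plans to fix it by an upgrade. The Maven package URL patterns, the `<notes>` wording and the `until` expiry dates are assumptions; the CVE ids are the ones in the scan output.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the PR's own change. Package URL patterns, notes and
     expiry dates are assumptions; CVE ids come from the scan output above. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- jetcd: the PR's stated reason is that fixed releases need JDK 11.
       'until' makes the suppression expire, so the finding resurfaces
       instead of being silenced indefinitely. -->
  <suppress until="2025-06-30Z">
    <notes><![CDATA[
      jetcd 0.7.7: newer releases require JDK 11 (assumed wording).
      Revisit when the build moves to JDK 11 or when this entry expires.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.etcd/jetcd\-(core|grpc)@.*$</packageUrl>
    <cve>CVE-2020-15113</cve>
    <cve>CVE-2023-44487</cve>
    <cve>CVE-2023-33953</cve>
    <cve>CVE-2017-8359</cve>
    <cve>CVE-2017-7860</cve>
    <cve>CVE-2017-7861</cve>
    <cve>CVE-2017-9431</cve>
    <cve>CVE-2020-7768</cve>
  </suppress>

  <!-- amqp-client: per the PR, a dependency coming from dropwizard metrics. -->
  <suppress until="2025-06-30Z">
    <notes><![CDATA[
      amqp-client 5.5.3 is pulled in by dropwizard metrics (per the PR).
      Remove this entry once the metrics dependency is bumped.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.rabbitmq/amqp\-client@.*$</packageUrl>
    <cve>CVE-2023-46120</cve>
  </suppress>

  <!-- okio-3.2.0 / CVE-2023-3635 is deliberately NOT suppressed: the PR
       expects to fix it by upgrading OTEL, so the scanner should keep
       failing until that upgrade lands. -->
</suppressions>
```

A reviewer can grep the file for `<suppress>` elements without an `until` attribute to catch suppressions that would otherwise never be revisited.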
