[
https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=762537&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-762537
]
ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 26/Apr/22 20:48
Start Date: 26/Apr/22 20:48
Worklog Time Spent: 10m
Work Description: ashutoshcipher commented on PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#issuecomment-1110235192
> commented.
>
> * checkstyle needs to be happy, along with javac.
> * spotbugs still thinks there is a problem. what is it that it is warning about?
>
> i'm worried about adding kotlin everywhere. looking at the mvnrepo declarations it is (a) not optional and (b) about 1.5MB including transitive dependencies. so nothing much. my main concern is what pain does it cause downstream. we've had to tag this as an incompatible change just to add in the release notes about where it is used/needed
- Checkstyle would be happy with my last commit.
- Javac -
1. `hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/oauth2/CredentialBasedAccessTokenProvider.java:109:36:[deprecation] create(MediaType,String) in RequestBody has been deprecated` - Handled this in the latest commit.
2. `hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/server/namenode/ha/RequestHedgingProxyProvider.java:229:76:[unchecked] unchecked cast` - I believe this is not due to this change; I can see the same cast warning locally on trunk as well. Maybe we can create a separate JIRA to handle this.
- spotbugs still thinks there is a problem. what is it that it is warning about?
I already used try-with-resources for OkHttpClient and added request checks as well. The warning is about the NPE case.
- I agree with your view on Kotlin.
Issue Time Tracking
-------------------
Worklog Id: (was: 762537)
Time Spent: 2h 20m (was: 2h 10m)
> CVE-2021-0341 in [email protected] detected in hdfs-client
> -------------------------------------------------------
>
> Key: HADOOP-18069
> URL: https://issues.apache.org/jira/browse/HADOOP-18069
> Project: Hadoop Common
> Issue Type: Bug
> Components: hdfs-client
> Affects Versions: 3.3.1
> Reporter: Eugene Shinn (Truveta)
> Priority: Major
> Labels: pull-request-available
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected [NVD -
> CVE-2021-0341
> (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection]
> in our application. We traced the vulnerability to a transitive dependency
> coming from hadoop-hdfs-client, which depends on [email protected]
> ([hadoop/pom.xml at trunk · apache/hadoop
> (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
> To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref:
> [CVE-2021-0341 · Issue #6724 · square/okhttp
> (github.com)|https://github.com/square/okhttp/issues/6724]).