[
https://issues.apache.org/jira/browse/OOZIE-3653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488774#comment-17488774
]
Dénes Bodó commented on OOZIE-3653:
-----------------------------------
https://ci-hadoop.apache.org/job/PreCommit-OOZIE-Build/70/
{noformat}
20:50:14 Testing JIRA OOZIE-3653
20:50:14
20:50:14 Cleaning local git workspace
20:50:14
20:50:14 ----------------------------
20:50:14
20:50:14 +1 PATCH_APPLIES
20:50:14 +1 CLEAN
20:50:14 -1 RAW_PATCH_ANALYSIS
20:50:14 +1 the patch does not introduce any @author tags
20:50:14 +1 the patch does not introduce any tabs
20:50:14 +1 the patch does not introduce any trailing spaces
20:50:14 +1 the patch does not introduce any star imports
20:50:14 +1 the patch does not introduce any line longer than 132
20:50:14 -1 the patch does not add/modify any testcase
20:50:14 +1 RAT
20:50:14 +1 the patch does not seem to introduce new RAT warnings
20:50:14 +1 JAVADOC
20:50:14 +1 Javadoc generation succeeded with the patch
20:50:14 +1 the patch does not seem to introduce new Javadoc warning(s)
20:50:14 +1 COMPILE
20:50:14 +1 HEAD compiles
20:50:14 +1 patch compiles
20:50:14 +1 the patch does not seem to introduce new javac warnings
20:50:14 -1 There are [23] new bugs found below threshold in total that must be
fixed.
20:50:14 -1 There are [1] new bugs found below threshold in
[sharelib/oozie] that must be fixed.
20:50:14 You can find the SpotBugs diff here (look for the red and orange
ones): sharelib/oozie/findbugs-new.html
20:50:14 The most important SpotBugs errors are:
20:50:14 At ShellMain.java:[line 93]: This usage of
java/lang/ProcessBuilder.<init>(Ljava/util/List;)V can be vulnerable to
Command Injection
20:50:14 At ShellMain.java:[line 91]: At ShellMain.java:[line 90]
20:50:14 At ShellMain.java:[line 92]
20:50:14 +1 There are no new bugs found in [sharelib/git].
20:50:14 +1 There are no new bugs found in [sharelib/sqoop].
20:50:14 +1 There are no new bugs found in [sharelib/pig].
20:50:14 +1 There are no new bugs found in [sharelib/streaming].
20:50:14 +1 There are no new bugs found in [sharelib/spark].
20:50:14 +1 There are no new bugs found in [sharelib/hcatalog].
20:50:14 +1 There are no new bugs found in [sharelib/hive2].
20:50:14 +1 There are no new bugs found in [sharelib/hive].
20:50:14 +1 There are no new bugs found in [sharelib/distcp].
20:50:14 +1 There are no new bugs found in [docs].
20:50:14 +1 There are no new bugs found in [examples].
20:50:14 +1 There are no new bugs found in [fluent-job/fluent-job-api].
20:50:14 +1 There are no new bugs found in [webapp].
20:50:14 +1 There are no new bugs found in [client].
20:50:14 -1 There are [15] new bugs found below threshold in [tools] that
must be fixed, listing only the first [5] ones.
20:50:14 You can find the SpotBugs diff here (look for the red and orange
ones): tools/findbugs-new.html
20:50:14 The top [5] most important SpotBugs errors are:
20:50:14 At OozieDBCLI.java:[line 584]: This use of
java/sql/Statement.executeUpdate(Ljava/lang/String;)I can be vulnerable to SQL
injection
20:50:14 At OozieDBCLI.java:[line 574]: At OozieDBCLI.java:[line 573]
20:50:14 At OozieDBCLI.java:[line 577]: At OozieDBCLI.java:[line 575]
20:50:14 At OozieDBCLI.java:[line 579]: At OozieDBCLI.java:[line 578]
20:50:14 At OozieDBCLI.java:[line 584]: At OozieDBCLI.java:[line 581]
20:50:14 -1 There are [7] new bugs found below threshold in [core] that
must be fixed, listing only the first [5] ones.
20:50:14 You can find the SpotBugs diff here (look for the red and orange
ones): core/findbugs-new.html
20:50:14 The top [5] most important SpotBugs errors are:
20:50:14 At BulkJPAExecutor.java:[line 206]: This use of
javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query;
can be vulnerable to SQL/JPQL injection
20:50:14 At BulkJPAExecutor.java:[line 176]: At BulkJPAExecutor.java:[line
175]
20:50:14 At BulkJPAExecutor.java:[line 205]: At BulkJPAExecutor.java:[line
199]
20:50:14 This use of
javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query;
can be vulnerable to SQL/JPQL injection: At BulkJPAExecutor.java:[line 206]
20:50:14 At BulkJPAExecutor.java:[line 111]: At BulkJPAExecutor.java:[line
127]
20:50:14 +1 There are no new bugs found in [server].
20:50:14 +1 BACKWARDS_COMPATIBILITY
20:50:14 +1 the patch does not change any JPA
Entity/Colum/Basic/Lob/Transient annotations
20:50:14 +1 the patch does not modify JPA files
20:50:14 +1 TESTS
20:50:14 Tests run: 3215
20:50:14 Tests failed at first run:
20:50:14
TestPurgeXCommand#testPurgeableBundleUnpurgeableCoordinatorUnpurgebleWorkflowPurgeableSubWorkflow
20:50:14 TestSLADbXOperations#testCreateSlaRegistrationEventMinReqFields
20:50:14 For the complete list of flaky tests, see TEST-SUMMARY-FULL files.
20:50:14 +1 DISTRO
20:50:14 +1 distro tarball builds with the patch
20:50:14 +1 MODERNIZER
20:50:14
20:50:14 ----------------------------
20:50:14 -1 Overall result, please check the reported -1(s) {noformat}
Seems okay to me. +1. If [~asalamon74] accepts it too I'll merge your change.
> Upgrade commons-io to 2.8.0
> ---------------------------
>
> Key: OOZIE-3653
> URL: https://issues.apache.org/jira/browse/OOZIE-3653
> Project: Oozie
> Issue Type: Improvement
> Affects Versions: 5.2.1
> Reporter: Ashutosh Gupta
> Assignee: Ashutosh Gupta
> Priority: Major
> Attachments: OOZIE-3653-001.patch, OOZIE-3653-002.patch
>
>
> Current commons-io is using 2.4 which has the following vulnerabilities
> Direct vulnerabilities:
> [CVE-2021-29425|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425]
> Vulnerabilities from dependencies:
> [CVE-2020-15250|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250]
>
> We can upgrade to 2.8.0
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
