[ https://issues.apache.org/jira/browse/OOZIE-3663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17544611#comment-17544611 ]
Hadoop QA commented on OOZIE-3663: ---------------------------------- Testing JIRA OOZIE-3663 Cleaning local git workspace ---------------------------- {color:green}+1 PATCH_APPLIES{color} {color:green}+1 CLEAN{color} {color:red}-1 RAW_PATCH_ANALYSIS{color} . {color:green}+1{color} the patch does not introduce any @author tags . {color:green}+1{color} the patch does not introduce any tabs . {color:green}+1{color} the patch does not introduce any trailing spaces . {color:green}+1{color} the patch does not introduce any star imports . {color:green}+1{color} the patch does not introduce any line longer than 132 . {color:red}-1{color} the patch does not add/modify any testcase {color:green}+1 RAT{color} . {color:green}+1{color} the patch does not seem to introduce new RAT warnings {color:green}+1 JAVADOC{color} . {color:green}+1{color} Javadoc generation succeeded with the patch . {color:green}+1{color} the patch does not seem to introduce new Javadoc warning(s) {color:green}+1 COMPILE{color} . {color:green}+1{color} HEAD compiles . {color:green}+1{color} patch compiles . {color:green}+1{color} the patch does not seem to introduce new javac warnings {color:red}-1{color} There are [7] new bugs found below threshold in total that must be fixed. . {color:green}+1{color} There are no new bugs found in [examples]. . {color:green}+1{color} There are no new bugs found in [fluent-job/fluent-job-api]. . {color:green}+1{color} There are no new bugs found in [sharelib/hive]. . {color:green}+1{color} There are no new bugs found in [sharelib/hive2]. . {color:green}+1{color} There are no new bugs found in [sharelib/git]. . {color:green}+1{color} There are no new bugs found in [sharelib/distcp]. . {color:green}+1{color} There are no new bugs found in [sharelib/hcatalog]. . {color:green}+1{color} There are no new bugs found in [sharelib/sqoop]. . {color:green}+1{color} There are no new bugs found in [sharelib/spark]. . {color:red}-1{color} There are [1] new bugs found below threshold in [sharelib/oozie] that must be fixed. . You can find the SpotBugs diff here (look for the red and orange ones): sharelib/oozie/findbugs-new.html . The most important SpotBugs errors are: . At ShellMain.java:[line 93]: This usage of java/lang/ProcessBuilder.<init>(Ljava/util/List;)V can be vulnerable to Command Injection . At ShellMain.java:[line 91]: At ShellMain.java:[line 90] . At ShellMain.java:[line 92] . {color:green}+1{color} There are no new bugs found in [sharelib/pig]. . {color:green}+1{color} There are no new bugs found in [sharelib/streaming]. . {color:green}+1{color} There are no new bugs found in [server]. . {color:green}+1{color} There are no new bugs found in [docs]. . {color:green}+1{color} There are no new bugs found in [webapp]. . {color:red}-1{color} There are [6] new bugs found below threshold in [core] that must be fixed, listing only the first [5] ones. . You can find the SpotBugs diff here (look for the red and orange ones): core/findbugs-new.html . The top [5] most important SpotBugs errors are: . At BulkJPAExecutor.java:[line 206]: This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection . At BulkJPAExecutor.java:[line 176]: At BulkJPAExecutor.java:[line 175] . At BulkJPAExecutor.java:[line 205]: At BulkJPAExecutor.java:[line 199] . This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection: At BulkJPAExecutor.java:[line 206] . At BulkJPAExecutor.java:[line 111]: At BulkJPAExecutor.java:[line 127] . {color:green}+1{color} There are no new bugs found in [tools]. . {color:green}+1{color} There are no new bugs found in [client]. {color:green}+1 BACKWARDS_COMPATIBILITY{color} . {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations . {color:green}+1{color} the patch does not modify JPA files {color:red}-1 TESTS{color} . Tests run : 3218 . Tests failed : 7 . Tests in error : 0 . Tests timed out : 0 {color:red}-1{color} [ERROR] There are [7] test failures in [core]. Listing only the first [5] ones testDryrunInvalidXml:org.apache.oozie.command.wf.TestSubmitXCommand Check console output for the full list of errors/failures . {color:orange}Tests failed at first run:{color} TestZKUUIDService#testResetSequence_withMultiThread . For the complete list of flaky tests, see TEST-SUMMARY-FULL files. {color:green}+1 DISTRO{color} . {color:green}+1{color} distro tarball builds with the patch {color:green}+1 MODERNIZER{color} ---------------------------- {color:red}*-1 Overall result, please check the reported -1(s)*{color} The full output of the test-patch run is available at . https://ci-hadoop.apache.org/job/PreCommit-OOZIE-Build/88/ > Upgrade Apache Xerces Java to 2.12.2 > ------------------------------------ > > Key: OOZIE-3663 > URL: https://issues.apache.org/jira/browse/OOZIE-3663 > Project: Oozie > Issue Type: Improvement > Reporter: Ashutosh Gupta > Assignee: Ashutosh Gupta > Priority: Major > Attachments: OOZIE-3663-001.patch > > > Description > [https://github.com/advisories/GHSA-h65f-jvqw-m9fj] > There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser > when handling specially crafted XML document payloads. This causes, the > XercesJ XML parser to wait in an infinite loop, which may sometimes consume > system resources for prolonged duration. This vulnerability is present within > XercesJ version 2.12.1 and the previous versions. > References > [https://nvd.nist.gov/vuln/detail/CVE-2022-23437] > [https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl] > [http://www.openwall.com/lists/oss-security/2022/01/24/3] > [https://www.oracle.com/security-alerts/cpuapr2022.html] > h4. -- This message was sent by Atlassian Jira (v8.20.7#820007)