Patrick,
If you prefer I can send a patch for the exclusion of
[ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
CVE-2021-21290

That said, this won't affect the goodness of the RC.

Our code is safe and the dependencies we use are safe:
- to me it looks like those are false positive or at least not related
to ZooKeeper
- we are not using Netty TC Native features, it is a dependency we
inherit, and probably ZooKeeper works well without it

Thank you all for taking the time to test the release

Enrico
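Enrico mentions a patch to exclude the flagged jar from the OWASP check. As an added illustration that is not the ZooKeeper project's own configuration, this is what a scoped dependency-check suppression looks like: it pins the entry to the netty-tcnative coordinates (groupId io.netty is assumed) and to exactly the CVEs listed in the thread, with an expiry date so the entry is revisited, rather than silencing the whole jar by file name, which would also hide any finding published later.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (not ZooKeeper's own). It is wired into the
     dependency-check-maven plugin with:
       <configuration>
         <suppressionFiles>
           <suppressionFile>owasp-suppressions.xml</suppressionFile>
         </suppressionFiles>
       </configuration>
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Too broad: matches on the file name alone and lists no CVEs, so it
       also hides any CVE that is later published against this artifact. -->
  <!--
  <suppress>
    <filePath regex="true">.*netty-tcnative.*\.jar</filePath>
  </suppress>
  -->

  <!-- Scoped: only the netty-tcnative artifact (groupId io.netty assumed),
       only the CVEs from the failing build, and an expiry date (the
       'until' attribute) after which the build goes red again unless the
       entry is reviewed and renewed. -->
  <suppress until="2022-08-01Z">
    <notes><![CDATA[
      netty-tcnative-2.0.48.Final.jar: CVEs treated as false positives
      for this artifact in the 3.8.0 release vote thread.
      Add the tracking issue id here when one exists.
    ]]></notes>
    <gav regex="true">^io\.netty:netty-tcnative:.*$</gav>
    <cve>CVE-2014-3488</cve>
    <cve>CVE-2015-2156</cve>
    <cve>CVE-2019-16869</cve>
    <cve>CVE-2019-20444</cve>
    <cve>CVE-2019-20445</cve>
    <cve>CVE-2021-21290</cve>
    <cve>CVE-2021-21295</cve>
    <cve>CVE-2021-21409</cve>
    <cve>CVE-2021-37136</cve>
    <cve>CVE-2021-37137</cve>
    <cve>CVE-2021-43797</cve>
  </suppress>

</suppressions>
```

A suppression of this shape keeps the CVSS gate intact for every other dependency and for any new CVE matched against netty-tcnative itself.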

On Thu, 10 Feb 2022 at 09:13 Szalay-Bekő Máté
<szalay.beko.m...@gmail.com> wrote:
>
> Thanks Enrico for working on the release candidate!
>
> The RC looks good to me if we are sure that the OWASP problem is a false
> positive and we can skip this netty-tcnative jar check. However, these CVEs
> are old... Is it possible that we just added this jar by accident with the
> recent netty upgrade? If we don't need it, should we exclude it?
>
> I wouldn't vote with +1 until we clarify the state of these CVEs.
>
> My RC check:
>
> - apache-rat passed
> - I built the source code (-Pfull-build) on dockerized Ubuntu 18.04.6 using
> OpenJDK 11.0.13 and maven 3.6.0.
> - all the java unit tests passed eventually. I had 4-8 tests failing in
> each run, but after 4 runs all tests passed at least once. (I used
> -Dsurefire-forkcount=1) We should somehow fix these flakies. There are
> flakies on the CI, but not this many. I executed in docker, maybe this is
> the reason or the CI is using a different java version?
> - checkstyle and spotbugs passed
> - OWASP (CVE check) failed with the mentioned
> netty-tcnative-2.0.48.Final.jar failures.
> - I built the fatjar
> - I executed C client tests. Two of these failed constantly for me:
> Zookeeper_simpleSystem::testIPV6 and
> Zookeeper_SASLAuth::testClientSASLOverIPv6. (I think these fail for me
> because I execute C unit tests on docker, there might be some issues with
> the IPv6 interface) I see these passed on CI running on the branch-3.8.0. (
> https://github.com/apache/zookeeper/runs/5048875668?check_suite_focus=true)
> - I also built and executed unit tests for zkpython
> - I executed quick rolling-upgrade tests (using
> https://github.com/symat/zk-rolling-upgrade-test):
>   - rolling upgrade from 3.5.9 to 3.8.0
>   - rolling upgrade from 3.6.3 to 3.8.0
>   - rolling upgrade from 3.7.0 to 3.8.0
> - The web page looks OK
>
> Best regards,
> Máté
>
> On Wed, Feb 9, 2022 at 8:04 PM Chris Nauroth <cnaur...@apache.org> wrote:
>
> > Enrico, thank you for putting together a release candidate.
> >
> > I briefly looked at the OWASP check failure. It's flagging multiple old
> > CVEs against netty-tcnative-2.0.48.Final.jar. I can't imagine how these are
> > still applicable. This is the newest version of the dependency, so we don't
> > have another upgrade path we can try.
> >
> > I don't understand it. Unfortunately, I haven't found a solution yet.
> >
> > Chris Nauroth
> >
> >
> > On Wed, Feb 9, 2022 at 2:05 AM Szalay-Bekő Máté <
> > szalay.beko.m...@gmail.com>
> > wrote:
> >
> > > I started to test it. apache-rat passed for me, but owasp first failed
> > > due to some environment issue:
> > >
> > > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> > > (default-cli) on project parent: Fatal exception(s) analyzing Apache
> > > ZooKeeper: One or more exceptions occurred during analysis:
> > > [ERROR] Unable to download meta file:
> > > https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
> > > [ERROR] No documents exist
> > > [ERROR] -> [Help 1]
> > >
> > > Now I just re-run and this error disappeared, I assume nvd.nist.gov was
> > > down for a while.
> > > Now the owasp is failing for me with this error:
> > >
> > > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> > > (default-cli) on project zookeeper:
> > > [ERROR]
> > > [ERROR] One or more dependencies were identified with vulnerabilities
> > > that have a CVSS score greater than or equal to '0.0':
> > > [ERROR]
> > > [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> > > CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> > > CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> > > CVE-2021-21290
> > > [ERROR]
> > > [ERROR] See the dependency-check report for more details.
> > >
> > >
> > > I still continue to test the RC, let me know if it gets cancelled.
> > >
> > >
> > > On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt <ph...@apache.org> wrote:
> > >
> > > > On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli <eolive...@gmail.com>
> > > > wrote:
> > > >
> > > > > Any comments?
> > > > >
> > > >
> > > > owasp is still red - as such I assumed this release candidate is on
> > > > hold until that's fixed. Is that not the case?
> > > >
> > > > Patrick
> > > >
> > > >
> > > > >
> > > > > On Fri 4 Feb 2022, 12:07 Enrico Olivelli <eolive...@apache.org>
> > > > > wrote:
> > > > >
> > > > > > This is a release candidate for 3.8.0.
> > > > > >
> > > > > > It is a major release and it introduces a lot of new features, most
> > > > > > notably:
> > > > > > - Migration of the logging framework from Apache Log4j1 to LogBack
> > > > > > - Read Key/trust store password from file (and other security
> > > > > > related improvements)
> > > > > > - Restored support for OSGI
> > > > > > - Reduced the performance impact of Prometheus metrics
> > > > > > - Official support for JDK17 (all tests are passing)
> > > > > > - Updates to all the third party dependencies to get rid of every
> > > > > > known CVE.
> > > > > >
> > > > > > The full release notes are available at:
> > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12349587
> > > > > >
> > > > > > *** Please download, test and vote by February 7th 2022, 23:59 UTC+0. ***
> > > > > >
> > > > > > Source files:
> > > > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> > > > > >
> > > > > > Maven staging repo:
> > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1072/
> > > > > >
> > > > > > The release candidate tag in git to be voted upon: release-3.8.0-0
> > > > > > https://github.com/apache/zookeeper/tree/release-3.8.0-0
> > > > > >
> > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the
> > > > > > release:
> > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > >
> > > > > > The staging version of the website is:
> > > > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> > > > > >
> > > > > >
> > > > > > Should we release this candidate?
> > > > > > Enrico Olivelli
> > > > > >
> > > > >
> > > >
> > >
> >