On Thu, Feb 10, 2022 at 12:22 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> Patrick,
> If you prefer I can send a patch for the exclusion of
> [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> CVE-2021-21290
>
> That said, this won't affect the goodness of the RC.
>
> Our code is safe and the dependencies we use are safe:
> - to me it looks like those are false positives or at least not related
> to ZooKeeper
> - we are not using Netty TC Native features, it is a dependency we
> inherit, and probably ZooKeeper works well without it
>
> Thank you all for taking time to test the release
>

NP. My concern is highlighted by this (your) response. You had to say all this to explain why the build is failing on a simple security check. Post-log4shell folks are really sensitive to security issues, as they should be, as we all should be. It's very important that we take security seriously. If I download the release and run the owasp check, it fails. I then have questions in my mind why. All that you explained here, while perfectly reasonable, won't be available to me at that point. I think rather we should ensure that releases are solid/clean before we push them. This is a simple thing to fix before we go through the entire process of verifying/releasing a new version. Hopefully this explains my concerns.

Regards,

Patrick

> Enrico
>
> On Thu, 10 Feb 2022 at 09:13 Szalay-Bekő Máté
> <szalay.beko.m...@gmail.com> wrote:
> >
> > Thanks Enrico for working on the release candidate!
> >
> > The RC looks good to me if we are sure that the OWASP problem is a false
> > positive and we can skip this netty-tcnative jar check. However, these CVEs
> > are old... Is it possible that we just added this jar by accident with the
> > recent netty upgrade? If we don't need it, should we exclude it?
> >
> > I wouldn't vote with +1 until we clarify the state of these CVEs.
> >
> > My RC check:
> >
> > - apache-rat passed
> > - I built the source code (-Pfull-build) on dockerized Ubuntu 18.04.6 using
> > OpenJDK 11.0.13 and maven 3.6.0.
> > - all the java unit tests passed eventually. I had 4-8 tests failing in
> > each run, but after 4 runs all tests passed at least once. (I used
> > -Dsurefire-forkcount=1) We should somehow fix these flakies. There are
> > flakies on the CI, but not this many. I executed in docker, maybe this is
> > the reason, or the CI is using a different java version?
> > - checkstyle and spotbugs passed
> > - OWASP (CVE check) failed with the mentioned
> > netty-tcnative-2.0.48.Final.jar failures.
> > - I built the fatjar
> > - I executed C client tests. Two of these failed constantly for me:
> > Zookeeper_simpleSystem::testIPV6 and
> > Zookeeper_SASLAuth::testClientSASLOverIPv6. (I think these fail for me
> > because I execute C unit tests on docker, there might be some issues with
> > the IPv6 interface) I see these passed on CI running on the branch-3.8.0. (
> > https://github.com/apache/zookeeper/runs/5048875668?check_suite_focus=true )
> > - I also built and executed unit tests for zkpython
> > - I executed quick rolling-upgrade tests (using
> > https://github.com/symat/zk-rolling-upgrade-test):
> >   - rolling upgrade from 3.5.9 to 3.8.0
> >   - rolling upgrade from 3.6.3 to 3.8.0
> >   - rolling upgrade from 3.7.0 to 3.8.0
> > - The web page looks OK
> >
> > Best regards,
> > Máté
> >
> > On Wed, Feb 9, 2022 at 8:04 PM Chris Nauroth <cnaur...@apache.org> wrote:
> > >
> > > Enrico, thank you for putting together a release candidate.
> > >
> > > I briefly looked at the OWASP check failure. It's flagging multiple old
> > > CVEs against netty-tcnative-2.0.48.Final.jar. I can't imagine how these are
> > > still applicable. This is the newest version of the dependency, so we don't
> > > have another upgrade path we can try.
> > >
> > > I don't understand it. Unfortunately, I haven't found a solution yet.
> > >
> > > Chris Nauroth
> > >
> > >
> > > On Wed, Feb 9, 2022 at 2:05 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
> > > wrote:
> > >
> > > > I started to test it. apache-rat passed for me, but owasp first failed
> > > > due to some environment issue:
> > > >
> > > > [ERROR] Failed to execute goal
> > > > org.owasp:dependency-check-maven:5.3.0:check
> > > > (default-cli) on project parent: Fatal exception(s) analyzing Apache
> > > > ZooKeeper: One or more exceptions occurred during analysis:
> > > > [ERROR] Unable to download meta file:
> > > > https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
> > > > [ERROR] No documents exist
> > > > [ERROR] -> [Help 1]
> > > >
> > > > Now I just re-ran it and this error disappeared, I assume nvd.nist.gov was
> > > > down for a while.
> > > > Now the owasp is failing for me with this error:
> > > >
> > > > [ERROR] Failed to execute goal
> > > > org.owasp:dependency-check-maven:5.3.0:check
> > > > (default-cli) on project zookeeper:
> > > > [ERROR]
> > > > [ERROR] One or more dependencies were identified with vulnerabilities that
> > > > have a CVSS score greater than or equal to '0.0':
> > > > [ERROR]
> > > > [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> > > > CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> > > > CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> > > > CVE-2021-21290
> > > > [ERROR]
> > > > [ERROR] See the dependency-check report for more details.
> > > >
> > > >
> > > > I still continue to test the RC, let me know if it gets cancelled.
> > > >
> > > >
> > > > On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt <ph...@apache.org> wrote:
> > > >
> > > > > On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli <eolive...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Any comments?
> > > > > >
> > > > >
> > > > > owasp is still red - as such I assumed this release candidate is on hold
> > > > > until that's fixed.
> > > > > Is that not the case?
> > > > >
> > > > > Patrick
> > > > >
> > > > >
> > > > > >
> > > > > > On Fri, 4 Feb 2022, 12:07 Enrico Olivelli <eolive...@apache.org> wrote:
> > > > > >
> > > > > > > This is a release candidate for 3.8.0.
> > > > > > >
> > > > > > > It is a major release and it introduces a lot of new features, most
> > > > > > > notably:
> > > > > > > - Migration of the logging framework from Apache Log4j1 to LogBack
> > > > > > > - Read Key/trust store password from file (and other security related
> > > > > > > improvements)
> > > > > > > - Restored support for OSGI
> > > > > > > - Reduced the performance impact of Prometheus metrics
> > > > > > > - Official support for JDK17 (all tests are passing)
> > > > > > > - Updates to all the third party dependencies to get rid of every known
> > > > > > > CVE.
> > > > > > >
> > > > > > > The full release notes are available at:
> > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12349587
> > > > > > >
> > > > > > > *** Please download, test and vote by February 7th 2022, 23:59 UTC+0. ***
> > > > > > >
> > > > > > > Source files:
> > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> > > > > > >
> > > > > > > Maven staging repo:
> > > > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1072/
> > > > > > >
> > > > > > > The release candidate tag in git to be voted upon: release-3.8.0-0
> > > > > > > https://github.com/apache/zookeeper/tree/release-3.8.0-0
> > > > > > >
> > > > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > > > >
> > > > > > > The staging version of the website is:
> > > > > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> > > > > > >
> > > > > > >
> > > > > > > Should we release this candidate?
> > > > > > > Enrico Olivelli
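The "exclusion" Enrico offers to send a patch for is, in OWASP dependency-check, normally expressed as a suppression file that the dependency-check-maven plugin reads. The fragment below is an added example for readers of this thread, not the patch from the thread and not ZooKeeper's own configuration: the file name owasp-suppressions.xml is an assumption, the plugin version 5.3.0 and the CVE list are taken from the OWASP output quoted in Máté's message, and the netty-tcnative package URL is the Maven coordinate the jar name implies.

```xml
<!-- owasp-suppressions.xml (file name is an assumption for this example) -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <!-- Record the justification with the suppression so the next reviewer
         (or release voter) does not have to rediscover it on the mailing list. -->
    <notes><![CDATA[
      netty-tcnative 2.0.48.Final is the newest release of the artifact and is
      only pulled in transitively; the flagged CVEs are reported as false
      positives / not applicable to ZooKeeper. Re-check when the version changes.
    ]]></notes>
    <!-- Scope the suppression to one exact artifact and version: a bump of the
         dependency, or a CVE not listed here, will still fail the build. -->
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative@2\.0\.48\.Final$</packageUrl>
    <cve>CVE-2021-43797</cve>
    <cve>CVE-2019-16869</cve>
    <cve>CVE-2015-2156</cve>
    <cve>CVE-2021-37136</cve>
    <cve>CVE-2014-3488</cve>
    <cve>CVE-2021-37137</cve>
    <cve>CVE-2019-20445</cve>
    <cve>CVE-2019-20444</cve>
    <cve>CVE-2021-21295</cve>
    <cve>CVE-2021-21409</cve>
    <cve>CVE-2021-21290</cve>
  </suppress>
</suppressions>

<!-- pom.xml: point the plugin at the suppression file. failBuildOnCVSS=0 keeps
     the strict threshold seen in the quoted output ("greater than or equal to '0.0'"). -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.3.0</version>
  <configuration>
    <failBuildOnCVSS>0</failBuildOnCVSS>
    <suppressionFiles>
      <suppressionFile>owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
</plugin>
```

Listing the individual CVEs and pinning the version, rather than suppressing the artifact wholesale, is what keeps the check meaningful: a genuinely new finding against the same jar still turns the build red, and the note travels with the source so a downstream user who runs the check on the release sees the reasoning Patrick says would otherwise be missing. If, as Máté asks, the jar turns out not to be needed at all, removing the transitive dependency is the stronger fix; the thread does not say which artifact pulls it in, so no exclusion is shown here.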