Actually I think that I am falling into a rabbit hole.

The Contrib packages have many CVEs against third party libraries

https://issues.apache.org/jira/browse/ZOOKEEPER-4663 - OWASP is
failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
https://issues.apache.org/jira/browse/ZOOKEEPER-4664 - OWASP is
failing on zookeeper zookeeper-contrib-rest due to some third party
dependencies
https://issues.apache.org/jira/browse/ZOOKEEPER-4665 - OWASP is
failing on zooinspector due to some third party dependencies

There is too much work to do at the moment, and we can't blindly
upgrade dependencies without proper testing.

I am leaning towards creating the RC and ignoring all these problems.
They don't affect the core code package, and they are optional
modules, not deployed to Maven Central or released as binaries.

Enrico
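As an added example (not code from this thread or from the ZooKeeper project), a small Python script that turns the dependency-check-maven console output quoted below into a per-jar triage list, sorted by worst CVSS and flagged against a configurable threshold; the sample text is constructed from the output in this thread, with the mail quoting stripped and the line wrapping the mailer introduced kept, since a naive line-by-line parser would otherwise drop the wrapped CVEs.

```python
import re
from collections import defaultdict

# Constructed sample: the dependency-check output quoted in this thread, with the
# "> " quoting stripped and two CVE lists wrapped onto a second line by the mailer.
SAMPLE_OUTPUT = """\
[ERROR] One or more dependencies were identified with vulnerabilities
that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
[ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5),
CVE-2022-42004(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5),
CVE-2022-24823(5.5), CVE-2022-41881(7.5)
[ERROR]
[ERROR] See the dependency-check report for more details.
"""

JAR_LINE = re.compile(r"^\[ERROR\]\s+(\S+\.jar):\s*(.*)$")
CVE_REF = re.compile(r"(CVE-\d{4}-\d{4,})\((\d+(?:\.\d+)?)\)")


def parse_findings(text):
    """Return {jar: {cve: cvss}} from dependency-check-maven console output.
    A line holding CVE references but no "[ERROR] <jar>:" prefix is treated as
    a continuation of the previous jar's list (email line wrapping)."""
    findings = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = JAR_LINE.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
        elif current and not line.startswith("[ERROR]") and CVE_REF.search(line):
            rest = line
        else:
            current = None  # any other line ends the current jar's list
            continue
        for cve, score in CVE_REF.findall(rest):
            findings[current][cve] = float(score)
    return dict(findings)


def triage(findings, fail_on_cvss=7.0):
    """Rank jars by worst CVSS; the last field marks those at or above the
    threshold (the build in this thread used 0.0, so any finding fails it)."""
    rows = [(jar, max(c.values()), sorted(c), max(c.values()) >= fail_on_cvss)
            for jar, c in findings.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


for jar, worst, cves, blocking in triage(parse_findings(SAMPLE_OUTPUT)):
    print("BLOCK " if blocking else "review", jar, worst, ", ".join(cves))
```

The threshold argument mirrors the plugin's build-failure CVSS setting; with 0.0 every row is flagged, as in the quoted runs.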

On Mon 23 Jan 2023 at 13:30 Enrico Olivelli
<eolive...@gmail.com> wrote:
>
> Unfortunately I missed these OWASP failures on the contrib packages
>
> [ERROR] Failed to execute goal
> org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
> zookeeper-it:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities
> that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
> [ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
> I will send other PRs
>
> Enrico
>
> On Thu 19 Jan 2023 at 12:07 Enrico Olivelli
> <eolive...@gmail.com> wrote:
> >
> > I have opened a few PRs,
> > please help me review
> >
> > https://github.com/apache/zookeeper/pull/1972
> > https://github.com/apache/zookeeper/pull/1971
> > https://github.com/apache/zookeeper/pull/1970
> >
> > Enrico
> >
> > On Thu 19 Jan 2023 at 11:43 Enrico Olivelli
> > <eolive...@gmail.com> wrote:
> > >
> > > Unfortunately OWASP check is failing on branch-3.8
> > >
> > > [ERROR] Failed to execute goal
> > > org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
> > > zookeeper:
> > > [ERROR]
> > > [ERROR] One or more dependencies were identified with vulnerabilities
> > > that have a CVSS score greater than or equal to '0.0':
> > > [ERROR]
> > > [ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
> > > [ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
> > > [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), 
> > > CVE-2022-42004(7.5)
> > > [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5),
> > > CVE-2022-24823(5.5), CVE-2022-41881(7.5)
> > > [ERROR]
> > > [ERROR] See the dependency-check report for more details.
> > > [ERROR]
> > >
> > > I will take a look if there are already patches to be cherry-picked.
> > >
> > > I guess it will take some time, I hoped to cut the release candidate 
> > > today :-(
> > >
> > > Enrico
> > >
> > > On Tue 17 Jan 2023 at 23:06 Chris Nauroth
> > > <cnaur...@apache.org> wrote:
> > > >
> > > > +1
> > > >
> > > > Thank you for taking this up, Enrico!
> > > >
> > > > Chris Nauroth
> > > >
> > > >
> > > > On Tue, Jan 17, 2023 at 9:24 AM Enrico Olivelli <eolive...@gmail.com> 
> > > > wrote:
> > > >
> > > > > Hello ZooKeepers,
> > > > > We have received a few requests to cut a 3.8.1 release.
> > > > >
> > > > > I will start the release procedure by the end of this week;
> > > > > if there is anything that blocks the release or that you would like to
> > > > > cherry-pick, please let me know.
> > > > >
> > > > > Best regards
> > > > > Enrico
> > > > >
