On Mon, 23 Jan 2023 at 13:54 Enrico Olivelli
<eolive...@gmail.com> wrote:
>
> Actually I think that I am falling into a rabbit hole.
>
> The Contrib packages have many CVEs against third party libraries
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-4663 - OWASP is
> failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
> https://issues.apache.org/jira/browse/ZOOKEEPER-4664 - OWASP is
> failing on zookeeper zookeeper-contrib-rest due to some third party
> dependencies
> https://issues.apache.org/jira/browse/ZOOKEEPER-4665 - OWASP is
> failing on zooinspector due to some third party dependencies
>
> There is too much work to do at the moment, and we can't blindly
> upgrade dependencies without proper testing.
>
> I am leaning towards creating the RC and ignoring all these problems.
> They don't affect the core code package, and they are optional
> modules, not deployed to Maven central or released as binaries

During the release I have found that we actually stage the artifacts
in Maven central
but they are not supposed to be consumed from there.

This is a minor release, I think it is better to not change the layout.
We could improve the list of stuff that we send to Maven central in the
next major release

Enrico

>
> Enrico
>
> On Mon, 23 Jan 2023 at 13:30 Enrico Olivelli
> <eolive...@gmail.com> wrote:
> >
> > Unfortunately I missed these OWASP failures on the contrib packages
> >
> > [ERROR] Failed to execute goal
> > org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
> > zookeeper-it:
> > [ERROR]
> > [ERROR] One or more dependencies were identified with vulnerabilities
> > that have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
> > [ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
> > [ERROR]
> > [ERROR] See the dependency-check report for more details.
> >
> > I will send other PRs
> >
> > Enrico
> >
> > On Thu, 19 Jan 2023 at 12:07 Enrico Olivelli
> > <eolive...@gmail.com> wrote:
> > >
> > > I have opened a few PRs,
> > > please help me review
> > >
> > > https://github.com/apache/zookeeper/pull/1972
> > > https://github.com/apache/zookeeper/pull/1971
> > > https://github.com/apache/zookeeper/pull/1970
> > >
> > > Enrico
> > >
> > > On Thu, 19 Jan 2023 at 11:43 Enrico Olivelli
> > > <eolive...@gmail.com> wrote:
> > > >
> > > > Unfortunately the OWASP check is failing on branch-3.8
> > > >
> > > > [ERROR] Failed to execute goal
> > > > org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
> > > > zookeeper:
> > > > [ERROR]
> > > > [ERROR] One or more dependencies were identified with vulnerabilities
> > > > that have a CVSS score greater than or equal to '0.0':
> > > > [ERROR]
> > > > [ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
> > > > [ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
> > > > [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5), 
> > > > CVE-2022-42004(7.5)
> > > > [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5),
> > > > CVE-2022-24823(5.5), CVE-2022-41881(7.5)
> > > > [ERROR]
> > > > [ERROR] See the dependency-check report for more details.
> > > > [ERROR]
> > > >
> > > > I will take a look if there are already patches to be cherry-picked.
> > > >
> > > > I guess it will take some time, I hoped to cut the release candidate 
> > > > today :-(
> > > >
> > > > Enrico
> > > >
> > > > On Tue, 17 Jan 2023 at 23:06 Chris Nauroth
> > > > <cnaur...@apache.org> wrote:
> > > > >
> > > > > +1
> > > > >
> > > > > Thank you for taking this up, Enrico!
> > > > >
> > > > > Chris Nauroth
> > > > >
> > > > >
> > > > > On Tue, Jan 17, 2023 at 9:24 AM Enrico Olivelli <eolive...@gmail.com> 
> > > > > wrote:
> > > > >
> > > > > > Hello ZooKeepers,
> > > > > > We have received a few requests to cut a 3.8.1 release.
> > > > > >
> > > > > > I will start the release procedure by the end of this week,
> > > > > > if there is anything that blocks the release or that you would like to
> > > > > > cherry-pick, please let me know
> > > > > >
> > > > > > Best regards
> > > > > > Enrico
> > > > > >
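As an added example (not code from the thread or from the ZooKeeper project), a small Python triage script that parses dependency-check-maven failure lines like those quoted above, handling the wrapped CVE lists, and reports which jars meet a given failBuildOnCVSS threshold; the log it runs on is constructed from the thread's output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the dependency-check-maven output quoted in the
# thread; the jackson and netty CVE lists wrap onto a continuation line as in the mail.
SAMPLE_LOG = """\
[ERROR] One or more dependencies were identified with vulnerabilities
that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
[ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5),
CVE-2022-42004(7.5)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5),
CVE-2022-24823(5.5), CVE-2022-41881(7.5)
[ERROR]
[ERROR] See the dependency-check report for more details.
"""

JAR_LINE = re.compile(r"^\[ERROR\] (?P<jar>\S+\.jar): (?P<rest>.*)$")
CVE_ENTRY = re.compile(r"(CVE-\d{4}-\d+)\((\d+(?:\.\d+)?)\)")

def parse_findings(log: str) -> Dict[str, List[Tuple[str, float]]]:
    """Map each flagged jar to its (CVE id, CVSS score) pairs. A line that starts
    no jar entry but carries CVE(score) items continues the previous jar's list."""
    findings: Dict[str, List[Tuple[str, float]]] = {}
    current: Optional[str] = None
    for line in log.splitlines():
        m = JAR_LINE.match(line)
        if m:
            current = m.group("jar")
            findings[current] = []
            text = m.group("rest")
        elif current is not None and CVE_ENTRY.search(line):
            text = line          # wrapped continuation of the previous entry
        else:
            current = None       # anything else ends the current jar's list
            continue
        findings[current].extend(
            (cve, float(score)) for cve, score in CVE_ENTRY.findall(text))
    return findings

def max_cvss(findings: Dict[str, List[Tuple[str, float]]]) -> Dict[str, float]:
    """Worst score per jar, which is what the plugin's threshold is compared to."""
    return {jar: max(s for _, s in cves) for jar, cves in findings.items()}

def above_threshold(findings: Dict[str, List[Tuple[str, float]]],
                    threshold: float) -> List[str]:
    """Jars that fail the build at the given failBuildOnCVSS value; the thread's
    build used 0.0, so every finding failed it."""
    return sorted(j for j, s in max_cvss(findings).items() if s >= threshold)
```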
