[
https://issues.apache.org/jira/browse/HDDS-2150?focusedWorklogId=314919&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-314919
]
ASF GitHub Bot logged work on HDDS-2150:
----------------------------------------
Author: ASF GitHub Bot
Created on: 19/Sep/19 09:28
Start Date: 19/Sep/19 09:28
Worklog Time Spent: 10m
Work Description: adoroszlai commented on pull request #1472: HDDS-2150.
Update dependency versions to avoid security vulnerabilities.
URL: https://github.com/apache/hadoop/pull/1472#discussion_r326073658
##########
File path: pom.ozone.xml
##########
@@ -127,6 +127,9 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/xs
<jackson.version>1.9.13</jackson.version>
<jackson2.version>2.9.9</jackson2.version>
+ <!-- jaegertracing veresion -->
+ <jaeger.version>1.0.0</jaeger.version>
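Review bot: the comment on the added line above `jaeger.version` misspells "version" ("jaegertracing veresion"). Beyond fixing the spelling, the comment would be more useful if it recorded why this version is pinned, since the property name already says what it is. The neighbouring `jackson.version` and `jackson2.version` properties carry no comment, so dropping it for consistency is also an option.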
Review comment:
Jaeger 1.0 depends on newer OpenTracing (0.33), which is not backwards
compatible.
https://github.com/opentracing/opentracing-java/pull/339
https://github.com/opentracing/opentracing-java#deprecated-members-since-031
`hadoop-hdds-common` compiles only due to explicit dependency on
`opentracing-util` 0.31.0. However, it fails at runtime with
[`NoSuchMethodError`](https://github.com/elek/ozone-ci/blob/259712a9df53dd8531786e23676ebed13f527918/pr/pr-hdds-2150-pzdq9/integration/hadoop-ozone/ozonefs/org.apache.hadoop.fs.ozone.contract.ITestOzoneContractDistCp.txt#L6).
For the security fix I think it is enough to upgrade to Jaeger 0.34, which
[updated Apache Thrift to
0.12](https://github.com/jaegertracing/jaeger-client-java/blob/136a849202e8d0a95e007e6faae38f1519cdba55/build.gradle#L22).
[Latest Jaeger Client
release](https://github.com/jaegertracing/jaeger-client-java/releases/latest)
0.35.2 should be OK, too, as it depends on OpenTracing 0.32, which still has
the deprecated methods. In this case OpenTracing version should be changed to
0.32.0.
Issue Time Tracking
-------------------
Worklog Id: (was: 314919)
Time Spent: 20m (was: 10m)
> Update dependency versions to avoid security vulnerabilities
> ------------------------------------------------------------
>
> Key: HDDS-2150
> URL: https://issues.apache.org/jira/browse/HDDS-2150
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Reporter: Hanisha Koneru
> Assignee: Hanisha Koneru
> Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The following dependency versions have known security vulnerabilities. We
> should update them to recent/later versions.
> * Apache Thrift 0.11.0
> * Apache Zookeeper 3.4.13
> * Jetty Servlet 9.3.24