[https://issues.apache.org/jira/browse/YETUS-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16566197#comment-16566197]
Allen Wittenauer commented on YETUS-441:
----------------------------------------
Here's what a patch looks like:
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 16m 24s{color} | {color:blue} Docker mode activated. {color} |
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The source tree does not contain any @author tags. {color} |
| {color:red}-1{color} | {color:red} test4tests {color} | {color:red} 0m 0s{color} | {color:red} The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. {color} |
|| || || || {color:brown} trunk Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 5m 41s{color} | {color:blue} Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 25m 20s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 29m 11s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 19m 33s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 46s{color} | {color:green} branch has no errors when building and testing our client artifacts. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 5m 34s{color} | {color:green} trunk passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 33s{color} | {color:blue} Maven dependency ordering for patch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 25m 48s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 27m 30s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 27m 30s{color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} dependency_check {color} | {color:red} 5m 36s{color} | {color:red} The patch generated 8 new + 23 unchanged - 4 fixed = 31 total (was 27) {color} |
| {color:red}-1{color} | {color:red} hadolint {color} | {color:red} 0m 2s{color} | {color:red} The patch generated 1 new + 31 unchanged - 1 fixed = 32 total (was 32) {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 19m 17s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} shellcheck {color} | {color:green} 0m 0s{color} | {color:green} There were no new shellcheck issues. {color} |
| {color:green}+1{color} | {color:green} shelldocs {color} | {color:green} 0m 11s{color} | {color:green} There were no new shelldocs issues. {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s{color} | {color:red} The patch has 6 line(s) that end in whitespace. Use git apply --whitespace=fix <<patch_file>>. Refer https://git-scm.com/docs/git-apply {color} |
| {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m 1s{color} | {color:green} The patch has no ill-formed XML file. {color} |
| {color:green}+1{color} | {color:green} shadedclient {color} | {color:green} 10m 11s{color} | {color:green} patch has no errors when building and testing our client artifacts. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 5m 17s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:red}-1{color} | {color:red} unit {color} | {color:red}160m 54s{color} | {color:red} root in the patch failed. {color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 55s{color} | {color:green} The patch does not generate ASF License warnings. {color} |
| {color:black}{color} | {color:black} {color} | {color:black}370m 9s{color} | {color:black} {color} |
\\
\\
|| Reason || Tests ||
| CVE | Severity Dependency |
| CVE-2016-1905 | Medium aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-eks:1.11.375) |
| CVE-2016-1906 | High aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-eks:1.11.375) |
| CVE-2015-8768 | High aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-iot1clickprojects:1.11.375) |
| CVE-2015-8768 | High aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-iot1clickdevices:1.11.375) |
| CVE-2006-4711 | Medium aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-sagemaker:1.11.375) |
| CVE-2007-0896 | Medium aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-sagemaker:1.11.375) |
| CVE-2015-3362 | Low aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-kinesisvideo:1.11.375) |
| CVE-2015-8559 | Medium aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-opsworkscm:1.11.375) |
| Failed junit tests | hadoop.hdfs.web.TestWebHdfsTimeouts |
| | hadoop.hdfs.client.impl.TestBlockReaderLocal |
| | hadoop.hdfs.TestDFSStripedOutputStreamWithFailureWithRandomECPolicy |
\\
\\
|| Subsystem || Report/Notes ||
| Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hadoop:ba1ab08 |
| JIRA Issue | HADOOP-15647 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12933955/HADOOP-15647.00.patch |
| Optional Tests | asflicense hadolint shellcheck shelldocs compile javac javadoc mvninstall mvnsite unit shadedclient dependency_check xml |
| uname | Linux 054b934d05fd 4.4.0-130-generic #156-Ubuntu SMP Thu Jun 14 08:53:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 603a574 |
| maven | version: Apache Maven 3.3.9 |
| Default Java | 1.8.0_171 |
| dependency_check | version: 3.3.0 |
| shellcheck | v0.4.6 |
| dependency_check | Full Report: https://builds.apache.org/job/PreCommit-HADOOP-Build-Test/1/artifact/out/dependency-check-report.html |
| hadolint | https://builds.apache.org/job/PreCommit-HADOOP-Build-Test/1/artifact/out/diff-patch-hadolint.txt |
| whitespace | https://builds.apache.org/job/PreCommit-HADOOP-Build-Test/1/artifact/out/whitespace-eol.txt |
| unit | https://builds.apache.org/job/PreCommit-HADOOP-Build-Test/1/artifact/out/patch-unit-root.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build-Test/1/testReport/ |
| Max. process+thread count | 3813 (vs. ulimit of 10000) |
| modules | C: hadoop-project hadoop-tools/hadoop-aws . U: . |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build-Test/1/console |
| Powered by | Apache Yetus 0.8.0-SNAPSHOT http://yetus.apache.org |
This message was automatically generated.
> Add a precommit check for known CVEs from dependencies
> ------------------------------------------------------
>
> Key: YETUS-441
> URL: https://issues.apache.org/jira/browse/YETUS-441
> Project: Yetus
> Issue Type: New Feature
> Components: Test Patch
> Reporter: Sean Busbey
> Assignee: Sean Busbey
> Priority: Major
> Fix For: 0.8.0
>
> Attachments: YETUS-441.0.patch, YETUS-441.004.patch,
> YETUS-441.005.patch, YETUS-441.006.patch, YETUS-441.007.patch,
> YETUS-441.008.patch, YETUS-441.1.patch, YETUS-441.2.patch, YETUS-441.3.patch,
> dependency-check-suppression.xml
>
>
> Add in a precommit test that makes use of [The OWASP Dependency Check|https://www.owasp.org/index.php/OWASP_Dependency_Check] to look for known bad dependencies.
> There's a maven plugin, ant task, and command line tool. So we should be able to build similar support to what we have for RAT.
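The branch-versus-patch delta behind the dependency_check row of the report above ("8 new + 23 unchanged - 4 fixed = 31 total (was 27)"), as an added example that is not Yetus's own code: it parses findings written in the shape of the report's CVE rows (constructed sample data, not real Dependency-Check output), keys each finding on its shaded coordinate so one CVE in two shaded modules counts twice, and votes -1 when the patch adds any finding.

```python
import re

# Constructed sample scans, one finding per line, mirroring the report's
# "CVE | Severity Dependency" rows. Not real OWASP Dependency-Check output.
BRANCH_SCAN = """\
CVE-2016-1905 Medium aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-eks:1.11.375)
CVE-2015-8768 High aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-iot1clickprojects:1.11.375)
CVE-2015-3362 Low aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-kinesisvideo:1.11.375)
"""
PATCH_SCAN = """\
CVE-2016-1905 Medium aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-eks:1.11.375)
CVE-2016-1906 High aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-eks:1.11.375)
CVE-2015-3362 Low aws-java-sdk-bundle-1.11.375.jar (shaded: com.amazonaws:aws-java-sdk-kinesisvideo:1.11.375)
"""

FINDING_RE = re.compile(
    r"^(CVE-\d{4}-\d+)\s+(Low|Medium|High|Critical)\s+(\S+)(?:\s+\(shaded:\s*(\S+)\))?\s*$")


def parse_scan(text):
    """Return a set of (cve, severity, artifact). The artifact is the shaded
    coordinate when present, so the same CVE in two shaded modules is two findings,
    exactly as CVE-2015-8768 appears twice in the report above."""
    findings = set()
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            cve, severity, jar, shaded = m.groups()
            findings.add((cve, severity, shaded or jar))
    return findings


def delta(branch, patch):
    """Split findings into (new, unchanged, fixed) relative to the branch scan."""
    return patch - branch, branch & patch, branch - patch


def summary(branch, patch):
    """Render the counts in the wording of the precommit row; total is what the
    patched tree still carries, 'was' is what the branch carried."""
    new, unchanged, fixed = delta(branch, patch)
    return (f"The patch generated {len(new)} new + {len(unchanged)} unchanged "
            f"- {len(fixed)} fixed = {len(new) + len(unchanged)} total (was {len(branch)})")


def vote(branch, patch):
    """-1 if the patch adds any finding; a patch that only fixes findings gets +1."""
    new, _, _ = delta(branch, patch)
    return -1 if new else 1


if __name__ == "__main__":
    branch, patch = parse_scan(BRANCH_SCAN), parse_scan(PATCH_SCAN)
    print(vote(branch, patch), summary(branch, patch))
```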
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)