[GitHub] [tomee] github-actions[bot] closed pull request #943: Regenerated BOMs after dependency upgrades
github-actions[bot] closed pull request #943: Regenerated BOMs after dependency upgrades
URL: https://github.com/apache/tomee/pull/943

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [HELP] Build times for Infra
Hi,

I am starting this test on a virtual machine in our infra now.

@all For building main you need to either use a JDK 11 or JDK 17. This information is also relevant, as well as the Maven version used for building. In addition, it might be required to switch the git repo URL in the sh script from the ssh-based to the http-based version (https://github.com/apache/tomee.git), so you can run it on a dedicated machine on which you do not need to set up private/public key auth.

Regards
Richard

On Tuesday, 11.10.2022 at 15:05 -0700, David Blevins wrote:
> All,
>
> I'm collecting some stats on how long it takes to run our full build
> exactly as Jenkins does. The goal is to work with them to see if we
> can get some better hardware -- I assume that will require donations,
> etc.
>
> If you'd like to help in collecting data, here's the script I'm
> running:
>
> - curl https://gist.githubusercontent.com/dblevins/b39cc3300bcdd89b426ca33b87b5452b/raw/7c68d4df71e9246c8bf2d0a741f8b145ca5d0820/buildtime.sh | bash
>
> Send the time reported in the build.log along with your system
> information (os, number of cores, if your disk is an SSD, etc)
Re: [VOTE] Apache TomEE 8.0.13 - First Attempt
Hi Alex,

I can confirm that 2.14.0-rc1 fixes the vulnerability, as I cherry-picked the related fixes to an upcoming 2.13.4.1 (micro patch version) yesterday. My PR was merged in earlier today.

The issue is that the fix version is set to 2.14.0 in the CVE itself although it is included in 2.14.0-rc1. This is due to the fact that the jackson people do not want a widespread use of rc1 due to the security vulnerability, as it only affects users if 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled.

I can add a related sentence to the release notes. In addition, I will add a statement regarding hsqldb 2.7.1, which doesn't show up in grype at all.

Regards
Richard

On Wednesday, 12.10.2022 at 08:49 +0200, Alex The Rocker wrote:
> Hello Again,
>
> Completed some basic tests with TomEE+ 8.0.13 (more complex tests to
> come), but also I ran https://github.com/anchore/grype latest version
> on TomEE+ 8.0.12 versus this candidate 8.0.13, with focus on Jackson
> CVEs, and here's the outcome:
>
> With TomEE+ 8.0.12, the jackson-databind-2.13.2.2.jar file was found
> to have the following vulnerabilities:
> CVE-2022-42003
> CVE-2022-42004
> GHSA-jjjh-jjxp-wpff
> GHSA-rgv9-q543-rqg4
>
> With TomEE+ 8.0.13 candidate release, the jackson-databind-2.14.0-rc1.jar
> file was found to have the following vulnerabilities:
> CVE-2022-42003
>
> which is bizarre because according to
> https://nvd.nist.gov/vuln/detail/CVE-2022-42003, 2.14.0-rc1 is
> supposed to fix CVE-2022-42003.
>
> I know that Grype isn't perfect, but the problem is that it is widely
> used, so if you are sure that this is a false positive, then can you
> please provide a statement about it in the release notes and/or in the
> documentation, to avoid users' confusion?
>
> PS: CVE-2022-42003 is rated 7.5 (High) by
> https://nvd.nist.gov/vuln/detail/CVE-2022-42003, so it's not quite
> TomEE 8.0.13 could be released without a word about it...
>
> I will send my vote when I'll have completed my more advanced tests
> with the 8.0.13 candidate release.
>
> Thanks,
> Alex
>
> On Tue, 11 Oct 2022 at 22:28, Zowalla, Richard wrote:
> >
> > Good catch. This is expected:
> >
> > https://issues.apache.org/jira/browse/TOMEE-4021
> >
> > or
> >
> > https://lists.apache.org/thread/8tky9dr2sf99cs2hrj95j81w1rhrtdfn
> >
> > Regards
> > Richard
> >
> > On Tuesday, 11.10.2022 at 22:23 +0200, Alex The Rocker wrote:
> > > okay I probably made a mistake somewhere.
> > > Also I see ehcache*.jar is removed in TomEE+ 8.0.13 => is it
> > > intentional (I love seeing less JARs;) ?
> > >
> > > Alex
> > >
> > > On Tue, 11 Oct 2022 at 22:17, Zowalla, Richard wrote:
> > > >
> > > > I am currently not on my dev system but I checked via:
> > > >
> > > > $ gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
> > > >
> > > > $ gpg --verify apache-tomee-8.0.13-plus.tar.gz.asc apache-tomee-8.0.13-plus.tar.gz
> > > >
> > > > gpg: Signatur vom Di 11 Okt 2022 13:14:04 CEST
> > > > gpg:                mittels RSA-Schlüssel B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
> > > > gpg: Korrekte Signatur von "Richard Zowalla (Code Signing Key) " [unbekannt]
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > > On Tuesday, 11.10.2022 at 22:04 +0200, Alex The Rocker wrote:
> > > > > Sorry previous mail sent too quickly.
> > > > >
> > > > > What's wrong here ?
> > > > >
> > > > > $ gpg --verify /tmp/tomee8013.asc apache-tomee-8.0.13-plus.tar.gz
> > > > > gpg: Signature made Tue 11 Oct 2022 01:14:04 PM CEST using RSA key ID E5B8A431
> > > > > gpg: Can't check signature: No public key
> > > > >
> > > > > On Tue, 11 Oct 2022 at 22:03, Alex The Rocker wrote:
> > > > > >
> > > > > > Hum... what's wrong here:
> > > > > >
> > > > > > On Tue, 11 Oct 2022 at 21:22, Alex The Rocker wrote:
> > > > > > >
> > > > > > > +1 for more frequent releases (at least based on CVE with at
> > > > > > > least high severity)
> > > > > > > and yes, I have a relatively large test base ; stay tuned!
> > > > > > >
> > > > > > > On Tue, 11 Oct 2022 at 21:16, Richard Zowalla wrote:
> > > > > > > > Hi Alex,
> > > > > > > >
> > > > > > > > we can maybe get into the habit of releasing more often
> > > > > > > > (yes, I know: we discussed this over and over on the list...).
> > > > > > > >
> > > > > > > > I was just copying from the VOTE template docs, which mention
> > > > > > > > to write "first attempt" and so on... - so no regrets just copy
> > > > > > > > & paste.
> > > > > > > >
> > > > > > > > I don't expect any surprises but we never know: I did some
> > > > > > > > tests on some of our projects (jaxrs, jaxws,
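The quoted exchange shows the two outcomes a release verifier runs into: "Can't check signature: No public key" before the key is imported, and a good signature afterwards. The script below is an added example (not TomEE project code) that wraps `gpg --status-fd` and decides on the machine-readable status lines instead of the localized human output, and additionally pins the signing key to the fingerprint quoted in the thread, so a good signature from some other key is still rejected. It assumes `gpg` is on PATH; the status samples embedded for testing are constructed, not real gpg output.

```python
"""Verify a release tarball's detached signature and pin the signing key.

Added example for this thread, not TomEE project code. Assumes `gpg` is on
PATH. The expected fingerprint is the code-signing key quoted in the thread;
the status samples at the bottom are constructed for testing."""
import subprocess

# Fingerprint of the release-signing key the thread imports with --recv-keys.
EXPECTED_FPR = "B83D15E72253ED1104EB4FBBDAB472F0E5B8A431"


def parse_status(status_text: str) -> dict:
    """Reduce gpg --status-fd output to the few facts a verifier needs.

    VALIDSIG carries the fingerprint of the key that made the signature and,
    as its last field, the primary key fingerprint (they differ when a subkey
    signs); NO_PUBKEY means the keyring never saw the key at all.
    """
    facts = {"goodsig": False, "fingerprints": set(), "missing_key": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1] if len(fields) > 1 else ""
        if tag == "GOODSIG":
            facts["goodsig"] = True
        elif tag == "VALIDSIG" and len(fields) >= 3:
            facts["fingerprints"].add(fields[2].upper())
            facts["fingerprints"].add(fields[-1].upper())
        elif tag == "NO_PUBKEY" and len(fields) >= 3:
            facts["missing_key"] = fields[2]
    return facts


def verdict(status_text: str, expected_fpr: str = EXPECTED_FPR) -> tuple:
    """Return (ok, reason). Only a good signature from the pinned key passes."""
    facts = parse_status(status_text)
    if facts["missing_key"]:
        return False, f"no public key {facts['missing_key']} in keyring; import it first"
    if not facts["goodsig"] or not facts["fingerprints"]:
        return False, "signature did not verify"
    if expected_fpr.upper() not in facts["fingerprints"]:
        return False, "good signature, but from an unexpected key: " + ", ".join(sorted(facts["fingerprints"]))
    return True, f"good signature from pinned key {expected_fpr}"


def verify_artifact(artifact: str, signature: str, expected_fpr: str = EXPECTED_FPR) -> tuple:
    """Run gpg on a real file pair; --status-fd 1 routes the status lines to stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, check=False,
    )
    return verdict(proc.stdout, expected_fpr)


# Constructed status samples (not real gpg output) for the cases seen in the thread.
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DAB472F0E5B8A431 Richard Zowalla (Code Signing Key)
[GNUPG:] VALIDSIG B83D15E72253ED1104EB4FBBDAB472F0E5B8A431 2022-10-11 1665486844 0 4 0 1 10 00 B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
"""
NO_KEY_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY DAB472F0E5B8A431
"""
WRONG_KEY_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2022-10-11 1665486844 0 4 0 1 10 00 0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for name, sample in [("good", GOOD_STATUS), ("no key", NO_KEY_STATUS), ("wrong key", WRONG_KEY_STATUS)]:
        print(name, verdict(sample))
    # Real use: verify_artifact("apache-tomee-8.0.13-plus.tar.gz", "apache-tomee-8.0.13-plus.tar.gz.asc")
```

Checking the fingerprint rather than only the "Good signature" line is the point: `--recv-keys` from a public keyserver imports whatever key carries that id, so the verifier must compare what actually signed against the fingerprint the project published.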
Re: [VOTE] Apache TomEE 8.0.13 - First Attempt
Hello Again,

Completed some basic tests with TomEE+ 8.0.13 (more complex tests to come), but also I ran https://github.com/anchore/grype latest version on TomEE+ 8.0.12 versus this candidate 8.0.13, with focus on Jackson CVEs, and here's the outcome:

With TomEE+ 8.0.12, the jackson-databind-2.13.2.2.jar file was found to have the following vulnerabilities:
CVE-2022-42003
CVE-2022-42004
GHSA-jjjh-jjxp-wpff
GHSA-rgv9-q543-rqg4

With TomEE+ 8.0.13 candidate release, the jackson-databind-2.14.0-rc1.jar file was found to have the following vulnerabilities:
CVE-2022-42003

which is bizarre because according to https://nvd.nist.gov/vuln/detail/CVE-2022-42003, 2.14.0-rc1 is supposed to fix CVE-2022-42003.

I know that Grype isn't perfect, but the problem is that it is widely used, so if you are sure that this is a false positive, then can you please provide a statement about it in the release notes and/or in the documentation, to avoid users' confusion?

PS: CVE-2022-42003 is rated 7.5 (High) by https://nvd.nist.gov/vuln/detail/CVE-2022-42003, so it's not quite TomEE 8.0.13 could be released without a word about it...

I will send my vote when I'll have completed my more advanced tests with the 8.0.13 candidate release.

Thanks,
Alex

On Tue, 11 Oct 2022 at 22:28, Zowalla, Richard wrote:
>
> Good catch. This is expected:
>
> https://issues.apache.org/jira/browse/TOMEE-4021
>
> or
>
> https://lists.apache.org/thread/8tky9dr2sf99cs2hrj95j81w1rhrtdfn
>
> Regards
> Richard
>
> On Tuesday, 11.10.2022 at 22:23 +0200, Alex The Rocker wrote:
> > okay I probably made a mistake somewhere.
> > Also I see ehcache*.jar is removed in TomEE+ 8.0.13 => is it
> > intentional (I love seeing less JARs;) ?
> >
> > Alex
> >
> > On Tue, 11 Oct 2022 at 22:17, Zowalla, Richard wrote:
> > >
> > > I am currently not on my dev system but I checked via:
> > >
> > > $ gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
> > >
> > > $ gpg --verify apache-tomee-8.0.13-plus.tar.gz.asc apache-tomee-8.0.13-plus.tar.gz
> > >
> > > gpg: Signatur vom Di 11 Okt 2022 13:14:04 CEST
> > > gpg:                mittels RSA-Schlüssel B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
> > > gpg: Korrekte Signatur von "Richard Zowalla (Code Signing Key) " [unbekannt]
> > >
> > > Regards
> > > Richard
> > >
> > > On Tuesday, 11.10.2022 at 22:04 +0200, Alex The Rocker wrote:
> > > > Sorry previous mail sent too quickly.
> > > >
> > > > What's wrong here ?
> > > >
> > > > $ gpg --verify /tmp/tomee8013.asc apache-tomee-8.0.13-plus.tar.gz
> > > > gpg: Signature made Tue 11 Oct 2022 01:14:04 PM CEST using RSA key ID E5B8A431
> > > > gpg: Can't check signature: No public key
> > > >
> > > > On Tue, 11 Oct 2022 at 22:03, Alex The Rocker wrote:
> > > > >
> > > > > Hum... what's wrong here:
> > > > >
> > > > > On Tue, 11 Oct 2022 at 21:22, Alex The Rocker wrote:
> > > > > >
> > > > > > +1 for more frequent releases (at least based on CVE with at
> > > > > > least high severity)
> > > > > > and yes, I have a relatively large test base ; stay tuned!
> > > > > >
> > > > > > On Tue, 11 Oct 2022 at 21:16, Richard Zowalla wrote:
> > > > > > >
> > > > > > > Hi Alex,
> > > > > > >
> > > > > > > we can maybe get into the habit of releasing more often
> > > > > > > (yes, I know: we discussed this over and over on the list...).
> > > > > > >
> > > > > > > I was just copying from the VOTE template docs, which mention
> > > > > > > to write "first attempt" and so on... - so no regrets just copy &
> > > > > > > paste.
> > > > > > >
> > > > > > > I don't expect any surprises but we never know: I did some
> > > > > > > tests on some of our projects (jaxrs, jaxws, batche, ...) but I have no
> > > > > > > possibility to do large scale tests as you can do them ;-) - so happy
> > > > > > > to get some feedback.
> > > > > > >
> > > > > > > The CXF cleanup might be a candidate for regressions as we
> > > > > > > shipped older code under the covers of newer cxf versions and
> > > > > > > didn't notice that for some time now.
> > > > > > >
> > > > > > > Regards
> > > > > > > Richard
> > > > > > >
> > > > > > > On Tuesday, 11.10.2022 at 21:05 +0200, Alex The Rocker wrote:
> > > > > > > > Hi Richard,
> > > > > > > >
> > > > > > > > Thanks for this quick TomEE 8.0.3 release after not so long
> > > > > > > > discussions!
> > > > > > > > I'll run some tests ASAP and then give my vote (non-binding).
> > > > > > > > Why do you mention "1st attempt"? Any regrets ?
> > > > > > > >
> > > > > > > > Alex
> > > > > > > >
> > > > > > > > On Tue, 11 Oct 2022 at 20:01,
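Alex's comparison above was done by eye across two grype runs. The script below is an added example (not TomEE's or grype's code) that does the same comparison mechanically: it keys findings on artifact name plus vulnerability id, so a jar version bump from 2.13.2.2 to 2.14.0-rc1 still lines up, and reports what was fixed, what remains, what is new, and which remaining findings at or above a severity floor still need a release-note statement, whether they are real or false positives. It assumes grype's JSON output shape (a top-level `matches` list whose entries carry `vulnerability.id`, `vulnerability.severity`, `artifact.name` and `artifact.version`); the two embedded reports are constructed from the findings quoted in the thread, and their severity strings are sample values rather than copied from a real scan.

```python
"""Diff two grype JSON reports (previous release vs. release candidate).

Added example for this thread, not TomEE's or grype's code. Assumes grype's
JSON layout: top-level "matches", each with "vulnerability": {"id", "severity"}
and "artifact": {"name", "version"}. Both reports below are constructed."""
import json

# Constructed stand-in for a grype JSON report of the 8.0.12 distribution.
OLD_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-42003", "severity": "High"},
     "artifact": {"name": "jackson-databind", "version": "2.13.2.2"}},
    {"vulnerability": {"id": "CVE-2022-42004", "severity": "High"},
     "artifact": {"name": "jackson-databind", "version": "2.13.2.2"}},
    {"vulnerability": {"id": "GHSA-jjjh-jjxp-wpff", "severity": "High"},
     "artifact": {"name": "jackson-databind", "version": "2.13.2.2"}},
    {"vulnerability": {"id": "GHSA-rgv9-q543-rqg4", "severity": "High"},
     "artifact": {"name": "jackson-databind", "version": "2.13.2.2"}},
]})
# Constructed stand-in for the 8.0.13 candidate scan.
NEW_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-42003", "severity": "High"},
     "artifact": {"name": "jackson-databind", "version": "2.14.0-rc1"}},
]})

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def index_matches(report_json: str) -> dict:
    """Map (artifact name, vulnerability id) -> {version, severity}.

    Keyed on the artifact name, not the jar version, so the same finding is
    recognised across an upgrade of the dependency.
    """
    index = {}
    for m in json.loads(report_json).get("matches", []):
        key = (m["artifact"]["name"], m["vulnerability"]["id"])
        index[key] = {
            "version": m["artifact"].get("version", "?"),
            "severity": m["vulnerability"].get("severity", "Unknown"),
        }
    return index


def diff_reports(old_json: str, new_json: str) -> dict:
    """Split findings into fixed (gone), remaining (in both) and introduced (new)."""
    old, new = index_matches(old_json), index_matches(new_json)
    return {
        "fixed": sorted(k for k in old if k not in new),
        "remaining": sorted(k for k in old if k in new),
        "introduced": sorted(k for k in new if k not in old),
    }


def needs_release_note(new_json: str, minimum: str = "High") -> list:
    """Findings still flagged in the candidate at or above `minimum` severity.

    Each one needs a statement in the release notes: either it is a real gap
    or, as with CVE-2022-42003 here, a scanner mismatch users will still see.
    """
    floor = SEVERITY_RANK[minimum]
    return sorted(k for k, v in index_matches(new_json).items()
                  if SEVERITY_RANK.get(v["severity"], -1) >= floor)


def render(old_json: str, new_json: str) -> str:
    """Human-readable summary of the diff plus the release-note to-do list."""
    d = diff_reports(old_json, new_json)
    new = index_matches(new_json)
    lines = []
    for label in ("fixed", "remaining", "introduced"):
        lines.append(f"{label}: {len(d[label])}")
        lines.extend(f"  {name} {vid}" for name, vid in d[label])
    for name, vid in needs_release_note(new_json):
        v = new[(name, vid)]
        lines.append(f"needs a release-note statement: {name} {vid} ({v['severity']}, {v['version']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(OLD_REPORT, NEW_REPORT))
```

Run against real reports with `grype <archive> -o json` for each distribution, saved to files and read in place of the two constructed strings.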