[jira] [Commented] (OOZIE-3671) Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily until it gets refactored
[ https://issues.apache.org/jira/browse/OOZIE-3671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632388#comment-17632388 ]

Janos Makai commented on OOZIE-3671:
------------------------------------

Unfortunately it looks like there are more than 700 similar issues to be fixed, which I did not notice at first. Hence I've opened a ticket to track them all here: OOZIE-3672

> Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily
> until it gets refactored
> ---------------------------------------------------------------------------
>
>                 Key: OOZIE-3671
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3671
>             Project: Oozie
>          Issue Type: Task
>          Components: core
>    Affects Versions: 5.2.1
>            Reporter: Janos Makai
>            Assignee: Janos Makai
>            Priority: Major
>         Attachments: OOZIE-3671-001.patch
>
>
> Currently the SpotBugs tool indicates the following issues for every new
> patch:
>
>     -1 There are [5] new bugs found below threshold in [core] that must be fixed.
>     . You can find the SpotBugs diff here (look for the red and orange ones): core/findbugs-new.html
>     . The most important SpotBugs errors are:
>     . At BulkJPAExecutor.java:[line 206]: This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection
>     . At BulkJPAExecutor.java:[line 176]: At BulkJPAExecutor.java:[line 175]
>     . At BulkJPAExecutor.java:[line 205]: At BulkJPAExecutor.java:[line 199]
>     . This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection: At BulkJPAExecutor.java:[line 206]
>     . At BulkJPAExecutor.java:[line 111]: At BulkJPAExecutor.java:[line 127]
>
> The goal of this Jira is to exclude the JPA injection pattern
> (SQL_INJECTION_JPA) from Oozie core until the corresponding code gets
> refactored.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
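For readers of the thread who want to see what the SQL_INJECTION_JPA finding on EntityManager.createQuery(String) is actually about, here is an added example (written for this page, not code from Oozie or from the patch on the ticket). It shows a dynamic JPQL filter built the way the detector objects to, beside the parameterised form that the eventual refactor would move to. The entity WorkflowJob, its fields, and the allow-list of filterable fields are assumptions made for the example; the real BulkJPAExecutor is not reproduced here.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Query;
import javax.persistence.TypedQuery;

/**
 * Added example, not Oozie code: why SpotBugs flags EntityManager.createQuery(String)
 * with SQL_INJECTION_JPA, and the parameterised shape that clears the finding.
 * The entity, its fields and the allow-list are assumptions made for the example.
 */
public final class JpqlFilterExample {

    /** Field names a caller may filter on; anything else is rejected, never interpolated. */
    private static final Set<String> ALLOWED_FIELDS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("appName", "user", "status")));

    /** Query text plus the named parameters that must be bound before execution. */
    public static final class PreparedJpql {
        public final String jpql;
        public final Map<String, String> params;

        PreparedJpql(String jpql, Map<String, String> params) {
            this.jpql = jpql;
            this.params = params;
        }
    }

    /**
     * Vulnerable shape: filter names and values are spliced into the JPQL text.
     * A value such as  x' or '1'='1  rewrites the WHERE clause, and the field name
     * is caller-controlled query syntax. Passing the result to createQuery(String)
     * is exactly what SQL_INJECTION_JPA reports.
     */
    public static String unsafeJpql(Map<String, String> filters) {
        StringBuilder sb = new StringBuilder("select w from WorkflowJob w where 1=1");
        for (Map.Entry<String, String> e : filters.entrySet()) {
            sb.append(" and w.").append(e.getKey())
              .append(" = '").append(e.getValue()).append('\'');
        }
        return sb.toString();
    }

    public static Query unsafeQuery(EntityManager em, Map<String, String> filters) {
        return em.createQuery(unsafeJpql(filters)); // flagged: SQL_INJECTION_JPA
    }

    /**
     * Hardened shape: the query text contains only allow-listed field names and
     * named placeholders; values are bound as parameters, so whatever they contain
     * they cannot change the structure of the query.
     */
    public static PreparedJpql safeJpql(Map<String, String> filters) {
        StringBuilder sb = new StringBuilder("select w from WorkflowJob w where 1=1");
        Map<String, String> params = new LinkedHashMap<>();
        int i = 0;
        for (Map.Entry<String, String> e : filters.entrySet()) {
            String field = e.getKey();
            if (!ALLOWED_FIELDS.contains(field)) {
                throw new IllegalArgumentException("unsupported filter field: " + field);
            }
            String name = "p" + (i++);
            sb.append(" and w.").append(field).append(" = :").append(name);
            params.put(name, e.getValue());
        }
        return new PreparedJpql(sb.toString(), params);
    }

    public static TypedQuery<WorkflowJob> safeQuery(EntityManager em, Map<String, String> filters) {
        PreparedJpql p = safeJpql(filters);
        TypedQuery<WorkflowJob> q = em.createQuery(p.jpql, WorkflowJob.class);
        for (Map.Entry<String, String> e : p.params.entrySet()) {
            q.setParameter(e.getKey(), e.getValue()); // hostile text stays a plain value
        }
        return q;
    }

    public static void main(String[] args) {
        Map<String, String> filters = new LinkedHashMap<>();
        filters.put("appName", "x' or '1'='1"); // constructed hostile input
        System.out.println("unsafe: " + unsafeJpql(filters));
        System.out.println("safe:   " + safeJpql(filters).jpql);
    }
}

/** Minimal entity (assumed, not Oozie's) so the file compiles against the JPA API alone. */
@Entity
class WorkflowJob {
    @Id public String id;
    public String appName;
    public String user;
    public String status;
}
```

Running main() with the constructed input prints the concatenated query, in which the quote in the value has closed the literal and appended an always-true disjunction, next to the parameterised query, which still contains a single placeholder. Keeping the query-building step pure (safeJpql returns text plus parameters without touching an EntityManager) is what makes this refactor unit-testable, which matters on a ticket whose CI run reports the patch "does not add/modify any testcase".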
[jira] [Commented] (OOZIE-3671) Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily until it gets refactored
[ https://issues.apache.org/jira/browse/OOZIE-3671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632346#comment-17632346 ]

Hadoop QA commented on OOZIE-3671:
----------------------------------

Testing JIRA OOZIE-3671

Cleaning local git workspace

+1 PATCH_APPLIES
+1 CLEAN
-1 RAW_PATCH_ANALYSIS
    +1 the patch does not introduce any @author tags
    +1 the patch does not introduce any tabs
    +1 the patch does not introduce any trailing spaces
    +1 the patch does not introduce any star imports
    +1 the patch does not introduce any line longer than 132
    -1 the patch does not add/modify any testcase
+1 RAT
    +1 the patch does not seem to introduce new RAT warnings
+1 JAVADOC
    +1 Javadoc generation succeeded with the patch
    +1 the patch does not seem to introduce new Javadoc warning(s)
+1 COMPILE
    +1 HEAD compiles
    +1 patch compiles
    +1 the patch does not seem to introduce new javac warnings
-1 There are [4] new bugs found below threshold in total that must be fixed.
    +1 There are no new bugs found in [examples].
    +1 There are no new bugs found in [fluent-job/fluent-job-api].
    +1 There are no new bugs found in [sharelib/hive].
    +1 There are no new bugs found in [sharelib/hive2].
    +1 There are no new bugs found in [sharelib/git].
    +1 There are no new bugs found in [sharelib/distcp].
    +1 There are no new bugs found in [sharelib/hcatalog].
    +1 There are no new bugs found in [sharelib/sqoop].
    +1 There are no new bugs found in [sharelib/spark].
    -1 There are [1] new bugs found below threshold in [sharelib/oozie] that must be fixed.
    You can find the SpotBugs diff here (look for the red and orange ones): sharelib/oozie/findbugs-new.html
    The most important SpotBugs errors are:
    At ShellMain.java:[line 93]: This usage of java/lang/ProcessBuilder.<init>(Ljava/util/List;)V can be vulnerable to Command Injection
    At ShellMain.java:[line 91]: At ShellMain.java:[line 90]
    At ShellMain.java:[line 92]
    +1 There are no new bugs found in [sharelib/pig].
    +1 There are no new bugs found in [sharelib/streaming].
    +1 There are no new bugs found in [server].
    +1 There are no new bugs found in [docs].
    +1 There are no new bugs found in [webapp].
    -1 There are [3] new bugs found below threshold in [core] that must be fixed.
    You can find the SpotBugs diff here (look for the red and orange ones): core/findbugs-new.html
    The most important SpotBugs errors are:
    At AuthorizationService.java:[line 192]: java/io/File.<init>(Ljava/lang/String;Ljava/lang/String;)V reads a file whose location might be specified by user input
    At AuthorizationService.java:[line 191]: At AuthorizationService.java:[line 189]
    At ShareLibService.java:[line 695]: Unsafe comparison of hash that are susceptible to timing attack
    At ShareLibService.java:[line 691]: At ShareLibService.java:[line 689]
    Possible injection that can lead to Source spoofing, header override and email body injection.: At ShareLibService.java:[line 693]
    +1 There are no new bugs found in [tools].
    +1 There are no new bugs found in [client].
+1 BACKWARDS_COMPATIBILITY
    +1 the patch does not change any JPA Entity/Column/Basic/Lob/Transient annotations
    +1 the patch does not modify JPA files
+1 TESTS
    Tests run: 3224
    Tests failed at first run:
    TestCoordActionInputCheckXCommand#testNone
    TestCoordMaterializeTriggerService#testCoordMaterializeTriggerService3
    For the complete list of flaky tests, see TEST-SUMMARY-FULL files.
+1 DISTRO
    +1 distro tarball builds with the patch
+1 MODERNIZER

-1 Overall result, please check the reported -1(s)

The full output of the test-patch run is available at
    https://ci-hadoop.apache.org/job/PreCommit-OOZIE-Build/99/
[jira] [Commented] (OOZIE-3671) Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily until it gets refactored
[ https://issues.apache.org/jira/browse/OOZIE-3671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632265#comment-17632265 ]

Janos Makai commented on OOZIE-3671:
------------------------------------

Yes, I agree, thank you for the remark. If the SpotBugs result indeed turns green, I'll go ahead and open a Jira for the fix.
[jira] [Commented] (OOZIE-3671) Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily until it gets refactored
[ https://issues.apache.org/jira/browse/OOZIE-3671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632262#comment-17632262 ]

Hadoop QA commented on OOZIE-3671:
----------------------------------

PreCommit-OOZIE-Build started
[jira] [Commented] (OOZIE-3671) Exclude JPA injection issue pattern from SpotBugs in Oozie Core temporarily until it gets refactored
[ https://issues.apache.org/jira/browse/OOZIE-3671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632263#comment-17632263 ]

Dénes Bodó commented on OOZIE-3671:
-----------------------------------

Hey [~jmakai]

Thanks for trying to fix this issue. I agree with your approach because it would be better if we didn't have to manually override the Jenkins build results. But disabling a security check is never the best idea. Because the issue has been present for a long time, I accept turning off the validation. BUT: in that case please open another Jira to track fixing the JPA bug and turn the SpotBugs check back on. Do you agree?
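The exclusion the ticket proposes is a SpotBugs exclude filter. As an added example (not the patch attached to the ticket, whose contents are not on this page), here is what such a filter looks like in the weak, module-wide form beside a narrower form that limits the suppression to the class the report names. The file name and the regular expression for the class are assumptions; only one of the two Match blocks should be kept.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a SpotBugs exclude filter; file name and class pattern are
     assumptions, not taken from the Oozie build. Keep only ONE of the two <Match>
     blocks below. -->
<FindBugsFilter>

  <!-- Weak form: silences SQL_INJECTION_JPA for the whole module, including any
       new createQuery(String) call that a later patch introduces. -->
  <Match>
    <Bug pattern="SQL_INJECTION_JPA"/>
  </Match>

  <!-- Narrower form: silence the pattern only in the class the report names, so a
       new occurrence anywhere else in core still fails the build. The "~" prefix
       makes the name a regular expression, matching BulkJPAExecutor in any package. -->
  <Match>
    <Class name="~.*\.BulkJPAExecutor"/>
    <Bug pattern="SQL_INJECTION_JPA"/>
  </Match>

</FindBugsFilter>
```

With the spotbugs-maven-plugin the file is referenced through the excludeFilterFile configuration parameter. Scoping the Match to the known class is what keeps a "temporary" suppression from silently covering new code, and it makes the follow-up Jira that Dénes asks for easy to close: delete the Match block and the build goes red again only if the refactor is incomplete.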