[
https://issues.apache.org/jira/browse/YARN-11356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17622540#comment-17622540
]
ASF GitHub Bot commented on YARN-11356:
---------------------------------------
hadoop-yetus commented on PR #5052:
URL: https://github.com/apache/hadoop/pull/5052#issuecomment-1287594841
:broken_heart: **-1 overall**

| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|----------:|--------:|:--------:|:-------:|
| +0 :ok: | reexec | 0m 45s | | Docker mode activated. |
|||| _ Prechecks _ |
| +1 :green_heart: | dupname | 0m 1s | | No case conflicting files found. |
| +0 :ok: | codespell | 0m 0s | | codespell was not available. |
| +0 :ok: | detsecrets | 0m 0s | | detect-secrets was not available. |
| +0 :ok: | xmllint | 0m 0s | | xmllint was not available. |
| +0 :ok: | jshint | 0m 0s | | jshint was not available. |
| +0 :ok: | jsonlint | 0m 0s | | jsonlint was not available. |
| +0 :ok: | shelldocs | 0m 0s | | Shelldocs was not available. |
| +1 :green_heart: | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 :x: | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
|||| _ trunk Compile Tests _ |
| +0 :ok: | mvndep | 16m 2s | | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 29m 18s | | trunk passed |
| +1 :green_heart: | compile | 24m 53s | | trunk passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | compile | 22m 44s | | trunk passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
| +1 :green_heart: | checkstyle | 4m 19s | | trunk passed |
| +1 :green_heart: | mvnsite | 21m 55s | | trunk passed |
| +1 :green_heart: | javadoc | 8m 53s | | trunk passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javadoc | 8m 8s | | trunk passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
| +0 :ok: | spotbugs | 0m 24s | | branch/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui no spotbugs output file (spotbugsXml.xml) |
| +1 :green_heart: | shadedclient | 56m 25s | | branch has no errors when building and testing our client artifacts. |
|||| _ Patch Compile Tests _ |
| +0 :ok: | mvndep | 0m 32s | | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 23m 17s | | the patch passed |
| +1 :green_heart: | compile | 23m 5s | | the patch passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javac | 23m 5s | | the patch passed |
| +1 :green_heart: | compile | 21m 0s | | the patch passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
| +1 :green_heart: | javac | 21m 0s | | the patch passed |
| +1 :green_heart: | blanks | 0m 0s | | The patch has no blanks issues. |
| +1 :green_heart: | checkstyle | 4m 3s | | the patch passed |
| +1 :green_heart: | mvnsite | 18m 52s | | the patch passed |
| +1 :green_heart: | shellcheck | 0m 0s | | No new issues. |
| +1 :green_heart: | javadoc | 7m 58s | | the patch passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javadoc | 7m 31s | | the patch passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
| +0 :ok: | spotbugs | 0m 33s | | hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui has no data from spotbugs |
| +1 :green_heart: | shadedclient | 53m 35s | | patch has no errors when building and testing our client artifacts. |
|||| _ Other Tests _ |
| +1 :green_heart: | unit | 802m 15s | | root in the patch passed. |
| +1 :green_heart: | asflicense | 2m 14s | | The patch does not generate ASF License warnings. |
| | | 1168m 39s | | |

| Subsystem | Report/Notes |
|----------:|:-------------|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5052/2/artifact/out/Dockerfile |
| GITHUB PR | https://github.com/apache/hadoop/pull/5052 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle jshint jsonlint shellcheck shelldocs |
| uname | Linux a17669095556 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / e5b96b5fc44d216e0ac2178fe4aadd3c90df6237 |
| Default Java | Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
| Multi-JDK versions | /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5052/2/testReport/ |
| Max. process+thread count | 3934 (vs. ulimit of 5500) |
| modules | C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui . U: . |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5052/2/console |
| versions | git=2.25.1 maven=3.6.3 spotbugs=4.2.2 shellcheck=0.7.0 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |

This message was automatically generated.
> Upgrade DataTables to 1.11.5 to fix CVEs
> ----------------------------------------
>
> Key: YARN-11356
> URL: https://issues.apache.org/jira/browse/YARN-11356
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn
> Affects Versions: 3.3.4
> Reporter: Bence Kosztolnik
> Assignee: Bence Kosztolnik
> Priority: Major
> Labels: pull-request-available
>
> This ticket is intended to fix the following CVEs in the *DataTables.net*
> lib, by upgrading the lib to 1.11.5.
> *CVE-2020-28458 (HIGH severity)* - All versions of package datatables.net are
> vulnerable to Prototype Pollution due to an incomplete fix for
> [https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806].
> [https://nvd.nist.gov/vuln/detail/CVE-2020-28458]
> *CVE-2021-23445 (MEDIUM severity)* - This affects the package datatables.net
> before 1.11.3. If an array is passed to the HTML escape entities function it
> would not have its contents escaped.
> [https://nvd.nist.gov/vuln/detail/CVE-2021-23445]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)