Force version of logback-core and logback-classic to 1.2.13 #11521

Merged
merged 2 commits into from
Dec 7, 2023

Conversation

mch2
Member

@mch2 mch2 commented Dec 7, 2023

Description

hdfs-fixture has more vulnerable dependencies brought in from hadoop-minicluster. This time logback-core and logback-classic - https://nvd.nist.gov/vuln/detail/CVE-2023-6378.

This forces the version to 1.2.13 to resolve the CVE.

Related Issues

Resolves https://nvd.nist.gov/vuln/detail/CVE-2023-6378

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
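
A check for the effect described above, added here as an example and not taken from the OpenSearch repository: it reads a Gradle `dependencies` report and flags any logback-core or logback-classic node that still resolves below 1.2.13. The sample report, the 1.2.10 starting version, the `X.Y.Z` placeholder and the status names are constructed for illustration.

```python
import re

# Assumption: the floor is the version this PR forces; it covers the 1.2.x line only.
FLOOR = (1, 2, 13)
WATCHED = {"ch.qos.logback:logback-core", "ch.qos.logback:logback-classic"}

# One node of a Gradle `dependencies` report: "+--- g:a:1.2.10 -> 1.2.13 (*)"
NODE = re.compile(r"[+\\]--- (?P<ga>[\w.\-]+:[\w.\-]+)"
                  r"(?::(?P<req>\S+))?(?: -> (?P<res>\S+))?")

def parse_version(text):
    """Leading numeric components of a version string as a tuple."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def audit(report):
    """Return {(coordinate, resolved_version): status} for watched artifacts."""
    findings = {}
    for line in report.splitlines():
        m = NODE.search(line)
        if not m or m.group("ga") not in WATCHED:
            continue
        resolved = m.group("res") or m.group("req")  # "->" wins when present
        v = parse_version(resolved or "")
        if len(v) < 2:
            status = "unparsed"        # e.g. a rich constraint; review by hand
        elif v[:2] != FLOOR[:2]:
            status = "other-line"      # not 1.2.x: needs its own floor
        elif v < FLOOR:
            status = "below-floor"
        else:
            status = "ok"
        findings[(m.group("ga"), resolved)] = status
    return findings

# Constructed sample report (not output from the OpenSearch build).
SAMPLE = """\
testRuntimeClasspath
\\--- org.apache.hadoop:hadoop-minicluster:X.Y.Z
     +--- ch.qos.logback:logback-classic:1.2.10 -> 1.2.13
     |    \\--- ch.qos.logback:logback-core:1.2.13
     \\--- ch.qos.logback:logback-core:1.2.10 -> 1.2.13 (*)
otherClasspath
\\--- ch.qos.logback:logback-core:1.2.10
"""

if __name__ == "__main__":
    for (ga, ver), status in sorted(audit(SAMPLE).items()):
        print(f"{status:12} {ga}:{ver}")
```

The `below-floor` entry comes from the second configuration in the sample, where no forced version applies; running the check per configuration is what catches a force that was scoped too narrowly.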
Contributor

github-actions bot commented Dec 7, 2023

Compatibility status:

Checks if related components are compatible with change 574bb9d

Incompatible components

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/sql.git]

Contributor

github-actions bot commented Dec 7, 2023

❌ Gradle check result for 574bb9d: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Contributor

github-actions bot commented Dec 7, 2023

❕ Gradle check result for 96cf53b: UNSTABLE

  • TEST FAILURES:
      1 org.opensearch.remotestore.RemoteIndexPrimaryRelocationIT.testPrimaryRelocationWhileIndexing

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.


codecov bot commented Dec 7, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (effc9bc) 71.46% compared to head (96cf53b) 71.25%.
Report is 6 commits behind head on main.

❗ Current head 96cf53b differs from pull request most recent head 574bb9d. Consider uploading reports for the commit 574bb9d to get more accurate results

Additional details and impacted files
@@             Coverage Diff              @@
##               main   #11521      +/-   ##
============================================
- Coverage     71.46%   71.25%   -0.21%     
+ Complexity    59176    59058     -118     
============================================
  Files          4903     4903              
  Lines        277987   277990       +3     
  Branches      40382    40383       +1     
============================================
- Hits         198662   198091     -571     
- Misses        62805    63422     +617     
+ Partials      16520    16477      -43     


@mch2
Member Author

mch2 commented Dec 7, 2023

Gc passes here though reported as a failure

@mch2 mch2 merged commit c1b3a73 into opensearch-project:main Dec 7, 2023
28 of 29 checks passed
@mch2 mch2 deleted the logback branch December 7, 2023 22:58
@opensearch-trigger-bot
Contributor

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-1.x 1.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-1.x
# Create a new branch
git switch --create backport/backport-11521-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c1b3a731013cee38d43ee6b02b7f97b4978246f6
# Push it to GitHub
git push --set-upstream origin backport/backport-11521-to-1.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-11521-to-1.x.

@opensearch-trigger-bot
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-11521-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c1b3a731013cee38d43ee6b02b7f97b4978246f6
# Push it to GitHub
git push --set-upstream origin backport/backport-11521-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-11521-to-2.x.

mch2 added a commit to mch2/OpenSearch that referenced this pull request Dec 8, 2023
…ch-project#11521)

* force version of logback-core and logback-classic to 1.2.13

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

* add changelog

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
mch2 added a commit that referenced this pull request Dec 8, 2023
…11536)

* force version of logback-core and logback-classic to 1.2.13



* add changelog



---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
mch2 added a commit to mch2/OpenSearch that referenced this pull request Dec 8, 2023
…ch-project#11521) (opensearch-project#11536)

* force version of logback-core and logback-classic to 1.2.13

* add changelog

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
mch2 added a commit that referenced this pull request Dec 8, 2023
…11536) (#11542)

* force version of logback-core and logback-classic to 1.2.13

* add changelog

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
deshsidd pushed a commit to deshsidd/OpenSearch that referenced this pull request Dec 11, 2023
…ch-project#11521)

* force version of logback-core and logback-classic to 1.2.13

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

* add changelog

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
kotwanikunal pushed a commit to kotwanikunal/OpenSearch that referenced this pull request Feb 6, 2024
…ch-project#11521)

* force version of logback-core and logback-classic to 1.2.13

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

* add changelog

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
kotwanikunal pushed a commit to kotwanikunal/OpenSearch that referenced this pull request Feb 6, 2024
…ch-project#11521)

* force version of logback-core and logback-classic to 1.2.13

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

* add changelog

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
Signed-off-by: Kunal Kotwani <kkotwani@amazon.com>
kotwanikunal added a commit that referenced this pull request Feb 6, 2024
* Force version of logback-core and logback-classic to 1.2.13 (#11521)

* force version of logback-core and logback-classic to 1.2.13

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

* add changelog

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
Signed-off-by: Kunal Kotwani <kkotwani@amazon.com>

* Bump jetty version in hdfs-fixture to 9.4.53.v20231009 (#11539)

* Bump jetty version in hdfs-fixture to 9.4.53.v20231009

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

* fix changelog

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
Signed-off-by: Kunal Kotwani <kkotwani@amazon.com>

* Exclude apache avro version included with hadoop-minicluster (#11564)

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
Signed-off-by: Kunal Kotwani <kkotwani@amazon.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
Signed-off-by: Kunal Kotwani <kkotwani@amazon.com>
Co-authored-by: Marc Handalian <handalm@amazon.com>
rayshrey pushed a commit to rayshrey/OpenSearch that referenced this pull request Mar 18, 2024
…ch-project#11521)

* force version of logback-core and logback-classic to 1.2.13

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

* add changelog

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
…ch-project#11521)

* force version of logback-core and logback-classic to 1.2.13

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

* add changelog

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>

---------

Signed-off-by: Marc Handalian <marc.handalian@gmail.com>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>