Skip to content

Updates Guava versions to address CVE#292

Merged
jmazanec15 merged 2 commits intoopensearch-project:mainfrom
jmazanec15:cve-guava
Feb 16, 2022
Merged

Updates Guava versions to address CVE#292
jmazanec15 merged 2 commits intoopensearch-project:mainfrom
jmazanec15:cve-guava

Conversation

@jmazanec15
Copy link
Copy Markdown
Member

@jmazanec15 jmazanec15 commented Feb 16, 2022

Description

Upgrades guava dependency as well as checkstyle dependency (which has a guava dependency as well) to address CVE.

Issues Resolved

#283 #282

Check List

  • Commits are signed as per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@jmazanec15
Updates Guava versions to address CVE
1c0ef74 
Updates direct Guava dependency to 30.0. Also, updates check style to
8.29 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
@jmazanec15 jmazanec15 added backport 1.x security fix Security fix generated by WhiteSource labels Feb 16, 2022
@jmazanec15 jmazanec15 requested a review from a team February 16, 2022 19:38
VijayanB
VijayanB previously approved these changes Feb 16, 2022
View reviewed changes
vamshin
vamshin reviewed Feb 16, 2022
View reviewed changes
Comment thread checkstyle/checkstyle.xml
Comment on lines -244 to -248
<property name="allowMissingThrowsTags" value="true"/>
<property name="allowMissingReturnTag" value="true"/>
<property name="minLineCount" value="2"/>
<property name="allowedAnnotations" value="Override, Test"/>
<property name="allowThrowsTagsForSubclasses" value="true"/>
Copy link
Copy Markdown
Member

@vamshin vamshin Feb 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why are these properties removed?

Copy link
Copy Markdown
Member Author

@jmazanec15 jmazanec15 Feb 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They break checkstyle upgrade.

Copy link
Copy Markdown
Member

@martin-gaievski martin-gaievski Feb 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just to make sure - are we making our requirements stricter by removing those rules?

Copy link
Copy Markdown
Member Author

@jmazanec15 jmazanec15 Feb 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it will be stricter. I think it is okay because, currently, we do not enforce the checkstyle checks.

In the future, we should migrate to spotless, as this is what OpenSearch does: opensearch-project/OpenSearch#1370. I will create an issue for this.

junqiu-lei
junqiu-lei previously approved these changes Feb 16, 2022
View reviewed changes
@jmazanec15
Update checkstyle to 9.3
2c78f02 
Signed-off-by: John Mazanec <jmazane@amazon.com>
@jmazanec15 jmazanec15 dismissed stale reviews from junqiu-lei and VijayanB via 2c78f02 February 16, 2022 19:50
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Feb 16, 2022
edited
Loading

Codecov Report

Merging #292 (2c78f02) into main (cb1a7d8) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff            @@
##               main     #292   +/-   ##
=========================================
  Coverage     83.38%   83.38%           
  Complexity      885      885           
=========================================
  Files           127      127           
  Lines          3834     3834           
  Branches        361      361           
=========================================
  Hits           3197     3197           
  Misses          475      475           
  Partials        162      162

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cb1a7d8...2c78f02. Read the comment docs.

@jmazanec15 jmazanec15 merged commit e77ef78 into opensearch-project:main Feb 16, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Feb 16, 2022
@jmazanec15 @github-actions
Updates Guava versions to address CVE (#292)
b811e21 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
(cherry picked from commit e77ef78)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Feb 16, 2022
Closed
@opensearch-trigger-bot
Copy link
Copy Markdown
Contributor

opensearch-trigger-bot bot commented Feb 16, 2022

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-292-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e77ef78775ab6414d67dd240de9d01b85c0373b8
# Push it to GitHub
git push --set-upstream origin backport/backport-292-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-292-to-1.x.

opensearch-trigger-bot bot pushed a commit that referenced this pull request Feb 16, 2022
@jmazanec15 @github-actions
Updates Guava versions to address CVE (#292)
9008f59 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
(cherry picked from commit e77ef78)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Feb 16, 2022
Merged
jmazanec15 added a commit that referenced this pull request Feb 16, 2022
@jmazanec15
Updates Guava versions to address CVE (#292)
dde19db 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
jmazanec15 pushed a commit that referenced this pull request Feb 16, 2022
@opensearch-trigger-bot
Updates Guava versions to address CVE (#292) (#295)
1995c95 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
martin-gaievski pushed a commit to martin-gaievski/k-NN that referenced this pull request Mar 7, 2022
@opensearch-trigger-bot @martin-gaievski
Updates Guava versions to address CVE (opensearch-project#292) (opens…
caa9310 
…earch-project#295)

Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
martin-gaievski pushed a commit to martin-gaievski/k-NN that referenced this pull request Mar 7, 2022
@opensearch-trigger-bot @martin-gaievski
Updates Guava versions to address CVE (opensearch-project#292) (opens…
045c8c5 
…earch-project#295)

Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
Signed-off-by: Martin Gaievski <gaievski@amazon.com>
martin-gaievski pushed a commit to martin-gaievski/k-NN that referenced this pull request Mar 30, 2022
@jmazanec15
Updates Guava versions to address CVE (opensearch-project#292)
8c53f45 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
martin-gaievski pushed a commit to martin-gaievski/k-NN that referenced this pull request Mar 31, 2022
@opensearch-trigger-bot
Updates Guava versions to address CVE (opensearch-project#292) (opens…
83e09bb 
…earch-project#295)

Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
jingqimao77-spec pushed a commit to jingqimao77-spec/k-NN that referenced this pull request Mar 15, 2026
@jmazanec15
Updates Guava versions to address CVE (opensearch-project#292)
9fb1102 
Updates direct Guava dependency to 30.0. Also, updates check style to
9.3 to inherent Guava fix. Remove deprecated features from check style
  xml config file.

Signed-off-by: John Mazanec <jmazane@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@martin-gaievski martin-gaievski martin-gaievski approved these changes

@vamshin vamshin Awaiting requested review from vamshin vamshin is a code owner

@junqiu-lei junqiu-lei Awaiting requested review from junqiu-lei junqiu-lei is a code owner

@VijayanB VijayanB Awaiting requested review from VijayanB VijayanB is a code owner

+1 more reviewer

@Shivamdhar Shivamdhar Shivamdhar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport 1.x security fix Security fix generated by WhiteSource

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@jmazanec15 @codecov-commenter @Shivamdhar @VijayanB @vamshin @junqiu-lei @martin-gaievski