@octo-sts octo-sts bot commented Jun 11, 2025

@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr confluent-kafka P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jun 11, 2025

octo-sts bot commented Jun 11, 2025

🩹 Build Failed: Patch Application Failed

patching file LICENSE-binary
Hunk #1 FAILED at 206.
1 out of 1 hunk FAILED -- saving rejects to file LICENSE-binary.rej

Build Details

Build System:  Gradle
Failure Point: patch '-p1' --fuzz=2 --verbose <fix-GHSA-wxr5-93ph-8wr9-force-update-common-beanutils.patch

Root Cause Analysis 🔍

The patch being applied (fix-GHSA-wxr5-93ph-8wr9-force-update-common-beanutils.patch) failed to apply cleanly to the LICENSE-binary file. While the changes to build.gradle and gradle/dependencies.gradle were successfully applied, the hunk for LICENSE-binary failed to apply, causing the entire patch operation to fail with exit status 1.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: fix-GHSA-wxr5-93ph-8wr9-force-update-common-beanutils.patch

The section targeting line 206 of LICENSE-binary

Replacement:

Create an updated patch by examining the current LICENSE-binary file and adjusting the hunk to match

Content:

Update the patch file to match the current state of the LICENSE-binary file

File: confluent-kafka.yaml

  • modify at line pipeline patch step (pipeline section)
    Original:
  - uses: patch
    with:
      patches: fix-GHSA-wxr5-93ph-8wr9-force-update-common-beanutils.patch

Replacement:

  - uses: patch
    with:
      patches: fix-GHSA-wxr5-93ph-8wr9-force-update-common-beanutils.patch
      options: '--reject-format=unified -f'

Content:

Modify the patch step to use --reject-format=unified and continue on error

File: confluent-kafka.yaml

  • add at line after patch step (pipeline section, after patch step)
    Original:
  - uses: patch
    with:
      patches: fix-GHSA-wxr5-93ph-8wr9-force-update-common-beanutils.patch

Replacement:

  - uses: patch
    with:
      patches: fix-GHSA-wxr5-93ph-8wr9-force-update-common-beanutils.patch

  # Manually apply the dependency update in case the patch fails
  - runs: |
      # Force update commons-beanutils dependency to address GHSA-wxr5-93ph-8wr9
      sed -i '/commons-beanutils:commons-beanutils/s/[0-9]\+\.[0-9]\+\.[0-9]\+/1.9.4/g' gradle/dependencies.gradle
      sed -i '/commons-beanutils:commons-beanutils/s/[0-9]\+\.[0-9]\+\.[0-9]\+/1.9.4/g' build.gradle

Content:

Add manual update of commons-beanutils dependency after the patch step

Analysis

The current build failure involves a patch failing to apply cleanly to the LICENSE-binary file, where the hunk #1 at line 206 failed. This is similar to the example fix where a patch failed to apply to gradle/dependencies.gradle.

In the similar case, the fix didn't involve modifying the patch itself but rather creating a new approach - defining a new package YAML file. This pattern suggests that when patches fail to apply cleanly due to version mismatches or content changes, it's often more reliable to either:

  1. Update the patch to match the current file state
  2. Create a more direct solution that bypasses the need for the problematic patch

The failure indicates the patch partially applied (successfully modifying build.gradle and gradle/dependencies.gradle) but failed on the LICENSE-binary file.


Explanation

The build is failing because a patch to fix security vulnerability GHSA-wxr5-93ph-8wr9 (related to commons-beanutils) isn't applying correctly to the LICENSE-binary file. The patch is likely trying to update the dependency version information in the LICENSE file, but the content or line numbers have changed in the current version of Confluent Kafka.

I'm suggesting three possible solutions:

  1. Update the patch file: By examining the current LICENSE-binary file and the rejected patch (in LICENSE-binary.rej), you can create an updated patch that correctly applies to the current file state. This is the most direct fix but requires examining the actual content of both files.

  2. Force the patch to apply with options: By adding the -f option to the patch command, it will force the patch to continue despite failures. This won't fix the LICENSE-binary file but will ensure the critical dependency updates in build.gradle and gradle/dependencies.gradle get applied.

  3. Manually apply the dependency changes: Instead of relying solely on the patch, we can add a step that uses sed to directly update the commons-beanutils dependency version to 1.9.4 in the build files. This ensures the security fix is applied even if the patch fails.

The root cause appears to be that the patch was created for a specific version of Confluent Kafka, but the version being built now has different file content at the specified locations. This is a common issue when applying security patches across different versions of a package.


Alternative Approaches

  • Create a completely new patch file by using the git diff command after manually making the necessary changes to update commons-beanutils to version 1.9.4
  • Skip the LICENSE-binary file update entirely if it's not critical to the build process, by creating a modified patch that only includes the build.gradle and gradle/dependencies.gradle changes
  • Use Gradle's dependency management to override the commons-beanutils version by adding a resolutionStrategy to the build script without using a patch at all
  • Apply a targeted sed command to just update the LICENSE-binary file at the appropriate location rather than using the patch system

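Option 2 above forces the patch past the rejected LICENSE-binary hunk, so the patch step's exit status no longer proves that the dependency fix landed. The following is an added example (not code from the PR or the Wolfi repo) that checks the build files for the pinned version and runs the PR's sed fallback only when a file is still stale; it assumes the dependency is written as `commons-beanutils:commons-beanutils:<version>`, the same form the PR's sed commands match.

```shell
#!/bin/sh
# Added example, not from the PR: after a patch step allowed to continue past a
# rejected hunk (patch -f), verify that GHSA-wxr5-93ph-8wr9's force-update really
# pinned commons-beanutils to 1.9.4 in every build file, rather than trusting the
# patch exit status. Assumes the "commons-beanutils:commons-beanutils:<ver>" form.

WANT_VERSION="1.9.4"

# Print the first commons-beanutils version declared in a Gradle file (empty if none).
beanutils_version() {
    sed -n 's/.*commons-beanutils:commons-beanutils:\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 only when every file given declares exactly WANT_VERSION; report each mismatch.
verify_beanutils() {
    rc=0
    for f in "$@"; do
        v=$(beanutils_version "$f")
        if [ "$v" = "$WANT_VERSION" ]; then
            echo "OK:   $f pins commons-beanutils $WANT_VERSION"
        else
            echo "FAIL: $f pins commons-beanutils '${v:-<none>}', want $WANT_VERSION" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Portable form of the PR's fallback sed step (no GNU-only \+ or -i): rewrite the
# version on every line that names the dependency.
apply_forced_update() {
    for f in "$@"; do
        sed "/commons-beanutils:commons-beanutils/s/[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*/$WANT_VERSION/g" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Constructed stand-ins for build.gradle and gradle/dependencies.gradle, as they
# would look if the patch had updated one file but had its hunk for the other rejected.
WORK=$(mktemp -d)
printf 'dependencies {\n  implementation "commons-beanutils:commons-beanutils:1.9.4"\n}\n' > "$WORK/build.gradle"
printf 'libs += [commonsBeanutils: "commons-beanutils:commons-beanutils:1.9.3"]\n' > "$WORK/dependencies.gradle"

if ! verify_beanutils "$WORK/build.gradle" "$WORK/dependencies.gradle"; then
    echo "patch left the fix incomplete; applying the sed fallback"
    apply_forced_update "$WORK/build.gradle" "$WORK/dependencies.gradle"
    verify_beanutils "$WORK/build.gradle" "$WORK/dependencies.gradle"
fi
```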

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jun 11, 2025
@octo-sts octo-sts bot closed this Jun 13, 2025

octo-sts bot commented Jun 13, 2025

superseded by #56161

@octo-sts octo-sts bot deleted the wolfictl-24317087-effc-4041-8665-8a2ffbb03b8b branch June 14, 2025 00:02
