HBASE-28089 Upgrade BouncyCastle to fix CVE-2023-33201 #5407
NihalJain commented Sep 16, 2023 (edited)
- Upgrades to v1.76, i.e. the latest version
- Replaces bcprov-jdk15on with bcprov-jdk18on and bcpkix-jdk15on with bcpkix-jdk18on
- Excludes bcprov-jdk15on from everywhere else, to avoid conflicts with bcprov-jdk18on
First ran
Next, ran
@@ -856,7 +856,7 @@ | |||
<joni.version>2.1.43</joni.version> | |||
<jcodings.version>1.0.57</jcodings.version> | |||
<spy.version>2.12.2</spy.version> | |||
<bouncycastle.version>1.70</bouncycastle.version> | |||
<bouncycastle.version>1.76</bouncycastle.version> |
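Review bot: bumping bouncycastle.version from 1.70 to 1.76 only changes the version the bcprov/bcpkix artifacts resolve to; it does not by itself stop the old org.bouncycastle:*-jdk15on artifact ids from arriving transitively, which is why the description also switches the artifact ids to *-jdk18on and excludes *-jdk15on elsewhere. Consider pairing this property change with a maven-enforcer-plugin bannedDependencies rule for org.bouncycastle:*-jdk15on, so that a future dependency pulling bcprov-jdk15on back in fails the build instead of silently shipping two BouncyCastle providers.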
Should we add an enforcer rule to ban org.bouncycastle:*-jdk15on, or is this fine?
Fixed, will undo these changes if others feel this is not needed.
Verified the ban plugin is working correctly by deleting the explicit exclusion from org.apache.directory.server:apacheds-protocol-ldap and letting the org.bouncycastle:bcprov-jdk15on dependency come in transitively.
Next ran mvn clean verify and the following error is thrown (as expected):
.
.
[INFO]
[INFO] --------------------< org.apache.hbase:hbase-http >---------------------
[INFO] Building Apache HBase - HTTP 4.0.0-alpha-1-SNAPSHOT [16/50]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:3.1.0:clean (default-clean) @ hbase-http ---
[INFO] Deleting /Users/nihaljain/code/os/hbase/hbase-http/target
[INFO]
[INFO] --- flatten-maven-plugin:1.3.0:clean (flatten.clean) @ hbase-http ---
[INFO] Deleting /Users/nihaljain/code/os/hbase/hbase-http/.flattened-pom.xml
[INFO]
[INFO] --- build-helper-maven-plugin:3.0.0:bsh-property (negate-license-bundles-property) @ hbase-http ---
[INFO]
[INFO] --- build-helper-maven-plugin:3.0.0:regex-property (create-license-file-path-property) @ hbase-http ---
[INFO] No match to regex '\\' found in '/Users/nihaljain/code/os/hbase/hbase-http/target/maven-shared-archive-resources/META-INF/LICENSE'. The initial value '/Users/nihaljain/code/os/temp/hbase/hbase-http/target/maven-shared-archive-resources/META-INF/LICENSE' is left as-is...
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce-maven-version) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (hadoop-profile-min-maven-min-java-banned-xerces) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-jsr305) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-scala) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-commons-logging) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-other-logging-framework) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-jetty) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-jersey) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-htrace) @ hbase-http ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (banned-bouncycastle-jdk15on) @ hbase-http ---
[WARNING] Rule 0: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Use org.bouncycastle:*-jdk18on instead
Found Banned Dependency: org.bouncycastle:bcprov-jdk15on:jar:1.62
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Apache HBase 4.0.0-alpha-1-SNAPSHOT:
[INFO]
[INFO] Apache HBase ....................................... SUCCESS [ 2.544 s]
[INFO] Apache HBase - Checkstyle .......................... SUCCESS [ 0.653 s]
[INFO] Apache HBase - Annotations ......................... SUCCESS [ 0.916 s]
[INFO] Apache HBase - Build Configuration ................. SUCCESS [ 0.165 s]
[INFO] Apache HBase - Logging ............................. SUCCESS [ 1.251 s]
[INFO] Apache HBase - Shaded Protocol ..................... SUCCESS [ 36.023 s]
[INFO] Apache HBase - Common .............................. SUCCESS [ 9.505 s]
[INFO] Apache HBase - Metrics API ......................... SUCCESS [ 1.602 s]
[INFO] Apache HBase - Metrics Implementation .............. SUCCESS [ 1.717 s]
[INFO] Apache HBase - Hadoop Compatibility ................ SUCCESS [ 3.534 s]
[INFO] Apache HBase - Client .............................. SUCCESS [ 9.969 s]
[INFO] Apache HBase - Zookeeper ........................... SUCCESS [ 2.485 s]
[INFO] Apache HBase - Replication ......................... SUCCESS [ 2.522 s]
[INFO] Apache HBase - Balancer ............................ SUCCESS [ 3.402 s]
[INFO] Apache HBase - Resource Bundle ..................... SUCCESS [ 0.173 s]
[INFO] Apache HBase - HTTP ................................ FAILURE [ 0.702 s]
[INFO] Apache HBase - Asynchronous FileSystem ............. SKIPPED
[INFO] Apache HBase - Procedure ........................... SKIPPED
[INFO] Apache HBase - Server .............................. SKIPPED
[INFO] Apache HBase - MapReduce ........................... SKIPPED
[INFO] Apache HBase - Testing Util ........................ SKIPPED
[INFO] Apache HBase - Thrift .............................. SKIPPED
[INFO] Apache HBase - Shell ............................... SKIPPED
[INFO] Apache HBase - Coprocessor Endpoint ................ SKIPPED
[INFO] Apache HBase - Backup .............................. SKIPPED
[INFO] Apache HBase - Integration Tests ................... SKIPPED
[INFO] Apache HBase - Rest ................................ SKIPPED
[INFO] Apache HBase - Examples ............................ SKIPPED
[INFO] Apache HBase - Shaded .............................. SKIPPED
[INFO] Apache HBase - Shaded - Client (with Hadoop bundled) SKIPPED
[INFO] Apache HBase - Shaded - Client ..................... SKIPPED
[INFO] Apache HBase - Shaded - MapReduce .................. SKIPPED
[INFO] Apache HBase - External Block Cache ................ SKIPPED
[INFO] Apache HBase - HBTop ............................... SKIPPED
[INFO] Apache HBase - Compression ......................... SKIPPED
[INFO] Apache HBase - Compression - Aircompressor ......... SKIPPED
[INFO] Apache HBase - Compression - Brotli ................ SKIPPED
[INFO] Apache HBase - Compression - LZ4 ................... SKIPPED
[INFO] Apache HBase - Compression - Snappy ................ SKIPPED
[INFO] Apache HBase - Compression - XZ .................... SKIPPED
[INFO] Apache HBase - Compression - ZStandard ............. SKIPPED
[INFO] Apache HBase - Assembly ............................ SKIPPED
[INFO] Apache HBase - Shaded - Testing Util ............... SKIPPED
[INFO] Apache HBase - Shaded - Testing Util Tester ........ SKIPPED
[INFO] Apache HBase Shaded Packaging Invariants ........... SKIPPED
[INFO] Apache HBase Shaded Packaging Invariants (with Hadoop bundled) SKIPPED
[INFO] Apache HBase - Archetypes .......................... SKIPPED
[INFO] Apache HBase - Exemplar for hbase-client archetype . SKIPPED
[INFO] Apache HBase - Exemplar for hbase-shaded-client archetype SKIPPED
[INFO] Apache HBase - Archetype builder ................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:18 min
[INFO] Finished at: 2023-09-17T01:38:00+05:30
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (banned-bouncycastle-jdk15on) on project hbase-http: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn <args> -rf :hbase-http
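As an added illustration of the check exercised in the comment above (example configuration written for this page, not HBase's own pom.xml), here are the three pieces that together keep the old artifact out of the build: the swap to the *-jdk18on coordinates, an explicit exclusion on a dependency the comment identifies as bringing bcprov-jdk15on transitively, and an enforcer execution whose id and message match the ones in the log. The execution id, rule message, artifact coordinates and the 1.76 / 3.0.0 versions come from the page; the surrounding pom layout and the apacheds.version property name are assumptions.

```xml
<!-- Added example, not the HBase project's pom.xml. Fragments are assumed to sit in the
     root pom of a multi-module build; versions other than bouncycastle.version are assumed
     to be managed elsewhere. -->
<project>
  <properties>
    <!-- The version the PR upgrades to; only the *-jdk18on artifact line is used below -->
    <bouncycastle.version>1.76</bouncycastle.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- New coordinates: the *-jdk18on artifacts replace the *-jdk15on ones -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <!-- A dependency the comment above identifies as pulling bcprov-jdk15on transitively;
           the explicit exclusion keeps the old artifact id out of the graph.
           apacheds.version is an assumed property name. -->
      <dependency>
        <groupId>org.apache.directory.server</groupId>
        <artifactId>apacheds-protocol-ldap</artifactId>
        <version>${apacheds.version}</version>
        <exclusions>
          <exclusion>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk15on</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <executions>
          <!-- Safety net: if any module later drags a *-jdk15on jar back in, the build
               fails with the BannedDependencies message shown in the log above -->
          <execution>
            <id>banned-bouncycastle-jdk15on</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- groupId:artifactId pattern; the wildcard covers bcprov, bcpkix, bcutil... -->
                    <exclude>org.bouncycastle:*-jdk15on</exclude>
                  </excludes>
                  <message>Use org.bouncycastle:*-jdk18on instead</message>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The enforce goal binds to the validate phase by default, so mvn clean verify trips the rule before anything is compiled, which is the failure shown at hbase-http above. When it fires, mvn dependency:tree -Dincludes=org.bouncycastle on the failing module shows which declared dependency still carries the banned coordinate and therefore needs its own exclusion.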
💔 -1 overall
This message was automatically generated.
f4bf177 to 455c460
🎊 +1 overall
This message was automatically generated.
💔 -1 overall
This message was automatically generated.
🎊 +1 overall
This message was automatically generated.
All checks are green now, will merge this to master and branch-2 by EOD.
This is a security fix so let's get them in all active branches. All branch-2.x are jdk8+ only, so it should be fine. Thanks.
Thanks for the quick heads up @Apache9.
- Upgrades to v1.76, i.e. the latest version
- Replaces *-jdk15on with *-jdk18on
- Excludes *-jdk15on from everywhere else, to avoid conflicts with *-jdk18on
Signed-off-by: Duo Zhang <[email protected]>
Reviewed-by: Aman Poonia <[email protected]>
(cherry picked from commit 8b2ca86)
This change fixes https://github.com/apache/hbase/security/dependabot/56!
- Upgrades to v1.76, i.e. the latest version
- Replaces *-jdk15on with *-jdk18on
- Excludes *-jdk15on from everywhere else, to avoid conflicts with *-jdk18on
Signed-off-by: Duo Zhang <[email protected]>
Reviewed-by: Aman Poonia <[email protected]>