[ https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=762312&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-762312 ]
ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------

Author: ASF GitHub Bot
Created on: 26/Apr/22 13:38
Start Date: 26/Apr/22 13:38
Worklog Time Spent: 10m
Work Description: hadoop-yetus commented on PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#issuecomment-1109809947

:broken_heart: **-1 overall**

| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|----------:|--------:|:--------:|:-------:|
| +0 :ok: | reexec | 0m 55s | | Docker mode activated. |
|||| _ Prechecks _ |
| +1 :green_heart: | dupname | 0m 0s | | No case conflicting files found. |
| +0 :ok: | codespell | 0m 0s | | codespell was not available. |
| +0 :ok: | shelldocs | 0m 1s | | Shelldocs was not available. |
| +1 :green_heart: | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 :x: | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
|||| _ trunk Compile Tests _ |
| +0 :ok: | mvndep | 15m 38s | | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 28m 28s | | trunk passed |
| +1 :green_heart: | compile | 24m 55s | | trunk passed with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04 |
| +1 :green_heart: | compile | 21m 36s | | trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 :green_heart: | checkstyle | 4m 31s | | trunk passed |
| +1 :green_heart: | mvnsite | 20m 1s | | trunk passed |
| -1 :x: | javadoc | 1m 35s | [/branch-javadoc-root-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/branch-javadoc-root-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.txt) | root in trunk failed with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04. |
| +1 :green_heart: | javadoc | 8m 24s | | trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +0 :ok: | spotbugs | 0m 27s | | branch/hadoop-project no spotbugs output file (spotbugsXml.xml) |
| +1 :green_heart: | shadedclient | 57m 48s | | branch has no errors when building and testing our client artifacts. |
|||| _ Patch Compile Tests _ |
| +0 :ok: | mvndep | 0m 37s | | Maven dependency ordering for patch |
| -1 :x: | mvninstall | 24m 37s | [/patch-mvninstall-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/patch-mvninstall-root.txt) | root in the patch failed. |
| +1 :green_heart: | compile | 24m 35s | | the patch passed with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04 |
| -1 :x: | javac | 24m 35s | [/results-compile-javac-root-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/results-compile-javac-root-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.txt) | root-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04 with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04 generated 2 new + 1815 unchanged - 0 fixed = 1817 total (was 1815) |
| +1 :green_heart: | compile | 21m 34s | | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| -1 :x: | javac | 21m 34s | [/results-compile-javac-root-jdkPrivateBuild-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/results-compile-javac-root-jdkPrivateBuild-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07.txt) | root-jdkPrivateBuild-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 generated 2 new + 1690 unchanged - 0 fixed = 1692 total (was 1690) |
| +1 :green_heart: | blanks | 0m 0s | | The patch has no blanks issues. |
| -0 :warning: | checkstyle | 4m 25s | [/results-checkstyle-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/results-checkstyle-root.txt) | root: The patch generated 3 new + 0 unchanged - 0 fixed = 3 total (was 0) |
| +1 :green_heart: | mvnsite | 19m 38s | | the patch passed |
| +1 :green_heart: | shellcheck | 0m 0s | | No new issues. |
| +1 :green_heart: | xml | 0m 4s | | The patch has no ill-formed XML file. |
| -1 :x: | javadoc | 1m 28s | [/patch-javadoc-root-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/patch-javadoc-root-jdkUbuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04.txt) | root in the patch failed with JDK Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04. |
| +1 :green_heart: | javadoc | 8m 20s | | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +0 :ok: | spotbugs | 0m 26s | | hadoop-project has no data from spotbugs |
| -1 :x: | spotbugs | 2m 52s | [/new-spotbugs-hadoop-hdfs-project_hadoop-hdfs-client.html](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/new-spotbugs-hadoop-hdfs-project_hadoop-hdfs-client.html) | hadoop-hdfs-project/hadoop-hdfs-client generated 3 new + 0 unchanged - 0 fixed = 3 total (was 0) |
| -1 :x: | spotbugs | 35m 38s | [/new-spotbugs-root.html](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/new-spotbugs-root.html) | root generated 3 new + 0 unchanged - 0 fixed = 3 total (was 0) |
| -1 :x: | shadedclient | 58m 40s | | patch has errors when building and testing our client artifacts. |
|||| _ Other Tests _ |
| -1 :x: | unit | 1046m 0s | [/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/patch-unit-root.txt) | root in the patch passed. |
| +1 :green_heart: | asflicense | 2m 17s | | The patch does not generate ASF License warnings. |
| | | 1411m 21s | | |

| Reason | Tests |
|-------:|:------|
| SpotBugs | module:hadoop-hdfs-project/hadoop-hdfs-client |
| | Possible null pointer dereference in org.apache.hadoop.hdfs.web.oauth2.ConfRefreshTokenBasedAccessTokenProvider.refresh() due to return value of called method Dereferenced at ConfRefreshTokenBasedAccessTokenProvider.java:org.apache.hadoop.hdfs.web.oauth2.ConfRefreshTokenBasedAccessTokenProvider.refresh() due to return value of called method Dereferenced at ConfRefreshTokenBasedAccessTokenProvider.java:[line 127] |
| | Exception is caught when Exception is not thrown in org.apache.hadoop.hdfs.web.oauth2.ConfRefreshTokenBasedAccessTokenProvider.refresh() At ConfRefreshTokenBasedAccessTokenProvider.java:is not thrown in org.apache.hadoop.hdfs.web.oauth2.ConfRefreshTokenBasedAccessTokenProvider.refresh() At ConfRefreshTokenBasedAccessTokenProvider.java:[line 135] |
| | Possible null pointer dereference in org.apache.hadoop.hdfs.web.oauth2.CredentialBasedAccessTokenProvider.refresh() due to return value of called method Dereferenced at CredentialBasedAccessTokenProvider.java:org.apache.hadoop.hdfs.web.oauth2.CredentialBasedAccessTokenProvider.refresh() due to return value of called method Dereferenced at CredentialBasedAccessTokenProvider.java:[line 123] |
| SpotBugs | module:root |
| | Possible null pointer dereference in org.apache.hadoop.hdfs.web.oauth2.ConfRefreshTokenBasedAccessTokenProvider.refresh() due to return value of called method Dereferenced at ConfRefreshTokenBasedAccessTokenProvider.java:org.apache.hadoop.hdfs.web.oauth2.ConfRefreshTokenBasedAccessTokenProvider.refresh() due to return value of called method Dereferenced at ConfRefreshTokenBasedAccessTokenProvider.java:[line 127] |
| | Exception is caught when Exception is not thrown in org.apache.hadoop.hdfs.web.oauth2.ConfRefreshTokenBasedAccessTokenProvider.refresh() At ConfRefreshTokenBasedAccessTokenProvider.java:is not thrown in org.apache.hadoop.hdfs.web.oauth2.ConfRefreshTokenBasedAccessTokenProvider.refresh() At ConfRefreshTokenBasedAccessTokenProvider.java:[line 135] |
| | Possible null pointer dereference in org.apache.hadoop.hdfs.web.oauth2.CredentialBasedAccessTokenProvider.refresh() due to return value of called method Dereferenced at CredentialBasedAccessTokenProvider.java:org.apache.hadoop.hdfs.web.oauth2.CredentialBasedAccessTokenProvider.refresh() due to return value of called method Dereferenced at CredentialBasedAccessTokenProvider.java:[line 123] |
| Failed junit tests | hadoop.mapred.TestLocalDistributedCacheManager |
| | hadoop.fs.http.TestHttpFileSystem |

| Subsystem | Report/Notes |
|----------:|:-------------|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/artifact/out/Dockerfile |
| GITHUB PR | https://github.com/apache/hadoop/pull/4229 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell xml spotbugs checkstyle shellcheck shelldocs |
| uname | Linux 54c2c813a5f0 4.15.0-175-generic #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / 9d7ef78778661e103c31159a91bc206511e8fcb9 |
| Default Java | Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Multi-JDK versions | /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.14.1+1-Ubuntu-0ubuntu1.20.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/testReport/ |
| Max. process+thread count | 3137 (vs. ulimit of 5500) |
| modules | C: hadoop-project hadoop-hdfs-project/hadoop-hdfs-client hadoop-tools/hadoop-azure-datalake . U: . |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4229/5/console |
| versions | git=2.25.1 maven=3.6.3 shellcheck=0.7.0 spotbugs=4.2.2 |
| Powered by | Apache Yetus 0.14.0-SNAPSHOT https://yetus.apache.org |

This message was automatically generated.

Issue Time Tracking
-------------------

Worklog Id: (was: 762312)
Time Spent: 2h (was: 1h 50m)

> CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client
> -------------------------------------------------------
>
> Key: HADOOP-18069
> URL: https://issues.apache.org/jira/browse/HADOOP-18069
> Project: Hadoop Common
> Issue Type: Bug
> Components: hdfs-client
> Affects Versions: 3.3.1
> Reporter: Eugene Shinn (Truveta)
> Priority: Major
> Labels: pull-request-available
> Time Spent: 2h
> Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected
> [NVD - CVE-2021-0341 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection]
> in our application. We traced the vulnerability to a transitive dependency
> coming from hadoop-hdfs-client, which depends on okhttp@2.7.5
> ([hadoop/pom.xml at trunk · apache/hadoop (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
> To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref:
> [CVE-2021-0341 · Issue #6724 · square/okhttp (github.com)|https://github.com/square/okhttp/issues/6724]).