[ https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=765062&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-765062 ]
ASF GitHub Bot logged work on HADOOP-18069: ------------------------------------------- Author: ASF GitHub Bot Created on: 02/May/22 17:51 Start Date: 02/May/22 17:51 Worklog Time Spent: 10m Work Description: aajisaka commented on PR #4229: URL: https://github.com/apache/hadoop/pull/4229#issuecomment-1115177416 > spotbugs still thinks there is a problem. what is it that it is warning about? > I already used try-with-resources for OkHttpClient and added request checks as well. The warning is about NPE case. Reading the source code, `responseBody.body()` is always non-null. However, spotbugs thinks `responseBody.body()` may be null and it warns "need null check". I think it is because Spotbugs failed to analyze the okhttp classes from Kotlin. I think we can simply ignore the warnings. @ashutoshcipher would you add some entries to ignore the spotbugs warning in `hadoop-hdfs-project/hadoop-hdfs-client/dev-support/findbugsExcludeFile.xml`? Issue Time Tracking ------------------- Worklog Id: (was: 765062) Time Spent: 4h 10m (was: 4h) > CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client > ------------------------------------------------------- > > Key: HADOOP-18069 > URL: https://issues.apache.org/jira/browse/HADOOP-18069 > Project: Hadoop Common > Issue Type: Bug > Components: hdfs-client > Affects Versions: 3.3.1 > Reporter: Eugene Shinn (Truveta) > Assignee: Ashutosh Gupta > Priority: Major > Labels: pull-request-available > Time Spent: 4h 10m > Remaining Estimate: 0h > > Our static vulnerability scanner (Fortify On Demand) detected [NVD - > CVE-2021-0341 > (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection] > in our application. We traced the vulnerability to a transitive dependency > coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 > ([hadoop/pom.xml at trunk · apache/hadoop > (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]). > To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: > [CVE-2021-0341 · Issue #6724 · square/okhttp > (github.com)|https://github.com/square/okhttp/issues/6724]). -- This message was sent by Atlassian Jira (v8.20.7#820007) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org