JiaLiangC opened a new pull request, #1259:
URL: https://github.com/apache/bigtop/pull/1259
### Description of PR
fix commons-configuration2 CVE
HADOOP-19123. Update to commons-configuration2 2.10.1 due to CVE #6661
https://github.com/apache/hadoop/pull/6661

fix commons-compress CVE
HADOOP-19114. Upgrade to commons-compress 1.26.1 due to CVEs. #6636
https://github.com/apache/hadoop/pull/6636/files

This PR is to resolve the compilation failure issue caused by the modification of a CVE.
HADOOP-18929. Exclude commons-compress module-info.class #6169
https://github.com/apache/hadoop/pull/6169

This PR aims to solve the inconvenience of having to exclude dependencies every time a modification is made, such as after modifying the two CVEs above, by excluding all of them.
HADOOP-18916. Exclude all module-info classes from uber jars (#6131) #6188
https://github.com/apache/hadoop/pull/6188

This is divided into two patches. The reason why the two CVEs were combined into one patch is that the code merged for the two CVEs is only separated by one line (LicenseBinary). After applying the first patch, the second patch would report a conflict. The modifications for HADOOP-18929 were reverted in HADOOP-18916, which adopted a better implementation, hence HADOOP-18916 is used.

### How was this patch tested?
manual test, smoke test
tested on rocky8

```
./docker-hadoop.sh -d -dcp --create 3 --image bigtop/puppet:trunk-rockylinux-8 --docker-compose-plugin --memory 8g --repo file:///bigtop-home/output --disable-gpg-check --stack hdfs,yarn,mapreduce --smoke-tests hdfs,yarn,mapreduce
```

### For code changes:
- [ ] Does the title of this PR start with the corresponding JIRA issue id (e.g. 'BIGTOP-3638. Your PR title ...')?
- [ ] Make sure that newly added files do not have any licensing issues.
When in doubt refer to https://www.apache.org/licenses/
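A post-build check for the module-info exclusion described in the PR above, added here as an example and not taken from the Hadoop or Bigtop code: it lists any JPMS module descriptors left in an uber jar, including multi-release copies under `META-INF/versions/`. The function names and the sample jar contents are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# A module descriptor sits at the jar root or, in a multi-release jar,
# under META-INF/versions/<N>/. Both forms must be absent from an uber jar.
MODULE_INFO = re.compile(r"^(META-INF/versions/\d+/)?module-info\.class$")


def find_module_info(jar_file):
    """Return the sorted entry names in the jar that are module descriptors."""
    with zipfile.ZipFile(jar_file) as jar:
        return sorted(n for n in jar.namelist() if MODULE_INFO.match(n))


def build_sample_jar(entries):
    """Build an in-memory jar with empty entries (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    buf.seek(0)
    return buf


# Constructed sample: what a shaded jar looks like when a dependency
# upgrade brings in descriptors that the shade filters do not exclude.
LEAKY = [
    "META-INF/MANIFEST.MF",
    "module-info.class",
    "META-INF/versions/9/module-info.class",
    "org/apache/commons/compress/archivers/zip/ZipFile.class",
]
CLEAN = [n for n in LEAKY if not MODULE_INFO.match(n)]

if __name__ == "__main__":
    # With paths on the command line, check real jars; otherwise use the sample.
    targets = sys.argv[1:] or [build_sample_jar(LEAKY)]
    failed = False
    for target in targets:
        for name in find_module_info(target):
            failed = True
            print(f"module descriptor present: {name}")
    sys.exit(1 if failed else 0)
```

Run against the built uber jars, a non-zero exit status means a descriptor is still being packaged.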