[ https://issues.apache.org/jira/browse/OOZIE-3418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16744995#comment-16744995 ]
Andras Salamon commented on OOZIE-3418:
---------------------------------------

As a quick test I bumped up the guava version to {{24.1.1}} and {{27.0}} and tried to compile Oozie, but it failed:
{noformat}
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:10 min
[INFO] Finished at: 2019-01-17T13:16:40+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.7.0:compile (default-compile) on project oozie-core: Compilation failure: Compilation failure:
[ERROR] /Users/andrassalamon/src/oozie/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java:[1110,27] no suitable method found for closeQuietly(org.apache.hadoop.yarn.client.api.YarnClient)
[ERROR] method com.google.common.io.Closeables.closeQuietly(java.io.InputStream) is not applicable
[ERROR] (argument mismatch; org.apache.hadoop.yarn.client.api.YarnClient cannot be converted to java.io.InputStream)
[ERROR] method com.google.common.io.Closeables.closeQuietly(java.io.Reader) is not applicable
[ERROR] (argument mismatch; org.apache.hadoop.yarn.client.api.YarnClient cannot be converted to java.io.Reader)
[ERROR] /Users/andrassalamon/src/oozie/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java:[1874,27] no suitable method found for closeQuietly(org.apache.hadoop.yarn.client.api.YarnClient)
[ERROR] method com.google.common.io.Closeables.closeQuietly(java.io.InputStream) is not applicable
[ERROR] (argument mismatch; org.apache.hadoop.yarn.client.api.YarnClient cannot be converted to java.io.InputStream)
[ERROR] method com.google.common.io.Closeables.closeQuietly(java.io.Reader) is not applicable
[ERROR] (argument mismatch; org.apache.hadoop.yarn.client.api.YarnClient cannot be converted to java.io.Reader)
[ERROR] /Users/andrassalamon/src/oozie/core/src/main/java/org/apache/oozie/service/JvmPauseMonitorService.java:[159,28] constructor Stopwatch in class com.google.common.base.Stopwatch cannot be applied to given types;
[ERROR] required: com.google.common.base.Ticker
[ERROR] found: no arguments
[ERROR] reason: actual and formal argument lists differ in length
[ERROR] /Users/andrassalamon/src/oozie/core/src/main/java/org/apache/oozie/service/JvmPauseMonitorService.java:[168,41] cannot find symbol
[ERROR] symbol: method elapsedMillis()
[ERROR] location: variable sw of type com.google.common.base.Stopwatch
{noformat}

Switching to a new Guava version would require fixing all the incompatibilities one by one. Probably we can just replace some of the Guava code with standard Java code, for instance {{Closeables.closeQuietly}} has been [removed from Guava|https://google.github.io/guava/releases/14.0/api/docs/com/google/common/io/Closeables.html] in favor of try-with-resources:
{noformat}
@Deprecated
public static void closeQuietly(@Nullable Closeable closeable)

Deprecated. Where possible, use the try-with-resources statement if using JDK7 or Closer on JDK6 to close one or more Closeable objects. This method is deprecated because it is easy to misuse and may swallow IO exceptions that really should be thrown and handled. See Guava issue 1118 for a more detailed explanation of the reasons for deprecation and see Closing Resources for more information on the problems with closing Closeable objects and some of the preferred solutions for handling it correctly. This method is scheduled to be removed in Guava 16.0.

Equivalent to calling close(closeable, true), but with no IOException in the signature.
{noformat}

> Upgrade to Guava 27
> -------------------
>
>                 Key: OOZIE-3418
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3418
>             Project: Oozie
>          Issue Type: Bug
>   Affects Versions: 5.1.0
>            Reporter: Andras Salamon
>            Priority: Major
>
> There is a guava security issue:
> [CVE-2018-10237|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237]
> Currently we use Guava 11.0.2 which is affected. We need to upgrade to at
> least guava 24.1.1. Probably the best would be to use Guava 27.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
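
The JDK-only replacements the comment above suggests, as an added example that is not Oozie code and not part of the original message: try-with-resources in place of {{Closeables.closeQuietly}}, and {{System.nanoTime()}} in place of {{new Stopwatch()}} / {{elapsedMillis()}}. {{FakeClient}} is a constructed stand-in for a {{Closeable}} client such as {{YarnClient}}; the class and method names are assumptions.

```java
import java.io.Closeable;
import java.io.IOException;
import java.util.concurrent.TimeUnit;

public class GuavaFreeReplacements {

    // Constructed stand-in for a Closeable client such as YarnClient (hypothetical class).
    static class FakeClient implements Closeable {
        private final boolean failOnClose;
        FakeClient(boolean failOnClose) { this.failOnClose = failOnClose; }
        String status() { return "RUNNING"; }
        @Override public void close() throws IOException {
            if (failOnClose) throw new IOException("close failed");
        }
    }

    // try-with-resources closes the client on every exit path. A failure in
    // close() reaches the caller as an IOException instead of being swallowed,
    // which is the misuse the closeQuietly deprecation note warns about.
    static String queryStatus(boolean failOnClose) throws IOException {
        try (FakeClient client = new FakeClient(failOnClose)) {
            return client.status();
        }
    }

    // Elapsed time from the JDK monotonic clock, with no Guava Stopwatch involved,
    // so the code compiles the same way against any Guava version.
    static long elapsedMillis(long startNanos) {
        return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startNanos);
    }

    public static void main(String[] args) throws Exception {
        long start = System.nanoTime();
        System.out.println(queryStatus(false));
        try {
            queryStatus(true);
        } catch (IOException e) {
            // The close() error is visible to the caller and can be logged or handled.
            System.out.println("close error reported: " + e.getMessage());
        }
        Thread.sleep(20);
        System.out.println("elapsed at least 20 ms: " + (elapsedMillis(start) >= 20));
    }
}
```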