[ https://issues.apache.org/jira/browse/OOZIE-3418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16744995#comment-16744995 ]

Andras Salamon commented on OOZIE-3418:
---------------------------------------

As a quick test I bumped up the guava version to {{24.1.1}} and {{27.0}} and 
tried to compile Oozie, but it failed:
{noformat}
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:10 min
[INFO] Finished at: 2019-01-17T13:16:40+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.7.0:compile (default-compile) on project oozie-core: Compilation failure: Compilation failure:
[ERROR] /Users/andrassalamon/src/oozie/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java:[1110,27] no suitable method found for closeQuietly(org.apache.hadoop.yarn.client.api.YarnClient)
[ERROR]     method com.google.common.io.Closeables.closeQuietly(java.io.InputStream) is not applicable
[ERROR]       (argument mismatch; org.apache.hadoop.yarn.client.api.YarnClient cannot be converted to java.io.InputStream)
[ERROR]     method com.google.common.io.Closeables.closeQuietly(java.io.Reader) is not applicable
[ERROR]       (argument mismatch; org.apache.hadoop.yarn.client.api.YarnClient cannot be converted to java.io.Reader)
[ERROR] /Users/andrassalamon/src/oozie/core/src/main/java/org/apache/oozie/action/hadoop/JavaActionExecutor.java:[1874,27] no suitable method found for closeQuietly(org.apache.hadoop.yarn.client.api.YarnClient)
[ERROR]     method com.google.common.io.Closeables.closeQuietly(java.io.InputStream) is not applicable
[ERROR]       (argument mismatch; org.apache.hadoop.yarn.client.api.YarnClient cannot be converted to java.io.InputStream)
[ERROR]     method com.google.common.io.Closeables.closeQuietly(java.io.Reader) is not applicable
[ERROR]       (argument mismatch; org.apache.hadoop.yarn.client.api.YarnClient cannot be converted to java.io.Reader)
[ERROR] /Users/andrassalamon/src/oozie/core/src/main/java/org/apache/oozie/service/JvmPauseMonitorService.java:[159,28] constructor Stopwatch in class com.google.common.base.Stopwatch cannot be applied to given types;
[ERROR]   required: com.google.common.base.Ticker
[ERROR]   found: no arguments
[ERROR]   reason: actual and formal argument lists differ in length
[ERROR] /Users/andrassalamon/src/oozie/core/src/main/java/org/apache/oozie/service/JvmPauseMonitorService.java:[168,41] cannot find symbol
[ERROR]   symbol:   method elapsedMillis()
[ERROR]   location: variable sw of type com.google.common.base.Stopwatch{noformat}

Switching to a new Guava version would require fixing all the incompatibilities 
one by one. Probably we can just replace some of the Guava code with standard 
Java code, for instance {{Closeables.closeQuietly}} has been 
[removed from Guava|https://google.github.io/guava/releases/14.0/api/docs/com/google/common/io/Closeables.html] 
in favor of try-with-resources:

{noformat}@Deprecated
public static void closeQuietly(@Nullable
                           Closeable closeable)

Deprecated. Where possible, use the try-with-resources statement if using JDK7 
or Closer on JDK6 to close one or more Closeable objects. This method is 
deprecated because it is easy to misuse and may swallow IO exceptions that 
really should be thrown and handled. See Guava issue 1118 for a more detailed 
explanation of the reasons for deprecation and see Closing Resources for more 
information on the problems with closing Closeable objects and some of the 
preferred solutions for handling it correctly. This method is scheduled to be 
removed in Guava 16.0.
Equivalent to calling close(closeable, true), but with no IOException in the 
signature.
{noformat}

> Upgrade to Guava 27
> -------------------
>
>                 Key: OOZIE-3418
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3418
>             Project: Oozie
>          Issue Type: Bug
>    Affects Versions: 5.1.0
>            Reporter: Andras Salamon
>            Priority: Major
>
> There is a guava security issue: 
> [CVE-2018-10237|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237]
> Currently we use Guava 11.0.2 which is affected. We need to upgrade to at 
> least guava 24.1.1. Probably the best would be to use Guava 27.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
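
The try-with-resources replacement suggested in the comment above, as an added example that is not part of the original message or of the Oozie code base. FakeClient is a hypothetical stand-in for a client that implements java.io.Closeable; the point shown is that a close() failure which the closeQuietly pattern discards is propagated, or kept as a suppressed exception, by try-with-resources.

```java
import java.io.Closeable;
import java.io.IOException;

public class CloseQuietlyMigration {
    // Hypothetical stand-in for a Closeable client; not an Oozie or Hadoop class.
    static final class FakeClient implements Closeable {
        private final boolean failOnClose;
        FakeClient(boolean failOnClose) { this.failOnClose = failOnClose; }
        String query() { return "application-state"; }
        @Override public void close() throws IOException {
            if (failOnClose) throw new IOException("close failed");
        }
    }

    // Old pattern: finally + closeQuietly. A close() failure is silently dropped.
    static String oldStyle(boolean failOnClose) {
        FakeClient client = new FakeClient(failOnClose);
        try {
            return client.query();
        } finally {
            try { client.close(); } catch (IOException ignored) { /* swallowed */ }
        }
    }

    // Replacement: try-with-resources. A close() failure reaches the caller.
    static String newStyle(boolean failOnClose) throws IOException {
        try (FakeClient client = new FakeClient(failOnClose)) {
            return client.query();
        }
    }

    // When the body also fails, the close() failure is attached as suppressed
    // to the primary exception instead of replacing or hiding it.
    static Throwable[] bodyAndCloseFail() {
        try (FakeClient client = new FakeClient(true)) {
            throw new IllegalStateException("body failed");
        } catch (IllegalStateException | IOException e) {
            return e.getSuppressed();
        }
    }

    public static void main(String[] args) {
        System.out.println("old style result: " + oldStyle(true));
        try { newStyle(true); }
        catch (IOException e) { System.out.println("new style surfaced: " + e.getMessage()); }
        System.out.println("suppressed: " + bodyAndCloseFail()[0].getMessage());
    }
}
```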
