[ https://issues.apache.org/jira/browse/OOZIE-3676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640760#comment-17640760 ]
Hadoop QA commented on OOZIE-3676:
----------------------------------

Testing JIRA OOZIE-3676

Cleaning local git workspace

----------------------------

{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:green}+1 RAW_PATCH_ANALYSIS{color}
.    {color:green}+1{color} the patch does not introduce any @author tags
.    {color:green}+1{color} the patch does not introduce any tabs
.    {color:green}+1{color} the patch does not introduce any trailing spaces
.    {color:green}+1{color} the patch does not introduce any star imports
.    {color:green}+1{color} the patch does not introduce any line longer than 132
.    {color:green}+1{color} the patch adds/modifies 1 testcase(s)
{color:green}+1 RAT{color}
.    {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
.    {color:green}+1{color} Javadoc generation succeeded with the patch
.    {color:green}+1{color} the patch does not seem to introduce new Javadoc warning(s)
{color:green}+1 COMPILE{color}
.    {color:green}+1{color} HEAD compiles
.    {color:green}+1{color} patch compiles
.    {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:red}-1{color} There are [5] new bugs found below threshold in total that must be fixed.
.    {color:green}+1{color} There are no new bugs found in [examples].
.    {color:green}+1{color} There are no new bugs found in [fluent-job/fluent-job-api].
.    {color:green}+1{color} There are no new bugs found in [sharelib/hive].
.    {color:green}+1{color} There are no new bugs found in [sharelib/hive2].
.    {color:green}+1{color} There are no new bugs found in [sharelib/git].
.    {color:green}+1{color} There are no new bugs found in [sharelib/distcp].
.    {color:green}+1{color} There are no new bugs found in [sharelib/hcatalog].
.    {color:green}+1{color} There are no new bugs found in [sharelib/sqoop].
.    {color:green}+1{color} There are no new bugs found in [sharelib/spark].
.    {color:red}-1{color} There are [1] new bugs found below threshold in [sharelib/oozie] that must be fixed.
.    You can find the SpotBugs diff here (look for the red and orange ones): sharelib/oozie/findbugs-new.html
.    The most important SpotBugs errors are:
.    At ShellMain.java:[line 93]: This usage of java/lang/ProcessBuilder.<init>(Ljava/util/List;)V can be vulnerable to Command Injection
.    At ShellMain.java:[line 91]: At ShellMain.java:[line 90]
.    At ShellMain.java:[line 92]
.    {color:green}+1{color} There are no new bugs found in [sharelib/pig].
.    {color:green}+1{color} There are no new bugs found in [sharelib/streaming].
.    {color:green}+1{color} There are no new bugs found in [server].
.    {color:green}+1{color} There are no new bugs found in [docs].
.    {color:green}+1{color} There are no new bugs found in [webapp].
.    {color:red}-1{color} There are [4] new bugs found below threshold in [core] that must be fixed.
.    You can find the SpotBugs diff here (look for the red and orange ones): core/findbugs-new.html
.    The most important SpotBugs errors are:
.    At BulkJPAExecutor.java:[line 206]: This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection
.    At BulkJPAExecutor.java:[line 176]: At BulkJPAExecutor.java:[line 175]
.    At BulkJPAExecutor.java:[line 205]: At BulkJPAExecutor.java:[line 199]
.    This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection: At BulkJPAExecutor.java:[line 206]
.    At BulkJPAExecutor.java:[line 111]: At BulkJPAExecutor.java:[line 127]
.    {color:green}+1{color} There are no new bugs found in [tools].
.    {color:green}+1{color} There are no new bugs found in [client].
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.    {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
.    {color:green}+1{color} the patch does not modify JPA files
{color:green}+1 TESTS{color}
.    Tests run: 3227
.    {color:orange}Tests failed at first run:{color}
TestCLIParser#testCommandParserShowHelpWithOptions
TestLocalOozieClientCoord#testJobsOperations
.    For the complete list of flaky tests, see TEST-SUMMARY-FULL files.
{color:green}+1 DISTRO{color}
.    {color:green}+1{color} distro tarball builds with the patch
{color:green}+1 MODERNIZER{color}

----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}

The full output of the test-patch run is available at

.    https://ci-hadoop.apache.org/job/PreCommit-OOZIE-Build/147/

> Remove all non FIPS compliant encoding algorithms from Oozie or make them
> configurable
> --------------------------------------------------------------------------------------
>
> Key: OOZIE-3676
> URL: https://issues.apache.org/jira/browse/OOZIE-3676
> Project: Oozie
> Issue Type: Task
> Components: core
> Affects Versions: 5.2.1
> Reporter: Janos Makai
> Assignee: Janos Makai
> Priority: Major
> Attachments: OOZIE-3676-001.patch
>
>
> The goal of this Jira is to replace non-FIPS compliant encoding algorithm(s)
> to FIPS compliant algorithm(s) in Oozie.
> At this moment only `org.apache.oozie.action.hadoop.LauncherHelper#getTag`
> has non-FIPS compliant algorithm, namely MD-5.
> In scope of this ticket, this algorithm will be changed to FIPS compliant
> SHA-384.
> ({_}read more about the FIPS compliant algorithms below{_})
> ----
> h2. Using FIPS-Compliant Crypto Libraries
> This should not need much code change. Ensure that when you are performing
> crypto operations (e.g. generating keys, encrypting/decrypting data,
> computing hashes, storing/verifying passwords), you are using either OpenSSL
> or the standard Java crypto API to do so.
> When running in a FIPS environment, the OpenSSL library and Java crypto
> provider will be replaced with their CryptoComply equivalents. This
> replacement should be API-compatible.
> h2. Using FIPS-Approved Algorithms
> Only certain algorithms and key sizes are allowed by FIPS.
> Common allowed algorithms are shown below for convenience:
> Symmetric Algorithms
> * AES
> * 3DES
> Public Key Algorithms
> * RSA
> * ElGamal
> Key Agreement Algorithms
> * DH
> * MQV
> * ECDH
> * ECCDH
> * ECMQV
> SSL/TLS
> * TLS 1.0, 1.1, 1.2
> Hash Functions
> * SHA-1 _(avoid this as it is soon to be deprecated)_
> * SHA-224, SHA-256 {_}(avoid these as they are soon to be deprecated){_},
> SHA-384, SHA-512
> * SHA3-224, SHA3-256, SHA3-384, SHA3-512
> * SHAKE128, SHAKE256
> Message Authentication
> * AES CCM, CMAC, GMAC
> * HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> * 3DES CMAC
> Password Derivation Functions
> * PBKDF2 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> Random Number Generators
> * HASH DRBG
> * HMAC DRBG
> * CTR DRBG
> Signature Algorithms
> * DSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> * ECDSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> * RSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
> Keep in mind that the following common algorithms are *disallowed* and will
> likely cause a crash if invoked in FIPS mode:
> * MD5: use SHA-384 instead
> * RC4 (also called arcfour): use AES-256 instead
> * SSL: use TLS instead

--
This message was sent by Atlassian Jira (v8.20.10#820010)