I started to test it. apache-rat passed for me, but owasp first failed due
to some environment issue:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
(default-cli) on project parent: Fatal exception(s) analyzing Apache
ZooKeeper: One or more exceptions occurred during analysis:
[ERROR] Unable to download meta file:
https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
[ERROR] No documents exist
[ERROR] -> [Help 1]

Now I just re-ran it and this error disappeared; I assume nvd.nist.gov was
down for a while.
Now the owasp is failing for me with this error:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
(default-cli) on project zookeeper:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that
have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
CVE-2021-21290
[ERROR]
[ERROR] See the dependency-check report for more details.


I still continue to test the RC, let me know if it gets cancelled.


On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt <ph...@apache.org> wrote:

> On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli <eolive...@gmail.com>
> wrote:
>
> > Any comments?
> >
>
> owasp is still red - as such I assumed this release candidate is on hold
> until that's fixed. Is that not the case?
>
> Patrick
>
>
> >
> > On Fri, Feb 4, 2022, 12:07 Enrico Olivelli <eolive...@apache.org> wrote:
> >
> > > This is a release candidate for 3.8.0.
> > >
> > > It is a major release and it introduces a lot of new features, most
> > > notably:
> > > - Migration of the logging framework from Apache Log4j1 to LogBack
> > > - Read Key/trust store password from file (and other security related
> > > improvements)
> > > - Restored support for OSGI
> > > - Reduced the performance impact of Prometheus metrics
> > > - Official support for JDK17 (all tests are passing)
> > > - Updates to all the third party dependencies to get rid of every known
> > > CVE.
> > >
> > > The full release notes are available at:
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12349587
> > >
> > > *** Please download, test and vote by February 7th 2022, 23:59 UTC+0. ***
> > >
> > > Source files:
> > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> > >
> > > Maven staging repo:
> > > https://repository.apache.org/content/repositories/orgapachezookeeper-1072/
> > >
> > > The release candidate tag in git to be voted upon: release-3.8.0-0
> > > https://github.com/apache/zookeeper/tree/release-3.8.0-0
> > >
> > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > https://www.apache.org/dist/zookeeper/KEYS
> > >
> > > The staging version of the website is:
> > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> > >
> > >
> > > Should we release this candidate?
> > > Enrico Olivelli
> > >
> >
>
