Enrico, thank you for putting together a release candidate. I briefly looked at the OWASP check failure. It's flagging multiple old CVEs against netty-tcnative-2.0.48.Final.jar. I can't imagine how these are still applicable. This is the newest version of the dependency, so we don't have another upgrade path we can try.
I don't understand it. Unfortunately, I haven't found a solution yet.

Chris Nauroth

On Wed, Feb 9, 2022 at 2:05 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> I started to test it. apache-rat passed for me, but owasp first failed due
> to some environment issue:
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> (default-cli) on project parent: Fatal exception(s) analyzing Apache
> ZooKeeper: One or more exceptions occurred during analysis:
> [ERROR] Unable to download meta file:
> https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
> [ERROR] No documents exist
> [ERROR] -> [Help 1]
>
> Now I just re-ran and this error disappeared; I assume nvd.nist.gov was
> down for a while.
> Now the owasp check is failing for me with this error:
>
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> (default-cli) on project zookeeper:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> CVE-2021-21290
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
> I am still continuing to test the RC; let me know if it gets cancelled.
>
> On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt <ph...@apache.org> wrote:
>
> > On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli <eolive...@gmail.com>
> > wrote:
> >
> > > Any comments?
> >
> > owasp is still red - as such I assumed this release candidate is on hold
> > until that's fixed. Is that not the case?
> >
> > Patrick
> >
> > > On Fri, 4 Feb 2022, 12:07 Enrico Olivelli <eolive...@apache.org>
> > > wrote:
> > >
> > > > This is a release candidate for 3.8.0.
> > > >
> > > > It is a major release and it introduces a lot of new features, most
> > > > notably:
> > > > - Migration of the logging framework from Apache Log4j1 to LogBack
> > > > - Read key/trust store password from file (and other security-related
> > > >   improvements)
> > > > - Restored support for OSGI
> > > > - Reduced the performance impact of Prometheus metrics
> > > > - Official support for JDK17 (all tests are passing)
> > > > - Updates to all the third-party dependencies to get rid of every known
> > > >   CVE.
> > > >
> > > > The full release notes are available at:
> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12349587
> > > >
> > > > *** Please download, test and vote by February 7th 2022, 23:59 UTC+0. ***
> > > >
> > > > Source files:
> > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> > > >
> > > > Maven staging repo:
> > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1072/
> > > >
> > > > The release candidate tag in git to be voted upon: release-3.8.0-0
> > > > https://github.com/apache/zookeeper/tree/release-3.8.0-0
> > > >
> > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > https://www.apache.org/dist/zookeeper/KEYS
> > > >
> > > > The staging version of the website is:
> > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> > > >
> > > > Should we release this candidate?
> > > > Enrico Olivelli
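An added example, not part of the thread or of the ZooKeeper project's own build configuration: if the netty-tcnative flags are what Chris suspects, a false match against the netty core CPE (the listed IDs are advisories for the io.netty core artifacts, whose 4.1.x version line the 2.0.x tcnative JNI wrapper does not share), the usual remedy in dependency-check is a suppression entry scoped to that one artifact and that one CPE, with an expiry so the suppression is re-examined rather than forgotten. The file name, the expiry date and the exact CPE the analyzer assigned (`cpe:/a:netty:netty`) are assumptions here; the report Máté's run produced would confirm the CPE.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical suppression file (e.g. owasp-dependency-check-suppressions.xml;
     the name is an assumption). Register it in the dependency-check-maven
     plugin <configuration> under <suppressionFiles>/<suppressionFile>. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Scope: only io.netty:netty-tcnative* artifacts, and only their match
         against the netty core CPE. Any other CPE for the same jar, and any
         future CVE filed against netty-tcnative itself, is still reported. -->
    <suppress until="2022-08-31Z">
        <notes><![CDATA[
        netty-tcnative is identified as cpe:/a:netty:netty by the CPE analyzer
        (assumed from the reported CVE list); the CVEs reported under that CPE
        are netty core issues and do not apply to the tcnative JNI wrapper.
        Re-evaluate when the "until" date passes.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*@.*$</packageUrl>
        <cpe>cpe:/a:netty:netty</cpe>
    </suppress>
</suppressions>
```

Suppressing the CPE rather than the individual CVE IDs is deliberate: the mistake is the product identification, so per-ID entries (`<cve>CVE-2021-43797</cve>` and so on) would only push the same failure to the next netty core advisory. The error text also shows the build failing at a CVSS threshold of 0.0, so every match, however low-scored, blocks the RC; after adding the file, re-run `mvn org.owasp:dependency-check-maven:check` and confirm in the generated report that the netty-tcnative entries now appear as suppressed and that no other dependency is hidden by the regex.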