Thanks Enrico for working on the release candidate!

The RC looks good to me if we are sure that the OWASP problem is a false
positive and we can skip this netty-tcnative jar check. However, these CVEs
are old... Is it possible that we just added this jar by accident with the
recent netty upgrade? If we don't need it, should we exclude it?

I wouldn't vote with +1 until we clarify the state of these CVEs.

My RC check:

- apache-rat passed
- I built the source code (-Pfull-build) on dockerized Ubuntu 18.04.6 using
OpenJDK 11.0.13 and maven 3.6.0.
- all the java unit tests passed eventually. I had 4-8 tests failing in
each run, but after 4 runs all tests passed at least once. (I used
-Dsurefire-forkcount=1) We should somehow fix these flakies. There are
flakies on the CI, but not this many. I executed in docker, maybe this is
the reason or the CI is using a different java version?
- checkstyle and spotbugs passed
- OWASP (CVE check) failed with the mentioned
netty-tcnative-2.0.48.Final.jar failures.
- I built the fatjar
- I executed C client tests. Two of these failed constantly for me:
Zookeeper_simpleSystem::testIPV6 and
Zookeeper_SASLAuth::testClientSASLOverIPv6. (I think these fail for me
because I execute C unit tests on docker, there might be some issues with
the IPv6 interface) I see these passed on CI running on the branch-3.8.0. (
https://github.com/apache/zookeeper/runs/5048875668?check_suite_focus=true)
- I also built and executed unit tests for zkpython
- I executed quick rolling-upgrade tests (using
https://github.com/symat/zk-rolling-upgrade-test):
  - rolling upgrade from 3.5.9 to 3.8.0
  - rolling upgrade from 3.6.3 to 3.8.0
  - rolling upgrade from 3.7.0 to 3.8.0
- The web page looks OK

Best regards,
Máté
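If the netty-tcnative finding turns out to be a CPE mismatch (dependency-check mapping the tcnative jar onto the netty:netty CPE that the listed Netty codec CVEs are filed against), the usual remedy is a scoped suppression rather than skipping the check for the whole jar. This is an added example, not the project's own file; the file name owasp-suppressions.xml and the pom wiring are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- owasp-suppressions.xml (assumed name), referenced from the pom as:
     <plugin>
       <groupId>org.owasp</groupId>
       <artifactId>dependency-check-maven</artifactId>
       <configuration>
         <suppressionFiles>
           <suppressionFile>owasp-suppressions.xml</suppressionFile>
         </suppressionFiles>
       </configuration>
     </plugin>
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      netty-tcnative-2.0.48.Final.jar is being matched to the netty:netty CPE.
      The reported CVEs (CVE-2021-43797, CVE-2021-37136, CVE-2021-37137,
      CVE-2021-21295, CVE-2021-21409, CVE-2021-21290, CVE-2019-20444,
      CVE-2019-20445, CVE-2019-16869, CVE-2015-2156, CVE-2014-3488) are filed
      against Netty's HTTP/compression codecs, which this artifact does not
      contain. Suppress only the mismatched CPE, and only for tcnative, so
      findings against the real io.netty:netty-* jars keep being reported.
    ]]></notes>
    <!-- Restrict the suppression to the tcnative artifacts, any version. -->
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*$</packageUrl>
    <!-- Drop the wrong CPE match instead of listing individual CVE ids;
         a per-<cve> list would silently re-fire on the next Netty CVE. -->
    <cpe>cpe:/a:netty:netty</cpe>
  </suppress>
</suppressions>
```

After re-running `mvn org.owasp:dependency-check-maven:check`, the report should no longer list netty-tcnative under the netty:netty CPE while any genuine netty-* findings remain visible.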

On Wed, Feb 9, 2022 at 8:04 PM Chris Nauroth <[email protected]> wrote:

> Enrico, thank you for putting together a release candidate.
>
> I briefly looked at the OWASP check failure. It's flagging multiple old
> CVEs against netty-tcnative-2.0.48.Final.jar. I can't imagine how these are
> still applicable. This is the newest version of the dependency, so we don't
> have another upgrade path we can try.
>
> I don't understand it. Unfortunately, I haven't found a solution yet.
>
> Chris Nauroth
>
>
> On Wed, Feb 9, 2022 at 2:05 AM Szalay-Bekő Máté <[email protected]> wrote:
>
> > I started to test it. apache-rat passed for me, but owasp first failed
> > due to some environment issue:
> >
> > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> > (default-cli) on project parent: Fatal exception(s) analyzing Apache
> > ZooKeeper: One or more exceptions occurred during analysis:
> > [ERROR] Unable to download meta file:
> > https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
> > [ERROR] No documents exist
> > [ERROR] -> [Help 1]
> >
> > Now I just re-run and this error disappeared, I assume nvd.nist.gov was
> > down for a while.
> > Now the owasp is failing for me with this error:
> >
> > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
> > (default-cli) on project zookeeper:
> > [ERROR]
> > [ERROR] One or more dependencies were identified with vulnerabilities
> > that have a CVSS score greater than or equal to '0.0':
> > [ERROR]
> > [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
> > CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
> > CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
> > CVE-2021-21290
> > [ERROR]
> > [ERROR] See the dependency-check report for more details.
> >
> >
> > I still continue to test the RC, let me know if it gets cancelled.
> >
> >
> > On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt <[email protected]> wrote:
> >
> > > On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli <[email protected]>
> > > wrote:
> > >
> > > > Any comments?
> > > >
> > >
> > > owasp is still red - as such I assumed this release candidate is on
> > > hold until that's fixed. Is that not the case?
> > >
> > > Patrick
> > >
> > >
> > > >
> > > > On Fri, Feb 4, 2022, 12:07 Enrico Olivelli <[email protected]>
> > > > wrote:
> > > >
> > > > > This is a release candidate for 3.8.0.
> > > > >
> > > > > It is a major release and it introduces a lot of new features, most
> > > > > notably:
> > > > > - Migration of the logging framework from Apache Log4j1 to LogBack
> > > > > - Read Key/trust store password from file (and other security
> > > > > related improvements)
> > > > > - Restored support for OSGI
> > > > > - Reduced the performance impact of Prometheus metrics
> > > > > - Official support for JDK17 (all tests are passing)
> > > > > - Updates to all the third party dependencies to get rid of every
> > > > > known CVE.
> > > > >
> > > > > The full release notes are available at:
> > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12349587
> > > > >
> > > > > *** Please download, test and vote by February 7th 2022, 23:59 UTC+0. ***
> > > > >
> > > > > Source files:
> > > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
> > > > >
> > > > > Maven staging repo:
> > > > > https://repository.apache.org/content/repositories/orgapachezookeeper-1072/
> > > > >
> > > > > The release candidate tag in git to be voted upon: release-3.8.0-0
> > > > > https://github.com/apache/zookeeper/tree/release-3.8.0-0
> > > > >
> > > > > ZooKeeper's KEYS file containing PGP keys we use to sign the release:
> > > > > https://www.apache.org/dist/zookeeper/KEYS
> > > > >
> > > > > The staging version of the website is:
> > > > > https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
> > > > >
> > > > >
> > > > > Should we release this candidate?
> > > > > Enrico Olivelli
> > > > >
> > > >
> > >
> >
>