I agree with Pat. Though adding exclusions doesn't make any difference in the quality of our code, a build is a build. It's either green or red (not green). No excuse.
Andor

> On 2022. Feb 10., at 16:51, Patrick Hunt <ph...@apache.org> wrote:
>
> On Thu, Feb 10, 2022 at 12:22 AM Enrico Olivelli <eolive...@gmail.com> wrote:
>
>> Patrick,
>> If you prefer I can send a patch for the exclusion of
>> [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
>> CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
>> CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
>> CVE-2021-21290
>>
>> That said, this won't affect the goodness of the RC.
>>
>> Our code is safe and the dependencies we use are safe:
>> - to me it looks like those are false positives or at least not related
>> to ZooKeeper
>> - we are not using Netty TC Native features, it is a dependency we
>> inherit, and probably ZooKeeper works well without it
>>
>> Thank you all for taking time to test the release
>>
>
> NP. My concern is highlighted by this (your) response. You had to say all
> this to explain why the build is failing on a simple security check.
> Post-log4shell folks are really sensitive to security issues, as they
> should be, as we all should be. It's very important that we take security
> seriously. If I download the release, and run the owasp check it fails. I
> then have questions in my mind why. All that you explained here, while
> perfectly reasonable, won't be available to me at that point. I think
> rather we should ensure that releases are solid/clean before we push them.
> This is a simple thing to fix before we go through the entire process of
> verifying/releasing a new version.
>
> Hopefully this explains my concerns.
>
> Regards,
>
> Patrick
>
>
>> Enrico
>>
>> On Thu, 10 Feb 2022 at 09:13 Szalay-Bekő Máté
>> <szalay.beko.m...@gmail.com> wrote:
>>>
>>> Thanks Enrico for working on the release candidate!
>>>
>>> The RC looks good to me if we are sure that the OWASP problem is a false
>>> positive and we can skip this netty-tcnative jar check. However, these
>>> CVEs are old... Is it possible that we just added this jar by accident with
>>> the recent netty upgrade? If we don't need it, should we exclude it?
>>>
>>> I wouldn't vote with +1 until we clarify the state of these CVEs.
>>>
>>> My RC check:
>>>
>>> - apache-rat passed
>>> - I built the source code (-Pfull-build) on dockerized Ubuntu 18.04.6 using
>>> OpenJDK 11.0.13 and maven 3.6.0.
>>> - all the java unit tests passed eventually. I had 4-8 tests failing in
>>> each run, but after 4 runs all tests passed at least once. (I used
>>> -Dsurefire-forkcount=1) We should somehow fix these flakies. There are
>>> flakies on the CI, but not this many. I executed in docker, maybe this is
>>> the reason or the CI is using a different java version?
>>> - checkstyle and spotbugs passed
>>> - OWASP (CVE check) failed with the mentioned
>>> netty-tcnative-2.0.48.Final.jar failures.
>>> - I built the fatjar
>>> - I executed C client tests. Two of these failed constantly for me:
>>> Zookeeper_simpleSystem::testIPV6 and
>>> Zookeeper_SASLAuth::testClientSASLOverIPv6. (I think these fail for me
>>> because I execute C unit tests on docker, there might be some issues with
>>> the IPv6 interface) I see these passed on CI running on the branch-3.8.0.
>>> (https://github.com/apache/zookeeper/runs/5048875668?check_suite_focus=true)
>>> - I also built and executed unit tests for zkpython
>>> - I executed quick rolling-upgrade tests (using
>>> https://github.com/symat/zk-rolling-upgrade-test):
>>>   - rolling upgrade from 3.5.9 to 3.8.0
>>>   - rolling upgrade from 3.6.3 to 3.8.0
>>>   - rolling upgrade from 3.7.0 to 3.8.0
>>> - The web page looks OK
>>>
>>> Best regards,
>>> Máté
>>>
>>> On Wed, Feb 9, 2022 at 8:04 PM Chris Nauroth <cnaur...@apache.org> wrote:
>>>
>>>> Enrico, thank you for putting together a release candidate.
>>>>
>>>> I briefly looked at the OWASP check failure. It's flagging multiple old
>>>> CVEs against netty-tcnative-2.0.48.Final.jar. I can't imagine how these are
>>>> still applicable. This is the newest version of the dependency, so we don't
>>>> have another upgrade path we can try.
>>>>
>>>> I don't understand it. Unfortunately, I haven't found a solution yet.
>>>>
>>>> Chris Nauroth
>>>>
>>>>
>>>> On Wed, Feb 9, 2022 at 2:05 AM Szalay-Bekő Máté
>>>> <szalay.beko.m...@gmail.com> wrote:
>>>>
>>>>> I started to test it. apache-rat passed for me, but owasp first failed due
>>>>> to some environment issue:
>>>>>
>>>>> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
>>>>> (default-cli) on project parent: Fatal exception(s) analyzing Apache
>>>>> ZooKeeper: One or more exceptions occurred during analysis:
>>>>> [ERROR] Unable to download meta file:
>>>>> https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
>>>>> [ERROR] No documents exist
>>>>> [ERROR] -> [Help 1]
>>>>>
>>>>> Now I just re-ran and this error disappeared, I assume nvd.nist.gov was
>>>>> down for a while.
>>>>> Now the owasp is failing for me with this error:
>>>>>
>>>>> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check
>>>>> (default-cli) on project zookeeper:
>>>>> [ERROR]
>>>>> [ERROR] One or more dependencies were identified with vulnerabilities that
>>>>> have a CVSS score greater than or equal to '0.0':
>>>>> [ERROR]
>>>>> [ERROR] netty-tcnative-2.0.48.Final.jar: CVE-2021-43797, CVE-2019-16869,
>>>>> CVE-2015-2156, CVE-2021-37136, CVE-2014-3488, CVE-2021-37137,
>>>>> CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2021-21409,
>>>>> CVE-2021-21290
>>>>> [ERROR]
>>>>> [ERROR] See the dependency-check report for more details.
>>>>>
>>>>>
>>>>> I still continue to test the RC, let me know if it gets cancelled.
>>>>>
>>>>>
>>>>> On Tue, Feb 8, 2022 at 9:52 PM Patrick Hunt <ph...@apache.org> wrote:
>>>>>
>>>>>> On Tue, Feb 8, 2022 at 12:36 PM Enrico Olivelli <eolive...@gmail.com> wrote:
>>>>>>
>>>>>>> Any comments?
>>>>>>>
>>>>>>
>>>>>> owasp is still red - as such I assumed this release candidate is on hold
>>>>>> until that's fixed. Is that not the case?
>>>>>>
>>>>>> Patrick
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Fri, 4 Feb 2022, 12:07 Enrico Olivelli <eolive...@apache.org> wrote:
>>>>>>>
>>>>>>>> This is a release candidate for 3.8.0.
>>>>>>>>
>>>>>>>> It is a major release and it introduces a lot of new features, most
>>>>>>>> notably:
>>>>>>>> - Migration of the logging framework from Apache Log4j1 to LogBack
>>>>>>>> - Read Key/trust store password from file (and other security related
>>>>>>>> improvements)
>>>>>>>> - Restored support for OSGI
>>>>>>>> - Reduced the performance impact of Prometheus metrics
>>>>>>>> - Official support for JDK17 (all tests are passing)
>>>>>>>> - Updates to all the third party dependencies to get rid of every known
>>>>>>>> CVE.
>>>>>>>>
>>>>>>>> The full release notes are available at:
>>>>>>>>
>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12349587
>>>>>>>>
>>>>>>>> *** Please download, test and vote by February 7th 2022, 23:59 UTC+0. ***
>>>>>>>>
>>>>>>>> Source files:
>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/
>>>>>>>>
>>>>>>>> Maven staging repo:
>>>>>>>> https://repository.apache.org/content/repositories/orgapachezookeeper-1072/
>>>>>>>>
>>>>>>>> The release candidate tag in git to be voted upon: release-3.8.0-0
>>>>>>>> https://github.com/apache/zookeeper/tree/release-3.8.0-0
>>>>>>>>
>>>>>>>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>>>>>>>> https://www.apache.org/dist/zookeeper/KEYS
>>>>>>>>
>>>>>>>> The staging version of the website is:
>>>>>>>> https://people.apache.org/~eolivelli/zookeeper-3.8.0-candidate-0/website/
>>>>>>>>
>>>>>>>>
>>>>>>>> Should we release this candidate?
>>>>>>>> Enrico Olivelli
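The fix the thread converges on, an OWASP dependency-check suppression for the flagged jar, is shown below as an added example. It is not the patch Enrico offered and not ZooKeeper's own suppression file; the file name `owaspSuppressions.xml`, the suppression schema version, the `until` date and the wording of the notes are assumptions. The jar name, plugin version (5.3.0) and CVE list are the ones from the thread. dependency-check identifies artifacts by CPE (vendor:product) rather than by Maven coordinates, which is how a `netty-tcnative` jar can end up carrying CVEs filed against the core netty project; the shape below is what keeps such a suppression honest: it is scoped to the one artifact by package URL instead of globally, it lists the exact CVE ids rather than a `cvssBelow` blanket, it records the justification in `notes` so the reasoning travels with the build (the explanation Patrick says is otherwise unavailable to whoever runs the check later), and it carries an `until` expiry so the suppression has to be re-justified instead of silently outliving the situation that made it acceptable.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- owaspSuppressions.xml: added example, not ZooKeeper's own file.
     Referenced from the dependency-check-maven plugin via
     <suppressionFiles><suppressionFile>...</suppressionFile></suppressionFiles>. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- One suppression per artifact. `until` (assumed date) makes the entry
       expire: after that date dependency-check reports the CVEs again, so the
       suppression must be reviewed rather than forgotten. -->
  <suppress until="2022-08-01Z">
    <notes><![CDATA[
      netty-tcnative-2.0.48.Final.jar is flagged with CVEs that belong to the
      core netty project (CPE match on netty:netty), not to tcnative.
      2.0.48.Final is the newest tcnative release, so there is no upgrade path,
      and ZooKeeper does not use the tcnative features (see the 3.8.0 RC thread
      on dev@zookeeper). Re-evaluate on expiry or on the next netty upgrade.
    ]]></notes>

    <!-- Match only the netty-tcnative artifact(s) at this exact version, so the
         same CVE ids are still reported if they match any other dependency, and
         so a version bump automatically re-enables the check. -->
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative.*@2\.0\.48\.Final.*$</packageUrl>

    <!-- Exact ids from the failing check; no cvssBelow blanket. -->
    <cve>CVE-2014-3488</cve>
    <cve>CVE-2015-2156</cve>
    <cve>CVE-2019-16869</cve>
    <cve>CVE-2019-20444</cve>
    <cve>CVE-2019-20445</cve>
    <cve>CVE-2021-21290</cve>
    <cve>CVE-2021-21295</cve>
    <cve>CVE-2021-21409</cve>
    <cve>CVE-2021-37136</cve>
    <cve>CVE-2021-37137</cve>
    <cve>CVE-2021-43797</cve>
  </suppress>

</suppressions>
```

Wire the file in with the plugin's `suppressionFiles` parameter and keep `failBuildOnCVSS` at the value the thread's output shows (`0`), so any new finding against any other artifact still turns the build red; a release verifier who then runs `mvn org.owasp:dependency-check-maven:5.3.0:check` gets a green build and, in the generated report, the notes explaining why these ids are suppressed. If Máté's question ("if we don't need it, should we exclude it?") is answered yes, the cleaner fix is a Maven `<exclusions>` entry on the dependency that pulls tcnative in, because then the jar no longer ships at all and no suppression is needed; the suppression is for the case where the artifact stays.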