Actually I think that I am falling into a rabbit hole. The Contrib packages have many CVEs against third-party libraries:

https://issues.apache.org/jira/browse/ZOOKEEPER-4663 - OWASP is failing on loggraph due to yui-min.js: CVE-2013-4940, CVE-2013-4939
https://issues.apache.org/jira/browse/ZOOKEEPER-4664 - OWASP is failing on zookeeper zookeeper-contrib-rest due to some third-party dependencies
https://issues.apache.org/jira/browse/ZOOKEEPER-4665 - OWASP is failing on zooinspector due to some third-party dependencies

There is too much work to do at the moment, and we can't blindly upgrade dependencies without proper testing.
I am leaning towards creating the RC and ignoring all these problems.
They don't affect the core code package, and they are optional modules, not deployed to Maven Central or released as binaries.

Enrico

On Mon, 23 Jan 2023 at 13:30, Enrico Olivelli <[email protected]> wrote:
>
> Unfortunately I missed these OWASP failures on the contrib packages
>
> [ERROR] Failed to execute goal
> org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
> zookeeper-it:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities
> that have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
> [ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
> I will send other PRs
>
> Enrico
>
> On Thu, 19 Jan 2023 at 12:07, Enrico Olivelli <[email protected]> wrote:
> >
> > I have opened a few PRs,
> > please help me review
> >
> > https://github.com/apache/zookeeper/pull/1972
> > https://github.com/apache/zookeeper/pull/1971
> > https://github.com/apache/zookeeper/pull/1970
> >
> > Enrico
> >
> > On Thu, 19 Jan 2023 at 11:43, Enrico Olivelli <[email protected]> wrote:
> > >
> > > Unfortunately OWASP check is failing on branch-3.8
> > >
> > > [ERROR] Failed to execute goal
> > > org.owasp:dependency-check-maven:7.1.0:check (default-cli) on project
> > > zookeeper:
> > > [ERROR]
> > > [ERROR] One or more dependencies were identified with vulnerabilities
> > > that have a CVSS score greater than or equal to '0.0':
> > > [ERROR]
> > > [ERROR] commons-cli-1.4.jar: CVE-2021-37533(6.5)
> > > [ERROR] commons-io-2.11.0.jar: CVE-2021-37533(6.5)
> > > [ERROR] jackson-databind-2.13.2.1.jar: CVE-2022-42003(7.5),
> > > CVE-2022-42004(7.5)
> > > [ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5),
> > > CVE-2022-24823(5.5), CVE-2022-41881(7.5)
> > > [ERROR]
> > > [ERROR] See the dependency-check report for more details.
> > > [ERROR]
> > >
> > > I will take a look if there are already patches to be cherry-picked.
> > >
> > > I guess it will take some time, I hoped to cut the release candidate
> > > today :-(
> > >
> > > Enrico
> > >
> > > On Tue, 17 Jan 2023 at 23:06, Chris Nauroth <[email protected]> wrote:
> > > >
> > > > +1
> > > >
> > > > Thank you for taking this up, Enrico!
> > > >
> > > > Chris Nauroth
> > > >
> > > >
> > > > On Tue, Jan 17, 2023 at 9:24 AM Enrico Olivelli <[email protected]>
> > > > wrote:
> > > >
> > > > > Hello ZooKeepers,
> > > > > We have received a few requests to cut a 3.8.1 release.
> > > > >
> > > > > I will start the release procedure by the end of this week,
> > > > > if there is anything that blocks the release or that you would like to
> > > > > cherry-pick please let me know
> > > > >
> > > > > Best regards
> > > > > Enrico
> > > > >
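The dependency-check output quoted in this thread lists one jar per line with its CVE(score) pairs, and the plugin fails the build whenever any score reaches the configured threshold (the plugin's failBuildOnCVSS parameter, which here is 0.0, so every finding fails the build). The script below is an added example, not code from the thread or from the ZooKeeper project: it parses those summary lines into jar/CVE/score triples and applies a CVSS gate of your choosing, so a release manager can see which findings would still block at, say, 7.0 before deciding to suppress, upgrade, or ship. The log text is constructed in the shape of the thread's output, not captured by this script; the function names are assumptions.

```shell
#!/bin/sh
# Added example: triage of org.owasp:dependency-check-maven summary lines.
# Not ZooKeeper project code; function names and SAMPLE_LOG are assumptions.

# Constructed sample log, shaped like the plugin output quoted in the thread
# (one "[ERROR] <jar>: CVE-...(score), ..." line per flagged jar).
SAMPLE_LOG="[ERROR] One or more dependencies were identified with vulnerabilities
[ERROR] that have a CVSS score greater than or equal to '0.0':
[ERROR]
[ERROR] junit-4.13.jar: CVE-2020-15250(5.5)
[ERROR] junit-platform-engine-1.6.2.jar: CVE-2022-31514(9.3)
[ERROR] netty-transport-4.1.76.Final.jar: CVE-2022-41915(6.5), CVE-2022-24823(5.5), CVE-2022-41881(7.5)
[ERROR] See the dependency-check report for more details."

# owasp_findings LOG: print one "jar cve score" line per finding.
owasp_findings() {
    printf '%s\n' "$1" |
    sed -n 's/^\[ERROR\] \([^ :]*\.jar\): \(.*\)$/\1 \2/p' |
    while read -r jar rest; do
        # A jar line may carry several comma-separated CVE(score) entries.
        printf '%s\n' "$rest" | tr ',' '\n' |
        sed -n 's/^ *\(CVE-[0-9]*-[0-9]*\)(\([0-9.]*\)).*$/'"$jar"' \1 \2/p'
    done
}

# owasp_max_cvss LOG: highest CVSS score present in the log (0 if none).
owasp_max_cvss() {
    owasp_findings "$1" | awk 'BEGIN { m = 0 } $3 + 0 > m { m = $3 + 0 } END { print m }'
}

# owasp_gate LOG THRESHOLD: return 0 if no finding reaches THRESHOLD,
# otherwise list the offending findings and return 1 (the same decision the
# plugin makes with failBuildOnCVSS=THRESHOLD, but without re-running Maven).
owasp_gate() {
    _hits=$(owasp_findings "$1" | awk -v t="$2" '$3 + 0 >= t')
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

# Usage: gate the constructed log at 7.0 and print what would still block.
owasp_gate "$SAMPLE_LOG" 7.0 || echo "findings at or above 7.0 would fail the build"
```

The parser expects each jar on a single line, as the plugin prints it; when the output has been wrapped by a mail client, as the jackson-databind and netty-transport lines in the thread were, rejoin the continuation lines before feeding the text in. Lowering the gate this way is a triage aid, not a substitute for the per-finding review that the thread itself says the contrib modules still need.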
