[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764784#comment-17764784
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on code in PR #6057:
URL: https://github.com/apache/hadoop/pull/6057#discussion_r1324791220


##
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/oauth2/CredentialBasedAccessTokenProvider.java:
##
@@ -97,38 +104,37 @@ public synchronized String getAccessToken() throws 
IOException {
   }
 
   void refresh() throws IOException {
-OkHttpClient client = new OkHttpClient.Builder()
-.connectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.readTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.build();
-
-String bodyString = Utils.postBody(CLIENT_SECRET, getCredential(),
-GRANT_TYPE, CLIENT_CREDENTIALS,
-CLIENT_ID, clientId);
-
-RequestBody body = RequestBody.create(bodyString, URLENCODED);
-
-Request request = new Request.Builder()
-.url(refreshURL)
-.post(body)
+final List pairs = new ArrayList<>();
+pairs.add(new BasicNameValuePair(CLIENT_SECRET, getCredential()));
+pairs.add(new BasicNameValuePair(GRANT_TYPE, CLIENT_CREDENTIALS));
+pairs.add(new BasicNameValuePair(CLIENT_ID, clientId));
+final RequestConfig config = RequestConfig.custom()
+.setConnectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+
.setConnectionRequestTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+.setSocketTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
 .build();
-try (Response response = client.newCall(request).execute()) {
-  if (!response.isSuccessful()) {
-throw new IOException("Unexpected code " + response);
-  }
-
-  if (response.code() != HttpStatus.SC_OK) {
-throw new IllegalArgumentException("Received invalid http response: "
-+ response.code() + ", text = " + response.toString());
+try (CloseableHttpClient client =
+ 
HttpClientBuilder.create().setDefaultRequestConfig(config).build()) {
+  final HttpPost httpPost = new HttpPost(refreshURL);
+  httpPost.setEntity(new UrlEncodedFormEntity(pairs, 
StandardCharsets.UTF_8));
+  httpPost.setHeader(HttpHeaders.CONTENT_TYPE, URLENCODED);
+  try (CloseableHttpResponse response = client.execute(httpPost)) {
+final int statusCode = response.getStatusLine().getStatusCode();
+if (statusCode != HttpStatus.SC_OK) {
+  throw new IllegalArgumentException(
+  "Received invalid http response: " + statusCode + ", text = " +
+  EntityUtils.toString(response.getEntity()));
+}
+Map responseBody = JsonSerialization.mapReader().readValue(

Review Comment:
   The pre-existing code did not check the content-type of the return. It is 
not uncommon for an API to return JSON but not to have `application/json` 
Content-Type. I can make the change but I'm worried that the API we call may 
not set the expected content-type on the response.





> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764781#comment-17764781
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on code in PR #6057:
URL: https://github.com/apache/hadoop/pull/6057#discussion_r1324786164


##
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/oauth2/CredentialBasedAccessTokenProvider.java:
##
@@ -97,38 +104,37 @@ public synchronized String getAccessToken() throws 
IOException {
   }
 
   void refresh() throws IOException {
-OkHttpClient client = new OkHttpClient.Builder()
-.connectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.readTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.build();
-
-String bodyString = Utils.postBody(CLIENT_SECRET, getCredential(),
-GRANT_TYPE, CLIENT_CREDENTIALS,
-CLIENT_ID, clientId);
-
-RequestBody body = RequestBody.create(bodyString, URLENCODED);
-
-Request request = new Request.Builder()
-.url(refreshURL)
-.post(body)
+final List pairs = new ArrayList<>();
+pairs.add(new BasicNameValuePair(CLIENT_SECRET, getCredential()));
+pairs.add(new BasicNameValuePair(GRANT_TYPE, CLIENT_CREDENTIALS));
+pairs.add(new BasicNameValuePair(CLIENT_ID, clientId));
+final RequestConfig config = RequestConfig.custom()
+.setConnectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+
.setConnectionRequestTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+.setSocketTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
 .build();
-try (Response response = client.newCall(request).execute()) {
-  if (!response.isSuccessful()) {
-throw new IOException("Unexpected code " + response);
-  }
-
-  if (response.code() != HttpStatus.SC_OK) {
-throw new IllegalArgumentException("Received invalid http response: "
-+ response.code() + ", text = " + response.toString());
+try (CloseableHttpClient client =
+ 
HttpClientBuilder.create().setDefaultRequestConfig(config).build()) {
+  final HttpPost httpPost = new HttpPost(refreshURL);
+  httpPost.setEntity(new UrlEncodedFormEntity(pairs, 
StandardCharsets.UTF_8));
+  httpPost.setHeader(HttpHeaders.CONTENT_TYPE, URLENCODED);
+  try (CloseableHttpResponse response = client.execute(httpPost)) {
+final int statusCode = response.getStatusLine().getStatusCode();
+if (statusCode != HttpStatus.SC_OK) {
+  throw new IllegalArgumentException(
+  "Received invalid http response: " + statusCode + ", text = " +
+  EntityUtils.toString(response.getEntity()));
+}
+Map responseBody = JsonSerialization.mapReader().readValue(
+EntityUtils.toString(response.getEntity()));
+
+String newExpiresIn = responseBody.get(EXPIRES_IN).toString();
+timer.setExpiresIn(newExpiresIn);
+
+accessToken = responseBody.get(ACCESS_TOKEN).toString();
   }
-
-  Map responseBody = JsonSerialization.mapReader().readValue(
-  response.body().string());
-
-  String newExpiresIn = responseBody.get(EXPIRES_IN).toString();
-  timer.setExpiresIn(newExpiresIn);
-
-  accessToken = responseBody.get(ACCESS_TOKEN).toString();
+} catch (RuntimeException e) {
+  throw new IOException("Unable to obtain access token from credential", 
e);

Review Comment:
   I'm duplicating this because Spotbugs has its weird rules. The pre-existing 
catch already does this - do I change all the catches?





> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764780#comment-17764780
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on code in PR #6057:
URL: https://github.com/apache/hadoop/pull/6057#discussion_r1324784674


##
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/oauth2/CredentialBasedAccessTokenProvider.java:
##
@@ -97,38 +104,37 @@ public synchronized String getAccessToken() throws 
IOException {
   }
 
   void refresh() throws IOException {
-OkHttpClient client = new OkHttpClient.Builder()
-.connectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.readTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.build();
-
-String bodyString = Utils.postBody(CLIENT_SECRET, getCredential(),
-GRANT_TYPE, CLIENT_CREDENTIALS,
-CLIENT_ID, clientId);
-
-RequestBody body = RequestBody.create(bodyString, URLENCODED);
-
-Request request = new Request.Builder()
-.url(refreshURL)
-.post(body)
+final List pairs = new ArrayList<>();
+pairs.add(new BasicNameValuePair(CLIENT_SECRET, getCredential()));
+pairs.add(new BasicNameValuePair(GRANT_TYPE, CLIENT_CREDENTIALS));
+pairs.add(new BasicNameValuePair(CLIENT_ID, clientId));
+final RequestConfig config = RequestConfig.custom()
+.setConnectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+
.setConnectionRequestTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+.setSocketTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
 .build();
-try (Response response = client.newCall(request).execute()) {
-  if (!response.isSuccessful()) {
-throw new IOException("Unexpected code " + response);
-  }
-
-  if (response.code() != HttpStatus.SC_OK) {
-throw new IllegalArgumentException("Received invalid http response: "
-+ response.code() + ", text = " + response.toString());
+try (CloseableHttpClient client =
+ 
HttpClientBuilder.create().setDefaultRequestConfig(config).build()) {
+  final HttpPost httpPost = new HttpPost(refreshURL);
+  httpPost.setEntity(new UrlEncodedFormEntity(pairs, 
StandardCharsets.UTF_8));
+  httpPost.setHeader(HttpHeaders.CONTENT_TYPE, URLENCODED);
+  try (CloseableHttpResponse response = client.execute(httpPost)) {
+final int statusCode = response.getStatusLine().getStatusCode();
+if (statusCode != HttpStatus.SC_OK) {
+  throw new IllegalArgumentException(
+  "Received invalid http response: " + statusCode + ", text = " +
+  EntityUtils.toString(response.getEntity()));
+}
+Map responseBody = JsonSerialization.mapReader().readValue(
+EntityUtils.toString(response.getEntity()));
+
+String newExpiresIn = responseBody.get(EXPIRES_IN).toString();
+timer.setExpiresIn(newExpiresIn);
+
+accessToken = responseBody.get(ACCESS_TOKEN).toString();
   }
-
-  Map responseBody = JsonSerialization.mapReader().readValue(
-  response.body().string());
-
-  String newExpiresIn = responseBody.get(EXPIRES_IN).toString();
-  timer.setExpiresIn(newExpiresIn);
-
-  accessToken = responseBody.get(ACCESS_TOKEN).toString();
+} catch (RuntimeException e) {
+  throw new IOException("Unable to obtain access token from credential", 
e);
 } catch (Exception e) {

Review Comment:
   Spotbugs is what is making me duplicate the catch. It doesn't like catches 
of Exception and this is one workaround.





> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764776#comment-17764776
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

steveloughran commented on code in PR #6057:
URL: https://github.com/apache/hadoop/pull/6057#discussion_r1324778866


##
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/oauth2/CredentialBasedAccessTokenProvider.java:
##
@@ -97,38 +104,37 @@ public synchronized String getAccessToken() throws 
IOException {
   }
 
   void refresh() throws IOException {
-OkHttpClient client = new OkHttpClient.Builder()
-.connectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.readTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.build();
-
-String bodyString = Utils.postBody(CLIENT_SECRET, getCredential(),
-GRANT_TYPE, CLIENT_CREDENTIALS,
-CLIENT_ID, clientId);
-
-RequestBody body = RequestBody.create(bodyString, URLENCODED);
-
-Request request = new Request.Builder()
-.url(refreshURL)
-.post(body)
+final List pairs = new ArrayList<>();
+pairs.add(new BasicNameValuePair(CLIENT_SECRET, getCredential()));
+pairs.add(new BasicNameValuePair(GRANT_TYPE, CLIENT_CREDENTIALS));
+pairs.add(new BasicNameValuePair(CLIENT_ID, clientId));
+final RequestConfig config = RequestConfig.custom()
+.setConnectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+
.setConnectionRequestTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+.setSocketTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
 .build();
-try (Response response = client.newCall(request).execute()) {
-  if (!response.isSuccessful()) {
-throw new IOException("Unexpected code " + response);
-  }
-
-  if (response.code() != HttpStatus.SC_OK) {
-throw new IllegalArgumentException("Received invalid http response: "
-+ response.code() + ", text = " + response.toString());
+try (CloseableHttpClient client =
+ 
HttpClientBuilder.create().setDefaultRequestConfig(config).build()) {
+  final HttpPost httpPost = new HttpPost(refreshURL);
+  httpPost.setEntity(new UrlEncodedFormEntity(pairs, 
StandardCharsets.UTF_8));
+  httpPost.setHeader(HttpHeaders.CONTENT_TYPE, URLENCODED);
+  try (CloseableHttpResponse response = client.execute(httpPost)) {
+final int statusCode = response.getStatusLine().getStatusCode();
+if (statusCode != HttpStatus.SC_OK) {
+  throw new IllegalArgumentException(
+  "Received invalid http response: " + statusCode + ", text = " +
+  EntityUtils.toString(response.getEntity()));
+}
+Map responseBody = JsonSerialization.mapReader().readValue(

Review Comment:
   let's check the return content type too; been burned by both proxies and how 
the abfs oauth failure is 200 + text/html for users.



##
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/oauth2/CredentialBasedAccessTokenProvider.java:
##
@@ -97,38 +104,37 @@ public synchronized String getAccessToken() throws 
IOException {
   }
 
   void refresh() throws IOException {
-OkHttpClient client = new OkHttpClient.Builder()
-.connectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.readTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
-.build();
-
-String bodyString = Utils.postBody(CLIENT_SECRET, getCredential(),
-GRANT_TYPE, CLIENT_CREDENTIALS,
-CLIENT_ID, clientId);
-
-RequestBody body = RequestBody.create(bodyString, URLENCODED);
-
-Request request = new Request.Builder()
-.url(refreshURL)
-.post(body)
+final List pairs = new ArrayList<>();
+pairs.add(new BasicNameValuePair(CLIENT_SECRET, getCredential()));
+pairs.add(new BasicNameValuePair(GRANT_TYPE, CLIENT_CREDENTIALS));
+pairs.add(new BasicNameValuePair(CLIENT_ID, clientId));
+final RequestConfig config = RequestConfig.custom()
+.setConnectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+
.setConnectionRequestTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
+.setSocketTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT)
 .build();
-try (Response response = client.newCall(request).execute()) {
-  if (!response.isSuccessful()) {
-throw new IOException("Unexpected code " + response);
-  }
-
-  if (response.code() != HttpStatus.SC_OK) {
-throw new IllegalArgumentException("Received invalid http response: "
-+ response.code() + ", text = " + response.toString());
+try (CloseableHttpClient client =
+ 
HttpClientBuilder.create(

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764775#comment-17764775
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

steveloughran commented on PR #6057:
URL: https://github.com/apache/hadoop/pull/6057#issuecomment-1717950864

   @rohit-kb what do you think of this? would it suit?




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764743#comment-17764743
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #6057:
URL: https://github.com/apache/hadoop/pull/6057#issuecomment-1717842308

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 59s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  1s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  1s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  1s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  1s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  14m 37s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  36m 42s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  18m 26s |  |  trunk passed with JDK 
Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04  |
   | +1 :green_heart: |  compile  |  16m 41s |  |  trunk passed with JDK 
Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05  |
   | +1 :green_heart: |  checkstyle  |   4m 40s |  |  trunk passed  |
   | +1 :green_heart: |  mvnsite  |  20m 13s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 48s |  |  trunk passed with JDK 
Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 26s |  |  trunk passed with JDK 
Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05  |
   | +0 :ok: |  spotbugs  |   0m 17s |  |  branch/hadoop-project no spotbugs 
output file (spotbugsXml.xml)  |
   | +0 :ok: |  spotbugs  |   0m 19s |  |  
branch/hadoop-client-modules/hadoop-client no spotbugs output file 
(spotbugsXml.xml)  |
   | +1 :green_heart: |  shadedclient  |  68m 50s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 39s |  |  Maven dependency ordering for patch  |
   | -1 :x: |  mvninstall  |   0m 54s | 
[/patch-mvninstall-hadoop-common-project_hadoop-common.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/2/artifact/out/patch-mvninstall-hadoop-common-project_hadoop-common.txt)
 |  hadoop-common in the patch failed.  |
   | -1 :x: |  mvninstall  |   0m 24s | 
[/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-client.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/2/artifact/out/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-client.txt)
 |  hadoop-hdfs-client in the patch failed.  |
   | -1 :x: |  mvninstall  |   0m 17s | 
[/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-httpfs.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/2/artifact/out/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-httpfs.txt)
 |  hadoop-hdfs-httpfs in the patch failed.  |
   | -1 :x: |  mvninstall  |   0m 16s | 
[/patch-mvninstall-hadoop-cloud-storage-project_hadoop-huaweicloud.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/2/artifact/out/patch-mvninstall-hadoop-cloud-storage-project_hadoop-huaweicloud.txt)
 |  hadoop-huaweicloud in the patch failed.  |
   | -1 :x: |  mvninstall  |   1m 12s | 
[/patch-mvninstall-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/2/artifact/out/patch-mvninstall-root.txt)
 |  root in the patch failed.  |
   | +1 :green_heart: |  compile  |  17m 35s |  |  the patch passed with JDK 
Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04  |
   | +1 :green_heart: |  javac  |  17m 35s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  16m 38s |  |  the patch passed with JDK 
Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05  |
   | +1 :green_heart: |  javac  |  16m 38s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | -0 :warning: |  checkstyle  |   5m 49s | 
[/results-checkstyle-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/2/artifact/out/results-checkstyle-root.txt)
 |  root: The patch generated 2 new + 0 unchanged - 0 fixed = 2 total (was 0)  |
   | +1 :green_heart: |  mvnsite  |  15m  8s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   8m 44s |  |  the patch passed

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764736#comment-17764736
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #6057:
URL: https://github.com/apache/hadoop/pull/6057#issuecomment-1717813326

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 51s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  1s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  1s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  1s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  1s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  14m 38s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  36m 11s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  18m 48s |  |  trunk passed with JDK 
Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04  |
   | +1 :green_heart: |  compile  |  16m 55s |  |  trunk passed with JDK 
Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05  |
   | +1 :green_heart: |  checkstyle  |   4m 36s |  |  trunk passed  |
   | +1 :green_heart: |  mvnsite  |  20m 47s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 55s |  |  trunk passed with JDK 
Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 39s |  |  trunk passed with JDK 
Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05  |
   | +0 :ok: |  spotbugs  |   0m 17s |  |  branch/hadoop-project no spotbugs 
output file (spotbugsXml.xml)  |
   | +0 :ok: |  spotbugs  |   0m 19s |  |  
branch/hadoop-client-modules/hadoop-client no spotbugs output file 
(spotbugsXml.xml)  |
   | +1 :green_heart: |  shadedclient  |  68m 48s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 41s |  |  Maven dependency ordering for patch  |
   | -1 :x: |  mvninstall  |   0m 57s | 
[/patch-mvninstall-hadoop-common-project_hadoop-common.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/1/artifact/out/patch-mvninstall-hadoop-common-project_hadoop-common.txt)
 |  hadoop-common in the patch failed.  |
   | -1 :x: |  mvninstall  |   0m 24s | 
[/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-client.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/1/artifact/out/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-client.txt)
 |  hadoop-hdfs-client in the patch failed.  |
   | -1 :x: |  mvninstall  |   0m 16s | 
[/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-httpfs.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/1/artifact/out/patch-mvninstall-hadoop-hdfs-project_hadoop-hdfs-httpfs.txt)
 |  hadoop-hdfs-httpfs in the patch failed.  |
   | -1 :x: |  mvninstall  |   0m 17s | 
[/patch-mvninstall-hadoop-cloud-storage-project_hadoop-huaweicloud.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/1/artifact/out/patch-mvninstall-hadoop-cloud-storage-project_hadoop-huaweicloud.txt)
 |  hadoop-huaweicloud in the patch failed.  |
   | -1 :x: |  mvninstall  |   1m 17s | 
[/patch-mvninstall-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/1/artifact/out/patch-mvninstall-root.txt)
 |  root in the patch failed.  |
   | +1 :green_heart: |  compile  |  17m 57s |  |  the patch passed with JDK 
Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04  |
   | +1 :green_heart: |  javac  |  17m 57s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  16m 53s |  |  the patch passed with JDK 
Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05  |
   | +1 :green_heart: |  javac  |  16m 53s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | -0 :warning: |  checkstyle  |   5m 56s | 
[/results-checkstyle-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6057/1/artifact/out/results-checkstyle-root.txt)
 |  root: The patch generated 2 new + 0 unchanged - 0 fixed = 2 total (was 0)  |
   | +1 :green_heart: |  mvnsite  |  15m 50s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   8m 52s |  |  the patch passed

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764363#comment-17764363
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning opened a new pull request, #6057:
URL: https://github.com/apache/hadoop/pull/6057

   ### Description of PR
   
   Use Apache HTTPClient instead of OkHTTP to reduce the number of hadoop 
dependencies.
   
   ### How was this patch tested?
   
   Local build and CI build.
   
   ### For code changes:
   
   - [x] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [x] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756951#comment-17756951
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

steveloughran commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1686459928

   > I think that Hadoop has too many lib dependencies. 
   
   I think hadoop-common has too many, and there are some which are 
particularly troublesome. we should really avoid adding more to -common, and 
elsewhere think hard.




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756040#comment-17756040
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

ashutoshcipher commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1684117467

   Hi
   
   I agree to what you are saying, but it's not really something I introduced
   but was already present before
   
   On Fri, 18 Aug, 2023, 4:52 pm PJ Fanning, ***@***.***> wrote:
   
   > @ashutoshcipher  this might be
   > controversial but I think that Hadoop has too many lib dependencies. I
   > think it would be better to use simpler dependencies like Apache HttpClient
   > than to use very complicated dependencies like okhttp with its Kotlin
   > runtime dependencies.
   >
   > —
   > Reply to this email directly, view it on GitHub
   > , or
   > unsubscribe
   > 

   > .
   > You are receiving this because you were mentioned.Message ID:
   > ***@***.***>
   >
   




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756038#comment-17756038
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1684113240

   @ashutoshcipher this might be controversial but I think that Hadoop has too 
many lib dependencies. I think it would be better to use simpler dependencies 
like Apache HttpClient than to use very complicated dependencies like okhttp 
with its Kotlin runtime dependencies.




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756036#comment-17756036
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1684110678

   This change wasn't working out. I'll close it.




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756037#comment-17756037
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning closed pull request #5139: HADOOP-18496. Upgrade okhttp3 and 
dependencies due to kotlin CVEs
URL: https://github.com/apache/hadoop/pull/5139




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17756026#comment-17756026
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

steveloughran commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1684096208

   i've just merged this in via #5961. should I revert?




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17649292#comment-17649292
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1357545673

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   1m 16s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  1s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  0s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  0s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ branch-3.3 Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 12s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  27m 21s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  compile  |  18m 43s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  mvnsite  |  20m 56s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  javadoc  |   6m 50s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  shadedclient  |  31m  7s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 33s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  30m 24s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  18m  3s |  |  the patch passed  |
   | +1 :green_heart: |  javac  |  18m  3s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  20m 22s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   6m 46s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  31m 57s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 781m  5s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/5/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   2m  0s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1002m  8s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.yarn.sls.TestReservationSystemInvariants |
   |   | hadoop.yarn.sls.appmaster.TestAMSimulator |
   |   | hadoop.yarn.server.resourcemanager.recovery.TestFSRMStateStore |
   |   | hadoop.hdfs.server.namenode.snapshot.TestOpenFilesWithSnapshot |
   |   | hadoop.hdfs.TestFileLengthOnClusterRestart |
   |   | hadoop.hdfs.server.blockmanagement.TestBlockTokenWithDFSStriped |
   |   | hadoop.hdfs.TestLeaseRecovery2 |
   |   | hadoop.hdfs.server.balancer.TestBalancerWithHANameNodes |
   |   | hadoop.hdfs.server.datanode.TestBPOfferService |
   |   | hadoop.hdfs.server.namenode.ha.TestPipelinesFailover |
   |   | hadoop.hdfs.server.namenode.snapshot.TestSnapshotDeletion |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/5/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5139 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux 616119b340d6 4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 
18:16:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | branch-3.3 / e653369ceb623ac11337a552eb2f602d2e170876 |
   | Default Java | Private Build-1.8.0_352-8u352-ga-1~18.04-b08 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/5/testReport/ |
   | Max. process+thread count | 2721 (vs. ulimit of 5500) |
   | modules | C: hadoop-project hadoop-common-project/hadoop-common 
hadoop-hdfs-project/hadoop-hdfs-client 
hadoop-client-modules/hadoop-client-runtime . U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/5/console |
   | versions | git

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642856#comment-17642856
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1336186528

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |  13m 13s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  0s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  0s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ branch-3.3 Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 18s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  27m 29s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  compile  |  19m 52s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  mvnsite  |  22m  8s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  javadoc  |   7m 39s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  shadedclient  |  32m 39s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 38s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  31m 42s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  19m 32s |  |  the patch passed  |
   | +1 :green_heart: |  javac  |  19m 32s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  21m 34s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   7m  5s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  17m  5s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 803m 36s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/4/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   2m 18s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1030m 15s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | 
hadoop.hdfs.server.namenode.snapshot.TestSnapshotDeletion |
   |   | hadoop.hdfs.server.namenode.ha.TestPipelinesFailover |
   |   | hadoop.hdfs.TestRollingUpgrade |
   |   | hadoop.hdfs.server.datanode.TestBPOfferService |
   |   | hadoop.hdfs.TestFileLengthOnClusterRestart |
   |   | hadoop.hdfs.tools.TestDFSAdmin |
   |   | hadoop.hdfs.TestFileCreation |
   |   | hadoop.hdfs.TestErasureCodingPoliciesWithRandomECPolicy |
   |   | hadoop.hdfs.TestLeaseRecovery2 |
   |   | hadoop.hdfs.server.namenode.snapshot.TestSnapshot |
   |   | hadoop.hdfs.server.namenode.snapshot.TestSnapshotBlocksMap |
   |   | hadoop.hdfs.server.namenode.TestDeleteRace |
   |   | hadoop.yarn.sls.appmaster.TestAMSimulator |
   |   | hadoop.yarn.server.timelineservice.storage.TestTimelineWriterHBaseDown 
|
   |   | hadoop.yarn.server.resourcemanager.recovery.TestFSRMStateStore |
   |   | hadoop.security.ssl.TestReloadingX509TrustManager |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/4/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5139 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux e0ac5df52880 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | branch-3.3 / 4b4f8e0a18e5e859af1d086d9d2d1e0f26f04f5e |
   | Default Java | Private Build-1.8.0_352-8u352-ga-1~18.04-b08 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/4/testReport/ |
   | Max. process+thread count | 2165 (vs. ulimit of 5500) |
   | modules | C: hadoop-project had

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17639666#comment-17639666
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

ayushtkn commented on PR #5140:
URL: https://github.com/apache/hadoop/pull/5140#issuecomment-1328253379

   Ohhk, No worries, kind of addendum. Should be fine then, if we backport both 
together now




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17639664#comment-17639664
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on PR #5140:
URL: https://github.com/apache/hadoop/pull/5140#issuecomment-1328248532

   @ayushtkn this is a small tidy up that I missed in HADOOP-18496
   
   It has little to no effect on the build. Is it worth doing reverts, rebuilds 
and new JIRAs for this?




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17639663#comment-17639663
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

ayushtkn commented on PR #5140:
URL: https://github.com/apache/hadoop/pull/5140#issuecomment-1328247661

   @pjfanning you got the jira id wrong?
   HADOOP-18496 is different. :-(, Give a check, let me revert this in that 
case, Please help with the correct id




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17639661#comment-17639661
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

ayushtkn commented on PR #5140:
URL: https://github.com/apache/hadoop/pull/5140#issuecomment-1328247198

   Tests passed locally
   ```
   [INFO] ---
   [INFO]  T E S T S
   [INFO] ---
   [INFO] Running org.apache.hadoop.hdfs.TestRollingUpgrade
   [INFO] Tests run: 16, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 
125.348 s - in org.apache.hadoop.hdfs.TestRollingUpgrade
   [INFO] 
   [INFO] Results:
   [INFO] 
   [INFO] Tests run: 16, Failures: 0, Errors: 0, Skipped: 0
   [INFO] ---
   [INFO]  T E S T S
   [INFO] ---
   [INFO] Running org.apache.hadoop.mapreduce.v2.app.TestRuntimeEstimators
   [INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 
23.995 s - in org.apache.hadoop.mapreduce.v2.app.TestRuntimeEstimators
   [INFO] 
   [INFO] Results:
   [INFO] 
   [INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0
   
   ```




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17639660#comment-17639660
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

ayushtkn merged PR #5140:
URL: https://github.com/apache/hadoop/pull/5140




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17638749#comment-17638749
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1327798012

   @ashutoshcipher any idea where to go with this PR? I've rerun the build a 
few times and some tests just fail - next run they pass but other ones just 
fail. I don't think any of the issues relate to this PR.




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17637734#comment-17637734
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1325005476

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 55s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  1s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  0s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  0s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ branch-3.3 Compile Tests _ |
   | +0 :ok: |  mvndep  |  16m 27s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  26m 58s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  compile  |  19m  8s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  mvnsite  |  21m 17s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  javadoc  |   7m  4s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  shadedclient  |  32m 22s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 39s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  31m 17s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  18m 25s |  |  the patch passed  |
   | +1 :green_heart: |  javac  |  18m 25s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  20m 56s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   6m 56s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  32m 43s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 747m 27s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/3/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   2m  5s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 973m 43s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.yarn.sls.appmaster.TestAMSimulator |
   |   | hadoop.hdfs.server.namenode.TestAddStripedBlocks |
   |   | hadoop.hdfs.TestFileLengthOnClusterRestart |
   |   | hadoop.hdfs.TestErasureCodingPolicyWithSnapshot |
   |   | hadoop.hdfs.TestLeaseRecovery2 |
   |   | hadoop.hdfs.server.balancer.TestBalancerWithHANameNodes |
   |   | hadoop.hdfs.server.datanode.TestBPOfferService |
   |   | hadoop.hdfs.TestEncryptionZones |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/3/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5139 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux 5f667c3a0d39 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | branch-3.3 / e4b390d3344f0d4469f20d6122267bea9f4d19b7 |
   | Default Java | Private Build-1.8.0_352-8u352-ga-1~18.04-b08 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/3/testReport/ |
   | Max. process+thread count | 2313 (vs. ulimit of 5500) |
   | modules | C: hadoop-project hadoop-common-project/hadoop-common 
hadoop-hdfs-project/hadoop-hdfs-client 
hadoop-client-modules/hadoop-client-runtime . U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/3/console |
   | versions | git=2.17.1 maven=3.6.0 shellcheck=0.4.6 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> upgrade kotlin-stdlib due to CVEs
> -
>
>   

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17636161#comment-17636161
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1320887377

   @ashutoshcipher I'm not really sure of the test situation. I reran the tests 
and a number of other tests failed - no tests appear to have failed both times.




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17636160#comment-17636160
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1320886471

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 49s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  0s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  1s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ branch-3.3 Compile Tests _ |
   | +0 :ok: |  mvndep  |  16m 48s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  27m 13s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  compile  |  19m 16s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  mvnsite  |  21m 18s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  javadoc  |   7m  9s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  shadedclient  |  31m 59s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 35s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  30m 55s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  18m 27s |  |  the patch passed  |
   | +1 :green_heart: |  javac  |  18m 27s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  20m 59s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   7m 26s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  32m 52s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 765m 15s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/2/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   2m 54s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 992m 22s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.yarn.sls.appmaster.TestAMSimulator |
   |   | 
hadoop.yarn.server.resourcemanager.scheduler.capacity.TestCapacitySchedulerAutoQueueCreation
 |
   |   | hadoop.security.ssl.TestReloadingX509KeyManager |
   |   | hadoop.hdfs.server.datanode.TestDataNodeRollingUpgrade |
   |   | hadoop.hdfs.TestLeaseRecovery2 |
   |   | hadoop.hdfs.TestDFSStripedOutputStreamWithFailure |
   |   | hadoop.hdfs.server.mover.TestMover |
   |   | hadoop.hdfs.server.namenode.TestDiskspaceQuotaUpdate |
   |   | hadoop.hdfs.server.balancer.TestBalancerWithHANameNodes |
   |   | hadoop.hdfs.server.datanode.TestBPOfferService |
   |   | hadoop.hdfs.server.sps.TestExternalStoragePolicySatisfier |
   |   | hadoop.hdfs.TestRollingUpgrade |
   |   | hadoop.hdfs.server.namenode.snapshot.TestSnapshotDeletion |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/2/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5139 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux 513271bb6f9c 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | branch-3.3 / f70883822bb23063cbdda5aa4d08722850caa842 |
   | Default Java | Private Build-1.8.0_352-8u352-ga-1~18.04-b08 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/2/testReport/ |
   | Max. process+thread count | 2356 (vs. ulimit of 5500) |
   | modules | C: hadoop-project hadoop-common-project/hadoop-common 
hadoop-hdfs-project/hadoop-hdfs-client 
hadoop-client-modules/hadoop-client-runtime . U: . |
   | Co

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17635754#comment-17635754
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on PR #5140:
URL: https://github.com/apache/hadoop/pull/5140#issuecomment-1319744141

   The tests that failed appear to be intermittent test issues




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17635203#comment-17635203
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5140:
URL: https://github.com/apache/hadoop/pull/5140#issuecomment-1318262432

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 44s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  2s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  2s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  2s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  2s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 39s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  26m 21s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  23m 41s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |  20m 52s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  mvnsite  |  19m 17s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 10s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 36s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  35m 33s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 33s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  22m 20s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  23m  1s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |  23m  1s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  20m 51s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  javac  |  20m 51s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  19m 11s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   7m 58s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 22s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  37m  8s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 816m 10s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5140/2/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   3m 13s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1088m 26s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.hdfs.TestRollingUpgrade |
   |   | hadoop.mapreduce.v2.app.TestRuntimeEstimators |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5140/2/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5140 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux 5f19e1e5da8a 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | trunk / 20510621a87a9c4d4f794d628f9877128b7af6ca |
   | Default Java | Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
   | Multi-JDK versions | 
/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 
/usr/lib/jvm/java-8-openjdk-amd64:Private 
Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
   |  Test Results | 
https://ci-hadoop.apache.org/j

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17635147#comment-17635147
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5139:
URL: https://github.com/apache/hadoop/pull/5139#issuecomment-1318108456

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |  11m  0s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  1s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  0s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  0s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ branch-3.3 Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 21s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  27m 11s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  compile  |  19m  8s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  mvnsite  |  21m 18s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  javadoc  |   7m  6s |  |  branch-3.3 passed  |
   | +1 :green_heart: |  shadedclient  |  31m 57s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 34s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  30m 56s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  18m 26s |  |  the patch passed  |
   | +1 :green_heart: |  javac  |  18m 26s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  20m 46s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   7m  7s |  |  the patch passed  |
   | +1 :green_heart: |  shadedclient  |  32m 51s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 708m  2s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/1/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   1m 50s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 942m 28s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.yarn.client.api.impl.TestAMRMClient |
   |   | 
hadoop.yarn.server.resourcemanager.reservation.TestCapacityOverTimePolicy |
   |   | hadoop.hdfs.tools.TestDFSAdmin |
   |   | hadoop.hdfs.server.balancer.TestBalancerWithHANameNodes |
   |   | hadoop.hdfs.server.datanode.TestDirectoryScanner |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/1/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5139 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux d524129cc9f0 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | branch-3.3 / 67d0a12e0f20b821ff4dc2b672e7ce6834beb96e |
   | Default Java | Private Build-1.8.0_352-8u352-ga-1~18.04-b08 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/1/testReport/ |
   | Max. process+thread count | 2286 (vs. ulimit of 5500) |
   | modules | C: hadoop-project hadoop-common-project/hadoop-common 
hadoop-hdfs-project/hadoop-hdfs-client 
hadoop-client-modules/hadoop-client-runtime . U: . |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5139/1/console |
   | versions | git=2.17.1 maven=3.6.0 shellcheck=0.4.6 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17634900#comment-17634900
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5140:
URL: https://github.com/apache/hadoop/pull/5140#issuecomment-1317227385

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 53s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  0s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  0s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  0s |  |  xmllint was not available.  |
   | +1 :green_heart: |  @author  |   0m  1s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +1 :green_heart: |  mvninstall  |  39m 43s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |   0m 32s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |   0m 32s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  mvnsite  |   0m 36s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   0m 42s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   0m 32s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  64m 50s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +1 :green_heart: |  mvninstall  |   0m 24s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |   0m 20s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |   0m 20s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |   0m 21s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  javac  |   0m 21s |  |  the patch passed  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |   0m 24s |  |  the patch passed  |
   | +1 :green_heart: |  javadoc  |   0m 23s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   0m 19s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  23m 36s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | +1 :green_heart: |  unit  |   0m 22s |  |  hadoop-project in the patch 
passed.  |
   | +1 :green_heart: |  asflicense  |   0m 41s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   |  93m 35s |  |  |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5140/1/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5140 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint |
   | uname | Linux 001877484bc7 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revision | trunk / c643c45f95132de3c3a816904f8712b07e17b12b |
   | Default Java | Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
   | Multi-JDK versions | 
/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 
/usr/lib/jvm/java-8-openjdk-amd64:Private 
Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 |
   |  Test Results | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5140/1/testReport/ |
   | Max. process+thread count | 701 (vs. ulimit of 5500) |
   | modules | C: hadoop-project U: hadoop-project |
   | Console output | 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5140/1/console |
   | versions | git=2.25.1 maven=3.6.3 |
   | Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |
   
   
   This message was automatically generated.
   
   




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/brows

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17634862#comment-17634862
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning opened a new pull request, #5140:
URL: https://github.com/apache/hadoop/pull/5140

   
   
   ### Description of PR
   
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [ ] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17634851#comment-17634851
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning opened a new pull request, #5139:
URL: https://github.com/apache/hadoop/pull/5139

   Backports #5035
   
   Updates okhttp3 and okio so their transitive dependency on Kotlin stdlib is 
free from recent CVEs.
   
   okhttp3:okhttp => 4.10.0
   okio:okio => 3.2.0
   kotlin stdlib => 1.6.20
   
   kotlin CVEs fixed:
CVE-2022-24329
CVE-2020-29582
   
   Contributed by PJ Fanning.
   
   
   
   ### Description of PR
   
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [ ] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632681#comment-17632681
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

steveloughran commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-1312489839

   in trunk...lets push through the backport chain as far as we can




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632680#comment-17632680
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

steveloughran merged PR #5035:
URL: https://github.com/apache/hadoop/pull/5035




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632679#comment-17632679
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

steveloughran commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-1312487838

   yeah, looks like some jvm state thing; they happen. shouldn't, but they do 
and are hard to track down/eliminate
   
   +1, merging




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627751#comment-17627751
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-1300562246

   @steveloughran the Yetus results look ok. I can't find anything significant 
in the logs. The TestHttpFSFWithWebhdfsFileSystem test failure looks like an 
intermittent issue (a port already in use issue).




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627327#comment-17627327
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-1299130104

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   1m  3s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  1s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  1s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  1s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  1s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 22s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  28m 44s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  25m 38s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |  22m 18s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  mvnsite  |  20m 46s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 55s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 30s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  38m 50s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 35s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  31m 17s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  25m  0s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |  25m  0s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  23m  6s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  javac  |  23m  6s | 
[/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/7/artifact/out/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt)
 |  root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 generated 5 new + 2612 
unchanged - 1 fixed = 2617 total (was 2613)  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  21m 40s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   9m  1s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   8m 33s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  42m 25s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 1042m 31s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/7/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   1m 52s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1344m  7s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | 
hadoop.fs.http.client.TestHttpFSFWithWebhdfsFileSystem |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/7/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5035 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux 52d2d834e882 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | 

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17626873#comment-17626873
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on code in PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#discussion_r1009933930


##
hadoop-common-project/hadoop-common/pom.xml:
##
@@ -382,6 +382,21 @@
   com.squareup.okhttp3
   mockwebserver
   test
+  

Review Comment:
   I've made those changes - a new build is running





> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17626863#comment-17626863
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

steveloughran commented on code in PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#discussion_r1009899456


##
hadoop-common-project/hadoop-common/pom.xml:
##
@@ -382,6 +382,21 @@
   com.squareup.okhttp3
   mockwebserver
   test
+  

Review Comment:
   don't these exclusions get picked up from the hadoop project declaration



##
LICENSE-binary:
##
@@ -241,8 +241,9 @@ com.google.guava:guava:27.0-jre
 com.google.guava:listenablefuture:.0-empty-to-avoid-conflict-with-guava
 com.microsoft.azure:azure-storage:7.0.0
 com.nimbusds:nimbus-jose-jwt:9.8.1
-com.squareup.okhttp3:okhttp:4.9.3
+com.squareup.okhttp3:okhttp:4.10.0
 com.squareup.okio:okio:1.6.0
+com.squareup.okio:okio:3.2.0

Review Comment:
   does the one above need cutting?





> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17622459#comment-17622459
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-1287376925

   TestRuntimeEstimators runs ok on my laptop




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>  Labels: pull-request-available
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17622414#comment-17622414
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-1287321099

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 56s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  1s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  1s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  1s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  1s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 37s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  28m 48s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  25m 37s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |  22m  7s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  mvnsite  |  20m 33s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 33s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 32s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  38m 42s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 37s |  |  Maven dependency ordering for patch  |
   | +1 :green_heart: |  mvninstall  |  30m 51s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  24m 56s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |  24m 56s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  22m 10s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  javac  |  22m 10s | 
[/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/6/artifact/out/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt)
 |  root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 generated 1 new + 2610 
unchanged - 6 fixed = 2611 total (was 2616)  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  20m  9s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   8m 47s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 32s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  40m 38s |  |  patch has no errors 
when building and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 1077m 45s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/6/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   2m  1s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1374m 34s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.mapreduce.v2.app.TestRuntimeEstimators |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/6/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5035 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux 19d6e353dd10 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
   | Build tool | maven |
   | Personality | dev-support/bin/hadoop.sh |
   | git revisi

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17619646#comment-17619646
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-1282566516

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 54s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  1s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  1s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  1s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  1s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  16m  3s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  28m 52s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  25m 35s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |  22m 11s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  mvnsite  |  20m 21s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 34s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 30s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  39m  3s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 32s |  |  Maven dependency ordering for patch  |
   | -1 :x: |  mvninstall  |  25m  5s | 
[/patch-mvninstall-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/3/artifact/out/patch-mvninstall-root.txt)
 |  root in the patch failed.  |
   | +1 :green_heart: |  compile  |  24m 57s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |  24m 57s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  22m 16s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  javac  |  22m 16s | 
[/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/3/artifact/out/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt)
 |  root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 generated 1 new + 2610 
unchanged - 6 fixed = 2611 total (was 2616)  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  20m  6s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   8m 19s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 27s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  shadedclient  |  40m  4s |  |  patch has errors when building 
and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 1045m 21s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/3/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   2m 13s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1338m 48s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.mapreduce.v2.app.TestRuntimeEstimators |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/3/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5035 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
   | uname | Linux 9d2a96d70ebd 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 
01:49:29 UTC 2022

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17618951#comment-17618951
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-1281034538

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 54s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  1s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  1s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  1s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  1s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  15m 36s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  28m 37s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  25m 20s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |  21m 57s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  mvnsite  |  20m 25s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 28s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 36s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  38m 36s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 36s |  |  Maven dependency ordering for patch  |
   | -1 :x: |  mvninstall  |   1m  4s | 
[/patch-mvninstall-hadoop-common-project_hadoop-common.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/2/artifact/out/patch-mvninstall-hadoop-common-project_hadoop-common.txt)
 |  hadoop-common in the patch failed.  |
   | -1 :x: |  mvninstall  |   1m 31s | 
[/patch-mvninstall-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/2/artifact/out/patch-mvninstall-root.txt)
 |  root in the patch failed.  |
   | +1 :green_heart: |  compile  |  24m 53s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |  24m 53s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  22m 16s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  javac  |  22m 16s | 
[/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/2/artifact/out/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt)
 |  root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 generated 1 new + 2610 
unchanged - 6 fixed = 2611 total (was 2616)  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  20m  2s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   8m 19s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 33s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  shadedclient  |  21m  6s |  |  patch has errors when building 
and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 1066m  2s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/2/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   1m 54s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1315m  0s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.mapreduce.v2.app.TestRuntimeEstimators |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/2/artifact/out/Dockerfile
 |
   | GITHUB PR | https://githu

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17618286#comment-17618286
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

hadoop-yetus commented on PR #5035:
URL: https://github.com/apache/hadoop/pull/5035#issuecomment-128722

   :broken_heart: **-1 overall**
   
   
   
   
   
   
   | Vote | Subsystem | Runtime |  Logfile | Comment |
   |::|--:|:|::|:---:|
   | +0 :ok: |  reexec  |   0m 54s |  |  Docker mode activated.  |
    _ Prechecks _ |
   | +1 :green_heart: |  dupname  |   0m  0s |  |  No case conflicting files 
found.  |
   | +0 :ok: |  codespell  |   0m  1s |  |  codespell was not available.  |
   | +0 :ok: |  detsecrets  |   0m  1s |  |  detect-secrets was not available.  
|
   | +0 :ok: |  xmllint  |   0m  1s |  |  xmllint was not available.  |
   | +0 :ok: |  shelldocs  |   0m  1s |  |  Shelldocs was not available.  |
   | +1 :green_heart: |  @author  |   0m  0s |  |  The patch does not contain 
any @author tags.  |
   | -1 :x: |  test4tests  |   0m  0s |  |  The patch doesn't appear to include 
any new or modified tests. Please justify why no new tests are needed for this 
patch. Also please list what manual steps were performed to verify this patch.  
|
    _ trunk Compile Tests _ |
   | +0 :ok: |  mvndep  |  16m  4s |  |  Maven dependency ordering for branch  |
   | +1 :green_heart: |  mvninstall  |  28m 49s |  |  trunk passed  |
   | +1 :green_heart: |  compile  |  25m 34s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  compile  |  22m 10s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  mvnsite  |  20m 26s |  |  trunk passed  |
   | +1 :green_heart: |  javadoc  |   8m 33s |  |  trunk passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 30s |  |  trunk passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | +1 :green_heart: |  shadedclient  |  38m 51s |  |  branch has no errors 
when building and testing our client artifacts.  |
    _ Patch Compile Tests _ |
   | +0 :ok: |  mvndep  |   0m 36s |  |  Maven dependency ordering for patch  |
   | -1 :x: |  mvninstall  |   1m 34s | 
[/patch-mvninstall-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/1/artifact/out/patch-mvninstall-root.txt)
 |  root in the patch failed.  |
   | +1 :green_heart: |  compile  |  24m 59s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javac  |  24m 59s |  |  the patch passed  |
   | +1 :green_heart: |  compile  |  22m 10s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  javac  |  22m 10s | 
[/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/1/artifact/out/results-compile-javac-root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07.txt)
 |  root-jdkPrivateBuild-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07 generated 1 new + 2610 
unchanged - 6 fixed = 2611 total (was 2616)  |
   | +1 :green_heart: |  blanks  |   0m  0s |  |  The patch has no blanks 
issues.  |
   | +1 :green_heart: |  mvnsite  |  19m 57s |  |  the patch passed  |
   | +1 :green_heart: |  shellcheck  |   0m  0s |  |  No new issues.  |
   | +1 :green_heart: |  javadoc  |   8m 19s |  |  the patch passed with JDK 
Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04  |
   | +1 :green_heart: |  javadoc  |   7m 32s |  |  the patch passed with JDK 
Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07  |
   | -1 :x: |  shadedclient  |  21m 10s |  |  patch has errors when building 
and testing our client artifacts.  |
    _ Other Tests _ |
   | -1 :x: |  unit  | 1037m  1s | 
[/patch-unit-root.txt](https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/1/artifact/out/patch-unit-root.txt)
 |  root in the patch passed.  |
   | +1 :green_heart: |  asflicense  |   2m  1s |  |  The patch does not 
generate ASF License warnings.  |
   |  |   | 1285m 32s |  |  |
   
   
   | Reason | Tests |
   |---:|:--|
   | Failed junit tests | hadoop.mapreduce.v2.app.TestRuntimeEstimators |
   |   | 
hadoop.hdfs.server.federation.router.TestRouterRPCMultipleDestinationMountTableResolver
 |
   
   
   | Subsystem | Report/Notes |
   |--:|:-|
   | Docker | ClientAPI=1.41 ServerAPI=1.41 base: 
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5035/1/artifact/out/Dockerfile
 |
   | GITHUB PR | https://github.com/apache/hadoop/pull/5035 |
   | Optional Tests | dupname asflicense compile javac javadoc mvninstall 
mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelld

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17618153#comment-17618153
 ] 

ASF GitHub Bot commented on HADOOP-18496:
-

pjfanning opened a new pull request, #5035:
URL: https://github.com/apache/hadoop/pull/5035

   
   
   ### Description of PR
   
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [ ] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   




> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[Steve Loughran (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617724#comment-17617724
 ] 

Steve Loughran commented on HADOOP-18496:
-

yes; needs to be in sync. and need to run tests of whatever uses okhttp

> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[PJ Fanning (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617623#comment-17617623
 ] 

PJ Fanning commented on HADOOP-18496:
-

[~ste...@apache.org] looks like the kotlin dependencies were brought in because 
of okhttp3.

Hadoop trunk uses okhttp3 4.9.3 and the kotlin version used in Hadoop matches 
what okhttp3 4.9.3 needs.

If we were to upgrade kotlin due to the CVEs, we would probably need to upgrade 
to okhttp3 4.10.0 which relies on kotlin-stdlib 1.6.20.

> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-18496) upgrade kotlin-stdlib due to CVEs

[Steve Loughran (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17617604#comment-17617604
 ] 

Steve Loughran commented on HADOOP-18496:
-

what was the reason we added it? it came with the upgrade of something else, 
which it may need to stay in sync with. it is not used directly, AFAIK

> upgrade kotlin-stdlib due to CVEs
> -
>
> Key: HADOOP-18496
> URL: https://issues.apache.org/jira/browse/HADOOP-18496
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: PJ Fanning
>Priority: Major
>
> I'm not an expert on Kotlin but dependabot show these 2 CVEs with the version 
> of kotlin-stdlib used in Hadoop.
>  * [https://github.com/advisories/GHSA-cqj8-47ch-rvvq]
>  * [https://github.com/advisories/GHSA-2qp4-g3q3-f92w]
> kotlin-stlib 1.6.0 is the minimum version needed to fix both. It might be 
> better to use latest v1.6 jar (currently 1.6.21) or even use latest jar 
> altogether (currently 1.7.20).
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org