[jira] [Comment Edited] (FLUME-3131) Upgrade spring framework library dependencies
[ https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16095870#comment-16095870 ]

Attila Simon edited comment on FLUME-3131 at 7/21/17 6:56 AM:
--

Hi [~fszabo],

In general I'm fine with any approach which gets us closer to the state where flume is not vulnerable based on our understanding. Indeed it looks like test only. But having a closer look it seems that activemq (parent dependency of spring and also brings in geronimo) also falls into the same category. I would also consider updating the version of the activemq in case it still passes testing and doesn't bring in undesired dependencies transitively. (This in turn might help resolve this ticket by either removing the spring dependency completely or pulling in a "better" one.)

{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested with ActiveMQ.
945:**initialContextFactory** -- Inital Context Factory, e.g: org.apache.activemq.jndi.ActiveMQInitialContextFactory
994: a1.sources.r1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory

flume-ng-sources/flume-jms-source/pom.xml
74: org.apache.activemq
75: activemq-core

flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60: "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65: // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,

pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}

was (Author: sati):
Hi [~fszabo],

In general I'm fine with any approach which gets us closer to the state where flume is not vulnerable based on our understanding. Indeed it looks like test only. But having a closer look it seems that activemq (parent dependency of geronimo) also falls into the same category. I would also consider updating the version of the activemq in case it still passes testing and doesn't bring in undesired dependencies transitively. (This in turn might help resolve this ticket by either removing the spring dependency completely or pulling in a "better" one.)

{noformat}
⏚ [~/ws/apache/flume] trunk ± ag activemq *
flume-ng-doc/sphinx/FlumeUserGuide.rst
932:application it should work with any JMS provider but has only been tested with ActiveMQ.
945:**initialContextFactory** -- Inital Context Factory, e.g: org.apache.activemq.jndi.ActiveMQInitialContextFactory
994: a1.sources.r1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory

flume-ng-sources/flume-jms-source/pom.xml
74: org.apache.activemq
75: activemq-core

flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
37:import org.apache.activemq.ActiveMQConnectionFactory;
38:import org.apache.activemq.broker.BrokerPlugin;
39:import org.apache.activemq.broker.BrokerService;
40:import org.apache.activemq.security.AuthenticationUser;
41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
57:public class TestIntegrationActiveMQ {
60: "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
65: // specific for dynamic queues on ActiveMq
133:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
154:ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,

pom.xml
1081:org.apache.activemq
1082:activemq-core
{noformat}

> Upgrade spring framework library dependencies
> ---------------------------------------------
>
> Key: FLUME-3131
> URL: https://issues.apache.org/jira/browse/FLUME-3131
> Project: Flume
> Issue Type: Bug
> Affects Versions: 1.7.0
> Reporter: Attila Simon
> Assignee: Ferenc Szabo
> Priority: Critical
> Labels: dependency
> Fix For: 1.8.0
>
> Attachments: FLUME-3131.patch
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability:
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
>
[jira] [Comment Edited] (FLUME-3131) Upgrade spring framework library dependencies
[ https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16093618#comment-16093618 ]

Ferenc Szabo edited comment on FLUME-3131 at 7/20/17 11:23 PM:
---

[~sati] In this case I would recommend changing the activemq dependency to have a test scope because it is only used in one test; then the vulnerability is not going to be present in production.

For the `javax.jms.*` packages use the following dependency:

{code}
<dependency>
  <groupId>org.apache.geronimo.specs</groupId>
  <artifactId>geronimo-jms_1.1_spec</artifactId>
  <version>1.1.1</version>
</dependency>
{code}

was (Author: fszabo):
[~sati] In this case I would recommend changing the activemq dependency to have a test scope because it is only used in one test; then the vulnerability is not going to be present in production.

For the `javax.jms.*` packages use the following dependency:

{code}
<dependency>
  <groupId>javax.jms</groupId>
  <artifactId>jms</artifactId>
</dependency>
{code}

> Upgrade spring framework library dependencies
> ---------------------------------------------
>
> Key: FLUME-3131
> URL: https://issues.apache.org/jira/browse/FLUME-3131
> Project: Flume
> Issue Type: Bug
> Affects Versions: 1.7.0
> Reporter: Attila Simon
> Assignee: Ferenc Szabo
> Priority: Critical
> Labels: dependency
> Fix For: 1.8.0
>
>
> ||Group||Artifact||Version used||Upgrade target||
> |org.springframework|spring-aop|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-context|3.0.7.RELEASE|4.3.9.RELEASE,|
> |org.springframework|spring-core|3.0.7.RELEASE|4.3.9.RELEASE,|
> Security vulnerability:
> https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
> Maven repositories:
> - https://mvnrepository.com/artifact/org.springframework/spring-aop
> - https://mvnrepository.com/artifact/org.springframework/spring-context
> - https://mvnrepository.com/artifact/org.springframework/spring-core
> Please do:
> - CVE might be a false alarm or mistake. Please double check.
> - double check the newest version.
> - consider removing a dependency if a better alternative is available.
> - check whether the lib change would introduce a backward incompatibility (in which case please add this label `breaking_change` and fix version should be the next major)
> Excerpt from mvn dependency:tree
> {noformat}
> org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
> \- org.apache.activemq:activemq-core:jar:5.7.0:provided
>    +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
>    |  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
>    |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
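As an added check (not code from the ticket or the Flume project): a small Python parser over the `mvn dependency:tree` excerpt quoted above that lists which Spring 3.0.7.RELEASE artifacts reach a non-test scope and through which direct dependency, then re-runs over a constructed tree in which activemq-core has been moved to test scope as suggested. Both trees are embedded as constructed samples; the parser assumes the standard Maven tree layout `group:artifact:type[:classifier]:version[:scope]`.

```python
import re

# Constructed sample: the mvn dependency:tree excerpt quoted in the ticket
# (activemq-core at 'provided' scope dragging in Spring 3.0.7.RELEASE).
BEFORE_TREE = r"""
org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
\- org.apache.activemq:activemq-core:jar:5.7.0:provided
   +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
   |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
"""
# Constructed "after" tree: Maven reports the transitive dependencies of a
# test-scoped dependency as test scope too, so the whole subtree reads :test.
AFTER_TREE = BEFORE_TREE.replace(":provided", ":test")

_PREFIX = re.compile(r"^[\s|+\\-]*")  # tree-drawing characters before the coordinate

def parse_tree(text):
    """Return [(depth, group, artifact, version, scope)]; scope is None for the root."""
    nodes = []
    for line in text.splitlines():
        prefix = _PREFIX.match(line).group(0)
        coord = line[len(prefix):].split(":")
        if len(coord) < 4:
            continue  # blank line or non-coordinate output
        # Layout: group:artifact:type[:classifier]:version[:scope]
        scope = coord[-1] if len(coord) >= 5 else None
        version = coord[-2] if scope else coord[-1]
        nodes.append((len(prefix) // 3, coord[0], coord[1], version, scope))
    return nodes

def exposed_artifacts(text, group, version, safe_scopes=("test",)):
    """List (artifact, scope, via) for nodes of `group` at `version` whose scope is
    not in safe_scopes; `via` is the direct dependency that pulls the node in."""
    hits, ancestors = [], []
    for depth, g, a, v, s in parse_tree(text):
        del ancestors[depth:]        # keep only the ancestors of this node
        ancestors.append(a)
        if depth > 0 and g == group and v == version and s not in safe_scopes:
            hits.append((a, s, ancestors[1]))
    return hits

if __name__ == "__main__":
    for label, tree in (("before", BEFORE_TREE), ("after", AFTER_TREE)):
        hits = exposed_artifacts(tree, "org.springframework", "3.0.7.RELEASE")
        print(f"{label}: {len(hits)} Spring 3.0.7.RELEASE artifacts outside test scope", hits)
```

An empty result on the real `mvn dependency:tree` output is the confirmation that the scope change actually kept the flagged Spring jars off the compile and runtime classpaths.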
[jira] [Comment Edited] (FLUME-3131) Upgrade spring framework library dependencies
[ https://issues.apache.org/jira/browse/FLUME-3131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16093618#comment-16093618 ]

Ferenc Szabo edited comment on FLUME-3131 at 7/20/17 10:56 PM:
---

[~sati] In this case I would recommend changing the activemq dependency to have a test scope because it is only used in one test; then the vulnerability is not going to be present in production.

For the `javax.jms.*` packages use the following dependency:

{code}
<dependency>
  <groupId>javax.jms</groupId>
  <artifactId>jms</artifactId>
</dependency>
{code}

was (Author: fszabo):
[~sati] In this case I would recommend changing the activemq dependency to have a test scope because it is only used in one test; then the vulnerability is not going to be present in production.

For the `javax.jms.*` packages use the following dependency:

{code}
<dependency>
  <groupId>org.apache.geronimo.specs</groupId>
  <artifactId>geronimo-jms_1.1_spec</artifactId>
  <version>1.1.1</version>
</dependency>
{code}