[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16070245#comment-16070245 ] Artem Ervits commented on OOZIE-2946: - [~Jan Hentschel] don't forget to add a vote on the OOZIE-2969 jira :). > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Fix For: 5.0.0 > > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16070213#comment-16070213 ] Jan Hentschel commented on OOZIE-2946: -- I would also go with dropping support of 1.7. The public support ended in April 2015, so it should be time to drop it with the next major release. I don't know if there is another minor release planned for Oozie. If there's a plan we probably need to address this one. HBASE-18293 solved this one by using the JDK 1.8 specific profile. As far as I know Oozie doesn't have different profiles for the different Java versions. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Fix For: 5.0.0 > > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068409#comment-16068409 ] Artem Ervits commented on OOZIE-2946: - [~Jan Hentschel] I opened jira to drop JDK 1.7, HBase and Hadoop projects are dropping it with next major release https://issues.apache.org/jira/browse/OOZIE-2969 > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Fix For: 5.0.0 > > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[
https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068367#comment-16068367
]
Andras Piros commented on OOZIE-2946:
-
[~Jan Hentschel] it seems like FindSecBugs maven plugin doesn't like JDK 1.7.0:
{noformat}
bash-3.2$ mvn -version
Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5;
2015-11-10T17:41:47+01:00)
Java version: 1.7.0_80, vendor: Oracle Corporation
...
bash-3.2$ mvn clean install -DskipTests
...
[INFO]
[INFO] Building Apache Oozie Client 5.0.0-SNAPSHOT
[INFO]
...
[INFO] --- findbugs-maven-plugin:3.0.1:findbugs (findbugs) @ oozie-client ---
[INFO] Fork Value is true
[java] Exception in thread "main" java.lang.UnsupportedClassVersionError:
edu/umd/cs/findbugs/FindBugs2 : Unsupported major.minor version 52.0
[java] at java.lang.ClassLoader.defineClass1(Native Method)
[java] at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
[java] at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
[java] at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
[java] at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
[java] at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
[java] at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
[java] at java.security.AccessController.doPrivileged(Native Method)
[java] at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
[java] at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
[java] at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
[java] at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
[java] at
sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)
...
[INFO] Apache Oozie Client FAILURE [ 4.409 s]
...
{noformat}
Do you have a plan for JDK 1.7.0?
> Include find-sec-bugs plugin
>
>
> Key: OOZIE-2946
> URL: https://issues.apache.org/jira/browse/OOZIE-2946
> Project: Oozie
> Issue Type: Task
> Components: build, security
>Reporter: Jan Hentschel
>Assignee: Jan Hentschel
>Priority: Minor
> Fix For: 5.0.0
>
> Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch
>
>
> The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for
> security bugs in Java web apps, such as Oozie. This plugin should be included
> in the build process.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16052323#comment-16052323 ] Robert Kanter commented on OOZIE-2946: -- Ya, it seems to require an install before it picks up the changes. Presumably once it's committed that shouldn't be a problem. +1 > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16051662#comment-16051662 ] Jan Hentschel commented on OOZIE-2946: -- I'm not sure if the build compares the differences to the master or to previous runs. If I start a Maven build locally via mvn clean install I see the new problems, such as the one found in DistcpMain. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16050959#comment-16050959 ] Robert Kanter commented on OOZIE-2946: -- Ok, that seems reasonable to me. One last question: any idea why the latest Jenkins run didn't find any new findbugs problems but the one from Yesterday found a ton (as expected)? > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[
https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16050381#comment-16050381
]
Hadoop QA commented on OOZIE-2946:
--
Testing JIRA OOZIE-2946
Cleaning local git workspace
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.{color:green}+1{color} the patch does not introduce any @author tags
.{color:green}+1{color} the patch does not introduce any tabs
.{color:green}+1{color} the patch does not introduce any trailing spaces
.{color:green}+1{color} the patch does not introduce any line longer than
132
.{color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.{color:green}+1{color} the patch does not seem to introduce new RAT
warnings
{color:green}+1 JAVADOC{color}
.{color:green}+1{color} the patch does not seem to introduce new Javadoc
warnings
.{color:red}WARNING{color}: the current HEAD has 6 Javadoc warning(s)
{color:green}+1 COMPILE{color}
.{color:green}+1{color} HEAD compiles
.{color:green}+1{color} patch compiles
.{color:green}+1{color} the patch does not seem to introduce new javac
warnings
{color:green}+1{color} There are no new bugs found in total.
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.{color:green}+1{color} the patch does not change any JPA
Entity/Colum/Basic/Lob/Transient annotations
.{color:green}+1{color} the patch does not modify JPA files
{color:green}+1 TESTS{color}
.Tests run: 1966
.Tests rerun: 64
.Tests failed at first run:
org.apache.oozie.action.hadoop.TestJavaActionExecutor,org.apache.oozie.action.hadoop.TestLauncherAM,
{color:green}+1 DISTRO{color}
.{color:green}+1{color} distro tarball builds with the patch
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
{color:red}. There is at least one warning, please check{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/3894/
> Include find-sec-bugs plugin
>
>
> Key: OOZIE-2946
> URL: https://issues.apache.org/jira/browse/OOZIE-2946
> Project: Oozie
> Issue Type: Task
> Components: build, security
>Reporter: Jan Hentschel
>Assignee: Jan Hentschel
>Priority: Minor
> Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch
>
>
> The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for
> security bugs in Java web apps, such as Oozie. This plugin should be included
> in the build process.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16050140#comment-16050140 ] Jan Hentschel commented on OOZIE-2946: -- [~rkanter] I moved the version of findbugs-maven-plugin to the pluginManagement, but I was not able to move findsecbugs to it. It seems that Maven doesn't pick up the version for a dependency of a plugin (had the same problem with the findbugs dependency of the xml-maven-plugin) if you define it in the dependencyManagement or pluginManagement. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[
https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16049518#comment-16049518
]
Robert Kanter commented on OOZIE-2946:
--
[~Jan Hentschel], I just noticed that we define a {{}} for the
findbugs-maven-plugin in the {{}} and {{}}
sections. They also don't have the same version. We should define the version
only in {{}}. Can you also fix that while we're adding the
find-sec-bugs plugin; it's kind of related.
Also, the version for {{com.h3xstream.findsecbugs}} should be defined in the
{{}} as well.
> Include find-sec-bugs plugin
>
>
> Key: OOZIE-2946
> URL: https://issues.apache.org/jira/browse/OOZIE-2946
> Project: Oozie
> Issue Type: Task
> Components: build, security
>Reporter: Jan Hentschel
>Assignee: Jan Hentschel
>Priority: Minor
> Attachments: OOZIE-2946-1.patch
>
>
> The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for
> security bugs in Java web apps, such as Oozie. This plugin should be included
> in the build process.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16049032#comment-16049032 ] Jan Hentschel commented on OOZIE-2946: -- The Findbugs problems are expected due to the nature of the patch. Solving the new warnings should be part of another ticket. The failed tests seem to be flaky. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[
https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16049030#comment-16049030
]
Hadoop QA commented on OOZIE-2946:
--
Testing JIRA OOZIE-2946
Cleaning local git workspace
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
.{color:green}+1{color} the patch does not introduce any @author tags
.{color:green}+1{color} the patch does not introduce any tabs
.{color:green}+1{color} the patch does not introduce any trailing spaces
.{color:green}+1{color} the patch does not introduce any line longer than
132
.{color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
.{color:green}+1{color} the patch does not seem to introduce new RAT
warnings
{color:green}+1 JAVADOC{color}
.{color:green}+1{color} the patch does not seem to introduce new Javadoc
warnings
.{color:red}WARNING{color}: the current HEAD has 6 Javadoc warning(s)
{color:green}+1 COMPILE{color}
.{color:green}+1{color} HEAD compiles
.{color:green}+1{color} patch compiles
.{color:green}+1{color} the patch does not seem to introduce new javac
warnings
{color:red}-1{color} There are [106] new bugs found below threshold in total
that must be fixed.
. {color:red}-1{color} There are [1] new bugs found below threshold in [server]
that must be fixed.
. You can find the FindBugs diff here (look for the red and orange ones):
server/findbugs-new.html
. The most important FindBugs errors are:
. At JspHandlerProvider.java:[line 43]: File(...) reads a file whose location
might be specified by user input
. At JspHandlerProvider.java:[line 43]
. {color:red}-1{color} There are [8] new bugs found below threshold in [client]
that must be fixed, listing only the first [5] ones.
. You can find the FindBugs diff here (look for the red and orange ones):
client/findbugs-new.html
. The top [5] most important FindBugs errors are:
. At OozieCLI.java:[line 840]: File(...) reads a file whose location might be
specified by user input
. FileInputStream(...) reads a file whose location might be specified by user
input: At OozieCLI.java:[line 838]
. At OozieCLI.java:[line 838]: At OozieCLI.java:[line 848]
. At OozieCLI.java:[line 875]: File(...) reads a file whose location might be
specified by user input
. File(...) reads a file whose location might be specified by user input: At
OozieCLI.java:[line 870]
. {color:green}+1{color} There are no new bugs found in [docs].
. {color:red}-1{color} There are [3] new bugs found below threshold in
[sharelib/hive] that must be fixed.
. You can find the FindBugs diff here (look for the red and orange ones):
sharelib/hive/findbugs-new.html
. The most important FindBugs errors are:
. At HiveMain.java:[line 336]: FileReader(...) reads a file whose location
might be specified by user input
. At HiveMain.java:[line 245]: At HiveMain.java:[line 226]
. At HiveMain.java:[line 229]: File(...) reads a file whose location might be
specified by user input
. FileOutputStream(...) writes to a file whose location might be specified by
user input: At HiveMain.java:[line 226]
. At HiveMain.java:[line 172]: At HiveMain.java:[line 173]
. {color:red}-1{color} There are [5] new bugs found below threshold in
[sharelib/spark] that must be fixed.
. You can find the FindBugs diff here (look for the red and orange ones):
sharelib/spark/findbugs-new.html
. The most important FindBugs errors are:
. At SparkMain.java:[line 129]: File(...) reads a file whose location might be
specified by user input
. File(...) reads a file whose location might be specified by user input: At
SparkMain.java:[line 129]
. At SparkMain.java:[line 162]: At SparkMain.java:[line 169]
. FileOutputStream(...) writes to a file whose location might be specified by
user input: At SparkMain.java:[line 168]
. At SparkMain.java:[line 210]: At SparkMain.java:[line 211]
. {color:green}+1{color} There are no new bugs found in [sharelib/hcatalog].
. {color:red}-1{color} There are [3] new bugs found below threshold in
[sharelib/hive2] that must be fixed.
. You can find the FindBugs diff here (look for the red and orange ones):
sharelib/hive2/findbugs-new.html
. The most important FindBugs errors are:
. At Hive2Main.java:[line 278]: FileReader(...) reads a file whose location
might be specified by user input
. At Hive2Main.java:[line 164]: At Hive2Main.java:[line 145]
. At Hive2Main.java:[line 148]: File(...) reads a file whose location might be
specified by user input
. FileOutputStream(...) writes to a file whose location might be specified by
user input: At Hive2Main.java:[line 145]
. At Hive2Main.java:[line 117]: At Hive2Main.java:[line 266]
. {color:green}+1{color} There are no new bugs found in [sharelib/streaming].
. {color:red}-1{color} There are [8] new bugs found below threshold in
[sharelib/p
