[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16070245#comment-16070245 ] Artem Ervits commented on OOZIE-2946: - [~Jan Hentschel] don't forget to add a vote on the OOZIE-2969 jira :). > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Fix For: 5.0.0 > > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16070213#comment-16070213 ] Jan Hentschel commented on OOZIE-2946: -- I would also go with dropping support of 1.7. The public support ended in April 2015, so it should be time to drop it with the next major release. I don't know if there is another minor release planned for Oozie. If there's a plan we probably need to address this one. HBASE-18293 solved this one by using the JDK 1.8 specific profile. As far as I know Oozie doesn't have different profiles for the different Java versions. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Fix For: 5.0.0 > > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068409#comment-16068409 ] Artem Ervits commented on OOZIE-2946: - [~Jan Hentschel] I opened jira to drop JDK 1.7, HBase and Hadoop projects are dropping it with next major release https://issues.apache.org/jira/browse/OOZIE-2969 > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Fix For: 5.0.0 > > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068367#comment-16068367 ] Andras Piros commented on OOZIE-2946: - [~Jan Hentschel] it seems like FindSecBugs maven plugin doesn't like JDK 1.7.0: {noformat} bash-3.2$ mvn -version Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T17:41:47+01:00) Java version: 1.7.0_80, vendor: Oracle Corporation ... bash-3.2$ mvn clean install -DskipTests ... [INFO] [INFO] Building Apache Oozie Client 5.0.0-SNAPSHOT [INFO] ... [INFO] --- findbugs-maven-plugin:3.0.1:findbugs (findbugs) @ oozie-client --- [INFO] Fork Value is true [java] Exception in thread "main" java.lang.UnsupportedClassVersionError: edu/umd/cs/findbugs/FindBugs2 : Unsupported major.minor version 52.0 [java] at java.lang.ClassLoader.defineClass1(Native Method) [java] at java.lang.ClassLoader.defineClass(ClassLoader.java:800) [java] at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) [java] at java.net.URLClassLoader.defineClass(URLClassLoader.java:449) [java] at java.net.URLClassLoader.access$100(URLClassLoader.java:71) [java] at java.net.URLClassLoader$1.run(URLClassLoader.java:361) [java] at java.net.URLClassLoader$1.run(URLClassLoader.java:355) [java] at java.security.AccessController.doPrivileged(Native Method) [java] at java.net.URLClassLoader.findClass(URLClassLoader.java:354) [java] at java.lang.ClassLoader.loadClass(ClassLoader.java:425) [java] at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308) [java] at java.lang.ClassLoader.loadClass(ClassLoader.java:358) [java] at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482) ... [INFO] Apache Oozie Client FAILURE [ 4.409 s] ... {noformat} Do you have a plan for JDK 1.7.0? > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Fix For: 5.0.0 > > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16052323#comment-16052323 ] Robert Kanter commented on OOZIE-2946: -- Ya, it seems to require an install before it picks up the changes. Presumably once it's committed that shouldn't be a problem. +1 > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16051662#comment-16051662 ] Jan Hentschel commented on OOZIE-2946: -- I'm not sure if the build compares the differences to the master or to previous runs. If I start a Maven build locally via mvn clean install I see the new problems, such as the one found in DistcpMain. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16050959#comment-16050959 ] Robert Kanter commented on OOZIE-2946: -- Ok, that seems reasonable to me. One last question: any idea why the latest Jenkins run didn't find any new findbugs problems but the one from Yesterday found a ton (as expected)? > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16050381#comment-16050381 ] Hadoop QA commented on OOZIE-2946: -- Testing JIRA OOZIE-2946 Cleaning local git workspace {color:green}+1 PATCH_APPLIES{color} {color:green}+1 CLEAN{color} {color:red}-1 RAW_PATCH_ANALYSIS{color} .{color:green}+1{color} the patch does not introduce any @author tags .{color:green}+1{color} the patch does not introduce any tabs .{color:green}+1{color} the patch does not introduce any trailing spaces .{color:green}+1{color} the patch does not introduce any line longer than 132 .{color:red}-1{color} the patch does not add/modify any testcase {color:green}+1 RAT{color} .{color:green}+1{color} the patch does not seem to introduce new RAT warnings {color:green}+1 JAVADOC{color} .{color:green}+1{color} the patch does not seem to introduce new Javadoc warnings .{color:red}WARNING{color}: the current HEAD has 6 Javadoc warning(s) {color:green}+1 COMPILE{color} .{color:green}+1{color} HEAD compiles .{color:green}+1{color} patch compiles .{color:green}+1{color} the patch does not seem to introduce new javac warnings {color:green}+1{color} There are no new bugs found in total. {color:green}+1 BACKWARDS_COMPATIBILITY{color} .{color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations .{color:green}+1{color} the patch does not modify JPA files {color:green}+1 TESTS{color} .Tests run: 1966 .Tests rerun: 64 .Tests failed at first run: org.apache.oozie.action.hadoop.TestJavaActionExecutor,org.apache.oozie.action.hadoop.TestLauncherAM, {color:green}+1 DISTRO{color} .{color:green}+1{color} distro tarball builds with the patch {color:red}*-1 Overall result, please check the reported -1(s)*{color} {color:red}. There is at least one warning, please check{color} The full output of the test-patch run is available at . https://builds.apache.org/job/oozie-trunk-precommit-build/3894/ > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16050140#comment-16050140 ] Jan Hentschel commented on OOZIE-2946: -- [~rkanter] I moved the version of findbugs-maven-plugin to the pluginManagement, but I was not able to move findsecbugs to it. It seems that Maven doesn't pick up the version for a dependency of a plugin (had the same problem with the findbugs dependency of the xml-maven-plugin) if you define it in the dependencyManagement or pluginManagement. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch, OOZIE-2946-2.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16049518#comment-16049518 ] Robert Kanter commented on OOZIE-2946: -- [~Jan Hentschel], I just noticed that we define a {{}} for the findbugs-maven-plugin in the {{}} and {{}} sections. They also don't have the same version. We should define the version only in {{}}. Can you also fix that while we're adding the find-sec-bugs plugin; it's kind of related. Also, the version for {{com.h3xstream.findsecbugs}} should be defined in the {{}} as well. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16049032#comment-16049032 ] Jan Hentschel commented on OOZIE-2946: -- The Findbugs problems are expected due to the nature of the patch. Solving the new warnings should be part of another ticket. The failed tests seem to be flaky. > Include find-sec-bugs plugin > > > Key: OOZIE-2946 > URL: https://issues.apache.org/jira/browse/OOZIE-2946 > Project: Oozie > Issue Type: Task > Components: build, security >Reporter: Jan Hentschel >Assignee: Jan Hentschel >Priority: Minor > Attachments: OOZIE-2946-1.patch > > > The [Find Security Bugs|http://find-sec-bugs.github.io/] plugin looks for > security bugs in Java web apps, such as Oozie. This plugin should be included > in the build process. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (OOZIE-2946) Include find-sec-bugs plugin
[ https://issues.apache.org/jira/browse/OOZIE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16049030#comment-16049030 ] Hadoop QA commented on OOZIE-2946: -- Testing JIRA OOZIE-2946 Cleaning local git workspace {color:green}+1 PATCH_APPLIES{color} {color:green}+1 CLEAN{color} {color:red}-1 RAW_PATCH_ANALYSIS{color} .{color:green}+1{color} the patch does not introduce any @author tags .{color:green}+1{color} the patch does not introduce any tabs .{color:green}+1{color} the patch does not introduce any trailing spaces .{color:green}+1{color} the patch does not introduce any line longer than 132 .{color:red}-1{color} the patch does not add/modify any testcase {color:green}+1 RAT{color} .{color:green}+1{color} the patch does not seem to introduce new RAT warnings {color:green}+1 JAVADOC{color} .{color:green}+1{color} the patch does not seem to introduce new Javadoc warnings .{color:red}WARNING{color}: the current HEAD has 6 Javadoc warning(s) {color:green}+1 COMPILE{color} .{color:green}+1{color} HEAD compiles .{color:green}+1{color} patch compiles .{color:green}+1{color} the patch does not seem to introduce new javac warnings {color:red}-1{color} There are [106] new bugs found below threshold in total that must be fixed. . {color:red}-1{color} There are [1] new bugs found below threshold in [server] that must be fixed. . You can find the FindBugs diff here (look for the red and orange ones): server/findbugs-new.html . The most important FindBugs errors are: . At JspHandlerProvider.java:[line 43]: File(...) reads a file whose location might be specified by user input . At JspHandlerProvider.java:[line 43] . {color:red}-1{color} There are [8] new bugs found below threshold in [client] that must be fixed, listing only the first [5] ones. . You can find the FindBugs diff here (look for the red and orange ones): client/findbugs-new.html . The top [5] most important FindBugs errors are: . At OozieCLI.java:[line 840]: File(...) reads a file whose location might be specified by user input . FileInputStream(...) reads a file whose location might be specified by user input: At OozieCLI.java:[line 838] . At OozieCLI.java:[line 838]: At OozieCLI.java:[line 848] . At OozieCLI.java:[line 875]: File(...) reads a file whose location might be specified by user input . File(...) reads a file whose location might be specified by user input: At OozieCLI.java:[line 870] . {color:green}+1{color} There are no new bugs found in [docs]. . {color:red}-1{color} There are [3] new bugs found below threshold in [sharelib/hive] that must be fixed. . You can find the FindBugs diff here (look for the red and orange ones): sharelib/hive/findbugs-new.html . The most important FindBugs errors are: . At HiveMain.java:[line 336]: FileReader(...) reads a file whose location might be specified by user input . At HiveMain.java:[line 245]: At HiveMain.java:[line 226] . At HiveMain.java:[line 229]: File(...) reads a file whose location might be specified by user input . FileOutputStream(...) writes to a file whose location might be specified by user input: At HiveMain.java:[line 226] . At HiveMain.java:[line 172]: At HiveMain.java:[line 173] . {color:red}-1{color} There are [5] new bugs found below threshold in [sharelib/spark] that must be fixed. . You can find the FindBugs diff here (look for the red and orange ones): sharelib/spark/findbugs-new.html . The most important FindBugs errors are: . At SparkMain.java:[line 129]: File(...) reads a file whose location might be specified by user input . File(...) reads a file whose location might be specified by user input: At SparkMain.java:[line 129] . At SparkMain.java:[line 162]: At SparkMain.java:[line 169] . FileOutputStream(...) writes to a file whose location might be specified by user input: At SparkMain.java:[line 168] . At SparkMain.java:[line 210]: At SparkMain.java:[line 211] . {color:green}+1{color} There are no new bugs found in [sharelib/hcatalog]. . {color:red}-1{color} There are [3] new bugs found below threshold in [sharelib/hive2] that must be fixed. . You can find the FindBugs diff here (look for the red and orange ones): sharelib/hive2/findbugs-new.html . The most important FindBugs errors are: . At Hive2Main.java:[line 278]: FileReader(...) reads a file whose location might be specified by user input . At Hive2Main.java:[line 164]: At Hive2Main.java:[line 145] . At Hive2Main.java:[line 148]: File(...) reads a file whose location might be specified by user input . FileOutputStream(...) writes to a file whose location might be specified by user input: At Hive2Main.java:[line 145] . At Hive2Main.java:[line 117]: At Hive2Main.java:[line 266] . {color:green}+1{color} There are no new bugs found in [sharelib/streaming]. . {color:red}-1{color} There are [8] new bugs found below threshold in [sharelib/p