[WARNING] Fastjson library has a continuous insecurity trend
Hi dev team,

Especially committers and PMC members: recently we just upgraded fastjson through https://github.com/apache/skywalking/pull/4753. But today we received another report about a security issue again, https://github.com/apache/skywalking/pull/4804. The 4804 PR is not correct, but that is not the point.

The concern I want to mention is that FastJson, imported by Nacos, keeps reporting security issues. This breaks our stable/security status very frequently.

I want to ask: *do we need to consider removing the Nacos + FastJSON dependency, since this library is not of high quality from a security perspective?* These two are not required; they are just an implementation of the configuration server and the cluster management server.

I don't request action now, but I would like to hear what you think.

Sheng Wu 吴晟
Twitter, wusheng1108
Re: [WARNING] Fastjson library has a continuous insecurity trend
I agree to remove the related modules; at least we can move them to our SkyAPM org.

kezhenxu94

> On May 20, 2020, at 20:51, Sheng Wu wrote:
>
> I want to ask, *do we need to consider removing the Nacos + FastJSON dependency? Due to this library is not in high quality from a security perspective.*
> These two are not required, they are just an implementation of configuration server and cluster management server.
Re: [WARNING] Fastjson library has a continuous insecurity trend
Security is very important for an open source project, so I agree to remove nacos + fastjson, which continues to have security vulnerabilities. Are other components of skywalking using fastjson?

kezhenxu94 wrote on Wed, May 20, 2020 at 9:25 PM:
> I agree to remove the related modules, at least we can move it to our SkyAPM org
Re: [WARNING] Fastjson library has a continuous insecurity trend
Ming Wen wrote on Wed, May 20, 2020 at 9:49 PM:
> Security is very important for open source project, so I agree to remove nacos + fastjson, which continue to have security vulnerabilities.
>
> Are other components of skywalking using fastjson?

Ming,

No core or SkyWalking-owned code depends on Nacos or Fastjson. They are just a plugin, but included in SkyWalking's official release.

Sheng Wu 吴晟
Twitter, wusheng1108
Re: [WARNING] Fastjson library has a continuous insecurity trend
FastJSON is the source of these security issues, and Nacos is a famous project. But security issues are a very important problem, and they can't really resolve it. So I suggest just removing Nacos from the release package, keeping the source code in our project.

Sheng Wu wrote on Wed, May 20, 2020 at 8:51 PM:
> The concern I want to mention is that FastJson, imported by Nacos, keeps reporting security issues. This breaks our stable/security status high frequently.
>
> I want to ask, *do we need to consider removing the Nacos + FastJSON dependency? Due to this library is not in high quality from a security perspective.*
Re: [WARNING] Fastjson library has a continuous insecurity trend
Hi, Zhendong Song,

As you're discussing on a mailing list, it's not appropriate to attach a postscript to the email with a declaration like "本邮件及其附件含有小米公司的保密信息" ("This e-mail and its attachments contain confidential information from XIAOMI"). Please use your personal email account or remove the postscript the next time you send an email. Thanks.

> On May 20, 2020, at 22:26, 宋振东 (Zhendong Song) wrote:
>
> Dear all:
> The latest version of Nacos references fastjson 1.2.58, which also has security problems. I think if there are many Nacos users, we should try to solve this problem; if there are few users, we should give up this library (maybe there will be other security issues in the future).
>
> Zhendong Song
>
> -- Original --
> From: "Sheng Wu"
> Send time: Wednesday, May 20, 2020 9:07 PM
> To: "Z"
> Subject: Fwd: [WARNING] Fastjson library has a continuous insecurity trend
>
> If you want to reply, please send it to dev@skywalking.apache.org.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
> -- Forwarded message -----
> From: Sheng Wu
> Date: Wed, May 20, 2020 at 8:51 PM
> Subject: [WARNING] Fastjson library has a continuous insecurity trend
> To: dev
>
> I want to ask, do we need to consider removing the Nacos + FastJSON dependency? Due to this library is not in high quality from a security perspective.
> These two are not required, they are just an implementation of configuration server and cluster management server.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
> #/** This e-mail and its attachments contain confidential information from XIAOMI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! **/#
Re: [WARNING] Fastjson library has a continuous insecurity trend
> So I suggest just remove the Nacos from the release package, keeping the source code in our project.

Coordination and configuration APIs are stable now, and I don't see any potential improvements to them. Anyone who needs it can easily revert to the commit that contains nacos. Keeping unreleased code in the main repo is dangerous for us, so I prefer to remove it outright.

peng-yongsheng wrote on Wed, May 20, 2020 at 10:27 PM:
> FastJSON is the source of this security issues and the Nacos is a famous project. But security issues is very important problem, and they can't really resolve it.
>
> So I suggest just remove the Nacos from the release package, keeping the source code in our project.

--
Hongtao Gao
Apache SkyWalking && Apache ShardingSphere
Twitter, @hanahmily
Re: [WARNING] Fastjson library has a continuous insecurity trend
I agree to remove the related modules.

---
Daming
Apache SkyWalking

> On May 20, 2020, at 23:13, Hongtao Gao wrote:
>
> Coordination and configuration APIs are stable now, and I don't see any potential improvements about them.
> Anyone who needs it can revert to the commit contains nacos easily.
> Keeping unreleased codes in the main repo is dangerous for us, so I prefer to remove it straightly.
Re: [WARNING] Fastjson library has a continuous insecurity trend
Hongtao Gao wrote on Wed, May 20, 2020 at 11:13 PM:
> Coordination and configuration APIs are stable now, and I don't see any potential improvements about them.
> Anyone who needs it can revert to the commit contains nacos easily.
> Keeping unreleased codes in the main repo is dangerous for us, so I prefer to remove it straightly.

Agree, git is the time machine. We should not worry about rolling back some day.

Zhenxu,

Moving the code to SkyAPM is fine; we just need to keep the Apache license header there and indicate why this code was copied there, if we really think that is meaningful. People are going to ask questions there, so it will be some workload. Also notice: once we don't change the code, how do we release it?

Sheng Wu 吴晟
Twitter, wusheng1108
Re: [WARNING] Fastjson library has a continuous insecurity trend
I just rechecked the dependency tree, and can confirm that fastjson is imported by Nacos only. No other library depends on it.

[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ apache-skywalking-apm-es7 ---
[WARNING] Failure to transfer org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml from https://repository.apache.org/snapshots was cached in the local repository, resolution will not be reattempted until the update interval of apache.snapshots has elapsed or updates are forced. Original error: Could not transfer metadata org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml from/to apache.snapshots (https://repository.apache.org/snapshots): Connect to repository.apache.org:443 [repository.apache.org/207.244.88.140] failed: Operation timed out
Downloading from apache.snapshots: https://repository.apache.org/snapshots/org/apache/skywalking/server-starter-es7/8.0.0-SNAPSHOT/server-starter-es7-8.0.0-SNAPSHOT.jar
[INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
[INFO] +- org.apache.skywalking:apm-agent:jar:8.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.skywalking:apm-agent-core:jar:8.0.0-SNAPSHOT:compile
[INFO] |     +- org.apache.skywalking:apm-network:jar:8.0.0-SNAPSHOT:compile
[INFO] |     |  +- io.grpc:grpc-netty:jar:1.26.0:compile
[INFO] |     |  |  +- io.netty:netty-codec-http2:jar:4.1.42.Final:compile (version selected from constraint [4.1.42.Final,4.1.42.Final])
[INFO] |     |  |  \- io.netty:netty-handler-proxy:jar:4.1.42.Final:compile
[INFO] |     |  |     \- io.netty:netty-codec-socks:jar:4.1.42.Final:compile
[INFO] |     |  +- io.grpc:grpc-protobuf:jar:1.26.0:compile
[INFO] |     |  |  +- io.grpc:grpc-api:jar:1.26.0:compile
[INFO] |     |  |  |  \- io.grpc:grpc-context:jar:1.26.0:compile
[INFO] |     |  |  +- com.google.protobuf:protobuf-java:jar:3.11.0:compile
[INFO] |     |  |  +- com.google.api.grpc:proto-google-common-protos:jar:1.12.0:compile
[INFO] |     |  |  \- io.grpc:grpc-protobuf-lite:jar:1.26.0:compile
[INFO] |     |  +- io.grpc:grpc-stub:jar:1.26.0:compile
[INFO] |     |  \- io.netty:netty-tcnative-boringssl-static:jar:2.0.26.Final:compile
[INFO] |     +- org.apache.skywalking:apm-util:jar:8.0.0-SNAPSHOT:compile
[INFO] |     +- net.bytebuddy:byte-buddy:jar:1.10.7:compile
[INFO] |     \- org.apache.skywalking:apm-datacarrier:jar:8.0.0-SNAPSHOT:compile
[INFO] +- org.apache.skywalking:server-starter-es7:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +- org.apache.skywalking:server-bootstrap:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  +- org.apache.skywalking:server-core:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- org.yaml:snakeyaml:jar:1.18:compile
[INFO] |  |  |  +- org.apache.skywalking:library-module:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- org.apache.skywalking:telemetry-api:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- org.apache.skywalking:configuration-api:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  +- org.apache.skywalking:library-util:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  |  +- joda-time:joda-time:jar:2.10.5:compile
[INFO] |  |  |  |  \- com.google.protobuf:protobuf-java-util:jar:3.11.4:compile
[INFO] |  |  |  +- org.apache.skywalking:library-client:jar:8.0.0-SNAPSHOT:compile
[INFO] |  |  |  |  +- com.zaxxer:HikariCP:jar:3.1.0:compile
[INFO] |  |  |  |  +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] |  |  |  |  |  \- commons-pool:commons-pool:jar:1.5.4:compile
[INFO] |  |  |  |  +- org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:6.3.2:compile
[INFO] |  |  |  |  |  +- org.elasticsearch:elasticsearch:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  +- org.elasticsearch:elasticsearch-core:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  +- org.elasticsearch:elasticsearch-secure-sm:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  +- org.elasticsearch:elasticsearch-x-content:jar:6.3.2:compile
[INFO] |  |  |  |  |  |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-smile:jar:2.8.10:compile
[INFO] |  |  |  |  |  |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.10:compile
[INFO] |  |  |  |  |  |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.8.10:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-core:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-analyzers-common:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-backward-codecs:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-grouping:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-highlighter:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-join:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-memory:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-misc:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-queries:jar:7.3.1:compile
[INFO] |  |  |  |  |  |  +- org.apache.lucene:lucene-qu
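The check in the message above, reading `mvn dependency:tree` output to find out which module drags fastjson in, is tedious by eye once the tree runs to hundreds of lines, and it is exactly the check a release manager wants to repeat every time a transitive dependency gets a new advisory. The script below is an added example and not code from the SkyWalking project or from anyone in this thread. It parses the plain-text tree format shown above, reports every path from the root POM down to a requested groupId:artifactId, and lists the direct dependencies (the ones declared in your own POM) that introduce it. The embedded sample tree is constructed for illustration: the Maven coordinates com.alibaba:fastjson and com.alibaba.nacos:nacos-client are the real ones, but the module names cluster-nacos-plugin and configuration-nacos, the versions, and the tree shape are assumptions, not a copy of the real SkyWalking build.

```python
"""Report which direct dependencies pull a given artifact into a Maven build.

Added example (not SkyWalking project code): parses the plain-text output of
`mvn dependency:tree` and walks every path from the root POM to a wanted
groupId:artifactId, so the owner of a flagged transitive dependency is
obvious even in a tree of several hundred lines.
"""
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output for illustration. The
# coordinates com.alibaba:fastjson and com.alibaba.nacos:nacos-client are the
# real Maven coordinates; the SkyWalking module names, versions and tree shape
# below are assumed, not copied from the real build.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ apache-skywalking-apm-es7 ---
[WARNING] Failure to transfer some-metadata.xml: Operation timed out
[INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
[INFO] +- org.apache.skywalking:server-core:jar:8.0.0-SNAPSHOT:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.18:compile
[INFO] |  \\- com.google.protobuf:protobuf-java-util:jar:3.11.4:compile
[INFO] +- org.apache.skywalking:cluster-nacos-plugin:jar:8.0.0-SNAPSHOT:compile
[INFO] |  \\- com.alibaba.nacos:nacos-client:jar:1.2.1:compile
[INFO] |     +- com.alibaba:fastjson:jar:1.2.58:compile
[INFO] |     \\- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] \\- org.apache.skywalking:configuration-nacos:jar:8.0.0-SNAPSHOT:compile
[INFO]    \\- com.alibaba.nacos:nacos-client:jar:1.2.1:compile
[INFO]       \\- com.alibaba:fastjson:jar:1.2.58:compile
"""

# A tree line is "[INFO] " + zero or more 3-char connector groups
# ("+- ", "\- ", "|  " or "   ") + the coordinates, optionally followed by a
# note such as "(version selected from constraint ...)".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|\\+\- ]{3})*)(?P<coord>\S+)(?:\s.*)?$")

Node = Tuple[int, str]  # (depth, "group:artifact:type:version:scope")


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree output into (depth, coordinates) pairs, in order.

    Non-tree log lines ([WARNING], downloads, the plugin banner) are skipped;
    a genuine node has at least group:artifact:type:version, i.e. 3 colons.
    """
    nodes: List[Node] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("coord").count(":") < 3:
            continue
        nodes.append((len(m.group("prefix")) // 3, m.group("coord")))
    return nodes


def find_paths(nodes: List[Node], group_artifact: str) -> List[List[str]]:
    """Return every root-to-node path whose last node is group_artifact.

    The pre-order listing plus depth is enough: keep a stack of ancestors,
    truncate it to the current depth, and push the current node.
    """
    stack: List[str] = []
    paths: List[List[str]] = []
    for depth, coord in nodes:
        del stack[depth:]
        stack.append(coord)
        if coord.startswith(group_artifact + ":"):
            paths.append(list(stack))
    return paths


def direct_importers(paths: List[List[str]]) -> List[str]:
    """Depth-1 dependencies (declared in our own POM) on each matching path."""
    return sorted({p[1] for p in paths if len(p) > 1})


def versions_of(paths: List[List[str]]) -> List[str]:
    """Distinct versions of the matched artifact (position 3 of the coords)."""
    return sorted({p[-1].split(":")[3] for p in paths})


if __name__ == "__main__":
    found = find_paths(parse_tree(SAMPLE_TREE), "com.alibaba:fastjson")
    for path in found:
        print(" -> ".join(c.split(":")[1] for c in path))
    print("versions:", versions_of(found))
    print("introduced by:", [c.split(":")[1] for c in direct_importers(found)])
```

On a live checkout, `mvn dependency:tree -Dincludes=com.alibaba:fastjson` applies the same groupId:artifactId filter natively and prints only the matching branches; the script is for the situation in this thread, where all you have is captured output, or where you want the answer machine-readable so a CI job can fail the build when a denied artifact shows up under any direct dependency.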
Re: [WARNING] Fastjson library has a continuous insecurity trend
I have submitted the issue to the Nacos team, https://github.com/alibaba/nacos/issues/2842, to check: *Does Nacos provide an alternative JSON library, rather than FastJSON, as a new option?*

If the answer is negative, and our consensus is clear, preferring to remove the code, then it is time to make the decision.

Sheng Wu 吴晟
Twitter, wusheng1108

Sheng Wu wrote on Thu, May 21, 2020 at 9:23 AM:
> I just rechecked the dependency tree, and can confirm that fastjson is imported by Nacos only. No other library depends on it.
Re: [WARNING] Fastjson library has a continuous insecurity trend
An update: the Nacos team gave a promise that they will remove the Fastjson dependency to ease our concern. I think we could wait for their progress until we begin to initiate our 8.0.0 release. If they can't finish it in time, we do the deletion. Is everyone OK with this strategy?

Sheng Wu 吴晟
Twitter, wusheng1108

Sheng Wu wrote on Thu, May 21, 2020 at 9:50 AM:
> I have submitted the issue to the Nacos team, https://github.com/alibaba/nacos/issues/2842, to check: *Does Nacos provide an alternative JSON library, rather than FastJSON, as a new option?*
>
> If the answer is negative, and our consensus is clear, preferring to remove the code, then it is time to make the decision.
Re: Fwd: [WARNING] Fastjson library has a continuous insecurity trend
Dear all:

The latest version of Nacos references fastjson 1.2.58, which also has security problems. I think if there are many Nacos users, we should try to solve this problem; if there are few users, we should give up this library (maybe there will be other security issues in the future).

Zhendong Song

-- Original --
From: "Sheng Wu"
Send time: Wednesday, May 20, 2020 9:07 PM
To: "Z"
Subject: Fwd: [WARNING] Fastjson library has a continuous insecurity trend

If you want to reply, please send it to dev@skywalking.apache.org.

Sheng Wu 吴晟
Twitter, wusheng1108

-- Forwarded message --
From: Sheng Wu
Date: Wed, May 20, 2020 at 8:51 PM
Subject: [WARNING] Fastjson library has a continuous insecurity trend
To: dev

I want to ask, do we need to consider removing the Nacos + FastJSON dependency? Due to this library is not in high quality from a security perspective. These two are not required, they are just an implementation of configuration server and cluster management server.

Sheng Wu 吴晟
Twitter, wusheng1108