
update guava to 32.0.1-jre to address CVEs #15482

Merged
merged 4 commits into from
Dec 4, 2023

Conversation

janjwerner-confluent
Contributor

@janjwerner-confluent janjwerner-confluent commented Dec 4, 2023

Description

Update guava to 32.0.1-jre to address two CVEs: CVE-2020-8908 and CVE-2023-2976.
This change requires a minor test change to remove assumptions about ordering.

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever it would not be obvious to an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

Comment on lines 286 to 287
// This test is guava version sensitive when upgrading to guava > 32
// the order changes to
Member

It sounds like it would be less brittle to change this test to compare sets instead of lists. I don't think anything relies on ordering here.

Contributor Author

This came up in:
#14767
There is an effort on de-flaking tests; I would guess this will show up on their radar sooner or later.

Member

Given that we changed the expected order once already, I suggest we move to a set. I made suggestions you should be able to merge (mostly) as is.

Contributor Author

Thank you!
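The review thread above is about a test that broke only because the iteration order of a Guava collection changed between versions. As an added illustration (not code from this PR or from Apache Druid), the following hypothetical Java snippet shows the three assertion styles at play: list equality (order-sensitive, the brittle form), set equality (the reviewer's suggestion), and a count-based comparison that stays order-insensitive but still catches duplicate or missing elements. The `resultFromOldLibrary`/`resultFromNewLibrary` methods and the `seg_*` values are constructed stand-ins for whatever the real test collects.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;

/**
 * Order-sensitive versus order-insensitive test assertions.
 * Hypothetical example, not Druid code.
 */
public final class OrderInsensitiveAssertion {

    // Constructed sample: the same elements as returned by two versions of a
    // library whose iteration order is an implementation detail (e.g. a hash set).
    static List<String> resultFromOldLibrary() {
        return Arrays.asList("seg_a", "seg_b", "seg_c");
    }

    static List<String> resultFromNewLibrary() {
        return Arrays.asList("seg_c", "seg_a", "seg_b");
    }

    // Brittle: List.equals compares element by element, so a library upgrade
    // that reorders the result fails the test without any behavioural change.
    static boolean orderSensitiveEquals(List<String> expected, List<String> actual) {
        return expected.equals(actual);
    }

    // What the reviewer suggests: comparing as sets ignores order. Caveat: it also
    // ignores multiplicity, so [a, a, b] and [a, b] compare equal.
    static boolean setEquals(List<String> expected, List<String> actual) {
        return new HashSet<>(expected).equals(new HashSet<>(actual));
    }

    // Order-insensitive but multiplicity-preserving: compare per-element counts.
    // Use this form when the test must also catch duplicated or dropped entries.
    static boolean multisetEquals(List<String> expected, List<String> actual) {
        return counts(expected).equals(counts(actual));
    }

    private static Map<String, Integer> counts(List<String> items) {
        Map<String, Integer> m = new HashMap<>();
        for (String s : items) {
            m.merge(s, 1, Integer::sum);
        }
        return m;
    }

    public static void main(String[] args) {
        List<String> expected = resultFromOldLibrary();
        List<String> actual = resultFromNewLibrary();
        System.out.println("list equals:     " + orderSensitiveEquals(expected, actual));
        System.out.println("set equals:      " + setEquals(expected, actual));
        System.out.println("multiset equals: " + multisetEquals(expected, actual));

        // A duplicated element is invisible to the set comparison but not to the
        // count-based one.
        List<String> withDuplicate = Arrays.asList("seg_a", "seg_a", "seg_b", "seg_c");
        System.out.println("set equals (dup):      " + setEquals(expected, withDuplicate));
        System.out.println("multiset equals (dup): " + multisetEquals(expected, withDuplicate));
    }
}
```

In a JUnit-based suite the same idea is usually expressed by wrapping both sides in `ImmutableSet.copyOf(...)` or `new HashSet<>(...)` before `assertEquals`, or by sorting both lists first when the elements are comparable and duplicates matter.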

…dataManagerTest.java

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
…dataManagerTest.java

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
…dataManagerTest.java

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
@xvrl xvrl merged commit 8cc256b into apache:master Dec 4, 2023
83 checks passed
@janjwerner-confluent janjwerner-confluent deleted the janjwerner-update-guava branch December 4, 2023 21:25
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request Dec 13, 2023
Update guava to 32.0.1-jre to address two CVEs: CVE-2020-8908, CVE-2023-2976
This change requires a minor test change to remove assumptions about ordering.

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Dec 18, 2023
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Dec 18, 2023
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request Dec 19, 2023
Update guava to 32.0.1-jre to address two CVEs: CVE-2020-8908, CVE-2023-2976
This change requires a minor test change to remove assumptions about ordering.

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Dec 19, 2023
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request Dec 19, 2023
Update guava to 32.0.1-jre to address two CVEs: CVE-2020-8908, CVE-2023-2976
This change requires a minor test change to remove assumptions about ordering.

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Dec 19, 2023
@LakshSingla LakshSingla added this to the 29.0.0 milestone Jan 29, 2024
3 participants