YARN-11389. Upgrade spring-core to 5.3.20 in wro4j-maven-plugin #5192

dmmkr · 2022-12-07T12:47:56Z

Description of PR

How was this patch tested?

hadoop-yarn-ui build sucessful
No spring 3.1.1.RELEASE jars were downloaded during build.

For code changes:

Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?< 8000 /li>
Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

dmmkr · 2022-12-07T12:48:52Z

hadoop-yetus · 2022-12-07T14:32:47Z

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 37s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 1s		codespell was not available.
+0 🆗	detsecrets	0m 1s		detect-secrets was not available.
+0 🆗	xmllint	0m 1s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+1 💚	mvninstall	38m 10s		trunk passed
+1 💚	compile	3m 58s		trunk passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04
+1 💚	compile	3m 48s		trunk passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
+1 💚	mvnsite	0m 43s		trunk passed
+1 💚	javadoc	0m 34s		trunk passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 23s		trunk passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
+1 💚	shadedclient	67m 1s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 15s		the patch passed
+1 💚	compile	3m 23s		the patch passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04
+1 💚	javac	3m 23s		the patch passed
+1 💚	compile	3m 39s		the patch passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
+1 💚	javac	3m 39s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	0m 31s		the patch passed
+1 💚	javadoc	0m 14s		the patch passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 14s		the patch passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
+1 💚	shadedclient	21m 5s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	4m 30s		hadoop-yarn-ui in the patch passed.
+1 💚	asflicense	0m 54s		The patch does not generate ASF License warnings.
		103m 21s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5192/1/artifact/out/Dockerfile
GITHUB PR	#5192
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint
uname	Linux 26147d56425b 4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 18:16:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / `74817d0`
Default Java	Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5192/1/testReport/
Max. process+thread count	558 (vs. ulimit of 5500)
modules	C: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui U: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5192/1/console
versions	git=2.25.1 maven=3.6.3
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

steveloughran · 2022-12-08T11:01:13Z

i think the maven plugin itself should be upgraded, rather than trying to add new dependencies (and do the old ones get excluded? how do you guarantee the new ones get picked up?). what happens later when an upgrade does take place? will we remember to remove what may then be older dependencies

this is a compile time issue only, no cve in any redistributables, so hard to justify creating classpath/version hell for.

dmmkr · 2022-12-08T11:44:51Z

Thanks @steveloughran for the review,

I agree that spring version upgrade should come with the plugin, I tried upgrading the maven plugin to the latest available version of 1.10.1, it still has the vulnerable spring version of 5.3.1

I can a comment similar to #421 to ensure that the spring dependencies get removed in the later versions of plugin upgrade.

We are adding spring as the first level dependency for the plugin, whereas the existing spring is coming from the second level of dependency. Maven ensures that the nearest level of dependency gets picked up.

brahmareddybattula · 2022-12-09T17:43:18Z

HI @steveloughran
As @dmmkr mentioned updated maven plugin doesn't fixed this and as handle on #421 this change should be ok.
Approach looks good to me now.
Please let me know your thoughts.

YARN-11389. Upgrade spring-core to 5.3.20 in wro4j-maven-plugin

74817d0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

YARN-11389. Upgrade spring-core to 5.3.20 in wro4j-maven-plugin #5192

YARN-11389. Upgrade spring-core to 5.3.20 in wro4j-maven-plugin #5192

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

YARN-11389. Upgrade spring-core to 5.3.20 in wro4j-maven-plugin #5192

Are you sure you want to change the base?

YARN-11389. Upgrade spring-core to 5.3.20 in wro4j-maven-plugin #5192

Conversation

Uh oh!

Description of PR

How was this patch tested?

For code changes:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!