HADOOP-19578: Upgrade esdk-obs-java to resolve CVE-2023-3635 #7707

YanivKunda · 2025-05-25T09:16:07Z

Description of PR

Upgrade esdk-obs-java (in hadoop-huaweicloud) to resolve CVE-2023-3635

How was this patch tested?

Ran existing tests.

For code changes:

Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?

hadoop-yetus · 2025-05-25T11:29:31Z

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	21m 12s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+1 💚	mvninstall	35m 40s		trunk passed
+1 💚	compile	0m 29s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	compile	0m 28s		trunk passed with JDK Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
+1 💚	mvnsite	0m 33s		trunk passed
+1 💚	javadoc	0m 34s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 28s		trunk passed with JDK Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
+1 💚	shadedclient	71m 56s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
-1 ❌	mvninstall	0m 24s	/patch-mvninstall-hadoop-cloud-storage-project_hadoop-huaweicloud.txt	hadoop-huaweicloud in the patch failed.
+1 💚	compile	0m 19s		the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javac	0m 19s		the patch passed
+1 💚	compile	0m 19s		the patch passed with JDK Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
+1 💚	javac	0m 19s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	0m 21s		the patch passed
+1 💚	javadoc	0m 20s		the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 19s		the patch passed with JDK Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
+1 💚	shadedclient	34m 59s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	0m 24s		hadoop-huaweicloud in the patch passed.
+1 💚	asflicense	0m 37s		The patch does not generate ASF License warnings.
		132m 1s

Subsystem	Report/Notes
Docker	ClientAPI=1.49 ServerAPI=1.49 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7707/1/artifact/out/Dockerfile
GITHUB PR	#7707
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint
uname	Linux 75c9a3d9b31f 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / `c3f593b`
Default Java	Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7707/1/testReport/
Max. process+thread count	557 (vs. ulimit of 5500)
modules	C: hadoop-cloud-storage-project/hadoop-huaweicloud U: hadoop-cloud-storage-project/hadoop-huaweicloud
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7707/1/console
versions	git=2.25.1 maven=3.6.3
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

slfan1989 · 2025-05-26T05:40:49Z

hadoop-cloud-storage-project/hadoop-huaweicloud/pom.xml

@@ -29,7 +29,7 @@
  <properties>
    <file.encoding>UTF-8</file.encoding>
    <downloadSources>true</downloadSources>
-    <esdk.version>3.20.4.2</esdk.version>
+    <esdk.version>3.25.4</esdk.version>


https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7707/1/artifact/out/patch-mvninstall-hadoop-cloud-storage-project_hadoop-huaweicloud.txt

[ERROR] Dependency convergence error for com.squareup.okio:okio:jar:3.6.0 paths to dependency are:
[ERROR] +-org.apache.hadoop:hadoop-huaweicloud:jar:3.5.0-SNAPSHOT
[ERROR] +-com.huaweicloud:esdk-obs-java:jar:3.25.4:compile
[ERROR] +-com.squareup.okhttp3:okhttp:jar:4.12.0:compile
[ERROR] +-com.squareup.okio:okio:jar:3.6.0:compile
[ERROR] and
[ERROR] +-org.apache.hadoop:hadoop-huaweicloud:jar:3.5.0-SNAPSHOT
[ERROR] +-com.huaweicloud:esdk-obs-java:jar:3.25.4:compile
[ERROR] +-com.squareup.okio:okio:jar:3.8.0:compile

We need to resolve this compilation error.

@slfan1989 this is an internal dependency "issue" with the esdk-obj-java library -
It uses OkHttp 4.12.0 which declares OkIo 3.6.0,
But it also uses OkIo 3.8.0 directly, overriding OkHttp's version of choice.
If this discrepancy is contained within a single (and external) part of the dependency tree, can this warning be suppressed?

the pom dependency declarations will need to explicitly exclude the 3.6 versoin; look for the many other uses of to see this in use

hadoop-yetus · 2025-07-07T23:55:27Z

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	20m 57s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+1 💚	mvninstall	37m 22s		trunk passed
+1 💚	compile	0m 29s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	compile	0m 28s		trunk passed with JDK Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
+1 💚	mvnsite	0m 33s		trunk passed
+1 💚	javadoc	0m 35s		trunk passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 27s		trunk passed with JDK Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
+1 💚	shadedclient	74m 50s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 24s		the patch passed
+1 💚	compile	0m 20s		the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javac	0m 20s		the patch passed
+1 💚	compile	0m 19s		the patch passed with JDK Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
+1 💚	javac	0m 19s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	0m 22s		the patch passed
+1 💚	javadoc	0m 20s		the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 19s		the patch passed with JDK Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
+1 💚	shadedclient	35m 52s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	0m 23s		hadoop-huaweicloud in the patch passed.
+1 💚	asflicense	0m 38s		The patch does not generate ASF License warnings.
		135m 32s

Subsystem	Report/Notes
Docker	ClientAPI=1.51 ServerAPI=1.51 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7707/3/artifact/out/Dockerfile
GITHUB PR	#7707
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint
uname	Linux 79aa806cbc5b 5.15.0-143-generic #153-Ubuntu SMP Fri Jun 13 19:10:45 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / `1027e19`
Default Java	Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_452-8u452-ga~~us1-0ubuntu1~~20.04-b09
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7707/3/testReport/
Max. process+thread count	694 (vs. ulimit of 5500)
modules	C: hadoop-cloud-storage-project/hadoop-huaweicloud U: hadoop-cloud-storage-project/hadoop-huaweicloud
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-7707/3/console
versions	git=2.25.1 maven=3.6.3
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

github-actions bot added build trunk labels May 25, 2025

slfan1989 reviewed May 26, 2025

View reviewed changes

< 8000 /div>
YanivKunda force-pushed the HADOOP-19578_upgrade_esdk-obs-java branch from c3f593b to c4c7bfa Compare July 7, 2025 21:35

github-actions bot added YARN MapReduce HDFS DistCp Common RBF TOOLS AWS ABFS Infra labels Jul 7, 2025

github-actions bot added YARN MapReduce HDFS DistCp Common RBF TOOLS AWS ABFS Infra labels Jul 7, 2025

HADOOP-19578: Upgrade esdk-obs-java to resolve CVE-2023-3635

1027e19

YanivKunda force-pushed the HADOOP-19578_upgrade_esdk-obs-java branch from c4c7bfa to 1027e19 Compare July 7, 2025 21:38

github-actions bot removed YARN HDFS RBF TOOLS AWS ABFS labels Jul 7, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

HADOOP-19578: Upgrade esdk-obs-java to resolve CVE-2023-3635 #7707

HADOOP-19578: Upgrade esdk-obs-java to resolve CVE-2023-3635 #7707

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

HADOOP-19578: Upgrade esdk-obs-java to resolve CVE-2023-3635 #7707

Are you sure you want to change the base?

HADOOP-19578: Upgrade esdk-obs-java to resolve CVE-2023-3635 #7707

Conversation

Description of PR

How was this patch tested?

For code changes:

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!