Fix CVEs #96

Merged: 5 commits, Jun 27, 2023

Conversation

@GumpacG (Collaborator) commented Jun 21, 2023

Description

  • Removed H2 as it is included but not used and makes CI fail
  • Updated guava version
  • Specified version of CodeQL as the update introduced breaking changes

Issues Resolved

#5

Check List

  • New functionality includes testing.
    • All tests pass, including unit test, integration test and doctest
  • New functionality has been documented.
    • New functionality has javadoc added
    • New functionality has user manual doc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@Yury-Fridlyand (Collaborator) commented:

Can you update release notes?

@GumpacG GumpacG changed the title Removed h2 as a dependency Fix CVEs Jun 22, 2023
Signed-off-by: Guian Gumpac <[email protected]>
@GumpacG GumpacG merged commit d01e4eb into opensearch-project:main Jun 27, 2023
@GumpacG GumpacG deleted the integ-remove-h2-dependency branch June 27, 2023 23:19
@mbg commented Jun 28, 2023

Hi @GumpacG 👋🏻

I work on CodeQL and noticed that you referenced an issue over on the codeql repo, but that isn't quite the same issue you are encountering here. I see that you have a test dependency on org.eclipse.jetty:jetty-server:11.0.14 which is only compatible with Java 11+. Indeed, your Java build CI only builds with Java 11 and 17, but your Gradle build script suggests that Java 8 should be used. (I assume that while your tests require Java 11+, the library part of this project is still happy with Java 8+?)

Rather than pinning the older version of CodeQL and missing out on new features and improvements, I would suggest that you build with Java 11 or 17 in the CodeQL workflow as well. The easiest way to accomplish this would be with a manual build by replacing

    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

with

    - name: Build
      run: |
        ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off clean
        ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off testClasses

This should give you the same results as with the automatic build, except that the default Java version on the system is used instead of the one that CodeQL infers based on your project configuration. In the case of the GHA runners, the default is currently Java 11.

To further improve the workflow's reliability, I would also recommend adding a setup-java step to explicitly install and make Java 11 the default (or whichever version of Java you would like to use for the CodeQL workflow).
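Putting the two suggestions above together, as an added example that is not part of this PR or the project's own workflow file: a complete CodeQL workflow that pins Java 11 with an explicit setup-java step and runs the manual Gradle build in place of the Autobuild step. The workflow name, triggers, the Temurin distribution and the permissions block are assumptions; the Gradle flags are the ones quoted in the comment above.

```yaml
# Added example (not from the PR): CodeQL workflow with an explicit JDK
# and a manual build. Workflow name, triggers and JDK distribution are assumed.
name: CodeQL

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # needed to upload CodeQL results to code scanning

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Install the JDK explicitly instead of relying on the runner default,
      # so the analysis build does not change silently when the runner image does.
      - name: Set up Java 11
        uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '11'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: java

      # Manual build replacing "github/codeql-action/autobuild@v2", using the
      # same Gradle invocation suggested above. Dependency verification is
      # switched off only for this analysis build, not for the release build.
      - name: Build
        run: |
          ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off clean
          ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off testClasses

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

Because the JDK is chosen by setup-java rather than inferred by CodeQL from the Gradle script, the workflow keeps working even if the build script still declares Java 8 for the library part; changing the JDK version later is a one-line edit to `java-version`.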

@GumpacG (Collaborator, Author) commented Jun 28, 2023

I tested and the suggested solution worked. I'll update. Thanks @mbg.
