Bump Jackson dependency due to CVE-2022-1471 #26410
Conversation
Codecov Report

@@            Coverage Diff             @@
##           master   #26410      +/-   ##
==========================================
- Coverage   81.09%   81.07%   -0.02%
==========================================
  Files         469      469
  Lines       67199    67199
==========================================
- Hits        54494    54483      -11
- Misses      12705    12716      +11
Flags with carried forward coverage won't be shown. See 9 files with indirect coverage changes.
Run GoPortable PreCommit
Run Java_PVR_Flink_Batch PreCommit
Run Java_PVR_Flink_Docker PreCommit
Run Java_Pulsar_IO_Direct PreCommit
Run Java_hadoop_IO_Direct PreCommit
Run Python_PVR_Flink PreCommit
Run GoPortable PreCommit
Run Java PreCommit
Run Java_GCP_IO_Direct PreCommit
Run Java_PVR_Flink_Docker PreCommit
Run Java_hadoop_IO_Direct PreCommit
Run Python_PVR_Flink PreCommit
Looks like Gradle is picking up a different transitive dependency and breaks Cassandra:
Yes, thanks @Abacn.
It is a
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 1 week if no further activity occurs. If you think that's incorrect or this pull request requires a review, please simply write any comment. If closed, you can revive the PR at any time and @mention a reviewer or discuss it on the dev@beam.apache.org list. Thank you for your contributions.
This pull request has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time.
added this to [Parent issue] Support for Apache Pulsar #31078
jackson-dataformat-yaml:2.14.1 included SnakeYAML 1.33, which is within CVE-2022-1471's range.
jackson-dataformat-yaml:2.15.0 updated to SnakeYAML 2.0, which has fixed vulnerabilities.
There was some discussion about the dependency on the dev mailing list (https://lists.apache.org/thread/jcwvgttjsmxyqkc01rwzhd8zjxjk99h4), but #25350 was abandoned because it's not exploitable.
Even though SnakeYAML has a statement about it (https://github.com/snakeyaml/snakeyaml#cve), it is nice to be on a version range that is considered safe.
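As an added illustration of the vulnerability class behind CVE-2022-1471 (example code written for this page, not Beam's or SnakeYAML's own code): it assumes SnakeYAML 1.33 on the classpath, the transitive version the description above names, and uses java.net.URL as a deliberately benign stand-in for whatever class an attacker-supplied tag might name. The contrast is between SnakeYAML's default Constructor, which resolves a global tag to a JVM class and instantiates it, and SafeConstructor, which only knows the standard YAML tags.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/**
 * Added example, not Beam or SnakeYAML project code.
 * Assumption: SnakeYAML 1.33 (the version named in the PR description) is on the classpath.
 *
 * A global tag such as !!java.net.URL names a JVM class. With the default
 * Constructor, SnakeYAML resolves that class and instantiates it from the
 * node's contents, so whoever controls the YAML text chooses which classes
 * get instantiated (CVE-2022-1471). SafeConstructor refuses any tag it does
 * not know, so the same input fails closed.
 */
public final class SnakeYamlConstructorDemo {

  // Constructed sample input. java.net.URL is harmless; the point is that the
  // class was chosen by the document, not by the application.
  static final String UNTRUSTED_YAML =
      "endpoint: !!java.net.URL [\"https://example.invalid/\"]\n";

  /** Vulnerable pattern on 1.x: the default Constructor honours global tags. */
  static Object loadUnsafe(String yaml) {
    Yaml loader = new Yaml(new Constructor(new LoaderOptions()));
    return loader.load(yaml);
  }

  /** Hardened pattern: SafeConstructor only builds standard YAML types. */
  static Object loadSafe(String yaml) {
    Yaml loader = new Yaml(new SafeConstructor(new LoaderOptions()));
    return loader.load(yaml);
  }

  public static void main(String[] args) {
    // Default Constructor: "endpoint" comes back as a java.net.URL instance.
    Map<?, ?> unsafe = (Map<?, ?>) loadUnsafe(UNTRUSTED_YAML);
    System.out.println("default Constructor built: "
        + unsafe.get("endpoint").getClass().getName());

    // SafeConstructor: the unknown global tag is rejected before any class is touched.
    try {
      loadSafe(UNTRUSTED_YAML);
      System.out.println("SafeConstructor: loaded (unexpected)");
    } catch (ConstructorException e) {
      System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
    }
  }
}
```

Compile and run with the snakeyaml jar on the classpath. This is also why the bump matters less for jackson-dataformat-yaml than the CVE range suggests: Jackson's YAML parser drives SnakeYAML's event-level parser directly and never calls Yaml.load, so the Constructor path shown above is not reached from Jackson, which is the basis for the "not exploitable" conclusion in the linked discussion. Moving to SnakeYAML 2.0 still removes the class from scanner findings, and in 2.0 the first call above also fails, because its default LoaderOptions rejects global tags unless a TagInspector is configured to allow them.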