Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump up commons-compress to 1.26.1 to fix CVE #12627

Merged
merged 17 commits into from
Apr 3, 2024

Conversation

sandeshkr419
Copy link
Contributor

@sandeshkr419 sandeshkr419 commented Mar 12, 2024

Description

Follow-up on #12604, Bump common-compress package to 1.26.1 to fix CVE:

https://nvd.nist.gov/vuln/detail/CVE-2024-26308 NVD / Published Date:02/19/2024
https://nvd.nist.gov/vuln/detail/CVE-2024-25710 NVD / Published Date: 02/19/2024

Tika has been upgraded to latest release since any previous release were failing with required commons-compress upgrade. Also, other dependencies with ingest-attachement (with Tika) were upgraded to resolve minor future CVEs and test errors.

Related Issues

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Copy link
Contributor

❌ Gradle check result for 8c8a75f: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Copy link
Contributor

❌ Gradle check result for 8c8a75f: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@sandeshkr419 sandeshkr419 changed the title [Do not merge now] Bump up commons-compress to 1.26.0 to fix CVE Bump up commons-compress to 1.26.0 to fix CVE Apr 2, 2024
@sandeshkr419 sandeshkr419 changed the title Bump up commons-compress to 1.26.0 to fix CVE Bump up commons-compress to 1.26.1 to fix CVE Apr 2, 2024
Copy link
Contributor

github-actions bot commented Apr 2, 2024

❕ Gradle check result for 86977e8: UNSTABLE

  • TEST FAILURES:
      1 org.opensearch.action.admin.cluster.node.tasks.ResourceAwareTasksTests.testTaskResourceTrackingDuringTaskCancellation

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

Copy link
Contributor

github-actions bot commented Apr 3, 2024

❕ Gradle check result for 9e3ce43: UNSTABLE

  • TEST FAILURES:
      1 org.opensearch.indices.replication.SegmentReplicationIT.testNodeDropWithOngoingReplication

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

Copy link
Contributor

github-actions bot commented Apr 3, 2024

❕ Gradle check result for 54b8ef9: UNSTABLE

  • TEST FAILURES:
      1 org.opensearch.remotestore.RemoteStoreStatsIT.testNonZeroPrimaryStatsOnNewlyCreatedIndexWithZeroDocs

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

@sandeshkr419
Copy link
Contributor Author

Changes are ready for review!

@kotwanikunal kotwanikunal added the backport 2.x Backport to 2.x branch label Apr 3, 2024
@kotwanikunal kotwanikunal merged commit c00e863 into opensearch-project:main Apr 3, 2024
37 checks passed
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.x
# Create a new branch
git switch --create backport/backport-12627-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 c00e8631b42e0a12039b8f5796e5b54f429e2a1f
# Push it to GitHub
git push --set-upstream origin backport/backport-12627-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-12627-to-2.x.

@sandeshkr419 sandeshkr419 deleted the cve branch April 3, 2024 20:10
sandeshkr419 added a commit to sandeshkr419/OpenSearch that referenced this pull request Apr 3, 2024
* Bump up commons-compress to 1.26.0 to fix CVE

Signed-off-by: Aman Khare <[email protected]>

* Change log entry

Signed-off-by: Aman Khare <[email protected]>

* Update ignoreMissingClasses

Signed-off-by: Aman Khare <[email protected]>

* Update commons-codec and commons-lang3 dependencies also

Signed-off-by: Aman Khare <[email protected]>

* Upgrade commons-codec to 1.16.1

Signed-off-by: Aman Khare <[email protected]>

* Add commons-io dependency in plugin-cli build.gradle

Signed-off-by: Sandesh Kumar <[email protected]>

* Revert "Update ignoreMissingClasses"

This reverts commit d92fbda.

Signed-off-by: Sandesh Kumar <[email protected]>

* Adding SHA for commons-io-2.15.1.jar

Signed-off-by: Sandesh Kumar <[email protected]>

* adding license, notice files for commons-io

Signed-off-by: Sandesh Kumar <[email protected]>

* Add missing classes for thirdPartyAudit

Signed-off-by: Sandesh Kumar <[email protected]>

* Refactor

Signed-off-by: Sandesh Kumar <[email protected]>

* Test commit - to be reverted

Signed-off-by: Sandesh Kumar <[email protected]>

* Bump commons-compress to 1.26.1, tika to 2.9.1

Signed-off-by: Sandesh Kumar <[email protected]>

* Remove Charsets class from exclusion list - not missing

Signed-off-by: Sandesh Kumar <[email protected]>

* Update tika to 2.9.2

Signed-off-by: Sandesh Kumar <[email protected]>

* commons-io 2.16.0

Signed-off-by: Sandesh Kumar <[email protected]>

* Refactor commons-io dependency mentions to avoid manual version setting/update

Signed-off-by: Sandesh Kumar <[email protected]>

---------

Signed-off-by: Aman Khare <[email protected]>
Signed-off-by: Sandesh Kumar <[email protected]>
Co-authored-by: Aman Khare <[email protected]>
Signed-off-by: Sandesh Kumar <[email protected]>
kotwanikunal pushed a commit that referenced this pull request Apr 3, 2024
* Bump up commons-compress to 1.26.0 to fix CVE



* Change log entry



* Update ignoreMissingClasses



* Update commons-codec and commons-lang3 dependencies also



* Upgrade commons-codec to 1.16.1



* Add commons-io dependency in plugin-cli build.gradle



* Revert "Update ignoreMissingClasses"

This reverts commit d92fbda.



* Adding SHA for commons-io-2.15.1.jar



* adding license, notice files for commons-io



* Add missing classes for thirdPartyAudit



* Refactor



* Test commit - to be reverted



* Bump commons-compress to 1.26.1, tika to 2.9.1



* Remove Charsets class from exclusion list - not missing



* Update tika to 2.9.2



* commons-io 2.16.0



* Refactor commons-io dependency mentions to avoid manual version setting/update



---------

Signed-off-by: Aman Khare <[email protected]>
Signed-off-by: Sandesh Kumar <[email protected]>
Co-authored-by: Aman Khare <[email protected]>
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
* Bump up commons-compress to 1.26.0 to fix CVE

Signed-off-by: Aman Khare <[email protected]>

* Change log entry

Signed-off-by: Aman Khare <[email protected]>

* Update ignoreMissingClasses

Signed-off-by: Aman Khare <[email protected]>

* Update commons-codec and commons-lang3 dependencies also

Signed-off-by: Aman Khare <[email protected]>

* Upgrade commons-codec to 1.16.1

Signed-off-by: Aman Khare <[email protected]>

* Add commons-io dependency in plugin-cli build.gradle

Signed-off-by: Sandesh Kumar <[email protected]>

* Revert "Update ignoreMissingClasses"

This reverts commit d92fbda.

Signed-off-by: Sandesh Kumar <[email protected]>

* Adding SHA for commons-io-2.15.1.jar

Signed-off-by: Sandesh Kumar <[email protected]>

* adding license, notice files for commons-io

Signed-off-by: Sandesh Kumar <[email protected]>

* Add missing classes for thirdPartyAudit

Signed-off-by: Sandesh Kumar <[email protected]>

* Refactor

Signed-off-by: Sandesh Kumar <[email protected]>

* Test commit - to be reverted

Signed-off-by: Sandesh Kumar <[email protected]>

* Bump commons-compress to 1.26.1, tika to 2.9.1

Signed-off-by: Sandesh Kumar <[email protected]>

* Remove Charsets class from exclusion list - not missing

Signed-off-by: Sandesh Kumar <[email protected]>

* Update tika to 2.9.2

Signed-off-by: Sandesh Kumar <[email protected]>

* commons-io 2.16.0

Signed-off-by: Sandesh Kumar <[email protected]>

* Refactor commons-io dependency mentions to avoid manual version setting/update

Signed-off-by: Sandesh Kumar <[email protected]>

---------

Signed-off-by: Aman Khare <[email protected]>
Signed-off-by: Sandesh Kumar <[email protected]>
Co-authored-by: Aman Khare <[email protected]>
Signed-off-by: Shivansh Arora <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x Backport to 2.x branch backport-failed CVE Fixes a CVE v2.14.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants