FLUME-3131

Upgrade spring framework library dependencies

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.7.0
    • Fix Version/s: 1.8.0
    • Component/s: None
    • Labels:

      Description

      Group                Artifact        Version used    Upgrade target
      org.springframework  spring-aop      3.0.7.RELEASE   4.3.9.RELEASE
      org.springframework  spring-context  3.0.7.RELEASE   4.3.9.RELEASE
      org.springframework  spring-core     3.0.7.RELEASE   4.3.9.RELEASE

      Security vulnerability: https://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html
      Maven repositories:

      Please do:

      • The CVE might be a false alarm or mistake. Please double check.
      • Double check the newest version.
      • Consider removing a dependency if a better alternative is available.
      • Check whether the lib change would introduce a backward incompatibility (in which case please add the label `breaking_change`, and the fix version should be the next major).

      Excerpt from mvn dependency:tree

      org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
      \- org.apache.activemq:activemq-core:jar:5.7.0:provided
         +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
         |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
         |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
         |  +- org.springframework:spring-core:jar:3.0.7.RELEASE:provided
         |  +- org.springframework:spring-expression:jar:3.0.7.RELEASE:provided
         |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided
      
      Attachments

      1. FLUME-3131-1.patch (1 kB, Ferenc Szabo)
      2. FLUME-3131.patch (1 kB, Ferenc Szabo)


          Activity

          denes Denes Arvay added a comment -

          Thank you Ferenc Szabo for the patch and Attila Simon for the review, I have pushed it to trunk.

          hudson Hudson added a comment -

          FAILURE: Integrated in Jenkins build Flume-trunk-hbase-1 #310 (See https://builds.apache.org/job/Flume-trunk-hbase-1/310/)
          FLUME-3131. Upgrade Spring Framework library dependencies (denes: http://git-wip-us.apache.org/repos/asf/flume/repo?p=flume.git&a=commit&h=aa1aea07b7e2bd25e28efdc262239ec501fbf086)

          • (edit) pom.xml
          • (edit) flume-ng-sources/flume-jms-source/pom.xml
          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/flume/pull/153

          jira-bot ASF subversion and git services added a comment -

          Commit aa1aea07b7e2bd25e28efdc262239ec501fbf086 in flume's branch refs/heads/trunk from Ferenc Szabo
          [ https://git-wip-us.apache.org/repos/asf?p=flume.git;h=aa1aea0 ]

          FLUME-3131. Upgrade Spring Framework library dependencies

          The Spring Framework libraries are transitive dependencies through ActiveMQ,
          thus it's not possible to upgrade.
          They are only used in tests, so moved ActiveMQ to test scope.

          This closes #153

          Reviewers: Attila Simon, Denes Arvay

          (Ferenc Szabo via Denes Arvay)

          githubbot ASF GitHub Bot added a comment -

          GitHub user szaboferee opened a pull request:

          https://github.com/apache/flume/pull/153

          FLUME-3131 Upgrade spring framework library dependencies

          they cannot be upgraded because they are activemq dependencies. they were moved to test scope

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/szaboferee/flume FLUME-3131

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/flume/pull/153.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #153


          commit ad845be6bd977f9b90c0f3c427714e228176b127
          Author: Ferenc Szabo <fszabo@cloudera.com>
          Date: 2017-08-15T07:30:24Z

          FLUME-3131 Upgrade spring framework library dependencies

          they cannot be upgraded because they are activemq dependencies. they were moved to test scope

          fszabo Ferenc Szabo added a comment -

          Attila Simon thanks for your comment, I have uploaded an updated patch.

          Review board: https://reviews.apache.org/r/61014/

          sati Attila Simon added a comment -

          After looking at your patch now it is clear that you wanted to achieve what I wrote above. Have you considered pulling in the https://search.maven.org/#artifactdetails%7Cjavax.jms%7Cjms-api%7C1.1-rev-1%7Cjar instead of the geronimo shaded version?

          sati Attila Simon added a comment - - edited

          Hi Ferenc Szabo,
          In general I'm fine with any approach which gets us closer to the state that flume is not vulnerable based on our understanding.

          Indeed it looks like test only. But having a closer look, it seems that activemq (parent dependency of spring, and also brings in geronimo) also falls into the same category. I would also consider updating the version of activemq in case it still passes testing and doesn't bring in undesired dependencies transitively. (This in turn might help resolve this ticket by either removing the spring dependency completely or pulling in a "better" one.)

          ⏚ [~/ws/apache/flume] trunk ± ag activemq *
          flume-ng-doc/sphinx/FlumeUserGuide.rst
          932:application it should work with any JMS provider but has only been tested with ActiveMQ.
          945:**initialContextFactory**   --           Inital Context Factory, e.g: org.apache.activemq.jndi.ActiveMQInitialContextFactory
          994:  a1.sources.r1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
          
          flume-ng-sources/flume-jms-source/pom.xml
          74:      <groupId>org.apache.activemq</groupId>
          75:      <artifactId>activemq-core</artifactId>
          
          flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestIntegrationActiveMQ.java
          37:import org.apache.activemq.ActiveMQConnectionFactory;
          38:import org.apache.activemq.broker.BrokerPlugin;
          39:import org.apache.activemq.broker.BrokerService;
          40:import org.apache.activemq.security.AuthenticationUser;
          41:import org.apache.activemq.security.SimpleAuthenticationPlugin;
          57:public class TestIntegrationActiveMQ {
          60:      "org.apache.activemq.jndi.ActiveMQInitialContextFactory";
          65:  // specific for dynamic queues on ActiveMq
          133:    ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
          154:    ConnectionFactory factory = new ActiveMQConnectionFactory(USERNAME,
          
          pom.xml
          1081:        <groupId>org.apache.activemq</groupId>
          1082:        <artifactId>activemq-core</artifactId>
          
          fszabo Ferenc Szabo added a comment - - edited

          Attila Simon
          In this case I would recommend changing the activemq dependency to have a test scope because it is only used in one test; then the vulnerability is not going to be present in production.
          For the `javax.jms.*` packages use the following dependency:

              <dependency>
                <groupId>org.apache.geronimo.specs</groupId>
                <artifactId>geronimo-jms_1.1_spec</artifactId>
                <version>1.1.1</version>
              </dependency>
          
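The fix agreed on in this thread (the commit message's "moved ActiveMQ to test scope", with the JMS API supplied by `geronimo-jms_1.1_spec` as in the comment above) can be checked against `mvn dependency:tree` output rather than taken on trust. The following is an added example, not code from the Flume project or from anyone in this thread: a POSIX shell function that flags every `org.springframework` artifact whose Maven scope is anything other than `test`. Both embedded tree excerpts are constructed: the "before" one is the excerpt quoted in the ticket description, and the "after" one is an assumption about the shape the tree takes once `activemq-core` is on test scope.

```shell
#!/bin/sh
# Added example (not the Flume project's own code): scan the text output of
# `mvn dependency:tree` for Spring artifacts that still reach a non-test scope.
# Each artifact line ends in group:artifact:type:version:scope, e.g.
#   |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
# so the scope is the last colon-separated field of the last token.

# Constructed sample, taken from the ticket description: activemq-core on
# provided scope drags Spring 3.0.7 in at provided scope as well.
TREE_BEFORE='org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
\- org.apache.activemq:activemq-core:jar:5.7.0:provided
   +- org.springframework:spring-context:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:provided
   |  +- org.springframework:spring-beans:jar:3.0.7.RELEASE:provided
   |  \- org.springframework:spring-asm:jar:3.0.7.RELEASE:provided'

# Constructed sample (assumed shape, not captured from a real build): the
# tree after activemq-core is moved to test scope and javax.jms.* comes from
# geronimo-jms_1.1_spec. Spring is still present, but only for tests.
TREE_AFTER='org.apache.flume.flume-ng-sources:flume-jms-source:jar:1.8.0-SNAPSHOT
+- org.apache.geronimo.specs:geronimo-jms_1.1_spec:jar:1.1.1:compile
\- org.apache.activemq:activemq-core:jar:5.7.0:test
   +- org.springframework:spring-context:jar:3.0.7.RELEASE:test
   |  +- org.springframework:spring-aop:jar:3.0.7.RELEASE:test
   \- org.springframework:spring-core:jar:3.0.7.RELEASE:test'

# Read a dependency tree on stdin and print the coordinates of every artifact
# in group $1 whose scope is not "test". Exit status 1 when any were found.
non_test_scope() {
  group="$1"
  awk -v grp="$group" '
    {
      coord = $NF                      # coordinate is the last token
      n = split(coord, f, ":")
      if (n < 5) next                  # root module line carries no scope
      if (f[1] == grp && f[n] != "test") { print coord; found = 1 }
    }
    END { exit found ? 1 : 0 }'
}

# Convenience wrapper: how many non-test Spring artifacts a tree text has.
count_flagged() {
  printf '%s\n' "$1" | non_test_scope org.springframework | wc -l | tr -d ' '
}

# Stand-alone demonstration: the ticket's tree is flagged, the fixed one is clean.
echo "before fix: $(count_flagged "$TREE_BEFORE") Spring artifact(s) outside test scope"
echo "after fix:  $(count_flagged "$TREE_AFTER") Spring artifact(s) outside test scope"
```

Against a real checkout the same function is fed live output, `mvn dependency:tree | non_test_scope org.springframework`, and a non-zero exit from it is a convenient CI gate: it fails the build if a future dependency bump drags Spring (or any other group you pass in) back into a compile, runtime or provided scope. The scope field is the one that matters for the ticket's argument, since a test-scoped artifact never ships in the packaged agent.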

            People

            • Assignee: Ferenc Szabo
            • Reporter: Attila Simon
            • Votes: 0
            • Watchers: 6