HADOOP-13732: Upgrade OWASP dependency-check plugin version

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0-alpha2
    • Component/s: security
    • Labels:
      None

      Description

      For reasons I don't fully understand, the current version (1.3.6) of the OWASP dependency-check plugin produces an essentially empty report on trunk (3.0.0). After some research, it appears that this plugin has undergone significant work in the latest version, 1.4.3. Upgrading to this version produces the expected full report.

      The only gotcha is that a new-ish version of maven is required. I'm using 3.2.2; I know that 3.0.x fails with a strange error.

      This plugin was introduced in HADOOP-13198.
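      As an added illustration (not part of this issue's patches and not Hadoop's own pom.xml), the fragment below shows the two pieces the discussion touches: pinning the plugin to 1.4.3, the version the description reports as producing a full report, and making the Maven version requirement explicit in the build instead of in a comment. The Maven Enforcer plugin's requireMavenVersion rule fails the build up front with a readable message rather than the "strange error" the description mentions for 3.0.x. The plugin coordinates org.owasp:dependency-check-maven, the aggregate goal and the enforcer rule are real; the profile id dependency-check and the exact lower bound 3.2.2 (the version the reporter says works) are assumptions for this example.

```xml
<!-- Added example, not Hadoop's pom.xml. The scan is kept in a profile so the
     normal build is unaffected, matching the comment thread below. -->
<project>
  <!-- ... rest of the pom ... -->
  <profiles>
    <profile>
      <!-- profile id is an assumption for this example -->
      <id>dependency-check</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-enforcer-plugin</artifactId>
            <version>1.4.1</version>
            <executions>
              <execution>
                <id>enforce-maven-for-dependency-check</id>
                <goals>
                  <goal>enforce</goal>
                </goals>
                <configuration>
                  <rules>
                    <requireMavenVersion>
                      <!-- 3.2.2 is the version the description reports as working;
                           3.0.x is reported to fail. The exact lower bound is an
                           assumption, not something the issue establishes. -->
                      <version>[3.2.2,)</version>
                      <message>dependency-check-maven 1.4.3 requires Maven 3.2.2 or newer; see BUILDING.txt</message>
                    </requireMavenVersion>
                  </rules>
                </configuration>
              </execution>
            </executions>
          </plugin>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <!-- 1.4.3 is the version this issue upgrades to; 1.3.6 produced an
                 essentially empty report on trunk -->
            <version>1.4.3</version>
            <executions>
              <execution>
                <goals>
                  <!-- aggregate scans every module of the reactor into one report -->
                  <goal>aggregate</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

      With this layout, `mvn -Pdependency-check verify` runs the enforcer check before the scan, so an old Maven fails at the validate phase with the message above; a plain `mvn install` never loads either plugin. Whether the empty report itself should fail the build is a separate policy question that the enforcer rule does not address.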

      Attachments

      1. HADOOP-13732.001.patch (0.6 kB, Mike Yoder)
      2. HADOOP-13732.002.patch (2 kB, Mike Yoder)

        Activity

        hudson Hudson added a comment -

        SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10661 (See https://builds.apache.org/job/Hadoop-trunk-Commit/10661/)
        HADOOP-13732. Upgrade OWASP dependency-check plugin version. Contributed (wang: rev c473490da01c5909209b138034e1a1c85e174247)

        • (edit) BUILDING.txt
        • (edit) pom.xml
        andrew.wang Andrew Wang added a comment -

        Committed to trunk, thanks Mike for the find and fix!

        andrew.wang Andrew Wang added a comment -

        I ran the checker locally, LGTM. will commit shortly.

        hadoopqa Hadoop QA added a comment -
        -1 overall

        Vote Subsystem Runtime Comment
        0 reexec 0m 14s Docker mode activated.
        +1 @author 0m 0s The patch does not contain any @author tags.
        -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
        +1 mvninstall 6m 39s trunk passed
        +1 compile 6m 53s trunk passed
        +1 mvnsite 9m 19s trunk passed
        +1 mvneclipse 1m 3s trunk passed
        +1 javadoc 4m 19s trunk passed
        +1 mvninstall 6m 37s the patch passed
        +1 compile 6m 51s the patch passed
        +1 javac 6m 51s the patch passed
        +1 mvnsite 9m 20s the patch passed
        +1 mvneclipse 1m 1s the patch passed
        +1 whitespace 0m 0s The patch has no whitespace issues.
        +1 xml 0m 1s The patch has no ill-formed XML file.
        +1 javadoc 4m 18s the patch passed
        -1 unit 95m 30s root in the patch failed.
        -1 asflicense 0m 22s The patch generated 2 ASF License warnings.
        153m 16s

        Reason Tests
        Failed junit tests hadoop.hdfs.server.namenode.TestDecommissioningStatus
          hadoop.hdfs.server.blockmanagement.TestPendingInvalidateBlock
          hadoop.yarn.server.applicationhistoryservice.webapp.TestAHSWebServices

        Subsystem Report/Notes
        Docker Image:yetus/hadoop:9560f25
        JIRA Issue HADOOP-13732
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12834747/HADOOP-13732.002.patch
        Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit xml
        uname Linux 5e438e5ad828 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
        git revision trunk / 61e30cf
        Default Java 1.8.0_101
        unit https://builds.apache.org/job/PreCommit-HADOOP-Build/10856/artifact/patchprocess/patch-unit-root.txt
        Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/10856/testReport/
        asflicense https://builds.apache.org/job/PreCommit-HADOOP-Build/10856/artifact/patchprocess/patch-asflicense-problems.txt
        modules C: . U: .
        Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/10856/console
        Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

        This message was automatically generated.

        hadoopqa Hadoop QA added a comment -
        -1 overall

        Vote Subsystem Runtime Comment
        0 reexec 0m 10s Docker mode activated.
        +1 @author 0m 0s The patch does not contain any @author tags.
        -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
        +1 mvninstall 7m 6s trunk passed
        +1 compile 7m 17s trunk passed
        +1 mvnsite 10m 44s trunk passed
        +1 mvneclipse 1m 44s trunk passed
        +1 javadoc 5m 4s trunk passed
        +1 mvninstall 8m 9s the patch passed
        +1 compile 8m 31s the patch passed
        +1 javac 8m 31s the patch passed
        +1 mvnsite 10m 47s the patch passed
        +1 mvneclipse 1m 9s the patch passed
        +1 whitespace 0m 0s The patch has no whitespace issues.
        +1 xml 0m 1s The patch has no ill-formed XML file.
        +1 javadoc 5m 4s the patch passed
        -1 unit 104m 54s root in the patch failed.
        -1 asflicense 0m 26s The patch generated 2 ASF License warnings.
        172m 0s

        Reason Tests
        Failed junit tests hadoop.yarn.server.applicationhistoryservice.webapp.TestAHSWebServices
          hadoop.yarn.server.nodemanager.containermanager.queuing.TestQueuingContainerManager

        Subsystem Report/Notes
        Docker Image:yetus/hadoop:9560f25
        JIRA Issue HADOOP-13732
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12834009/HADOOP-13732.001.patch
        Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit xml
        uname Linux ab815439f88d 3.13.0-95-generic #142-Ubuntu SMP Fri Aug 12 17:00:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
        git revision trunk / b733a6f
        Default Java 1.8.0_101
        unit https://builds.apache.org/job/PreCommit-HADOOP-Build/10824/artifact/patchprocess/patch-unit-root.txt
        Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/10824/testReport/
        asflicense https://builds.apache.org/job/PreCommit-HADOOP-Build/10824/artifact/patchprocess/patch-asflicense-problems.txt
        modules C: . U: .
        Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/10824/console
        Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

        This message was automatically generated.

        yoderme Mike Yoder added a comment -

        I'd have to make a dependency-check specific note in BUILDING.txt, which seems a little awkward. (The normal build isn't affected, of course.) I'll see what I can do. My only alternative idea is a comment around this plugin in pom.xml. I do agree it needs to be documented somewhere.

        • I don't even think that maven is available on RHEL 6.6
        • My RHEL 7.2 machine looks like it would use version 3.0.5-16
        • My Ubuntu 16.04 machine is using 3.3.9
        • Looks like Ubuntu 14.04 uses 3.0.5-1

        The maven release history page is at https://maven.apache.org/docs/history.html

        andrew.wang Andrew Wang added a comment -

        Hi Mike, if we need to use a more recent version of Maven, then we also need to update BUILDING.txt.

        Could you comment on the availability of the required Maven version on a few common OSs? e.g. RHEL6, 7, Ubuntu 12/14/16.

        yoderme Mike Yoder added a comment -

        Ping Andrew Wang

          People

          • Assignee: yoderme Mike Yoder
          • Reporter: yoderme Mike Yoder
          • Votes: 0
          • Watchers: 5