
Add vertx-grpc to dependencyManagement to get rid of CVE-2024-8391 #4548

Closed

Conversation

equanz (Contributor) commented Jan 20, 2025

Motivation

Related to #4545

The OWASP Dependency Check job failed with the following errors.

Run mvn -q -B -ntp clean install verify -Powasp-dependency-check -DskipTests -pl '!stream/distributedlog/io/dlfs,!tests'
Error:  Failed to execute goal org.owasp:dependency-check-maven:10.0.2:aggregate (default) on project bookkeeper: 
Error:  
Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
Error:  
Error:  vertx-grpc-4.5.1.jar: CVE-2024-8391(7.5)
...

https://github.com/apache/bookkeeper/actions/runs/12851240827/job/35831830711?pr=4533

% mvn dependency:tree
...
[INFO] ------< org.apache.bookkeeper.metadata.drivers:jetcd-core-shaded >------
[INFO] Building Apache BookKeeper :: Metadata Drivers:: jetcd-core shaded 4.18.0-SNAPSHOT [56/93]
[INFO]   from metadata-drivers/jetcd-core-shaded/pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.6.1:tree (default-cli) @ jetcd-core-shaded ---
[INFO] org.apache.bookkeeper.metadata.drivers:jetcd-core-shaded:jar:4.18.0-SNAPSHOT
[INFO] +- io.etcd:jetcd-core:jar:0.7.7:compile
[INFO] |  +- io.etcd:jetcd-grpc:jar:0.7.7:compile
[INFO] |  |  \- io.vertx:vertx-grpc:jar:4.5.1:compile
[INFO] |  |     \- io.vertx:vertx-core:jar:4.5.11:compile
...

Changes

  • Add io.vertx:vertx-grpc to dependencyManagement
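As an added illustration of the "Changes" bullet above (this is not the PR's actual diff and not BookKeeper's own pom), the fragment below shows the shape of a dependencyManagement entry that pins a transitive artifact. The property name `vertx-grpc.version` is an assumption, and the version value is a placeholder because the page does not state which release resolves the CVE; the entry is assumed to live in the root pom so that the jetcd-core-shaded module inherits it.

```xml
<!-- Added example, not the PR's diff: pins io.vertx:vertx-grpc via dependencyManagement. -->
<project>
  <properties>
    <!-- PLACEHOLDER: set to the io.vertx release that resolves CVE-2024-8391
         (the page does not state it); property name is an assumption. -->
    <vertx-grpc.version>REPLACE_WITH_FIXED_VERSION</vertx-grpc.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Maven applies a managed version to every occurrence of this coordinate in the
           resolved graph, including the transitive path
           jetcd-core -> jetcd-grpc -> vertx-grpc shown in the dependency tree above.
           dependencyManagement does not add vertx-grpc to any module; it only
           overrides the version that would otherwise be taken from jetcd-grpc's pom. -->
      <dependency>
        <groupId>io.vertx</groupId>
        <artifactId>vertx-grpc</artifactId>
        <version>${vertx-grpc.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After the change, `mvn dependency:tree -Dincludes=io.vertx` on the affected module shows which vertx-grpc version is actually resolved; since vertx-grpc pulls in vertx-core, the output is also the place to confirm that the two io.vertx artifacts end up on compatible versions before re-running the OWASP check.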

equanz (Contributor, Author) commented Jan 20, 2025

rerun failure checks

equanz (Contributor, Author) commented Jan 21, 2025

rerun failure checks

@equanz equanz closed this Jan 21, 2025
@equanz equanz reopened this Jan 21, 2025
hezhangjian (Member) commented

Thanks for your contribution. But I think it's a duplicate of #4547

equanz (Contributor, Author) commented Jan 21, 2025

it's a duplicate of #4547

That is true. So could you please review one or the other?

hezhangjian (Member) commented

Thank you for your contribution! In open source communities, we usually prefer to merge the earlier PR when two identical fixes are proposed. Since PR #4547 has already been merged, I will close this one. Please feel free to contribute again in the future if you have more ideas or improvements. Your efforts are much appreciated!

@equanz equanz deleted the update_vertx-grpc branch January 21, 2025 09:22