| commit | c0567034179ada13ed9577cbe69b3f4b203bba86 | [log] [tgz] |
|---|---|---|
| author | Patrick Hunt <phunt@apache.org> | Fri Jul 12 07:32:42 2019 +0200 |
| committer | Enrico Olivelli <eolivelli@apache.org> | Sat Jul 13 08:45:14 2019 +0200 |
| tree | 4de44860b2ebf681d56f29327125cd35b6dbffc6 | |
| parent | 5bf8cf1a7782b04e540e18188bd499f21bf90562 [diff] | |
ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-…

The JIRA is resolved by updating jackson to version 2.9.9.1. However, in so doing I found that it was impossible to run the dependency check, as the CVE lists would always fail to download, regardless of ant or maven. In researching the issue, 5.1.0 of the dependency checker is now available. That fixes this issue (d/l). However, in so doing a couple of new problems arise:

The ant dependency check now fails with a circular dependency issue in one of the transient libraries (org.sonatype.ossindex#ossindex-service-client;1.2.0). I was unable to work around this issue. As such the ant dependency checker is not able to update to the new version. I believe we should just stop using it in favor of the maven one, as this seems to be Ivy related, as mvn works just fine with the same change.

Another problem that arises with the dependency checker version upgrade is that two new issues are identified:

https://www.cvedetails.com/cve/CVE-2008-7220/ which is resolved with the updated prototype.js
https://www.cvedetails.com/cve/CVE-2019-3826/ which seems like a false positive.

Please check my work on this. After these changes the mvn owasp check passes. The code compiles. I tested the generated documentation and it seems unaffected by the prototype.js change, although I could have missed this.

Change-Id: I12c9b3111641b066417fc85b155877af5edf9929
Author: Patrick Hunt <phunt@apache.org>
Reviewers: Enrico Olivelli <eolivelli@apache.org>
Closes #1014 from phunt/ZOOKEEPER-3441
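The commit message accepts CVE-2019-3826 as a false positive without saying how it was recorded. Below is an added example, not from the ZooKeeper repository or this commit, of an OWASP dependency-check suppression file that scopes that one CVE to a single artifact instead of silencing it everywhere; it assumes the file is referenced from the `suppressionFiles` configuration of the dependency-check-maven plugin, and the Maven coordinates are a placeholder because the message does not name the flagged jar.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  owasp-suppressions.xml (example file, not part of the ZooKeeper build).
  Wire it in via <suppressionFiles><suppressionFile>owasp-suppressions.xml</suppressionFile></suppressionFiles>
  in the dependency-check-maven plugin's <configuration>.
  Each <suppress> entry pairs one CVE with one dependency match (gav/sha1/filePath);
  an entry with only <cve> and no match would hide the CVE for every dependency.
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2019-3826 reported as a false positive in ZOOKEEPER-3441.
      Re-evaluate this entry whenever the matched dependency is upgraded.
    ]]></notes>
    <!-- PLACEHOLDER coordinates: the commit message does not state which artifact triggered the finding -->
    <gav regex="true">^EXAMPLE_GROUPID:EXAMPLE_ARTIFACTID:.*$</gav>
    <cve>CVE-2019-3826</cve>
  </suppress>
</suppressions>
```

With `failBuildOnCVSS` set to 0 in the plugin configuration, any CVE not covered by such a scoped entry still fails the build, so suppressions stay the only place where accepted findings are documented.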
For the latest information about ZooKeeper, please visit our website at:
and our wiki, at:
https://cwiki.apache.org/confluence/display/ZOOKEEPER
Full documentation for this release can also be found in docs/index.html
Packaging/release artifacts - Maven
A buildable tarball is located under the zookeeper/target/ directory. The artifacts for the modules are uploaded to Maven Central.
Packaging/release artifacts - Ant
The release artifact contains the following jar file at the toplevel:
- zookeeper-.jar - legacy jar file which contains all classes and source files. Prior to version 3.3.0 this was the only jar file available. It has the benefit of having the source included (for debugging purposes); however, it is also larger as a result.
The release artifact contains the following jar files in “dist-maven” directory:
- zookeeper-.jar - bin (binary) jar - contains only class (.class) files
- zookeeper--sources.jar - contains only src (.java) files
- zookeeper--javadoc.jar - contains only javadoc files

These bin/src/javadoc jars were added specifically to support Maven/Ivy, which have the ability to pull them down automatically as part of your build process. The contents of the legacy jar and of the bin+sources jars are the same.
As of version 3.3.0, the bin/sources/javadoc jars contained in the dist-maven directory are deployed to the Apache Maven repository after the release has been accepted by Apache: http://people.apache.org/repo/m2-ibiblio-rsync-repository/