ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-…

The JIRA is resolved by updating jackson to version 2.9.9.1.

However, in doing so I found that it was impossible to run the
dependency check as the CVE lists would always fail to download,
regardless of ant or maven. In researching the issue, 5.1.0 of the
dependency checker is now available. That fixes this issue (d/l).

However, in doing so a couple of new problems arise:

The ant dependency check now fails with a circular dependency issue in
one of the transient libraries
(org.sonatype.ossindex#ossindex-service-client;1.2.0). I was unable to
work around this issue. As such the ant dependency checker is not able
to update to the new version. I believe we should just stop using it
in favor of the maven one as this seems to be Ivy related, as mvn
works just fine with the same change.

Another problem that arises with the dependency checker version
upgrade is that two new issues are identified:

https://www.cvedetails.com/cve/CVE-2008-7220/
which is resolved with the updated prototype.js

https://www.cvedetails.com/cve/CVE-2019-3826/
which seems like a false positive. Please check my work on this.

After these changes the mvn owasp check passes. The code compiles. I
tested the generated documentation and it seems unaffected by the
prototype.js change, although I could have missed this.

Change-Id: I12c9b3111641b066417fc85b155877af5edf9929

Author: Patrick Hunt <phunt@apache.org>

Reviewers: Enrico Olivelli <eolivelli@apache.org>

Closes #1014 from phunt/ZOOKEEPER-3441
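The commit message above relies on suppressing CVE-2019-3826 as a false positive. As an added illustration (not ZooKeeper's own owaspSuppressions.xml, whose contents are not shown on this page), here is the shape of an OWASP dependency-check suppression entry written so that the suppression stays narrow and reviewable: it names the CVE, records why it was judged a false positive, and is scoped to a single package coordinate rather than matching every dependency. `EXAMPLE-GROUP` and `EXAMPLE-ARTIFACT` are placeholders, because the page does not say which dependency triggered the finding.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's file. Uses the dependency-check
     suppression schema; each <suppress> should be as narrow as possible
     so a real finding in another artifact is not silently hidden. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2019-3826 reported by dependency-check 5.1.0 after the upgrade.
      Assessed as a false positive for this artifact (the CPE match does not
      correspond to the library actually shipped). Record reviewer, date and
      the JIRA (ZOOKEEPER-3441) so the decision can be re-checked later.
    ]]></notes>
    <!-- Placeholder coordinate: the page does not name the matched dependency.
         Anchored regex limits the suppression to one group/artifact. -->
    <packageUrl regex="true">^pkg:maven/EXAMPLE-GROUP/EXAMPLE-ARTIFACT@.*$</packageUrl>
    <!-- Suppress exactly one CVE, never the whole artifact. -->
    <cve>CVE-2019-3826</cve>
  </suppress>
</suppressions>
```

The file is wired in through the `dependency-check-maven` plugin's `suppressionFiles` configuration in pom.xml, and `mvn org.owasp:dependency-check-maven:check` then reports the CVE as suppressed instead of failing the build. Keeping the `<notes>` block populated is what lets the next person "check my work", as the commit asks.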
2 files changed
tree: 4de44860b2ebf681d56f29327125cd35b6dbffc6
README.md

For the latest information about ZooKeeper, please visit our website at:

http://zookeeper.apache.org/

and our wiki, at:

https://cwiki.apache.org/confluence/display/ZOOKEEPER

Full documentation for this release can also be found in docs/index.html


Packaging/release artifacts - Maven

A buildable tarball is located under zookeeper/target/ directory

The artifacts for the modules are uploaded to maven central.

Packaging/release artifacts - Ant

The release artifact contains the following jar file at the top level:

zookeeper-<version>.jar - legacy jar file which contains all classes and source files. Prior to version 3.3.0 this was the only jar file available. It has the benefit of having the source included (for debugging purposes); however, it is also larger as a result.

The release artifact contains the following jar files in “dist-maven” directory:

- zookeeper-<version>.jar - bin (binary) jar - contains only class (.class) files
- zookeeper-<version>-sources.jar - contains only src (.java) files
- zookeeper-<version>-javadoc.jar - contains only javadoc files

These bin/src/javadoc jars were added specifically to support Maven/Ivy which have the ability to pull these down automatically as part of your build process. The content of the legacy jar and the bin+sources jar are the same.

As of version 3.3.0, the bin/sources/javadoc jars contained in the dist-maven directory are deployed to the Apache Maven repository after the release has been accepted by Apache: http://people.apache.org/repo/m2-ibiblio-rsync-repository/