Skip to content

TEZ-4576: Bump dependency-check-maven from 1.3.6 to 3.2.0 #252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 19, 2024
Merged

TEZ-4576: Bump dependency-check-maven from 1.3.6 to 3.2.0 #252

merged 1 commit into from
Aug 19, 2024

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 28, 2022
edited
Loading

Bumps dependency-check-maven from 1.3.6 to 3.2.0.

Changelog

Sourced from dependency-check-maven's changelog.

Version 3.2.0 (2018-05-21)

Security Fix

  • Unsafe unzip operations (zip slip), as reported by the Snyk Security Research Team, have been corrected. CVE-2018-12036 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.

Bug Fixes

  • The dependency-check-maven plugin no longer uses the Central Analyzer by default
  • Updated dependency-check-maven so that it will not fail when your multi-module build has dependencies that have not yet been built in the reactor (See #740)
    • Note if the required dependency has not yet been built in the reactor and the dependency is available in a configured repository dependency-check-maven, as expected, would pull the dependency from the repository for analysis.
  • Minor documentation updates
  • False positive reduction
  • Fixed the Gradle Plugin and Ant Task so that the temp directory is properly cleaned up after execution
  • Removed TLSv1 from the list of protocols used by default (See #1237)

Enhancements

  • Excess white space has been removed from the XML and HTML reports; the JSON report is still pretty printed (a future release will convert this to a configurable option)
  • Better error reporting
  • Changed to use commons-text instead of commons-lang3 as a portion of commons-lang3 was moved to commonts-text
  • Added more flexible suppression rules with the introduction of the until attribute (see #1145 and dependency-suppression.1.2.xsd

Version 3.1.2 (2018-04-02)

Bug Fixes

  • Updated the NVD URLs
  • Updated documentation
  • Add project references to the JSON and XML report; in aggregate scans using Maven or Gradle the dependencies will include a reference to the project/module where they were found
  • The configuration option versionCheckEnabled was added to Maven to allow users to disable the check for new versions of dependency-check; this will be added to gradle plugin, Ant Task, and the CLI in a future release
  • The XML and JSON reports were fixed so that the correct version number is displayed see [issue #1109](jeremylong/DependencyCheck#1109)
  • The initial database creation time for H2 databases was improved
  • Changes made to decrease false positive and false negatives

Version 3.1.1 (2018-01-29)

Bug Fixes

  • Fixed the Central Analyzer to use the updated SHA1 query syntax.
  • Reverted change that broke Maven 3.1.0 compatability; Maven 3.1.0 and beyond is once again supported.
  • False positive reduction.
  • Minor documentation cleanup.

Version 3.1.0 (2018-01-02)

Enhancements

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

> **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Nov 28, 2022
@tez-yetus
Copy link

tez-yetus commented Nov 28, 2022

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 32m 41s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ master Compile Tests _
+1 💚 mvninstall 15m 19s master passed
+1 💚 compile 2m 18s master passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 💚 compile 2m 5s master passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
+1 💚 javadoc 2m 35s master passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 💚 javadoc 1m 51s master passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
_ Patch Compile Tests _
+1 💚 mvninstall 3m 55s the patch passed
+1 💚 compile 2m 20s the patch passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 💚 javac 2m 20s the patch passed
+1 💚 compile 2m 9s the patch passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
+1 💚 javac 2m 9s the patch passed
+1 💚 whitespace 0m 0s The patch has no whitespace issues.
+1 💚 xml 0m 1s The patch has no ill-formed XML file.
+1 💚 javadoc 2m 22s the patch passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 💚 javadoc 1m 55s the patch passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
_ Other Tests _
+1 💚 unit 74m 40s root in the patch passed.
+1 💚 asflicense 0m 55s The patch does not generate ASF License warnings.
146m 12s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/1/artifact/out/Dockerfile
GITHUB PR #252
Optional Tests dupname asflicense javac javadoc unit xml compile
uname Linux 7b06a064b889 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/tez.sh
git revision master / 25fc8c4
Default Java Private Build-1.8.0_352-8u352-ga-1~20.04-b08
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_352-8u352-ga-1~20.04-b08
Test Results https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/1/testReport/
Max. process+thread count 1483 (vs. ulimit of 5500)
modules C: . U: .
Console output https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/1/console
versions git=2.25.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@ayushtkn
Copy link
Member

ayushtkn commented May 28, 2024

@dependabot rebase

@dependabot dependabot bot force-pushed the dependabot/maven/org.owasp-dependency-check-maven-3.2.0 branch from 2b31dd4 to d87d93c Compare May 28, 2024 05:59
@tez-yetus
Copy link

tez-yetus commented May 28, 2024

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 22m 19s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ master Compile Tests _
+1 💚 mvninstall 14m 44s master passed
+1 💚 compile 2m 15s master passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1
+1 💚 compile 2m 9s master passed with JDK Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
+1 💚 javadoc 1m 46s master passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1
+1 💚 javadoc 1m 11s master passed with JDK Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
_ Patch Compile Tests _
+1 💚 mvninstall 4m 23s the patch passed
+1 💚 compile 2m 18s the patch passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1
+1 💚 javac 2m 18s the patch passed
+1 💚 compile 2m 9s the patch passed with JDK Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
+1 💚 javac 2m 9s the patch passed
+1 💚 whitespace 0m 0s The patch has no whitespace issues.
+1 💚 xml 0m 2s The patch has no ill-formed XML file.
+1 💚 javadoc 1m 16s the patch passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1
+1 💚 javadoc 1m 13s the patch passed with JDK Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
_ Other Tests _
-1 ❌ unit 82m 38s root in the patch failed.
+1 💚 asflicense 0m 41s The patch does not generate ASF License warnings.
140m 22s
Reason Tests
Failed junit tests tez.analyzer.TestAnalyzer
Subsystem Report/Notes
Docker ClientAPI=1.45 ServerAPI=1.45 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/2/artifact/out/Dockerfile
GITHUB PR #252
Optional Tests dupname asflicense javac javadoc unit xml compile
uname Linux 3599d25cee49 5.15.0-106-generic #116-Ubuntu SMP Wed Apr 17 09:17:56 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/tez.sh
git revision master / 38c5aac
Default Java Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
unit https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/2/artifact/out/patch-unit-root.txt
Test Results https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/2/testReport/
Max. process+thread count 2100 (vs. ulimit of 5500)
modules C: . U: .
Console output https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/2/console
versions git=2.34.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@ayushtkn
Copy link
Member

ayushtkn commented Aug 16, 2024

@dependabot rebase

@dependabot
Bump dependency-check-maven from 1.3.6 to 3.2.0
41549fb 
Bumps [dependency-check-maven](https://github.com/jeremylong/DependencyCheck) from 1.3.6 to 3.2.0.
- [Release notes](https://github.com/jeremylong/DependencyCheck/releases)
- [Changelog](https://github.com/jeremylong/DependencyCheck/blob/main/RELEASE_NOTES.md)
- [Commits](jeremylong/DependencyCheck@v1.3.6...v3.2.0)

---
updated-dependencies:
- dependency-name: org.owasp:dependency-check-maven
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/maven/org.owasp-dependency-check-maven-3.2.0 branch from d87d93c to 41549fb Compare August 16, 2024 07:34
@tez-yetus
Copy link

tez-yetus commented Aug 16, 2024

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 22m 17s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ master Compile Tests _
+1 💚 mvninstall 18m 24s master passed
+1 💚 compile 2m 23s master passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04
+1 💚 compile 2m 14s master passed with JDK Private Build-1.8.0_422-8u422-b05-1~22.04-b05
+1 💚 javadoc 1m 48s master passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04
+1 💚 javadoc 1m 12s master passed with JDK Private Build-1.8.0_422-8u422-b05-1~22.04-b05
_ Patch Compile Tests _
+1 💚 mvninstall 4m 23s the patch passed
+1 💚 compile 2m 24s the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04
+1 💚 javac 2m 24s the patch passed
+1 💚 compile 2m 9s the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~22.04-b05
+1 💚 javac 2m 9s the patch passed
+1 💚 whitespace 0m 0s The patch has no whitespace issues.
+1 💚 xml 0m 2s The patch has no ill-formed XML file.
+1 💚 javadoc 1m 17s the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04
+1 💚 javadoc 1m 13s the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~22.04-b05
_ Other Tests _
-1 ❌ unit 82m 11s root in the patch failed.
+1 💚 asflicense 0m 43s The patch does not generate ASF License warnings.
143m 57s
Reason Tests
Failed junit tests tez.analyzer.TestAnalyzer
Subsystem Report/Notes
Docker ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/3/artifact/out/Dockerfile
GITHUB PR #252
Optional Tests dupname asflicense javac javadoc unit xml compile
uname Linux 2c2f9987f728 5.15.0-117-generic #127-Ubuntu SMP Fri Jul 5 20:13:28 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/tez.sh
git revision master / cd6ceec
Default Java Private Build-1.8.0_422-8u422-b05-1~22.04-b05
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_422-8u422-b05-1~22.04-b05
unit https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/3/artifact/out/patch-unit-root.txt
Test Results https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/3/testReport/
Max. process+thread count 2100 (vs. ulimit of 5500)
modules C: . U: .
Console output https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/3/console
versions git=2.34.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@ayushtkn ayushtkn changed the title Bump dependency-check-maven from 1.3.6 to 3.2.0 TEZ-4576: Bump dependency-check-maven from 1.3.6 to 3.2.0 Aug 19, 2024
@ayushtkn ayushtkn merged commit 174d4e3 into master Aug 19, 2024
@dependabot dependabot bot deleted the dependabot/maven/org.owasp-dependency-check-maven-3.2.0 branch August 19, 2024 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tez-yetus @ayushtkn