
[AMORO-3971] Fix high CVEs in dependencies, including Zookeeper, Jackson-Core, and Snappy-Java.

Open zhangwl9 opened this issue 1 month ago • 6 comments

Why are the changes needed?

Close #3971.

Brief change log

  • Bump shade-zookeeper version to 3.9.4
  • Bump shade-jackson version to 2.15.0
  • Bump snappy-java version to 1.1.10.1
  • Bump maven-shade-plugin to 3.4.0 in order to upgrade the Jackson version. For details, see https://github.com/apache/amoro-shade/pull/16

How was this patch tested?

  • [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

  • [ ] Add screenshots for manual tests if appropriate

  • [x] Run test locally before making a pull request

Documentation

  • Does this pull request introduce a new feature? (yes / no)
  • If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

zhangwl9 avatar Nov 27 '25 05:11 zhangwl9

related to amoro-shade: https://github.com/apache/amoro-shade/pull/3

xxubai avatar Nov 27 '25 06:11 xxubai

related to amoro-shade: apache/amoro-shade#3 I need to wait for amoro-shade-zookeeper to be merged first, and then update amoro-shade-jackson to 2.15.0. Only then can I update the relevant reference versions in the amoro project.

zhangwl9 avatar Nov 27 '25 07:11 zhangwl9

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 28.94%. Comparing base (99ecf53) to head (909f7ea). :warning: Report is 1 commit behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #3976      +/-   ##
============================================
- Coverage     29.14%   28.94%   -0.21%     
+ Complexity     3921     3877      -44     
============================================
  Files           638      632       -6     
  Lines         50937    50676     -261     
  Branches       6545     6464      -81     
============================================
- Hits          14846    14668     -178     
+ Misses        35030    34978      -52     
+ Partials       1061     1030      -31     
Flag    Coverage Δ
core    28.94% <ø> (-0.21%) :arrow_down:


codecov-commenter avatar Nov 27 '25 07:11 codecov-commenter

Could you update the dependencies list?

./dev/dependencies.sh --replace

turboFei avatar Nov 28 '25 02:11 turboFei

@xxubai I noticed you've updated the Shade version in https://github.com/apache/amoro-shade/tree/update-0.9-snapshot, but when Amoro runs the compilation, it can't access these new Shade version JAR files. What else needs to be done? You can upload the new version to the location specified in the error report.


zhangwl9 avatar Nov 28 '25 03:11 zhangwl9

The compilation error is as follows:

[image]

We must await the release of the maven-shade 0.9-snapshot version. Only after obtaining the jar file for this version from the following path (https://repository.apache.org/content/groups/snapshots/org/apache/amoro/amoro-shade-zookeeper-3/) can compilation proceed.

zhangwl9 avatar Dec 08 '25 06:12 zhangwl9