
KAFKA-13518: Update gson dependency

Open dongjinleekr opened this issue 3 years ago • 12 comments

Here is the fix. Since spotbugs 4.5.1 was released just 12 hours ago, it would take a little bit to be synched with maven central.

Committer Checklist (excluded from commit message)

  • [ ] Verify design and implementation
  • [ ] Verify test coverage and CI build status
  • [ ] Verify documentation (including upgrade notes)

dongjinleekr avatar Dec 08 '21 11:12 dongjinleekr

Hi @showuon,

Here it is. I just updated the issue title to be clearer and updated the spotbugs dependency to 4.5.2.

dongjinleekr avatar Dec 25 '21 07:12 dongjinleekr

@showuon Sorry for bothering you. Here is the update. There were some updates on spotbugs between 4.2.2 and 4.5.2 and some previously-unfound problems are now detected:

  • In 4.3.0, spotbugs improved their detection logic for MS_EXPOSE_REP:

    MS_EXPOSE_REP and EI_EXPOSE_REP are now reported for code returning a reference to a mutable object indirectly (e.g. via a local variable)

  • In 4.4.2, spotbugs fixed some false positives for DMI_RANDOM_USED_ONLY_ONCE and started to detect some unfound problems:

    DMI_RANDOM_USED_ONLY_ONCE false positive

After the update, it works like a charm: [screenshot 20211225-180841]

dongjinleekr avatar Dec 25 '21 09:12 dongjinleekr

@showuon My bad. I found several other false positives from other modules with spotbugs; they are now fixed. (Please see the comments.) :bow: [screenshot 20211227-231700]

dongjinleekr avatar Dec 27 '21 14:12 dongjinleekr

Thanks for the PR. Seems like the new version has more false positives. Do you know if they intend to fix those?

ijuma avatar Feb 05 '22 05:02 ijuma

@ijuma

Do you know if they intend to fix those?

Oh yes, as you can see in the updated PR, I updated spotbugs to 4.5.3 following the gradle plugin 5.0.5, and rebased onto the latest trunk. It seems like there are a bunch of false positives in the recent version of spotbugs (below), but I verified that none of them are affecting.

[screenshot 20220214-191747]

+1. They also have not fixed the issues I commented on in spotbugs-exclude.xml yet. I will follow up and apply them as soon as they fix them.

dongjinleekr avatar Feb 14 '22 10:02 dongjinleekr

Should we wait until they fix these issues in spotBugs? It doesn't look like the cost/benefit of upgrading here is favorable.

ijuma avatar Feb 14 '22 14:02 ijuma

@ijuma If you don't mind CVE WS-2021-0419, introduced by gson 2.8.6. This PR is to fix it.

dongjinleekr avatar Feb 15 '22 00:02 dongjinleekr

Rebased onto the latest trunk. cc/ @ijuma

dongjinleekr avatar Mar 17 '22 03:03 dongjinleekr

The Gson library has another recent vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-25647. Gson library 2.8.9 fixes this, and it is included in Spotbugs 4.5.0 and higher.

Boojapho avatar May 18 '22 16:05 Boojapho

@Boojapho Thanks for reporting. Here is the fix - rebased onto the latest trunk and upgraded spotbugs to 4.7.0, which also fixes the gson vulnerability.

dongjinleekr avatar Jun 06 '22 01:06 dongjinleekr

@ijuma Here is the update:

  1. Rebased onto the latest trunk.
  2. Gathered the false positives together and added some TODO comments so that the workarounds are not left behind later.
  3. Reduced the scope of DMI_RANDOM_USED_ONLY_ONCE and MS_EXPOSE_REP to scala-only and to some specific classes, respectively.

dongjinleekr avatar Jun 11 '22 13:06 dongjinleekr
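An added illustration of the scoping described in the comment above, written for this page and not taken from Kafka's own spotbugs-exclude.xml: each suppression is limited to one bug pattern and one narrow set of sources or classes, so a workaround for a false positive cannot also silence a real finding elsewhere. The class name is a hypothetical placeholder; the filter syntax (Bug, Source, Class, Or) is the standard SpotBugs filter-file format.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
  <!-- Added example, not Kafka's own file. Narrow suppressions keep the
       detector active everywhere except where a known false positive fires. -->

  <!-- TODO: remove once the upstream DMI_RANDOM_USED_ONLY_ONCE false positive
       is fixed. Scoped to Scala sources only; Java code is still checked. -->
  <Match>
    <Bug pattern="DMI_RANDOM_USED_ONLY_ONCE"/>
    <Source name="~.*\.scala"/>
  </Match>

  <!-- TODO: remove once the MS_EXPOSE_REP reporting change no longer flags
       these holders. Scoped to named classes, not a package-wide wildcard. -->
  <Match>
    <Bug pattern="MS_EXPOSE_REP"/>
    <Or>
      <!-- hypothetical placeholder class names -->
      <Class name="org.example.config.ExampleDefaults"/>
      <Class name="org.example.config.ExampleConstants"/>
    </Or>
  </Match>
</FindBugsFilter>
```

A match with only a Bug element and no Source or Class element would suppress that pattern across the whole build, which is the blanket exclusion the narrowing in step 3 avoids.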

Can you please update to spotbugs 4.7.1? It seems like it fixes the false positives.

ijuma avatar Aug 08 '22 14:08 ijuma

@dongjinleekr I have not seen this PR. I have raised draft PR https://github.com/apache/kafka/pull/12768 to upgrade spotbugs. Can we update to spotbugs 4.7.3?

omkreddy avatar Oct 19 '22 14:10 omkreddy

Closing this PR in favour of https://github.com/apache/kafka/pull/12768

omkreddy avatar Oct 24 '22 17:10 omkreddy