
[8.13.x][RHPAM-4700][CVE-2022-1471] snakeyaml to 1.33 #25

Merged
merged 3 commits into from
Nov 24, 2023

Conversation


@mareknovotny mareknovotny commented Oct 17, 2023

https://issues.redhat.com/browse/RHPAM-4700

Related PRs:

How to replicate CI configuration locally?

The Build Chain tool does "simple" Maven build(s). The builds are just Maven commands, but because the repositories relate to and depend on each other, any change in an API or class method could affect several of them, so the build-chain tool is needed to handle cross-repository builds and make sure the latest version of the code is always used for each repository.

build-chain is a build tool that can be run on the command line locally or in GitHub Actions workflow(s). If you need to change multiple repositories and send multiple dependent pull requests related to one change, you can reproduce the same build by executing it in the GitHub-hosted environment or locally in your development environment. See the local execution details for more information.

How to retest this PR or trigger a specific build:
  • for pull request checks
    Please add comment: Jenkins retest this

  • for a specific pull request check
    please add comment: Jenkins (re)run [optaplanner|optaplanner-quickstarts] tests

  • for a full downstream build

    • for jenkins job:
      please add comment: Jenkins run fdb
    • for github actions job:
      add the label run_fdb
  • for a compile downstream build
    please add comment: Jenkins run cdb

  • for a full production downstream build
    please add comment: Jenkins execute product fdb

  • for an upstream build
    please add comment: Jenkins run upstream

  • for quarkus branch checks
    Run checks against Quarkus current used branch
    Please add comment: Jenkins run quarkus-branch

  • for a quarkus branch specific check
    Run checks against Quarkus current used branch
    Please add comment: Jenkins (re)run [optaplanner|optaplanner-quickstarts] quarkus-branch

  • for quarkus main checks
    Run checks against Quarkus main branch
    Please add comment: Jenkins run quarkus-main

  • for a specific quarkus main check
    Run checks against Quarkus main branch
    Please add comment: Jenkins (re)run [optaplanner|optaplanner-quickstarts] quarkus-branch

  • for quarkus lts checks
    Run checks against Quarkus lts branch
    Please add comment: Jenkins run quarkus-lts

  • for a specific quarkus lts check
    Run checks against Quarkus lts branch
    Please add comment: Jenkins (re)run [optaplanner|optaplanner-quickstarts] quarkus-lts

  • for native checks
    Run native checks
    Please add comment: Jenkins run native

  • for a specific native check
    Run native checks
    Please add comment: Jenkins (re)run [optaplanner|optaplanner-quickstarts] native

  • for native lts checks
    Run native checks against quarkus lts branch
    Please add comment: Jenkins run native-lts

  • for a specific native lts check
    Run native checks against quarkus lts branch
    Please add comment: Jenkins (re)run [optaplanner|optaplanner-quickstarts] native-lts

CI Status

You can check OptaPlanner repositories CI status from Chain Status webpage.

How to backport a pull request to a different branch?

In order to automatically create a backporting pull request please add one or more labels having the following format backport-<branch-name>, where <branch-name> is the name of the branch where the pull request must be backported to (e.g., backport-7.67.x to backport the original PR to the 7.67.x branch).

NOTE: backporting is an action aiming to move a change (usually a commit) from one branch (usually the main one) to another, which is generally a still-maintained release branch. Keeping it simple: it is about moving a specific change, or a set of them, from one branch to another.

Once the original pull request is successfully merged, the automated action will create one backporting pull request for each label (in the format above) that has been added.

If something goes wrong, the author will be notified and at this point a manual backporting is needed.

NOTE: this automated backporting is triggered whenever a pull request on main branch is labeled or closed, but both conditions must be satisfied to get the new PR created.

@mareknovotny (Member Author)

Jenkins retest this

@mareknovotny (Member Author)

ok to test

@mareknovotny (Member Author)

3 failures

kiegroup_optaplanner/optaplanner/optaplanner-quarkus-integration/optaplanner-quarkus/devui-integration-test/src/test/java/org/optaplanner/quarkus/it/devui/OptaPlannerDevUITest.java:81 | java.lang.NullPointerException 	at java.base/java.util.Objects.requireNonNull(Objects.java:221)
kiegroup_optaplanner/optaplanner/optaplanner-quarkus-integration/optaplanner-quarkus/devui-integration-test/src/test/java/org/optaplanner/quarkus/it/devui/OptaPlannerDevUITest.java:100 | java.lang.NullPointerException 	at java.base/java.util.Objects.requireNonNull(Objects.java:221)
kiegroup_optaplanner/optaplanner/optaplanner-quarkus-integration/optaplanner-quarkus/devui-integration-test/src/test/java/org/optaplanner/quarkus/it/devui/OptaPlannerDevUITest.java:58 | java.lang.NullPointerException 	at java.base/java.util.Objects.requireNonNull(Objects.java:221)

@lucamolteni (Contributor)

I'm not sure we should update snakeyaml to 2.0

Snakeyaml needs to be the same version that Quarkus is using, and on 2.13 it's using 1.33. We cannot just update snakeyaml to 2.0 and expect it to work. As the latest Quarkus 2.13 fixed this (quarkusio/quarkus#30440) by upgrading to a smallrye-config that uses SafeConstructor, we should be safe: smallrye/smallrye-config@1ca5a17
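The comment above relies on the loader side of the fix rather than the library version: SnakeYAML 1.33 still resolves global (`!!`) tags to Java classes through its default `Constructor`, which is what CVE-2022-1471 is about, while `SafeConstructor` only builds standard YAML types (maps, lists, scalars) and refuses everything else. The following is an added example, not code from optaplanner, smallrye-config or Quarkus; the class name inside the tag and both sample documents are constructed placeholders, and it assumes `org.yaml:snakeyaml:1.33` on the classpath.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Added example: loading YAML with SnakeYAML 1.33 through SafeConstructor. */
public class SafeYamlLoading {

    // Constructed sample input: a document carrying a global (!!) tag that asks the
    // loader to instantiate a class by name. The class name is a placeholder; the
    // point is that SafeConstructor refuses any such tag, whatever the class.
    static final String TAGGED_DOCUMENT =
            "server: !!com.example.PlaceholderSettings {port: 8080}\n";

    // Constructed sample input with no tags: plain maps, scalars and a list only.
    static final String PLAIN_DOCUMENT =
            "server:\n  port: 8080\n  hosts: [a.example, b.example]\n";

    /** Hardened loader: only standard YAML types (map, list, scalar) are constructed. */
    static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions();
        // Unrelated to CVE-2022-1471, but cheap: bound alias expansion in collections.
        options.setMaxAliasesForCollections(50);
        return new Yaml(new SafeConstructor(options));
    }

    /** Loads with SafeConstructor; returns the parsed map, or null if the document was rejected. */
    static Map<String, Object> loadSafely(String document) {
        try {
            return safeYaml().load(document);
        } catch (YAMLException e) {
            // SafeConstructor throws a ConstructorException (a YAMLException) for
            // tags it has no constructor for, instead of instantiating a class.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // The untagged document parses into ordinary Maps, Lists and Integers.
        System.out.println("plain document  -> " + loadSafely(PLAIN_DOCUMENT));

        // The tagged document is refused; nothing named in the tag is ever loaded.
        System.out.println("tagged document -> " + loadSafely(TAGGED_DOCUMENT));

        // For comparison: `new Yaml()` in 1.33 uses the default Constructor, which
        // resolves the tag to a class name and tries to instantiate it.
    }
}
```

For a Maven project the version pin discussed in this PR is a separate concern from the loader choice: pinning `org.yaml:snakeyaml` to 1.33 in `dependencyManagement` (or via the Jackson BOM, as suggested later in the thread) keeps the build consistent with Quarkus 2.13, but it is the `SafeConstructor` in the consuming code (here smallrye-config) that removes the arbitrary-class construction. `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` shows which version and scope actually resolved.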

@mareknovotny (Member Author)

mareknovotny commented Nov 14, 2023

we talked about this with @yurloc and we think jackson bom could be upgraded to override the snakeyaml or disable the quarkus Dev UI if not targeting production env. fyi @lucamolteni

@mareknovotny (Member Author)

jenkins retest this please

@mareknovotny (Member Author)

jenkins retest this please

@mareknovotny (Member Author)

jenkins retest this please

@lucamolteni (Contributor) left a comment

So are we going for the 1.33 route? Because here kiegroup/optaweb-vehicle-routing#871 (comment) it seems we take a different approach @mareknovotny

@mareknovotny (Member Author)

mareknovotny commented Nov 20, 2023

yes, just for Optaplanner

So are we going for the 1.33 route? Because here kiegroup/optaweb-vehicle-routing#871 (comment) it seems we take a different approach @mareknovotny

@mareknovotny (Member Author)

jenkins retest this please

@mareknovotny (Member Author)

cc @rgdoliveira

@yurloc (Member)

yurloc commented Nov 21, 2023

we talked about this with @yurloc and we think jackson bom could be upgraded to override the snakeyaml or disable the quarkus Dev UI if not targeting production env. fyi @lucamolteni

For the record, the optaplanner-quarkus extension exposes some data in the Dev UI. This feature was tracked by https://issues.redhat.com/browse/PLANNER-2411. I'm not arguing it's a supported feature but disabling the Dev UI console might be perceived as a downgrade by some users.

Furthermore, snakeyaml is only a test scope dependency.

This reverts commit 30a19b7.
@mareknovotny mareknovotny merged commit 6303844 into 8.13.x Nov 24, 2023
4 checks passed
@mareknovotny mareknovotny deleted the RHPAM-4700 branch November 24, 2023 15:14
@rgdoliveira rgdoliveira changed the title [8.13.x][RHPAM-4700][CVE-2022-1471] snakeyaml from 1.32 to 2.0 [8.13.x][RHPAM-4700][CVE-2022-1471] snakeyaml to 1.33 Mar 12, 2024