Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE Fix] Fixes CVE-2022-42920 by forcing bcel version to resovle to 6.6 #2275

Merged
merged 1 commit into from
Nov 29, 2022
Merged

[CVE Fix] Fixes CVE-2022-42920 by forcing bcel version to resovle to 6.6 #2275

merged 1 commit into from
Nov 29, 2022

Conversation

DarshitChanpura
Copy link
Member

  • Category: Bug fix

Issues Resolved

Resolves #2248

Check List

- [ ] New functionality includes testing
- [ ] New functionality has been documented

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@DarshitChanpura DarshitChanpura changed the title Fixes CVE-2022-42920 by forcing bcel version to resovle to 6.6 [CVE Fix] Fixes CVE-2022-42920 by forcing bcel version to resovle to 6.6 Nov 23, 2022
@codecov-commenter
Copy link

codecov-commenter commented Nov 23, 2022
edited
Loading

Codecov Report

Merging #2275 (15b0b40) into main (7cad5e4) will decrease coverage by 0.06%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##               main    #2275      +/-   ##
============================================
- Coverage     61.05%   60.99%   -0.07%     
+ Complexity     3270     3264       -6     
============================================
  Files           259      259              
  Lines         18337    18337              
  Branches       3248     3248              
============================================
- Hits          11196    11184      -12     
- Misses         5555     5563       +8     
- Partials       1586     1590       +4
Impacted Files Coverage Δ
...urity/ssl/transport/SecuritySSLNettyTransport.java 62.36% <0.00%> (-4.31%) ⬇️
...earch/security/ssl/util/SSLConnectionTestUtil.java 93.18% <0.00%> (-2.28%) ⬇️
...ecurity/configuration/ConfigurationRepository.java 72.13% <0.00%> (-2.19%) ⬇️
.../dlic/auth/ldap2/LDAPConnectionFactoryFactory.java 57.46% <0.00%> (-1.50%) ⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@DarshitChanpura DarshitChanpura marked this pull request as ready for review November 23, 2022 23:24
@DarshitChanpura DarshitChanpura requested a review from a team November 23, 2022 23:24
@cwperks
Copy link
Member

cwperks commented Nov 25, 2022

Is there any way to track when a new spotbugs gradle plugin is release? https://plugins.gradle.org/plugin/com.github.spotbugs

In this discussion with the maintainer of spotbugs I see that 4.7.4 has not been released yet and 4.7.4 contains an update for bcel from 6.5.0 -> 6.6.1: spotbugs/spotbugs#2251

Once 4.7.4 is released the gradle plugin also needs to follow-up with a release.

@DarshitChanpura
Copy link
Member Author

Is there any way to track when a new spotbugs gradle plugin is release? https://plugins.gradle.org/plugin/com.github.spotbugs

In this discussion with the maintainer of spotbugs I see that 4.7.4 has not been released yet and 4.7.4 contains an update for bcel from 6.5.0 -> 6.6.1: spotbugs/spotbugs#2251

Once 4.7.4 is released the gradle plugin also needs to follow-up with a release.

I'm not sure about the way to track the release automatically but I will keep an eye out for 4.7.4, and will update our build.gradle once it is out.

peternied
peternied reviewed Nov 28, 2022
View reviewed changes
build.gradle Outdated Show resolved Hide resolved
@DarshitChanpura
Fixes CVE-2022-42920 by forcing bcel version to resovle to 6.6
15b0b40 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@peternied peternied merged commit cad7c72 into opensearch-project:main Nov 29, 2022
@cwperks cwperks added backport 2.x backport to 2.x branch backport 2.4 labels Dec 6, 2022
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.4 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.4 2.4
# Navigate to the new working tree
cd .worktrees/backport-2.4
# Create a new branch
git switch --create backport/backport-2275-to-2.4
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 cad7c7201e902aeb711b407648d41d3c55fe7a49
# Push it to GitHub
git push --set-upstream origin backport/backport-2275-to-2.4
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.4

Then, create a pull request where the base branch is 2.4 and the compare/head branch is backport/backport-2275-to-2.4.

@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2275-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 cad7c7201e902aeb711b407648d41d3c55fe7a49
# Push it to GitHub
git push --set-upstream origin backport/backport-2275-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2275-to-2.x.

This was referenced Dec 6, 2022
Merged
Merged
Merged
@DarshitChanpura DarshitChanpura mentioned this pull request Dec 8, 2022
Merged
3 tasks
@dzane17 dzane17 mentioned this pull request Mar 16, 2023
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peternied peternied peternied approved these changes

@cwperks cwperks cwperks approved these changes

Assignees
No one assigned
Labels
backport 2.x backport to 2.x branch backport 2.4
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2022-42920 (High) detected in bcel-6.5.0.jar
4 participants
@DarshitChanpura @codecov-commenter @cwperks @peternied