
[Enhancement] Fixing CVEs #54749

Open. 2 commits into base: main

Conversation

@va-os-commits (Contributor) commented Jan 6, 2025

Why I'm doing:

https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-8161188

What I'm doing:

Bumping up the versions of libraries in which CVEs have been fixed.

Fixes #issue

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This PR needs user documentation (for new or modified features or behaviors)
  • I have added documentation for my new feature or new function
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 3.4
    • 3.3
    • 3.2
    • 3.1
    • 3.0

@va-os-commits va-os-commits changed the title Upgrading avro version [Enhancement] Fixing CVEs Jan 6, 2025
Signed-off-by: Vikas Attiguppa <[email protected]>
@va-os-commits (Contributor, Author) commented:

@Astralidea @kevincai could you please review this PR? I closed out the older one, #53224.

@kevincai (Contributor) left a comment:

Would be good to remove the corresponding CVE from .trivyignore.

@Astralidea Astralidea enabled auto-merge (squash) January 7, 2025 02:21
@dirtysalt (Contributor) commented:

@va-os-commits better to remove the related CVE from .trivyignore, to see if it passes our trivy check.
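Both reviewers above make the same point: a dependency bump that fixes a CVE is only verified by CI if the matching suppression is also dropped from `.trivyignore`, otherwise Trivy keeps skipping the finding and the scan passes regardless of whether the bump actually closed it. The following is an added example written for this page, not code from this PR or from the project, that lints a `.trivyignore` file against the set of CVE IDs a change claims to fix and flags suppressions that are now stale (fixed, or past their `exp:` date). It follows Trivy's documented plain-text format (one vulnerability ID per line, `#` comment lines, optional `exp:YYYY-MM-DD` token after the ID); the file contents and all CVE identifiers in it are constructed sample data, not the real suppression list or the Avro CVE this PR addresses.

```python
"""Lint a .trivyignore file against the CVEs a dependency bump claims to fix.

Added example for this page; not the project's own tooling. Sample file
contents and CVE IDs below are constructed and carry no real meaning.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Constructed sample: the kind of content a project .trivyignore might hold.
SAMPLE_TRIVYIGNORE = """\
# Suppressions accepted by security review; remove each one when its fix lands.
CVE-2024-0001 exp:2024-12-31
CVE-2024-0002
# No upstream fix yet, re-evaluated periodically
CVE-2023-0003 exp:2030-01-01
cve-2024-0004
"""

# One ID per line, optionally followed by an exp:YYYY-MM-DD expiry token.
_ENTRY_RE = re.compile(r"^(?P<id>[A-Za-z0-9-]+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?$")


@dataclass(frozen=True)
class Suppression:
    vuln_id: str          # normalised to upper case so "cve-..." and "CVE-..." match
    expires: date | None  # None when the entry has no exp: token
    line_no: int


def parse_trivyignore(text: str) -> list[Suppression]:
    """Parse .trivyignore text. Blank lines and lines starting with '#' are skipped;
    anything else must be a bare vulnerability ID plus optional exp: token."""
    entries: list[Suppression] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f".trivyignore line {line_no}: unparseable entry {raw!r}")
        exp = date.fromisoformat(m.group("exp")) if m.group("exp") else None
        entries.append(Suppression(m.group("id").upper(), exp, line_no))
    return entries


def stale_suppressions(entries: Iterable[Suppression], fixed_ids: Iterable[str],
                       today: date) -> list[tuple[str, int, str]]:
    """Return (vuln_id, line_no, reason) for suppressions that should be removed:
    those covering a CVE the change claims to fix, and those whose exp: date passed."""
    fixed = {i.upper() for i in fixed_ids}
    stale = []
    for e in entries:
        if e.vuln_id in fixed:
            stale.append((e.vuln_id, e.line_no,
                          "fixed by this change: remove so the trivy check verifies the bump"))
        elif e.expires is not None and e.expires < today:
            stale.append((e.vuln_id, e.line_no, f"expired on {e.expires.isoformat()}"))
    return stale


def lint(text: str, fixed_ids: Iterable[str], today_iso: str | None = None) -> list[tuple[str, int, str]]:
    """Convenience wrapper: parse, then report stale entries as of today_iso (default: today)."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return stale_suppressions(parse_trivyignore(text), fixed_ids, today)


def strip_suppressions(text: str, ids: Iterable[str]) -> str:
    """Return the file with the given IDs removed; comments and spacing are left untouched."""
    drop = {i.upper() for i in ids}
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line) if line and not line.startswith("#") else None
        if m and m.group("id").upper() in drop:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Pretend this change fixes CVE-2024-0002 (constructed ID) and today is 2025-01-07.
    for vuln_id, line_no, reason in lint(SAMPLE_TRIVYIGNORE, ["CVE-2024-0002"], "2025-01-07"):
        print(f".trivyignore:{line_no}: {vuln_id}: {reason}")
```

Running this as a pre-merge step (feed it the CVE IDs named in the PR description) turns the reviewers' request into a mechanical check: a bump that leaves its own CVE suppressed fails the lint, and the scan itself then proves whether the new library version really clears the finding.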

Signed-off-by: Vikas Attiguppa <[email protected]>
auto-merge was automatically disabled January 7, 2025 07:42 (head branch was pushed to by a user without write access)

sonarqubecloud bot commented Jan 7, 2025

@va-os-commits (Contributor, Author) commented:

@kevincai looks like there was a timeout in the VULN scanning phase of the build. Is there a way to re-trigger it?

github-actions bot commented Jan 7, 2025: [Java-Extensions Incremental Coverage Report] pass: 0 / 0 (0%)

github-actions bot commented Jan 7, 2025: [FE Incremental Coverage Report] pass: 0 / 0 (0%)

github-actions bot commented Jan 7, 2025: [BE Incremental Coverage Report] pass: 0 / 0 (0%)

4 participants