@eolivelli
Contributor

Motivation

We are using an old version of ZooKeeper, 3.6.x (and ZooKeeper 3.5.x was declared EOL a few weeks ago).
We should upgrade to the latest version.

Changes

Upgraded ZooKeeper dependency.

Contributor

@nicoloboschi nicoloboschi left a comment

We should also update the backward compatibility tests.

@dlg99
Contributor

dlg99 commented Mar 9, 2022

License check failed, OWASP detects new CVEs in zk 3.8 (are these real or misdetections?) + test failures.
These have to be addressed.

@eolivelli
Contributor Author

@dlg99

regarding OWASP we can follow this discussion
apache/pulsar#14630

basically there are false positives about "Jetty" that the OWASP checker reports in zookeeper jars

in the ZooKeeper project we added these exclusions
apache/zookeeper@3004c90

Regarding the LICENSE check...my Gradle Fu is very weak and I am not able to tell Gradle to fully exclude LogBack and fix the package.

Any suggestion is really appreciated

@dlg99
Contributor

dlg99 commented Mar 11, 2022

You can suppress false positives at https://github.com/apache/bookkeeper/blob/master/src/owasp-dependency-check-suppressions.xml

As for the logback, try something like

configurations {
  runtime.exclude group: "......", module: "....."
}

or

configurations {
  all.exclude group: "......", module: "....."
}

Search for "configurations" in the build.gradle

Maybe @lhotari knows a better way
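As an added illustration (not code from this thread or from the BookKeeper repository), this is what a suppression entry in the owasp-dependency-check format looks like when it targets the misidentified Jetty CPE on the ZooKeeper artifacts instead of suppressing individual CVE numbers; the packageUrl pattern and the notes text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example entry; not the actual contents of
     src/owasp-dependency-check-suppressions.xml in BookKeeper. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: the scanner associates the org.apache.zookeeper
        jars with the Jetty CPE, so Jetty CVEs are reported against
        ZooKeeper. Suppress the CPE match, scoped to the ZooKeeper
        artifacts, rather than listing CVE ids, so that any genuine
        ZooKeeper advisory still surfaces in the report.
        ]]></notes>
        <!-- Scope: only ZooKeeper artifacts (regex over the package URL; assumed pattern) -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.zookeeper/zookeeper.*@.*$</packageUrl>
        <!-- Drop the wrong product identification instead of single vulnerabilities -->
        <cpe>cpe:/a:eclipse:jetty</cpe>
    </suppress>
</suppressions>
```

After adding the entry, re-run the check and confirm that only the Jetty findings on these jars disappear from the report.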

@eolivelli
Contributor Author

@dlg99 thanks for your advice but I cannot make it work

I hope that some Gradle expert could help
@pkumar-singh @lhotari @nicoloboschi

@eolivelli eolivelli changed the title Upgrade ZooKeeper dependency to 3.8.0 Upgrade ZooKeeper dependency to 3.8.0 - gradle Mar 27, 2022
@eolivelli eolivelli closed this Mar 27, 2022