Fix NPE by mihirgt · Pull Request #437 · hypertrace/hypertrace-ingester

mihirgt · 2023-11-06T03:16:31Z

No description provided.

codecov · 2023-11-06T03:19:43Z

Codecov Report

Merging #437 (42da9eb) into main (f4c7de4) will increase coverage by 0.01%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##               main     #437      +/-   ##
============================================
+ Coverage     79.93%   79.94%   +0.01%     
- Complexity     1421     1422       +1     
============================================
  Files           128      128              
  Lines          5566     5566              
  Branches        509      509              
============================================
+ Hits           4449     4450       +1     
  Misses          885      885              
+ Partials        232      231       -1

Flag	Coverage Δ
unit	`79.94% <ø> (+0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1 file with indirect coverage changes

📣 Codecov offers a browser extension for seamless coverage viewing on GitHub. Try it in Chrome or Firefox today!

github-actions · 2023-11-06T08:37:32Z

Unit Test Results

  78 files ±0   78 suites ±0 1m 43s ⏱️ +16s
418 tests ±0 418 ✔️ ±0 0 💤 ±0 0 ❌ ±0

Results for commit 8124224. ± Comparison against base commit f4c7de4.

aaron-steinfeld · 2023-11-06T16:38:01Z

    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
  </suppress>
+  <suppress until="2023-12-30Z">


Please fix this rather than suppressing

Was suppressed because there is no mitigation currently available.
https://access.redhat.com/security/cve/CVE-2023-4586

4586 is the suppression above this one. You're correct that one can be suppressed as described in https://github.com/hypertrace/hypertrace-bom/blob/6e9d9aa4f9a9631c281df4b4c8916490d5cd39d9/owasp-suppressions.xml#L29-L40

The issue here is the newly added one, 44487 - that is the HTTP2 Rapid RST vuln and should not be suppressed. Netty*.100 contains the fix, and our latest framework libs should already include that if upgraded.

aaron-steinfeld · 2023-11-07T04:54:16Z

   ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
    <cve>CVE-2022-45688</cve>
+    <cve>CVE-2023-5072</cve>


Now that I look a bit more closely, this one (and its sibling 45688 above it) is also incorrectly suppressed. Both have released. fixes that should be used. They historically had a FP on older versions of the dependency check plugin, but those were resolved last month. Try removing it, upgrading the dep check plugin to latest and rerun.

Fix NPE

0a1f8c8

mihirgt requested a review from a team as a code owner November 6, 2023 03:16

mihirgt requested review from kotharironak and saxenakshitiz November 6, 2023 03:16