MIGRATIONS-1296 - Fix mend security issues #293
Merged
14 commits
a3c342e MIGRATIONS-1296 - Fix mend security issues - part 1 (okhasawn)
235cd49 Update checkstyle version to latest (okhasawn)
0f97945 fix aws-msk-iam-auth related mend issue (okhasawn)
cf7711a actually update spotbugs (okhasawn)
293bb8d apache related mend fixes (okhasawn)
3dc7b38 upgrading aws-cdk-lib version in hopes of fixing mend issue (okhasawn)
076aa9c upgrading aws-cdk-lib version in hopes of fixing mend issue (okhasawn)
70ec837 reverting aws-cdk-lib upgrade because it didn't fix mend issue (okhasawn)
f34a25e removing unnecessary repo in gradle file (okhasawn)
423ae11 specify a minimum version for some transitive dependencies per @lewij… (okhasawn)
dc9ded4 add string parsing to compare version manually and accurately choose … (okhasawn)
a875b38 updated version comparison function (okhasawn)
fa29cef Merge branch 'main' into mend-fixes (sumobrian)
a708c59 Merge branch 'mend-fixes' of github.com:okhasawn/opensearch-migration… (okhasawn)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
certifi==2023.5.7 | ||
certifi==2023.7.22 | ||
charset-normalizer==3.1.0 | ||
idna==3.4 | ||
iniconfig==2.0.0 | ||
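Review bot: the bump of certifi from 2023.5.7 to 2023.7.22 is the only change in this hunk, and nothing visible in the PR (the title and commit messages say only "Fix mend security issues") records which Mend finding it closes; add the finding or advisory reference to the PR description or in a comment next to the pin so the reason for this lower bound survives the next dependency refresh. The neighbouring pins (charset-normalizer==3.1.0, idna==3.4, iniconfig==2.0.0) stay at exact versions, so a future scanner hit on any of them will need the same manual bump.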
From Omar's and my conversation earlier: I have a slight concern here about maintaining this in the future, say for instance the dependency which has this transitive dependency gets updated and in turn updates this transitive dependency to a later version than we have listed here (1.10.0). I don't want to actually prevent a later version from being used. If it's a small fix we should add a conditional check here that the dependency is less than the version we want to insert, or otherwise don't override the version. If not a small fix let's raise an issue around this.
Thanks Tanner, that's a very valid concern and I agree that it wouldn't be dev friendly to have to maintain that.
Fortunately, I just pushed a change where I'm specifying a minimum version and check if the dependency wants to pull a higher version of the transitive dependency. If that's the case, then the higher version would be used. In case the dependency was requesting a version lower than the one we're "targeting", then the targeted version would be used.
I was playing around with this a little bit and it seems like it is just doing string comparison and not actual version comparison. For instance if I set the target version to 1.9.0 and the incoming requested is 1.10.0, it will try to set the incoming requested to 1.9.0. Lmk if you see different results with this use case.
Oh interesting.
What I tested before pushing that was with the apache.bcel dependency. I know that the requested version is 6.5. If I set the target to 6.4 then the 6.5 one is pulled. I'll look into that and see if there's a different method of comparison for this.
I'm thinking of doing something with string parsing and comparing the versions manually; I think it can be helpful in case we have more situations with transitive dependency versions in the future. What do you think?
Please let me know what you think of the proposed method I just pushed.
Yeah I think this is more in line with what we need to do. I would change the function you created to return a boolean and call it something like isRequestedVersionOlder.
Few additional comments to capture in another JIRA:
static
wasRequestedVersionReleasedBeforeTargetVersion
if (isRequestedVersionOlder(details.requested.version, targetVersion))
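The floor-without-downgrade logic discussed in this thread, written out as an added Gradle (Groovy DSL) example that is not the PR's own code; the coordinates org.example:transitive-lib and the 1.10.0 floor are placeholders, and the function name follows the isRequestedVersionOlder suggestion above.

```groovy
// Added example, not code from the PR: raise a transitive dependency to a minimum
// version without ever downgrading a newer request. org.example:transitive-lib and
// the 1.10.0 floor are placeholders standing in for the PR's real dependency.
import org.gradle.api.artifacts.DependencyResolveDetails

// Segment-wise numeric comparison, so that 1.9.0 < 1.10.0 and 6.5 == 6.5.0.
// A plain string comparison gets the first case wrong ("1.9.0" > "1.10.0").
boolean isRequestedVersionOlder(String requested, String target) {
    def parse = { String v ->
        (v ?: '').tokenize('.').collect { String seg ->
            // keep the leading digits of each segment: "5-rc1" -> 5, "rc1" -> 0
            def digits = seg.replaceAll(/\D.*$/, '')
            digits ? digits.toInteger() : 0
        }
    }
    List<Integer> r = parse(requested)
    List<Integer> t = parse(target)
    int n = Math.max(r.size(), t.size())
    for (int i = 0; i < n; i++) {
        int rv = i < r.size() ? r[i] : 0   // missing trailing segments count as 0
        int tv = i < t.size() ? t[i] : 0
        if (rv != tv) {
            return rv < tv
        }
    }
    return false   // equal versions are not older, so the request is kept as-is
}

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.example' && details.requested.name == 'transitive-lib') {
            String floor = '1.10.0'
            // Only raise: a request for 1.11.0 passes through untouched,
            // a request for 1.9.0 is replaced by the floor.
            if (isRequestedVersionOlder(details.requested.version, floor)) {
                details.useVersion(floor)
                details.because("raised to ${floor} to clear the Mend finding; newer requests are left alone")
            }
        }
    }
}
```

Gradle's rich-version constraints express the same floor declaratively (a `version { require '1.10.0' }` constraint on the dependency) using Gradle's own version ordering, which is worth weighing against the hand-rolled comparison in the follow-up JIRA.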