Upgraded jetty version to fix a security vulnerability #1365

Merged
merged 2 commits into from
Nov 11, 2024

chandrams
Contributor

Description

Upgraded the jetty version to fix this vulnerability

Fixes # (issue)

Type of change

  • Bug fix
  • New feature
  • Docs update
  • Breaking change (What changes might users need to make in their application due to this PR?)
  • Requires DB changes

How has this been tested?

Tested this manually by building the docker image and pushing it to quay. Verified that this advisory is not listed by the quay security scanner.

  • New Test X
  • Functional testsuite

Test Configuration

  • Kubernetes clusters tested on: NA

Checklist 🎯

  • Followed coding guidelines
  • Comments added
  • Dependent changes merged
  • Documentation updated
  • Tests added or updated

Additional information

Include any additional information such as links, test results, screenshots here

Signed-off-by: Chandrakala Subramanyam <[email protected]>
@chandrams chandrams added this to the Kruize 0.2 Release milestone Nov 11, 2024
@chandrams chandrams self-assigned this Nov 11, 2024
pom.xml Outdated
@@ -10,7 +10,7 @@
<properties>
<fabric8-version>4.13.2</fabric8-version>
<org-json-version>20240303</org-json-version>
<jetty-version>9.4.55.v20240627</jetty-version>
<jetty-version>9.4.56.v20240826</jetty-version>
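Review bot: The jetty-version change to 9.4.56.v20240826 carries no advisory identifier anywhere in the visible lines, so a later reader cannot tell which scanner finding it is meant to close; name the advisory in the commit message or in an XML comment beside the property. Because this single property is the only line touched, it is also worth confirming with "mvn dependency:tree -Dincludes=org.eclipse.jetty" that every Jetty artifact in the build resolves to the new version and that none is pinned separately or pulled in transitively at the old one.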
Contributor

Can we check with 12.0.15 as that is the latest?

Contributor Author

With jetty 12.0.15 & 12.0.3 versions, I get the below error:

[ERROR] Failed to execute goal on project autotune: Could not resolve dependencies for project org.autotune:autotune:jar:0.1.1
[ERROR] dependency: org.eclipse.jetty:jetty-servlets:jar:12.0.15 (compile)
[ERROR] 	Could not find artifact org.eclipse.jetty:jetty-servlets:jar:12.0.15 in central (https://repo.maven.apache.org/maven2)
[ERROR] dependency: org.eclipse.jetty:jetty-servlet:jar:12.0.15 (compile)
[ERROR] 	Could not find artifact org.eclipse.jetty:jetty-servlet:jar:12.0.15 in central (https://repo.maven.apache.org/maven2)

Tried 11.0.24, but got the below compilation errors

[ERROR] /home/autotune/src/autotune/src/main/java/com/autotune/experimentManager/handler/LoadValidationHandler.java:[32,21] package javax.servlet does not exist
[ERROR] /home/autotune/src/autotune/src/main/java/com/autotune/experimentManager/handler/eminterface/EMHandlerInterface.java:[25,21] package javax.servlet does not exist
[ERROR] /home/autotune/src/autotune/src/main/java/com/autotune/experimentManager/handler/LoadValidationHandler.java:[42,187] cannot find symbol
  symbol:   class ServletContext
  location: class com.autotune.experimentManager.handler.LoadValidationHandler
[ERROR] /home/autotune/src/autotune/src/main/java/com/autotune/experimentManager/handler/eminterface/EMHandlerInterface.java:[35,65] cannot find symbol
  symbol:   class ServletContext
  location: interface com.autotune.experimentManager.handler.eminterface.EMHandlerInterface
[ERROR] /home/autotune/src/autotune/src/main/java/com/autotune/analyzer/utils/AnalyzerErrorConstants.java:[25,26] package javax.servlet.http does not exist
[ERROR] /home/autotune/src/autotune/src/main/java/com/autotune/analyzer/performanceProfiles/PerformanceProfileValidation.java:[33,26] package javax.servlet.http does not exist
[ERROR] /home/autotune/src/autotune/src/main/java/com/autotune/analyzer/services/ListExperiments.java:[49,21] package javax.servlet does not exist

Checking with 10.0.24

Signed-off-by: Chandrakala Subramanyam <[email protected]>
Contributor

@dinogun dinogun left a comment

LGTM

@dinogun dinogun merged commit 3d8a383 into kruize:mvp_demo Nov 11, 2024
2 checks passed