[fix][sec] Replace bcprov-jdk15on dependency with bcprov-jdk18-on #23532

Merged
merged 1 commit into from
Oct 31, 2024

@lhotari lhotari commented Oct 30, 2024

Motivation

OWASP dependency check shows an error for the bcprov-jdk15on dependency.

One or more dependencies were identified with known vulnerabilities in Apache Pulsar :: Tiered Storage :: Parent:

bcprov-jdk15on-1.70.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.70, cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.70:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.70:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.70:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.70:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.70:*:*:*:*:*:*:*) : CVE-2024-34447, CVE-2024-29857, CVE-2024-30171, CVE-2023-33202, CVE-2023-33201

Modifications

Replace the outdated bcprov-jdk15on dependency with bcprov-jdk18on, which continues to be updated.

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@lhotari lhotari added this to the 4.1.0 milestone Oct 30, 2024
@lhotari lhotari self-assigned this Oct 30, 2024
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Oct 30, 2024
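
To locate which declared dependency drags the legacy artifact into a build, here is an added example (not part of this pull request or of the Pulsar build): it walks `mvn dependency:tree` output and reports every `org.bouncycastle` `*-jdk15on` node together with the path that introduces it. The sample tree, the `org.example` coordinates, the placeholder version and the `-jdk18on` suffix swap are assumptions made for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from the Pulsar build).
SAMPLE_TREE = r"""
[INFO] org.example:app:jar:1.0.0
[INFO] +- org.example:storage-client:jar:2.1.0:compile
[INFO] |  \- org.example:blob-sdk:jar:0.4:compile
[INFO] |     \- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:9.9-constructed:compile
[INFO] \- org.bouncycastle:bcpkix-jdk15on:jar:1.70:runtime
"""

LEGACY_SUFFIX = "-jdk15on"
# Tree prefix is a run of 3-character cells ("|  ", "   ", "+- ", "\- ").
NODE = re.compile(r"^\[INFO\] ((?:\|  |   |\+- |\\- )*)(\S+)$")


def find_legacy_bc(tree_text):
    """Return one finding per org.bouncycastle *-jdk15on node in the tree."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue
        parts = m.group(2).split(":")
        if len(parts) < 4:  # not a group:artifact:type:version coordinate
            continue
        depth = len(m.group(1)) // 3
        group, artifact = parts[0], parts[1]
        # With a classifier the version moves one field to the right.
        version = parts[3] if len(parts) <= 5 else parts[4]
        stack[depth:] = [f"{group}:{artifact}"]  # drop deeper siblings
        if group == "org.bouncycastle" and artifact.endswith(LEGACY_SUFFIX):
            findings.append({
                "artifact": artifact,
                "version": version,
                # Assumption: same base name with the new suffix; verify it exists.
                "replacement": artifact[: -len(LEGACY_SUFFIX)] + "-jdk18on",
                # Direct dependency to fix or exclude from; None if declared directly.
                "via": stack[1] if depth > 1 else None,
                "path": list(stack),
            })
    return findings


if __name__ == "__main__":
    for f in find_legacy_bc(SAMPLE_TREE):
        origin = f["via"] or "declared directly"
        print(f'{f["artifact"]}:{f["version"]} -> {f["replacement"]} ({origin})')
```

A transitive finding points at the direct dependency that needs an upgrade or an exclusion; a direct one is a plain coordinate change in the build file.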
@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.32%. Comparing base (bbc6224) to head (bb2dad1).
Report is 703 commits behind head on master.

@@             Coverage Diff              @@
##             master   #23532      +/-   ##
============================================
+ Coverage     73.57%   74.32%   +0.74%     
- Complexity    32624    34419    +1795     
============================================
  Files          1877     1943      +66     
  Lines        139502   147045    +7543     
  Branches      15299    16205     +906     
============================================
+ Hits         102638   109284    +6646     
- Misses        28908    29318     +410     
- Partials       7956     8443     +487     
Flag Coverage Δ
inttests 27.62% <ø> (+3.03%) ⬆️
systests 24.36% <ø> (+0.04%) ⬆️
unittests 73.69% <ø> (+0.85%) ⬆️

Flags with carried forward coverage won't be shown.

see 653 files with indirect coverage changes

@Technoboy- Technoboy- merged commit f196e2c into apache:master Oct 31, 2024
53 of 55 checks passed
lhotari added a commit that referenced this pull request Nov 13, 2024
lhotari added a commit that referenced this pull request Nov 13, 2024