Skip to content

add apache tez package#29167

Merged
mritunjaysharma394 merged 10 commits into
wolfi-dev:mainfrom
kranurag7:kr/add-tez
Sep 27, 2024
Merged

add apache tez package#29167
mritunjaysharma394 merged 10 commits into
wolfi-dev:mainfrom
kranurag7:kr/add-tez

Conversation

@kranurag7

@kranurag7 kranurag7 commented Sep 23, 2024
edited by maxgio92
Loading

Copy link
Copy Markdown
Member

Fixes:

Related:

Pre-review Checklist

For new package PRs only

  • This PR is marked as fixing a pre-existing package request bug
    • Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
  • REQUIRED - The package is available under an OSI-approved or FSF-approved license
  • REQUIRED - The version of the package is still receiving security updates
  • This PR links to the upstream project's support policy (e.g. endoflife.date)

@kranurag7 kranurag7 assigned kranurag7 and unassigned kranurag7 Sep 24, 2024
@maxgio92 maxgio92 self-assigned this Sep 25, 2024
maxgio92
maxgio92 reviewed Sep 25, 2024
View reviewed changes
Comment thread tez.yaml Outdated
maxgio92
maxgio92 reviewed Sep 25, 2024
View reviewed changes
Comment thread tez/patches.yaml
@maxgio92 maxgio92 force-pushed the kr/add-tez branch 3 times, most recently from 27926c7 to 8cffbd1 Compare September 25, 2024 18:13
maxgio92
maxgio92 reviewed Sep 25, 2024
View reviewed changes
Comment thread tez.yaml
kranurag7 and others added 8 commits September 26, 2024 13:30
@kranurag7 @maxgio92
add apache tez package
e1c8d15 
Signed-off-by: kranurag7 <81210977+kranurag7@users.noreply.github.com>
@maxgio92
chore(tez.yaml): rename tez install directory removing version
28cbb64 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92
fix(tez): add patch for cve-2024-7254
8ce146e 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92
chore(tez.yaml): remove unneeded build dependencies
a8f78d3 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92
chore(tez.yaml): decrease verbosity while preparing archives
be195ac 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92
test(tez): add basic test for tez packaging
dddcf95 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92
chore(tez.yaml): remove unneeded mkdir
b22db73 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92
chore(tez.yaml): remove unneeded tarball subpackage
0d9ea5f 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92 maxgio92 marked this pull request as ready for review September 26, 2024 11:31
@maxgio92
chore(tez.yaml): remove unneeded build deps
0b8c2b9 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92
chore(tez.yaml): document room for test improvements
04cd6bd 
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
mritunjaysharma394
mritunjaysharma394 approved these changes Sep 27, 2024
View reviewed changes

@mritunjaysharma394 mritunjaysharma394 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maxgio92 to later update advisories as the CVEs come from shaded jars

@mritunjaysharma394 mritunjaysharma394 merged commit b1111a9 into wolfi-dev:main Sep 27, 2024
@maxgio92

maxgio92 commented Sep 27, 2024

Copy link
Copy Markdown
Member

Note: the remaining filed vulnerabilities are from transitive and shaded dependencies. Details below.

Findings with related match in the dependency tree 
├── 📄 /usr/share/java/tez-0.10.4/lib/bcprov-jdk15on-1.70.jar
│       📦 bcprov-jdk15on 1.70 (java-archive)
│           Medium CVE-2024-29857 GHSA-8xfc-gm6g-vgpv fixed in 1.78
│           Medium CVE-2023-33201 GHSA-hr8g-6v94-x4m9
│           Medium CVE-2024-30172 GHSA-m44j-cfrm-g8qc fixed in 1.78
│           Medium CVE-2024-30171 GHSA-v435-xc8x-wvr9 fixed in 1.78

[INFO] +- org.apache.hadoop:hadoop-yarn-server-web-proxy:jar:3.3.6:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.68:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/avro-1.9.2.jar
│       📦 avro 1.9.2 (java-archive)
│           High CVE-2023-39410 GHSA-rhrv-645h-fjfh fixed in 1.11.3

[INFO] \- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- org.apache.avro:avro:jar:1.7.7:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/commons-compress-1.24.0.jar
│       📦 commons-compress 1.24.0 (java-archive)
│           Medium CVE-2024-26308 GHSA-4265-ccf5-phj5 fixed in 1.26.0
│           High CVE-2024-25710 GHSA-4g9r-vxhx-9pgx fixed in 1.26.0

[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- org.apache.commons:commons-compress:jar:1.21:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/commons-configuration2-2.8.0.jar
│       📦 commons-configuration2 2.8.0 (java-archive)
│           Medium CVE-2024-29133 GHSA-9w38-p64v-xpmv fixed in 2.10.1
│           Medium CVE-2024-29131 GHSA-xjp4-hw94-mvp5 fixed in 2.10.1

[INFO] \- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- org.apache.commons:commons-configuration2:jar:2.8.0:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/dnsjava-3.4.0.jar
│       📦 dnsjava 3.4.0 (java-archive)
│           High CVE-2024-25638 GHSA-cfxw-4h78-h7fw fixed in 3.6.0

[INFO] \- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- dnsjava:dnsjava:jar:2.1.7:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/hadoop-shaded-protobuf_3_21-1.2.0.jar
│       📦 protobuf-java 3.21.12 (java-archive)
│           High CVE-2024-7254 GHSA-735f-pc8j-v9w8 fixed in 3.25.5

This is an Hadoop-shaded dependency.

[INFO] org.apache.tez:hadoop-shim:jar:0.10.4
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.apache.hadoop:hadoop-yarn-api:jar:3.3.6:compile
[INFO] |  +- org.apache.hadoop.thirdparty:hadoop-shaded-guava:jar:1.1.1:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.2.11:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.25.5:compile
[INFO] |  +- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7:jar:1.1.1:compile

[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO] |  +- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7:jar:1.1.1:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/jackson-mapper-asl-1.9.2.jar
│       📦 jackson-mapper-asl 1.9.2 (java-archive)
│           Critical CVE-2019-10202 GHSA-c27h-mcmw-48hv
│           High CVE-2019-10172 GHSA-r6j9-8759-g62w

[INFO] +- com.sun.jersey:jersey-json:jar:1.19:compile
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.2.3-1:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.2:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.2:compile

[INFO]    +- org.apache.avro:avro:jar:1.7.7:compile
[INFO]    |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/logback-classic-1.2.10.jar
│       📦 logback-classic 1.2.10 (java-archive)
│           High CVE-2023-6378 GHSA-vmq6-5m68-f53m fixed in 1.2.13

Not found in the dependency tree.

├── 📄 /usr/share/java/tez-0.10.4/lib/logback-core-1.2.10.jar
│       📦 logback-core 1.2.10 (java-archive)
│           High CVE-2023-6378 GHSA-vmq6-5m68-f53m fixed in 1.2.13

Not found in the dependency tree.

├── 📄 /usr/share/java/tez-0.10.4/lib/netty-codec-http-4.1.100.Final.jar
│       📦 netty-codec-http 4.1.100.Final (java-archive)
│           Medium CVE-2024-29025 GHSA-5jpm-x58v-624v fixed in 4.1.108.Final

[INFO] +- org.apache.hadoop:hadoop-hdfs:test-jar:tests:3.3.6:test
[INFO] |  +- io.netty:netty-all:jar:4.1.100.Final:compile
[INFO] |  |  +- io.netty:netty-codec-http:jar:4.1.100.Final:compile

[INFO] org.apache.tez:tez-runtime-library:jar:0.10.4
[INFO] +- io.netty:netty-all:jar:4.1.100.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.100.Final:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/nimbus-jose-jwt-9.31.jar
│       📦 nimbus-jose-jwt 9.31 (java-archive)
│           Medium CVE-2023-52428 GHSA-gvpg-vgmx-xg6w fixed in 9.37.2

[INFO]    +- org.apache.hadoop:hadoop-auth:jar:3.3.6:compile
[INFO]    |  +- com.nimbusds:nimbus-jose-jwt:jar:9.8.1:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/protobuf-java-3.24.4.jar
│       📦 protobuf-java 3.24.4 (java-archive)
│           High CVE-2024-7254 GHSA-735f-pc8j-v9w8 fixed in 3.25.5

Fixed in this PR.

└── 📄 /usr/share/java/tez-0.10.4/lib/zookeeper-3.8.3.jar
        📦 zookeeper 3.8.3 (java-archive)
            Medium CVE-2024-23944 GHSA-r978-9m6m-6gm6 fixed in 3.8.4

[INFO] +- org.apache.hadoop:hadoop-auth:jar:3.3.6:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile

[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile

@maxgio92 maxgio92 mentioned this pull request Oct 3, 2024
Closed
3 tasks
@kranurag7 kranurag7 deleted the kr/add-tez branch January 14, 2025 05:44
C0DE-X pushed a commit to C0DE-X/os that referenced this pull request Mar 2, 2026
@octo-sts
ruby3.3-sidekiq/8.1.1 package update (wolfi-dev#29167)
f34f351 
Co-authored-by: staging-update-bot <staging-update-bot@chainguard.dev>

Export:  8b15923
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maxgio92 maxgio92 maxgio92 left review comments
@mritunjaysharma394 mritunjaysharma394 mritunjaysharma394 approved these changes

Assignees

@maxgio92 maxgio92

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kranurag7 @maxgio92 @mritunjaysharma394