
DAOS-16673 common: ignore Hadoop 3.4.0 related CVE #15320

Conversation

grom72
Contributor

@grom72 grom72 commented Oct 15, 2024

Hadoop 3.4.0 has resolved a few CVE issues but introduced a new

  • Enable Trivy scans on the release branch.
  • Enable on-demand scan and scan on final PR merge.

Based on: #15284

Doc-only: true

Required-githooks: true

Before requesting gatekeeper:

  • Two review approvals and any prior change requests have been resolved.
  • Testing is complete and all tests passed or there is a reason documented in the PR why it should be force landed and forced-landing tag is set.
  • Features: (or Test-tag*) commit pragma was used or there is a reason documented that there are no appropriate tags for this PR.
  • Commit messages follow the guidelines outlined here.
  • Any tests skipped by the ticket being addressed have been run and passed in the PR.

Gatekeeper:

  • You are the appropriate gatekeeper to be landing the patch.
  • The PR has 2 reviews by people familiar with the code, including appropriate owners.
  • Githooks were used. If not, request that user install them and check copyright dates.
  • Checkpatch issues are resolved. Pay particular attention to ones that will show up on future PRs.
  • All builds have passed. Check non-required builds for any new compiler warnings.
  • Sufficient testing is done. Check feature pragmas and test tags and that tests skipped for the ticket are run and now pass with the changes.
  • If applicable, the PR has addressed any potential version compatibility issues.
  • Check the target branch. If it is master branch, should the PR go to a feature branch? If it is a release branch, does it have merge approval in the JIRA ticket.
  • Extra checks if forced landing is requested
    • Review comments are sufficiently resolved, particularly by prior reviewers that requested changes.
    • No new NLT or valgrind warnings. Check the classic view.
    • Quick-build or Quick-functional is not used.
  • Fix the commit message upon landing. Check the standard here. Edit it to create a single commit. If necessary, ask submitter for a new summary.

Hadoop 3.4.0 has resolved a few CVE issues but introduces new

+ enable Trivy scans on release branch
+ enable on demand scan and scan on final PR merge.

Doc-only: true

Required-githooks: true

Signed-off-by: Tomasz Gromadzki <[email protected]>
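As an added example (not code from this PR or the DAOS project), the two bullets in the description, a Trivy scan on the release branch plus an on-demand scan and a scan on final merge, can be expressed as a single GitHub Actions workflow. The action name and version, its input names, the `release/**` branch pattern and the `.trivyignore` path are assumptions; the Hadoop 3.4.0 CVE identifier is not given on this page, so no suppression entry is shown here.

```yaml
# Added example, not part of the DAOS PR. Runs a Trivy filesystem scan:
#   - on every push to a release branch (covers the final PR merge),
#   - on pull requests targeting a release branch,
#   - on demand via workflow_dispatch.
# Action version, input names and branch pattern are assumptions.
name: trivy-scan

on:
  push:
    branches:
      - 'release/**'        # scan on final merge into a release branch
  pull_request:
    branches:
      - 'release/**'
  workflow_dispatch:        # on-demand scan from the Actions tab

permissions:
  contents: read            # least privilege: the scan only reads the tree

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true          # skip findings with no upstream fix yet
          exit-code: '1'                # fail the job on any unignored finding
          trivyignores: '.trivyignore'  # per-CVE suppressions live in this file
```

The `.trivyignore` file referenced by `trivyignores` takes one CVE identifier per line, and `#` comments are allowed, so each suppression can carry the ticket (here DAOS-16673) and the reason it is accepted; keeping suppressions in that file rather than in the workflow keeps them reviewable in the same PR that adds them. If the workflow is later extended to upload SARIF results to GitHub code scanning, the job additionally needs `security-events: write` in its `permissions` block, because `contents: read` alone is not enough for that upload.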
@grom72 grom72 added clean-cherry-pick Cherry-pick from another branch that did not require additional edits release-2.6.2 Targeted for release 2.6.2 labels Oct 15, 2024

github-actions bot commented Oct 15, 2024

Ticket title is 'Ignore hadoop vulnerability in hadoop-common:3.4.0'
Status is 'Awaiting backport'
Labels: 'SDLe,scrubbed_2.8'
Job should run at elevated priority (1)
https://daosio.atlassian.net/browse/DAOS-16673

@grom72 grom72 requested a review from tanabarr October 15, 2024 15:52
@grom72 grom72 requested a review from a team October 15, 2024 21:19
@github-actions github-actions bot added the priority Ticket has high priority (automatically managed) label Oct 15, 2024
@daltonbohning daltonbohning added the forced-landing The PR has known failures or has intentionally reduced testing, but should still be landed. label Oct 16, 2024
@daltonbohning daltonbohning merged commit 6e16c8e into release/2.6 Oct 16, 2024
40 of 42 checks passed
@daltonbohning daltonbohning deleted the grom72/DAOS-16673-trivy-ignore-for-hadoop-3.4.0-2.6.x branch October 16, 2024 00:43
@daltonbohning
Contributor

@grom72 The landing run is failing with Resource not accessible by integration
https://github.com/daos-stack/daos/actions/runs/11356735200

Any idea why it passed on this PR but not the landing run?
