
[Backport 2.x] Bump spotless (6.24.0 -> 6.25.0) to bump eclipse resources (3.18 -> 3.19) #3993

Merged: merged 1 commit into 2.x on Jan 26, 2024

Conversation

opensearch-trigger-bot[bot] (Contributor)

Backport d441138 from #3992.

….19) (#3992)

### Description
This PR bumps spotless to bump the transient dependency on
org.eclipse.platform:org.eclipse.core.resources@3.18.100 ->
org.eclipse.platform:org.eclipse.core.resources@3.19.100. In turn this
should stop scanners from reporting the project as vulnerable to:
https://nvd.nist.gov/vuln/detail/CVE-2023-4218.

I was not able to easily move just the Eclipse dependency because it
seems that the package causing the flagging
org.eclipse.platform:org.eclipse.core.resources@3.18.100 does not have a
straight path forward to the recommended versions listed on the CVE.
However,
https://security.snyk.io/package/maven/org.eclipse.platform:org.eclipse.core.resources/3.19.100
reports that this version should remove the issue while
https://security.snyk.io/package/maven/org.eclipse.platform:org.eclipse.core.resources/3.18.100
will cause the flag.

One note: We should not actually be concerned about this issue, as it is
related to Eclipse IDE behavior and has nothing to do with the type of
dependency on the Eclipse packages that we have.

### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
(cherry picked from commit d441138)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@github-actions github-actions bot merged commit 3d9632a into 2.x Jan 26, 2024
84 checks passed

github-actions[bot] (Contributor)

This pull request was automatically merged as opensearch-trigger-bot[bot] is authorized to merge changes to `build.gradle` and `.github/workflows/*.yml` files after all CI checks have passed.

@github-actions github-actions bot deleted the backport/backport-3992-to-2.x branch January 26, 2024 17:02