diff --git a/.github/workflows/ci-it.yaml b/.github/workflows/ci-it.yaml
index 7bdd5f1f71017aa9e22d1e215cf51346e5c8335f..8ce935764536e0e0ce996c5ebdf9ad62194d2b32 100644
--- a/.github/workflows/ci-it.yaml
+++ b/.github/workflows/ci-it.yaml
@@ -111,7 +111,8 @@ jobs:
 java-version: 8
 - name: 'Install & Test'
 if: env.SKIP_CI != 'true'
- run: ./mvnw --batch-mode -P"agent,backend,ui,dist" clean verify install
+ run: |
+ ./mvnw --batch-mode -P"agent,backend,ui,dist" clean verify install

 CI-on-MacOS:
diff --git a/CHANGES.md b/CHANGES.md
index 632f88d5ad47aea286fcf4d309d6b64014ddb7c0..b13efb519269fc423ae5c330c496e93e7ca0d178 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -60,6 +60,7 @@ Release Notes.
 * Add HTTP implementation of logs reporting protocol.
 * Make metrics exporter still work even when storage layer failed.
 * Fix Jetty HTTP `TRACE` issue, disable HTTP methods except `POST`.
+* CVE: upgrade snakeyaml to prevent [billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs#Variations) in dynamic configuration.

 #### UI
 * Add logo for kong plugin.
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index a24fafb9ef26f0439c9124bc55230b2f17fc1bbe..83c98e566a9d71e7b381de49a65e6b33fabf66fb 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -247,7 +247,7 @@ The text of each license is the standard Apache 2.0 license.
 securesm 1.1: https://github.com/elastic/securesm/blob/master/pom.xml , Apache 2.0
 LMAX Ltd.(disruptor) 3.3.6: https://github.com/LMAX-Exchange/disruptor , Apache 2.0
 Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
- SnakeYAML 1.18: http://www.snakeyaml.org , Apache 2.0
+ SnakeYAML 1.28: http://www.snakeyaml.org , Apache 2.0
 Joda-Time 2.10.5: http://www.joda.org/joda-time/ , Apache 2.0
 Joda-Convert 2.2.1: http://www.joda.org/joda-convert/ , Apache 2.0
 Spring Framework 4.3.14.RELEASE: https://github.com/spring-projects/spring-framework, Apache 2.0
diff --git a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
index ef7c99234ee8abf597caea756064b7e40605168f..90e635dc79b7a68cedd3ce29c331fd45afa54098 100644
--- a/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
+++ b/oap-server/analyzer/agent-analyzer/src/main/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcher.java
@@ -18,7 +18,7 @@
 package org.apache.skywalking.oap.server.analyzer.provider.trace;

-import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.atomic.AtomicInteger;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.skywalking.oap.server.analyzer.module.AnalyzerModule;
 import org.apache.skywalking.oap.server.analyzer.provider.AnalyzerModuleConfig;
@@ -31,11 +31,11 @@ import org.apache.skywalking.oap.server.library.module.ModuleProvider;
 */
 @Slf4j
 public class TraceLatencyThresholdsAndWatcher extends ConfigChangeWatcher {
- private AtomicReference slowTraceSegmentThreshold;
+ private AtomicInteger slowTraceSegmentThreshold;

 public TraceLatencyThresholdsAndWatcher(ModuleProvider provider) {
 super(AnalyzerModule.NAME, provider, "slowTraceSegmentThreshold");
- slowTraceSegmentThreshold = new AtomicReference<>();
+ slowTraceSegmentThreshold = new AtomicInteger();
 slowTraceSegmentThreshold.set(getDefaultValue());
 }

diff --git a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
index 5e11e5caa74dbb96d02b065131db3ed32cba60eb..b552be909b2d2ca63c1fa86d272fed4e04c3d717 100644
--- a/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
+++ b/oap-server/analyzer/agent-analyzer/src/test/java/org/apache/skywalking/oap/server/analyzer/provider/trace/TraceLatencyThresholdsAndWatcherTest.java
@@ -57,7 +57,7 @@ public class TraceLatencyThresholdsAndWatcherTest {
 register.registerConfigChangeWatcher(watcher);
 register.start();

- while (watcher.getSlowTraceSegmentThreshold() == 10000) {
+ while (watcher.getSlowTraceSegmentThreshold() < 0) {
 Thread.sleep(2000);
 }
 assertThat(watcher.getSlowTraceSegmentThreshold(), is(3000));
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index 391b09b4bb60dfb6f1cc7b7536b67b00211c29a6..ddb0afd37eada32a7823fd8ec4abe64f6cdc43fc 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -57,7 +57,7 @@
 1.7.25
 2.9.0
 28.1-jre
- 1.18
+ 1.28
 5.2.3
 8.0
 3.4.10
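Review bot: The constructor first creates the counter empty and then assigns it on the next line; `slowTraceSegmentThreshold = new AtomicInteger(getDefaultValue());` expresses the intent in one step and avoids the field briefly holding the implicit 0. Replacing the raw `AtomicReference` with `AtomicInteger` also pins the stored type, so a non-integer value arriving from the config center can no longer be stored silently; where the incoming value is parsed (presumably the notify path) is outside the hunk, so whether a malformed value is rejected or throws could not be checked here. The class continues past the hunk.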
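Review bot: The polling loop at `while (watcher.getSlowTraceSegmentThreshold() < 0)` only waits while the threshold is negative; unless getDefaultValue() yields a negative sentinel in this test, the loop body never runs and `assertThat(watcher.getSlowTraceSegmentThreshold(), is(3000))` can execute before the first scheduled configSync has applied the value, which makes the test timing-dependent rather than deterministic. Waiting for the transition to the expected value is more robust, e.g. `for (int i = 0; i < 50 && watcher.getSlowTraceSegmentThreshold() != 3000; i++) { Thread.sleep(200); }` followed by the existing assertion. The enclosing test method starts before the hunk, so how the watcher default is set up could not be confirmed.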
diff --git a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
index 1c95d23aafdd7472cb24a37b2f73a9b7c7b162b8..503ae15b511bc91d4e6ab8d30cb633ae380b9f33 100644
--- a/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
+++ b/oap-server/server-configuration/configuration-api/src/main/java/org/apache/skywalking/oap/server/configuration/api/ConfigWatcherRegister.java
@@ -64,7 +64,6 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
 public void start() {
 isStarted = true;
- configSync();
 LOGGER.info("Current configurations after the bootstrap sync." + LINE_SEPARATOR + register.toString());

 Executors.newSingleThreadScheduledExecutor()
@@ -72,7 +71,7 @@ public abstract class ConfigWatcherRegister implements DynamicConfigurationServi
 new RunnableWithExceptionProtection(
 this::configSync, t -> LOGGER.error("Sync config center error.", t)
- ), syncPeriod, syncPeriod, TimeUnit.SECONDS);
+ ), 0, syncPeriod, TimeUnit.SECONDS);
 }

 void configSync() {
diff --git a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
index 71bff49be6fbfdfee3146d5bd746fd1c61607ecb..95b83c1be26ea83ebc2fc6187539156eab186b4c 100644
--- a/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
+++ b/oap-server/server-library/library-util/src/test/java/org/apache/skywalking/oap/server/library/util/PropertyPlaceholderHelperTest.java
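Review bot: The log line kept in start(), `LOGGER.info("Current configurations after the bootstrap sync." ...)`, is now emitted before any sync has happened: the synchronous `configSync()` call is removed here and the second hunk moves the first run onto the scheduler with an initial delay of 0, so the register state it prints is the pre-sync one and the wording should drop "after the bootstrap sync". Callers that relied on start() returning with the config-center values already applied will observe defaults until that first asynchronous run completes; the polling change in TraceLatencyThresholdsAndWatcherTest suggests this is intended, but it should be stated on the method, e.g. `// The first sync runs asynchronously on the scheduler (initial delay 0); values from the config center are not guaranteed to be applied when start() returns.`. A failure of the first sync is now caught by RunnableWithExceptionProtection and only logged, whereas before it would have propagated out of start(); if failing fast on an unreachable or malformed config source was relied on at bootstrap, that behaviour is lost and deserves a mention in the commit description. The lines between the two hunks (the scheduleAtFixedRate call) are outside SOURCE.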
@@ -73,7 +73,7 @@ public class PropertyPlaceholderHelperTest {
 Assert.assertEquals("0.0.0.0", yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restHost"), properties)));

 //tests that use ${REST_PORT:12800} and set REST_PORT in environmentVariables.
- Assert.assertEquals(12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
+ Assert.assertEquals((Integer) 12801, yaml.load(placeholderHelper.replacePlaceholders(properties.getProperty("restPort"), properties)));
 }

 @Test
diff --git a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
index 4c524c0128ec4b0d063eda951e5c2cf1697d2f3e..84ffff66f4b79d05d28d69c8ba521e5b8b23a4a0 100644
--- a/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
+++ b/oap-server/server-receiver-plugin/envoy-metrics-receiver-plugin/src/test/java/org/apache/skywalking/oap/server/receiver/envoy/als/k8s/K8SALSServiceMeshHTTPAnalysisTest.java
@@ -155,7 +155,7 @@ public class K8SALSServiceMeshHTTPAnalysisTest {
 @Override
 public void init(ModuleManager manager, EnvoyMetricReceiverConfig config) {
- super.init(manager, config);
+ this.config = config;
 serviceRegistry = mock(K8SServiceRegistry.class);
 when(serviceRegistry.findService(anyString())).thenReturn(config.serviceMetaInfoFactory().unknown());
 when(serviceRegistry.findService("10.44.2.56")).thenReturn(new ServiceMetaInfo("ingress", "ingress-Inst"));
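Review bot: Replacing `super.init(manager, config);` with `this.config = config;` in the test override means whatever else the parent's init does with `manager` no longer runs in this test double; that is presumably the intent (keeping the real registry out of the test), but the reason is not stated and `manager` is now an unused parameter. A comment such as `// Do not call super.init(): the real service registry is replaced by the mock below` on the assignment would make the override self-explanatory. The overriding init method continues past the hunk.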
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 4ce602af261084183f4d84c5598fff5325024829..472726ad4021ad55ad46a7add280b5ff643700eb 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -158,7 +158,7 @@ simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
 simpleclient_httpserver-0.9.0.jar
 slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
 swagger-annotations-1.6.2.jar
 t-digest-3.2.jar
 vavr-0.10.3.jar
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 1421eec41f37234067fd3f0207f572d71549af91..db9107adbe5897dcc39bde94db25b79e3edaea9b 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -154,7 +154,7 @@ simpleclient_common-0.6.0.jar
 simpleclient_hotspot-0.6.0.jar
 simpleclient_httpserver-0.9.0.jar
 slf4j-api-1.7.25.jar
-snakeyaml-1.18.jar
+snakeyaml-1.28.jar
 swagger-annotations-1.6.2.jar
 t-digest-3.2.jar
 vavr-0.10.3.jar