-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HIVE-28496: Address CVE-2020-28487 due to 4.20.0 version of vis.js #5430
Conversation
Link to resource vis-network.min.js from vis.js library: Before (with vis.min.js):After (with vis-network.min.js): |
1a8c9bd
to
49f66c2
Compare
@okumin @zhangbutao |
You said this pr introduced user-facing change, but i don't see any difference from the screenshots you provided. |
Yes, they are identical even after the library upgrade. I meant in the sense that this change is at the user-facing end. Updated the comment now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 LGTM
Thanks for the fix!
Thank you @zhangbutao for the review! |
Thanks! The motivation looks good to me. I am checking the content on CDN and that on this PR. CDN
This PRThe checksum didn't match.
The diff is too big to put here.
I have some questions.
|
49f66c2
to
55ca3d8
Compare
Thank you for the review.
|
Thanks. I verified the content of 55ca3d8 is precisely the same as that in the internet.
I also confirmed the revision is likely to work in the same way as 4.0.0. Configuration I used.
CI failed but I believe it is unrelated. As for the license, the MIT part about |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I approved. I would like someone to check the license point as well.
55ca3d8
to
f129be6
Compare
force pushed now to retrigger Jenkins, no changes. |
f129be6
to
c24e71c
Compare
@ayushtkn Could you please comment on the license point? Thank you. |
Both Apache Hive and vis.js are licensed under Apache License 2.0. In Applying the Apache license, version 2.0, it is mentioned that each source file must include a header. @okumin @zhangbutao |
I assume you are not an author of vis.js, and the rule is unlikely applied if I undeistand correctly. P.S. The new file includes a part of MIT license, and that's why I thought adding a header could be confusing. I wonder if this fact should be mentioned explicitly in LICENSE as we do so for such as jQuery. I'm not a professional of legal problems |
@zabetak Could you please comment on the license point? Thank you. |
When we include code not owned by the contributor it is best to leave the file as it is (no modifications). More general, it is best to avoid minified javascript files in Apache source releases but this is a bit of a grey area so we can continue as is for the moment. |
@zabetak Thank you, we will proceed as is. |
@zabetak Just a question from my curiosity. L44- of the file is not licensed as AL2, as it is MIT. Don't we need special care in this case? Additionally, if it was GPL or something, would we have to take care of it? I think Butao can merge this PR as a committer. |
@okumin Good catch! I haven't noticed that portions of the file (L44-49) are licensed differently. Yes, we need to handle such cases carefully especially when we are dealing with licenses that are not in category-a. Since it seems that portion of the file is only under the MIT license then we should include both a copy of the license in our source code distribution and an appropriate entry in our main LICENSE file. In general, whenever there is a doubt about how to handle a licensing case, the correct reaction is to contact the Apache legal team (e.g., by opening a LEGAL jira ticket) and request guidance. |
c24e71c
to
e43ed3a
Compare
e43ed3a
to
a5a57a7
Compare
Quality Gate passedIssues Measures |
What changes were proposed in this pull request?
https://issues.apache.org/jira/browse/HIVE-28496
Upgrade vis.js from 4.20.0 to address CVE-2020-28487
Why are the changes needed?
To address CVE-2020-28487
Does this PR introduce any user-facing change?
No. Please see the next comment for screenshots.
Is the change a dependency upgrade?
Yes. Not attaching the dependency tree output since this does not show up
How was this patch tested?
Using the HTML generated from the template file QueryProfileTmpl.jamon in the checkWebuiShowGraph test from TestQueryDisplay.java