Closed ggrossman closed 2 years ago
Merging #298 (9929373) into develop (86c9f42) will increase coverage by 0.05%. The diff coverage is n/a.
@@ Coverage Diff @@
## develop #298 +/- ##
===========================================
+ Coverage 52.63% 52.69% +0.05%
===========================================
Files 318 318
Lines 16870 16885 +15
Branches 1046 1017 -29
===========================================
+ Hits 8879 8897 +18
+ Misses 7991 7988 -3
Impacted Files | Coverage Δ | |
---|---|---|
util-core/src/main/scala/com/twitter/io/Buf.scala | 93.27% <0.00%> (-0.54%) | :arrow_down: |
...ore/src/main/scala/com/twitter/util/Activity.scala | 18.59% <0.00%> (ø) | |
...til-core/src/main/scala/com/twitter/util/Var.scala | 97.65% <0.00%> (+0.07%) | :arrow_up: |
...core/src/main/scala/com/twitter/util/Promise.scala | 78.13% <0.00%> (+0.40%) | :arrow_up: |
...ore/src/main/scala/com/twitter/util/Duration.scala | 85.39% <0.00%> (+0.56%) | :arrow_up: |
...til-core/src/main/scala/com/twitter/util/Try.scala | 87.50% <0.00%> (+1.56%) | :arrow_up: |
...ore/src/main/scala/com/twitter/util/Closable.scala | 71.42% <0.00%> (+3.68%) | :arrow_up: |
...in/scala/com/twitter/logging/QueueingHandler.scala | 100.00% <0.00%> (+6.25%) | :arrow_up: |
.../scala/com/twitter/util/security/Credentials.scala | 60.00% <0.00%> (+18.33%) | :arrow_up: |
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 86c9f42...9929373.
Thanks @ggrossman! Looks good to me, we'll work on getting this merged in.
thanks, merged in here! https://github.com/twitter/util/commit/68c5a8adba471ab03b05ffcfba738972e671cc61
Problem
sbt has a dependency on log4j2, which was shown recently to have serious security vulnerabilities. The version of sbt currently used by twitter/util, 1.5.5, is vulnerable.
Solution
Update to use sbt 1.6.1, which upgrades the log4j dependency to log4j 2.17.1, which resolves these security vulnerabilities.
From https://eed3si9n.com/sbt-1.6.1:
For details, see The state of the log4j CVE in the Scala ecosystem