Posted to issues@calcite.apache.org by "Francis Chuang (JIRA)" <ji...@apache.org> on 2018/06/26 01:17:00 UTC

[jira] [Updated] (CALCITE-2379) CVSS dependency-check-maven fails for calcite-spark module

     [ https://issues.apache.org/jira/browse/CALCITE-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francis Chuang updated CALCITE-2379:
------------------------------------
    Component/s: spark

> CVSS dependency-check-maven fails for calcite-spark module
> ----------------------------------------------------------
>
>                 Key: CALCITE-2379
>                 URL: https://issues.apache.org/jira/browse/CALCITE-2379
>             Project: Calcite
>          Issue Type: Bug
>          Components: spark
>            Reporter: Volodymyr Vysotskyi
>            Assignee: Julian Hyde
>            Priority: Major
>             Fix For: 1.17.0
>
>
> The check for vulnerabilities among dependencies fails for the {{calcite-spark}} module.
> Output for "{{mvn install -Ppedantic -DskipTests=true}}":
> {noformat}
> One or more dependencies were identified with known vulnerabilities in Calcite Spark:
> jackson-databind-2.9.4.jar (com.fasterxml.jackson.core:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) : CVE-2018-7489
> protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0, cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
> commons-beanutils-core-1.8.0.jar (commons-beanutils:commons-beanutils-core:1.8.0, cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
> commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0, cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
> commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1, cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) : CVE-2015-5262, CVE-2014-3577
> javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2, javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
> mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) : CVE-2015-9097
> validation-api-1.1.0.Final.jar (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~, javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
> jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2, javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
> pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13) : CVE-2007-1100
> py4j-0.10.4.jar (cpe:/a:python:python:0.10.4, cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) : CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158, CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652, CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150, CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143, CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679, CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
> avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7, org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161, CVE-2016-5001
> curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0, org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
> api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30, org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
> xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
> zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6, org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017, CVE-2014-0085
> jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13, cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) : CVE-2018-5968, CVE-2017-17485
> jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908, cpe:/a:jetty:jetty:9.2.19.v20160908, org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
> jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26, cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26, org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
> unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0, org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
> xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
> serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:serializer:2.7.1) : CVE-2014-0107
> xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) : CVE-2014-0107
> xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1, xerces:xercesImpl:2.9.1) : CVE-2012-0881
> htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (com.fasterxml.jackson.core:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) : CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
> spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml (cpe:/a:eclipse:jetty:9.3.11.v20160721, cpe:/a:jetty:jetty:9.3.11.v20160721, org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735
> {noformat}


