Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/06/13 06:32:14 UTC

[GitHub] [dolphinscheduler] zhongjiajie opened a new issue, #10427: [Bug] [deps]

zhongjiajie opened a new issue, #10427:
URL: https://github.com/apache/dolphinscheduler/issues/10427

   ### Search before asking
   
   - [X] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### What happened
   
   After #10058 was merged, we have CI to check our dependencies for CVE issues, to avoid adding packages that have CVE issues. But we have many existing problem packages we have to upgrade. This issue points them out and tracks them until all are done and the OWASP CI passes.
   
   ### What you expected to happen
   
   ATT
   
   ### How to reproduce
   
   ATT
   
   ### Anything else
   
   ATT
   
   ### Version
   
   dev
   
   ### Are you willing to submit PR?
   
   - [X] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [dolphinscheduler] github-actions[bot] commented on issue #10427: [Bug] [deps]

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #10427:
URL: https://github.com/apache/dolphinscheduler/issues/10427#issuecomment-1153527441

   Thank you for your feedback, we have received your issue. Please wait patiently for a reply.
   * In order for us to understand your request as soon as possible, please provide detailed information, version or pictures.
   * If you haven't received a reply for a long time, you can [join our slack](https://s.apache.org/dolphinscheduler-slack) and send your question to channel `#troubleshooting`




[GitHub] [dolphinscheduler] kezhenxu94 closed issue #10427: [Bug] [deps] Upgrade package version to avoid exists CVE issue

Posted by GitBox <gi...@apache.org>.
kezhenxu94 closed issue #10427: [Bug] [deps] Upgrade package version to avoid exists CVE issue
URL: https://github.com/apache/dolphinscheduler/issues/10427




[GitHub] [dolphinscheduler] kezhenxu94 commented on issue #10427: [Bug] [deps] Upgrade package version to avoid exists CVE issue

Posted by GitBox <gi...@apache.org>.
kezhenxu94 commented on issue #10427:
URL: https://github.com/apache/dolphinscheduler/issues/10427#issuecomment-1242941947

   Currently nearly all dependencies with CVEs are upgraded to the latest versions; some of the reported dependencies don't yet have a released new version that fixes the CVE, so we have no way to deal with those dependencies for now. Now this should be routine work, so let's close this issue.




[GitHub] [dolphinscheduler] zhongjiajie commented on issue #10427: [Bug] [deps] Upgrade package version to avoid exists CVE issue

Posted by GitBox <gi...@apache.org>.
zhongjiajie commented on issue #10427:
URL: https://github.com/apache/dolphinscheduler/issues/10427#issuecomment-1153528407

   Currently the packages that need to be upgraded are below
   
   ```log
   Error:  api-util-1.0.0-M20.jar: CVE-2018-1337(9.8)
   Error:  avro-1.7.4.jar: CVE-2021-43045(7.5)
   Error:  cron-utils-9.1.3.jar: CVE-2021-41269(9.8)
   Error:  gson-2.8.8.jar: CVE-2022-25647(7.5)
   Error:  h2-1.4.200.jar: CVE-2022-23221(9.8), CVE-2021-23463(9.1), CVE-2021-42392(9.8)
   Error:  hadoop-yarn-server-common-2.7.3.jar: CVE-2017-15718(9.8), CVE-2022-26612(9.8), CVE-2020-9492(8.8), CVE-2018-8029(8.8), CVE-2016-6811(8.8), CVE-2018-8009(8.8), CVE-2018-11768(7.5), CVE-2018-1296(7.5), CVE-2017-3166(7.8)
   Error:  hive-jdbc-2.1.0.jar: CVE-2018-11777(8.1), CVE-2020-13949(7.5), CVE-2018-1282(9.1)
   Error:  hive-orc-2.1.0.jar: CVE-2018-11777(8.1), CVE-2020-13949(7.5), CVE-2018-1282(9.1)
   Error:  hive-storage-api-2.1.0.jar: CVE-2018-11777(8.1), CVE-2018-1282(9.1)
   Error:  htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-7525(9.8), CVE-2018-7489(9.8), CVE-2020-35491(8.1), CVE-2020-35490(8.1), CVE-2020-36518(7.5)
   Error:  jackson-databind-2.10.5.jar: CVE-2020-25649(7.5), CVE-2020-36518(7.5)
   Error:  jackson-mapper-asl-1.9.13.jar: CVE-2017-7525(9.8), CVE-2019-10172(7.5)
   Error:  libfb303-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
   Error:  libthrift-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
   Error:  log4j-1.2-api-2.14.1.jar: CVE-2021-44228(10.0), CVE-2021-45046(9.0)
   Error:  log4j-1.2.17.jar: CVE-2021-4104(7.5), CVE-2020-9493(9.8), CVE-2022-23307(8.8), CVE-2022-23305(9.8), CVE-2019-17571(9.8), CVE-2022-23302(8.8)
   Error:  mybatis-3.5.2.jar: CVE-2020-26945(8.1)
   Error:  mybatis-plus-3.2.0.jar: CVE-2020-26945(8.1), CVE-2022-25517(9.8)
   Error:  mybatis-plus-core-3.2.0.jar: CVE-2020-26945(8.1)
   Error:  netty-3.6.2.Final.jar: CVE-2019-16869(7.5), CVE-2015-2156(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1)
   Error:  netty-all-4.1.53.Final.jar: CVE-2021-37136(7.5), CVE-2021-37137(7.5)
   Error:  okhttp-3.14.9.jar: CVE-2021-0341(7.5)
   Error:  pom.xml: CVE-2018-11804(7.5), CVE-2018-17190(9.8)
   Error:  pom.xml: CVE-2018-11804(7.5), CVE-2018-17190(9.8)
   Error:  snappy-0.2.jar: CVE-2018-6353(7.8)
   Error:  spring-core-5.3.12.jar: CVE-2022-22965(9.8), CVE-2016-1000027(9.8)
   Error:  spring-plugin-core-1.2.0.RELEASE.jar: CVE-2022-22965(9.8), CVE-2016-1000027(9.8)
   Error:  spring-tx-5.3.12.jar: CVE-2022-22965(9.8), CVE-2016-1000027(9.8)
   Error:  swagger-bootstrap-ui-1.9.3.jar: axios.min.js: CVE-2019-10742(7.5), CVE-2021-3749(7.5)
   Error:  unirest-java-3.7.04-standalone.jar/META-INF/maven/com.google.code.gson/gson/pom.xml: CVE-2022-25647(7.5)
   Error:  xercesImpl-2.9.1.jar: CVE-2012-0881(7.5), CVE-2013-4002(7.1)
   ```


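The report lines in the comment above are the flat `Error:  <artifact>: CVE-ID(score), ...` form that the OWASP dependency-check CI emits when it fails the build. The following triage helper is an added example, not DolphinScheduler project code: it parses that line shape, collapses the duplicated `pom.xml` line, counts each CVE once even when several jars carry it (the `libfb303`/`libthrift` pair share the same five), and orders the artifacts by their worst CVSS score so the upgrade work can start where the risk is highest. The sample input is a subset of the lines from the comment plus one unrelated line constructed to show non-matching output is ignored; the severity bands are the CVSS v3 qualitative ratings, and the function names are this example's own.

```python
"""Triage helper for OWASP dependency-check failure lines (added example, not project code).

Assumes the plain "Error:  <artifact>: CVE-ID(score), ..." line shape shown in the
issue comment; the plugin's HTML/JSON reports are the richer source for real tooling.
"""
import re
from collections import defaultdict

# Sample input: a subset of the lines from the comment above, including the doubled
# pom.xml line, plus one constructed non-matching line that must be ignored.
SAMPLE_LOG = """\
Error:  gson-2.8.8.jar: CVE-2022-25647(7.5)
Error:  h2-1.4.200.jar: CVE-2022-23221(9.8), CVE-2021-23463(9.1), CVE-2021-42392(9.8)
Error:  libfb303-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
Error:  libthrift-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
Error:  pom.xml: CVE-2018-11804(7.5), CVE-2018-17190(9.8)
Error:  pom.xml: CVE-2018-11804(7.5), CVE-2018-17190(9.8)
Error:  swagger-bootstrap-ui-1.9.3.jar: axios.min.js: CVE-2019-10742(7.5), CVE-2021-3749(7.5)
Error:  unirest-java-3.7.04-standalone.jar/META-INF/maven/com.google.code.gson/gson/pom.xml: CVE-2022-25647(7.5)
[INFO] constructed unrelated Maven output line that must be ignored
"""

# The artifact group is greedy so an artifact that itself contains ": " (the
# swagger-bootstrap-ui line bundles a JS file name) stays whole; the CVE list is
# whatever follows the last ": CVE-" on the line.
LINE_RE = re.compile(r"^Error:\s+(?P<artifact>.+):\s+(?P<cves>CVE-\d{4}-\d+\(.*)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d+)\((\d+(?:\.\d+)?)\)")
CVE_LIST_RE = re.compile(r"(?:CVE-\d{4}-\d+\(\d+(?:\.\d+)?\)(?:,\s*)?)+")


def parse_report(text):
    """Return {artifact: {cve_id: cvss_score}}.

    Lines that do not have the expected shape are skipped; an artifact reported
    twice (the doubled pom.xml line) collapses into a single entry.
    """
    findings = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not CVE_LIST_RE.fullmatch(m.group("cves").strip()):
            continue
        for cve, score in CVE_RE.findall(m.group("cves")):
            findings[m.group("artifact")][cve] = float(score)
    return dict(findings)


def severity(score):
    """CVSS v3 qualitative rating bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def unique_cves(findings):
    """One row per CVE rather than per jar: (cve, score, rating, [artifacts]),
    ordered by score descending. A CVE carried by several jars counts once."""
    artifacts = defaultdict(set)
    scores = {}
    for artifact, cves in findings.items():
        for cve, score in cves.items():
            artifacts[cve].add(artifact)
            scores[cve] = max(scores.get(cve, 0.0), score)
    rows = [(cve, scores[cve], severity(scores[cve]), sorted(artifacts[cve])) for cve in scores]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def upgrade_priority(findings):
    """Artifacts as (artifact, worst_score, cve_count), worst score first, then the
    upgrade that clears the most CVEs."""
    rows = [(artifact, max(cves.values()), len(cves)) for artifact, cves in findings.items()]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    report = parse_report(SAMPLE_LOG)
    print(f"{len(report)} artifacts, {len(unique_cves(report))} distinct CVEs")
    for artifact, worst, count in upgrade_priority(report):
        print(f"{worst:4.1f} {severity(worst):8} {count:2d} CVE(s)  {artifact}")
```

Feeding the full list from the comment through `parse_report` instead of the sample gives the same two views: distinct CVEs to look up, and artifacts in the order their upgrades should be attempted. Where the per-artifact row shows no fixed release is available yet, as the closing comment notes for some packages, the finding stays visible in the unique-CVE view rather than disappearing once the duplicates are collapsed.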


[GitHub] [dolphinscheduler] zhongjiajie commented on issue #10427: [Bug] [deps] Upgrade package version to avoid exists CVE issue

Posted by GitBox <gi...@apache.org>.
zhongjiajie commented on issue #10427:
URL: https://github.com/apache/dolphinscheduler/issues/10427#issuecomment-1185087840

   remove stale




[GitHub] [dolphinscheduler] github-actions[bot] commented on issue #10427: [Bug] [deps] Upgrade package version to avoid exists CVE issue

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #10427:
URL: https://github.com/apache/dolphinscheduler/issues/10427#issuecomment-1183809631

   This issue has been automatically marked as stale because it has not had recent activity for 30 days. It will be closed in next 7 days if no further activity occurs.




[GitHub] [dolphinscheduler] liqingwang commented on issue #10427: [Bug] [deps] Upgrade package version to avoid exists CVE issue

Posted by GitBox <gi...@apache.org>.
liqingwang commented on issue #10427:
URL: https://github.com/apache/dolphinscheduler/issues/10427#issuecomment-1218999392

   Hi @zhongjiajie, I have been working on this thing this time; maybe I can give some help




[GitHub] [dolphinscheduler] zhongjiajie commented on issue #10427: [Bug] [deps] Upgrade package version to avoid exists CVE issue

Posted by GitBox <gi...@apache.org>.
zhongjiajie commented on issue #10427:
URL: https://github.com/apache/dolphinscheduler/issues/10427#issuecomment-1229381102

   > Hi @zhongjiajie, I have been working on this thing this time; maybe I can give some help
   
   Thanks for doing this, it is good news for the community

