Posted to issues@beam.apache.org by "Arkadiusz Gasinski (Jira)" <ji...@apache.org> on 2022/03/16 22:06:00 UTC

[jira] [Created] (BEAM-14118) beam-vendor-grpc-1_43_2 shades vulnerable Netty dependency

Arkadiusz Gasinski created BEAM-14118:
-----------------------------------------

             Summary: beam-vendor-grpc-1_43_2 shades vulnerable Netty dependency
                 Key: BEAM-14118
                 URL: https://issues.apache.org/jira/browse/BEAM-14118
             Project: Beam
          Issue Type: Improvement
          Components: runner-flink
    Affects Versions: 2.37.0
            Reporter: Arkadiusz Gasinski


The [beam-vendor-grpc-1_43_2|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2] dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final]

In turn, our Beam pipeline builds are marked as vulnerable and we're having issues promoting them to higher environments.

Because Netty is shaded, we can't simply override the version in the build tool.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
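
An added example, not part of the original message and not Beam's own code: since a shaded copy does not appear in the build tool's dependency graph, one way to see which Netty version a vendored jar carries is to read the Maven metadata inside the jar itself. It assumes the shaded jar retains the bundled artifacts' `META-INF/maven/.../pom.properties` files (a shading configuration may strip them); the sample jar, its relocated class path and the `org.example` artifact are constructed for illustration.

```python
import io
import zipfile

def embedded_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} from pom.properties entries in a jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found[(props["groupId"], props["artifactId"])] = props["version"]
    return found

def flagged(jar_bytes, group_id, bad_versions):
    """List (artifactId, version) for embedded artifacts of group_id at a flagged version."""
    return sorted(
        (artifact, version)
        for (group, artifact), version in embedded_artifacts(jar_bytes).items()
        if group == group_id and version in bad_versions
    )

def build_sample_jar():
    """Constructed sample: relocated classes plus retained Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Hypothetical relocation prefix; the class bytes are a stub.
        jar.writestr("org/example/vendor/io/netty/buffer/ByteBuf.class", b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/maven/io.netty/netty-codec-http2/pom.properties",
                     "#Generated\ngroupId=io.netty\nartifactId=netty-codec-http2\n"
                     "version=4.1.63.Final\n")
        jar.writestr("META-INF/maven/org.example/lib/pom.properties",
                     "groupId=org.example\nartifactId=lib\nversion=1.0.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    # 4.1.63.Final is the version named in the report above.
    for artifact, version in flagged(build_sample_jar(), "io.netty", {"4.1.63.Final"}):
        print(f"shaded io.netty:{artifact}:{version}")
```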