You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@calcite.apache.org by "Stamatis Zampetakis (Jira)" <ji...@apache.org> on 2019/08/30 10:02:00 UTC
[jira] [Created] (CALCITE-3314) CVSS dependency-check-maven fails
for calcite-pig, calcite-piglet, calcite-spark
Stamatis Zampetakis created CALCITE-3314:
--------------------------------------------
Summary: CVSS dependency-check-maven fails for calcite-pig, calcite-piglet, calcite-spark
Key: CALCITE-3314
URL: https://issues.apache.org/jira/browse/CALCITE-3314
Project: Calcite
Issue Type: Bug
Reporter: Stamatis Zampetakis
Assignee: Stamatis Zampetakis
Fix For: 1.21.0
Calcite build fails if the CVSS dependency check is active since there are serious vulnerabilties in calcite-pig, calcite-piglet, calcite-spark.
Running mvn install -Ppedantic -fn gives the following errors:
{noformat}
ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-pig:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-piglet:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] jackson-core-asl-1.8.8.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
[ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
[ERROR] jackson-xc-1.8.3.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
[ERROR] hadoop-auth-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
[ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
[ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
[ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525, CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719, CVE-2018-14721, CVE-2018-14720
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-spark:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] spark-core_2.10-2.2.0.jar: CVE-2018-17190
[ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
[ERROR] hadoop-mapreduce-client-core-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
[ERROR] bcprov-jdk15on-1.51.jar: CVE-2018-1000613
[ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
[ERROR] unused-1.0.0.jar: CVE-2018-17190
[ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525, CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719, CVE-2018-14721, CVE-2018-14720
[ERROR] spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml: CVE-2017-7658, CVE-2017-7657
{noformat}
--
This message was sent by Atlassian Jira
(v8.3.2#803003)