Posted to issues@spark.apache.org by "L. C. Hsieh (Jira)" <ji...@apache.org> on 2020/08/01 17:41:00 UTC

[jira] [Commented] (SPARK-32502) Please fix CVE related to Guava 14.0.1

    [ https://issues.apache.org/jira/browse/SPARK-32502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17169374#comment-17169374 ] 

L. C. Hsieh commented on SPARK-32502:
-------------------------------------

Is LimitedInputStream.java a real problem for the CVE? It seems not; it is just a simple input stream that limits reading. Or is it just that the CVE scanner finds copy-pasted code and thinks it is using the problematic Guava version?

> Please fix CVE related to Guava 14.0.1
> --------------------------------------
>
>                 Key: SPARK-32502
>                 URL: https://issues.apache.org/jira/browse/SPARK-32502
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 3.0.0
>            Reporter: Rodney Aaron Stainback
>            Priority: Major
>
> Please fix the following CVE related to Guava 14.0.1
> |cve|severity|cvss|
> |CVE-2018-10237|medium|5.9|
>  
> Our security team is trying to block us from using spark because of this issue
>  
> One thing that's very weird is I see from this [pom file|https://github.com/apache/spark/blob/v3.0.0/common/network-common/pom.xml] you reference guava but it's not clear what version.
>  
> But if I look on [maven|https://mvnrepository.com/artifact/org.apache.spark/spark-network-common_2.12/3.0.0] the guava reference is not showing up
>  
> Is this reference somehow being shaded into the network common jar?  It's not clear to me.
>  
> Also, I've noticed code like [this file|https://github.com/apache/spark/blob/v3.0.0/common/network-common/src/main/java/org/apache/spark/network/util/LimitedInputStream.java] which is a copy-paste of some guava source code.
>  
> The CVE scanner we use, Twistlock/Palo Alto Networks Prisma Cloud Compute Edition, is very thorough and will find CVEs in copy-pasted code and shaded jars.
>  
> Please fix this CVE so we can use spark



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org
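The thread turns on two questions a practitioner can answer directly from the jar: is Guava bundled into spark-network-common (as-is or relocated by the shade plugin), and does the bundled copy contain the classes CVE-2018-10237 is actually about? That CVE concerns unbounded allocation in the readObject() paths of AtomicDoubleArray and CompoundOrdering in Guava 11.0 through 24.1.0 (fixed in 24.1.1); a file such as LimitedInputStream that merely copies Guava's stream-limiting wrapper is not one of those classes, so a scanner hit on it alone is a name match, not evidence that the vulnerable code is present. The script below is an added example, not Spark project code: it treats the jar as the zip it is, lists Guava classes under the original package and under assumed relocation prefixes (the two `org/spark_project/guava/` and `org/sparkproject/guava/` prefixes are assumptions for illustration; take the real ones from the `<relocation>` entries in the project's maven-shade-plugin configuration), reads the Guava version from a bundled `pom.properties` if one survived shading, and reports whether the two CVE classes are present. The jar it scans when run without arguments is constructed inline for the example.

```python
"""Inspect a jar (a zip file) for bundled or shaded Guava and the
classes named in CVE-2018-10237. Added example for the SPARK-32502
discussion; not part of the Spark code base."""
import io
import re
import sys
import zipfile

GUAVA_PREFIX = "com/google/common/"

# Classes whose readObject() path was the subject of CVE-2018-10237
# (unbounded allocation on deserialization; fixed in Guava 24.1.1).
CVE_2018_10237_CLASSES = (
    "util/concurrent/AtomicDoubleArray.class",
    "collect/CompoundOrdering.class",
)

# ASSUMPTION for this example: package prefixes a shade relocation might
# move com.google.common under. Confirm against the pom's <relocation> entries.
RELOCATION_PREFIXES = (
    "org/spark_project/guava/",
    "org/sparkproject/guava/",
)


def parse_guava_version(version):
    """'24.1.1-jre' -> (24, 1, 1); None for strings that are not dotted ints."""
    core = version.split("-")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        return None
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def affected_by_cve_2018_10237(version):
    """Guava 11.0 through 24.1.0 are affected; None if the version is unparseable."""
    v = parse_guava_version(version)
    if v is None:
        return None
    return (11, 0, 0) <= v <= (24, 1, 0)


def scan_jar(jar_bytes):
    """Return where Guava classes live in the jar and whether the CVE classes are present."""
    report = {"guava_version": None, "direct": [], "relocated": {}, "cve_classes": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            # Guava's own pom.properties, if the shade plugin kept it, states the version.
            if name.startswith("META-INF/maven/com.google.guava/guava/") and name.endswith("pom.properties"):
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.MULTILINE)
                if m:
                    report["guava_version"] = m.group(1).strip()
    classes = [n for n in names if n.endswith(".class")]
    report["direct"] = sorted(n for n in classes if n.startswith(GUAVA_PREFIX))
    for prefix in RELOCATION_PREFIXES:
        hits = sorted(n for n in classes if n.startswith(prefix))
        if hits:
            report["relocated"][prefix] = hits
    # The CVE classes count whether they sit under the original package or a relocated one.
    for tail in CVE_2018_10237_CLASSES:
        for prefix in (GUAVA_PREFIX,) + RELOCATION_PREFIXES:
            if prefix + tail in names:
                report["cve_classes"].append(prefix + tail)
    return report


def build_sample_jar():
    """Constructed sample jar: Guava 14.0.1 relocated under org.spark_project.guava,
    plus Spark's own LimitedInputStream. Class bodies are just the classfile magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/spark/network/util/LimitedInputStream.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/spark_project/guava/io/ByteStreams.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/spark_project/guava/util/concurrent/AtomicDoubleArray.class", b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                    "version=14.0.1\ngroupId=com.google.guava\nartifactId=guava\n")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    r = scan_jar(data)
    print("guava version from pom.properties:", r["guava_version"],
          "affected:", affected_by_cve_2018_10237(r["guava_version"] or ""))
    print("direct com.google.common classes:", len(r["direct"]))
    for prefix, hits in r["relocated"].items():
        print("relocated under", prefix, ":", len(hits), "classes")
    print("CVE-2018-10237 classes present:", r["cve_classes"] or "none")
```

Run it as `python scan_guava.py spark-network-common_2.12-3.0.0.jar` against the real artifact. An empty `direct` list with entries under a relocated prefix is what a shaded Guava looks like to the maven listing the reporter found. Presence of the two classes says the vulnerable code is bundled; whether it is exploitable still depends on the application deserializing attacker-controlled data through them, which this scan does not decide.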