You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "Robert Metzger (Jira)" <ji...@apache.org> on 2020/10/23 13:12:00 UTC

[jira] [Commented] (FLINK-19782) Upgrade antlr to 4.7.1 or newer

    [ https://issues.apache.org/jira/browse/FLINK-19782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17219668#comment-17219668 ] 

Robert Metzger commented on FLINK-19782:
----------------------------------------

I believe this is a false positive. All mentions of antlr in the code are exclusions of it.
The report states that flink-python contains ANTLR, but it actually exclude it as well: https://github.com/apache/flink/blob/master/flink-python/pom.xml#L336.

Looking at the flink-python binary contents of the current master, you'll find the following files:
{code}
 find . | grep "antlr"
./META-INF/maven/org.antlr
./META-INF/maven/org.antlr/antlr4-runtime
./META-INF/maven/org.antlr/antlr4-runtime/pom.xml
./META-INF/maven/org.antlr/antlr4-runtime/pom.properties
{code}

I guess these files are not properly excluded by the beam project. I'll see if we can exclude them in our shading, then the warning should go away.

> Upgrade antlr to 4.7.1 or newer
> -------------------------------
>
>                 Key: FLINK-19782
>                 URL: https://issues.apache.org/jira/browse/FLINK-19782
>             Project: Flink
>          Issue Type: Task
>          Components: API / Python
>    Affects Versions: 1.12.0, 1.11.2
>            Reporter: Till Rohrmann
>            Priority: Critical
>             Fix For: 1.12.0, 1.11.3
>
>
> A user reported dependency vulnerabilities which affect {{antlr}} [1]. We should upgrade this dependency to {{4.7.1}} or newer.
> [1] https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a%40%3Cuser.flink.apache.org%3E



--
This message was sent by Atlassian Jira
(v8.3.4#803005)