Posted to dev@atlas.apache.org by "Greg (Jira)" <ji...@apache.org> on 2021/12/03 17:04:00 UTC
[jira] [Updated] (ATLAS-4497) Large number of CVE's (vulnerabilities) when building 2.2.0 and 3.0.0-SNAPSHOT from source
[ https://issues.apache.org/jira/browse/ATLAS-4497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Greg updated ATLAS-4497:
------------------------
Summary: Large number of CVE's (vulnerabilities) when building 2.2.0 and 3.0.0-SNAPSHOT from source (was: Large number of CVE's (vulnerabilities) when building 2.2.0 from source)
> Large number of CVE's (vulnerabilities) when building 2.2.0 and 3.0.0-SNAPSHOT from source
> ------------------------------------------------------------------------------------------
>
> Key: ATLAS-4497
> URL: https://issues.apache.org/jira/browse/ATLAS-4497
> Project: Atlas
> Issue Type: Bug
> Components: atlas-core
> Affects Versions: 2.2.0
> Environment: Redhat UBI (Universal Base Image) 8.5
> Reporter: Greg
> Priority: Critical
> Labels: security
>
> Atlas 2.2.0, when built from source, has a large number of jar packages that suffer from known exploits / vulnerabilities. I've performed an Anchore and a Twistlock scan of the compiled application, and here's the list of the High and Critical vulnerabilities found:
>
> [https://pastebin.com/raw/tQNYMZd9]
>
> I am attempting to put together a public docker image of Atlas compiled from source. You can see my build process here to see how I arrived at the compiled build that I performed the scans on:
>
> [https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]
>
> I'm not a Java developer, but I would think that an updated pom.xml that has newer / more current (vulnerability-free) versions of these packages may remediate these findings.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
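The remediation the reporter suggests, a pom.xml that pins current versions of the flagged jars, relies on two Maven mechanisms that the issue does not spell out: a `dependencyManagement` entry overrides the version of a transitive dependency on every path through the build (otherwise Maven's nearest-wins resolution keeps whichever older version a direct dependency pulled in first), and a scanner plugin can fail the build when a high-severity finding remains. The fragment below is an added example written for this page; it is not the Atlas project's pom.xml and not part of the reporter's Dockerfile. The coordinates `org.example:example-lib`, the version `2.0.1`, the project coordinates and the plugin version string are placeholders, not values taken from the pastebin findings.

```xml
<!-- Added example, not from the Atlas build. All coordinates and versions
     below are hypothetical placeholders. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example.placeholder</groupId>
  <artifactId>atlas-build-example</artifactId>
  <version>0.0.1-PLACEHOLDER</version>

  <properties>
    <!-- One place to bump the version a scanner flagged; reference it below
         so every module and every transitive path picks up the same value. -->
    <example-lib.version>2.0.1</example-lib.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Forces org.example:example-lib to the pinned version wherever it is
           resolved, including when it arrives only as a transitive dependency
           of something else. Without this entry Maven keeps the version that
           is nearest to the root of the dependency tree, which is often the
           older one a scanner reports. -->
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>example-lib</artifactId>
        <version>${example-lib.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- OWASP dependency-check-maven scans the resolved jars against the
           NVD and fails the build when any finding scores CVSS 7.0 or above,
           so a regression to a vulnerable version cannot ship unnoticed. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLACEHOLDER-USE-CURRENT-RELEASE</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Two checks are worth running after such a change. First, `mvn dependency:tree -Dincludes=org.example:example-lib` should show only the pinned version; if an older copy still appears, the artifact is being pulled in under different coordinates (a relocated groupId or a shaded jar), which a `dependencyManagement` entry does not cover. Second, forcing a transitive dependency forward can break the library that depended on it, so the project's test suite, not just the scanner, decides whether the bump is safe.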