Posted to issues@calcite.apache.org by "Stamatis Zampetakis (Jira)" <ji...@apache.org> on 2019/08/30 10:06:00 UTC

[jira] [Commented] (CALCITE-3314) CVSS dependency-check-maven fails for calcite-pig, calcite-piglet, calcite-spark

    [ https://issues.apache.org/jira/browse/CALCITE-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16919391#comment-16919391 ] 

Stamatis Zampetakis commented on CALCITE-3314:
----------------------------------------------

Regarding the nature of the vulnerabilities, they originate from the following direct dependencies:
 * org.apache.hadoop:hadoop-client:jar:2.7.5:test
 * org.apache.hadoop:hadoop-common:jar:2.7.5:test
 * org.apache.pig:pig:jar:h2:0.16.0:compile
 * org.apache.spark:spark-core_2.10:jar:2.2.0:compile

Simply updating those to the latest version does not solve the problem. Due to this, we decided to disable the OWASP check for the pig, piglet, and spark modules, delegating the responsibility of choosing the appropriate versions to the clients using these modules.

> CVSS dependency-check-maven fails for calcite-pig, calcite-piglet, calcite-spark
> --------------------------------------------------------------------------------
>
>                 Key: CALCITE-3314
>                 URL: https://issues.apache.org/jira/browse/CALCITE-3314
>             Project: Calcite
>          Issue Type: Bug
>            Reporter: Stamatis Zampetakis
>            Assignee: Stamatis Zampetakis
>            Priority: Blocker
>             Fix For: 1.21.0
>
>
> The Calcite build fails if the CVSS dependency check is active, since there are serious vulnerabilities in calcite-pig, calcite-piglet, and calcite-spark.
> Running mvn install -Ppedantic -fn gives the following errors:
> {noformat}
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-pig: 
> [ERROR] 
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
> [ERROR] 
> [ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
> [ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-piglet: 
> [ERROR] 
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
> [ERROR] 
> [ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
> [ERROR] jackson-core-asl-1.8.8.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
> [ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
> [ERROR] jackson-xc-1.8.3.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
> [ERROR] hadoop-auth-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
> [ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
> [ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
> [ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525, CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719, CVE-2018-14721, CVE-2018-14720
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-spark: 
> [ERROR] 
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
> [ERROR] 
> [ERROR] spark-core_2.10-2.2.0.jar: CVE-2018-17190
> [ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
> [ERROR] hadoop-mapreduce-client-core-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
> [ERROR] bcprov-jdk15on-1.51.jar: CVE-2018-1000613
> [ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
> [ERROR] unused-1.0.0.jar: CVE-2018-17190
> [ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525, CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719, CVE-2018-14721, CVE-2018-14720
> [ERROR] spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml: CVE-2017-7658, CVE-2017-7657
> {noformat}


--
This message was sent by Atlassian Jira
(v8.3.2#803003)
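The console output quoted in the issue is the only artifact a reader gets, and it mixes two kinds of findings: a flagged jar on the module's own classpath (jetty-6.1.26.jar, zookeeper-3.4.6.jar), and a pom.xml that dependency-check found *inside* another jar (the `htrace-core-3.1.0-incubating.jar/META-INF/maven/.../jackson-databind/pom.xml` and `spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml` entries). The second kind is evidence of a bundled copy of that artifact, so declaring a newer jackson-databind or jetty-plus in the module's own pom does not make it go away; the enclosing jar has to be upgraded or excluded, which is exactly the situation the comment above describes as not fixable by a simple version bump. The script below is an added example, not code from the Calcite project or from OWASP dependency-check: it parses a constructed subset of the quoted log lines, groups findings per Maven module, separates the two kinds of hits, and deduplicates the CVE ids across modules.

```python
"""Triage helper for dependency-check-maven "CVSS score greater than or equal
to" failures.  Added example; not part of Calcite or of OWASP dependency-check.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the dependency-check-maven output
# quoted in CALCITE-3314 (two of the three modules, trailing spaces dropped).
SAMPLE_LOG = """\
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-pig:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-spark:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] spark-core_2.10-2.2.0.jar: CVE-2018-17190
[ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
[ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2017-7525
[ERROR] spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml: CVE-2017-7658, CVE-2017-7657
"""

# "Failed to execute goal ... on project <module>:" starts a new module's findings.
MODULE_RE = re.compile(r"Failed to execute goal .* on project ([^\s:]+)")
# "<path>: CVE-..., CVE-..." is one flagged dependency.
FINDING_RE = re.compile(
    r"^\[ERROR\]\s+(\S+):\s+(CVE-\d{4}-\d+(?:,\s*CVE-\d{4}-\d+)*)\s*$")
# Maven's pom layout inside a jar: META-INF/maven/<groupId>/<artifactId>/pom.xml
NESTED_POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")


def parse_findings(log_text):
    """Group flagged artifacts by Maven module.

    Each finding is a dict with keys: artifact (jar file name, or
    groupId:artifactId when the hit came from a nested pom), nested_in (the
    enclosing jar, or None for a hit on the jar itself) and cves (list).
    """
    findings = defaultdict(list)
    module = None
    for line in log_text.splitlines():
        m = MODULE_RE.search(line)
        if m:
            module = m.group(1)
            continue
        m = FINDING_RE.match(line)
        if not m or module is None:
            continue
        path, cve_list = m.groups()
        cves = [c.strip() for c in cve_list.split(",")]
        outer, sep, inner = path.partition(".jar/")
        if sep:
            # Evidence came from a pom.xml inside another jar: dependency-check
            # identified a copy of that artifact bundled (typically shaded) in `outer`.
            pom = NESTED_POM_RE.match(inner)
            name = f"{pom.group(1)}:{pom.group(2)}" if pom else inner
            findings[module].append(
                {"artifact": name, "nested_in": outer + ".jar", "cves": cves})
        else:
            findings[module].append(
                {"artifact": path, "nested_in": None, "cves": cves})
    return dict(findings)


def remediation_plan(findings):
    """Per module: jars that a version bump can fix directly, and enclosing
    jars that must be upgraded or excluded because of what they bundle."""
    plan = {}
    for module, items in findings.items():
        direct = sorted({f["artifact"] for f in items if f["nested_in"] is None})
        containers = sorted({f["nested_in"] for f in items if f["nested_in"]})
        plan[module] = {"upgrade_directly": direct,
                        "upgrade_or_exclude_container": containers}
    return plan


def unique_cves(findings):
    """Distinct CVE ids across all modules: the real remediation surface,
    since the same jar is usually flagged under several modules."""
    return {c for items in findings.values() for f in items for c in f["cves"]}


if __name__ == "__main__":
    parsed = parse_findings(SAMPLE_LOG)
    for module, plan in remediation_plan(parsed).items():
        print(module, plan)
    print(len(unique_cves(parsed)), "distinct CVEs")
```

Run it against a real build log (`mvn install -Ppedantic -fn 2>&1 | tee build.log`) by feeding the file contents to `parse_findings` instead of `SAMPLE_LOG`. The `upgrade_or_exclude_container` list is the part worth reading first: those are the hits that survive a dependency-management override and that, as the comment above says, end up being the consumer's problem once the check is skipped for a module.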