Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2022/08/11 09:00:45 UTC

[GitHub] [spark] LuciferYang opened a new pull request, #37481: [SPARK-40047][BUILD] Exclude `xalan` from `htmlunit` to clean warning of CVE-2022-34169

LuciferYang opened a new pull request, #37481:
URL: https://github.com/apache/spark/pull/37481

   ### What changes were proposed in this pull request?
   This PR excludes `xalan` from `htmlunit` to clean up the warning for CVE-2022-34169:
   
   ```
   Provides transitive vulnerable dependency xalan:xalan:2.7.2
   CVE-2022-34169 7.5 Integer Coercion Error vulnerability with medium severity found
   Results powered by Checkmarx(c)
   ```
   `xalan:xalan:2.7.2` is the latest version and the code base has not been updated for 5 years, so this can't be solved by upgrading `xalan`.
   
   
   ### Why are the changes needed?
   The vulnerability is described in [CVE-2022-34169](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169); it is better to exclude it although it's just a test dependency for Spark.
   
   ### Does this PR introduce _any_ user-facing change?
   No.
   
   
   ### How was this patch tested?
   
   - Pass GitHub Actions
   - Manual test:
   
   run `mvn dependency:tree -Phadoop-3 -Phadoop-cloud -Pmesos -Pyarn -Pkinesis-asl -Phive-thriftserver -Pspark-ganglia-lgpl -Pkubernetes -Phive | grep xalan` to check that `xalan` is not matched after this PR
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
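The manual test in the PR description pipes `mvn dependency:tree` into `grep xalan` and expects no match. The following script is an added example, not code from the Spark PR or the Spark project: it scans saved `dependency:tree` output for a coordinate that is supposed to be excluded and prints the module and parent chain that still pulls it in, so when a match does appear the reviewer can see which declaration needs the exclusion. The two tree texts, the module name `example-core`, and the version numbers are constructed for the example; only the `xalan:xalan:2.7.2` and `htmlunit` coordinates come from the thread.

```shell
#!/bin/sh
# Added example, not code from the Spark PR: scan saved `mvn dependency:tree`
# output for an artifact that should have been excluded and report the module
# and parent chain that still pulls it in.

# Constructed sample of `mvn dependency:tree` output BEFORE the exclusion
# (module name and versions other than xalan 2.7.2 are made up).
TREE_BEFORE='[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ example-core ---
[INFO] org.example:example-core:jar:1.0.0
[INFO] +- net.sourceforge.htmlunit:htmlunit:jar:2.63.0:test
[INFO] |  +- xalan:xalan:jar:2.7.2:test
[INFO] |  |  \- xalan:serializer:jar:2.7.2:test
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \- org.scalatest:scalatest_2.12:jar:3.2.14:test'

# The same module AFTER adding the <exclusion> for xalan:xalan under htmlunit.
TREE_AFTER='[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ example-core ---
[INFO] org.example:example-core:jar:1.0.0
[INFO] +- net.sourceforge.htmlunit:htmlunit:jar:2.63.0:test
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \- org.scalatest:scalatest_2.12:jar:3.2.14:test'

# find_artifact GROUP:ARTIFACT TREE_TEXT
# Prints one "module -> parent -> ... -> artifact" line per occurrence.
# Exit status 1 if the artifact is present anywhere, 0 if the tree is clean.
find_artifact() {
  printf '%s\n' "$2" | awk -v ga="$1" '
    # A "--- ...:tree (...) @ <module> ---" line starts a new module section.
    /^\[INFO\] --- .*:tree .*@ .* ---/ {
      module = $0; sub(/.*@ /, "", module); sub(/ ---.*/, "", module); next
    }
    /^\[INFO\] / {
      s = substr($0, 8)
      if (s ~ /^[ |+\\]/) {
        # Tree lines: each nesting level is 3 characters wide ("+- ", "|  ", "\- ", "   ").
        m = index(s, "- ")
        if (m == 0) next
        depth = int((m - 1) / 3) + 1
        coord = substr(s, m + 2)
      } else {
        depth = 0; coord = s           # root line: the module itself
      }
      chain[depth] = coord
      # Coordinates are group:artifact:type:version[:scope]; match on the group:artifact prefix.
      if (index(coord, ga ":") == 1) {
        out = module
        for (i = 1; i < depth; i++) out = out " -> " chain[i]
        print out " -> " coord
        found++
      }
    }
    END { exit found ? 1 : 0 }'
}

# Demo: the tree before the exclusion still contains xalan, the tree after does not.
if find_artifact xalan:xalan "$TREE_BEFORE"; then
  echo "before: clean"
else
  echo "before: xalan:xalan still present (see chain above)"
fi
if find_artifact xalan:xalan "$TREE_AFTER"; then
  echo "after: clean"
else
  echo "after: xalan:xalan still present (see chain above)"
fi
```

On a real build, capture the tree once with `mvn dependency:tree ... > tree.txt` and pass `"$(cat tree.txt)"` as the second argument; a non-zero exit makes the check usable as a CI gate, and the printed chain tells you which dependency declaration the `<exclusion>` has to go under when the artifact is reachable through more than one parent.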


[GitHub] [spark] dongjoon-hyun closed pull request #37481: [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun closed pull request #37481: [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`
URL: https://github.com/apache/spark/pull/37481




[GitHub] [spark] LuciferYang commented on a diff in pull request #37481: [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`

Posted by GitBox <gi...@apache.org>.
LuciferYang commented on code in PR #37481:
URL: https://github.com/apache/spark/pull/37481#discussion_r944077228


##########
pom.xml:
##########
@@ -712,6 +712,12 @@
         <groupId>net.sourceforge.htmlunit</groupId>
         <artifactId>htmlunit</artifactId>
         <version>${htmlunit.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+          </exclusion>
+        </exclusions>
         <scope>test</scope>
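Review bot: nothing in the hunk records why `xalan:xalan` is excluded; add an XML comment above `<exclusions>` naming SPARK-40047 and CVE-2022-34169 so the exclusion is not silently dropped the next time `${htmlunit.version}` is bumped or the declaration is rewritten. Since the declaration is `<scope>test</scope>`, the exclusion changes only the test classpath, so the HtmlUnit-based tests in the GitHub Actions run are what confirms that HtmlUnit does not need xalan at runtime.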

Review Comment:
   OK~ I'll remember to add it next time
   
   





[GitHub] [spark] LuciferYang commented on pull request #37481: [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`

Posted by GitBox <gi...@apache.org>.
LuciferYang commented on PR #37481:
URL: https://github.com/apache/spark/pull/37481#issuecomment-1212680321

   thanks @dongjoon-hyun 




[GitHub] [spark] dongjoon-hyun commented on a diff in pull request #37481: [SPARK-40047][BUILD] Exclude `xalan` from `htmlunit` to clean warning of CVE-2022-34169

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on code in PR #37481:
URL: https://github.com/apache/spark/pull/37481#discussion_r943978465


##########
pom.xml:
##########
@@ -712,6 +712,12 @@
         <groupId>net.sourceforge.htmlunit</groupId>
         <artifactId>htmlunit</artifactId>
         <version>${htmlunit.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+          </exclusion>
+        </exclusions>
         <scope>test</scope>
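Review bot: the exclusion is attached to this one `htmlunit` declaration only, so it removes `xalan` just from the paths that go through `htmlunit`; if another artifact in the tree also depended on `xalan`, the scanner would still report it. The `mvn dependency:tree ... | grep xalan` check in the PR description, which must match nothing, is the right acceptance test for that, and it is worth running with the same profile set CI uses rather than a single profile.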

Review Comment:
   For the test dependency, we had better have a `[TESTS]` tag.


