Posted to dev@ignite.apache.org by "steve.hostettler@gmail.com" <st...@gmail.com> on 2019/01/29 07:35:19 UTC

H2 license and vulnerabilities

Hello,
I am using Apache Ignite in a financial setting and it gets reported as a
high risk because of one of its dependencies: H2

The Black Duck report warns of the following:
1) The H2 license being weak reciprocal, it is not the preferred type of OSS
license (e.g., Apache, MIT)
2) There are known vulnerabilities for now more than a year that do not get
fixed:
https://www.cvedetails.com/vulnerability-list/vendor_id-17893/product_id-45580/year-2018/H2database-H2.html

So here are my questions:
1) Is there any plan to swap H2 for another in-memory database, and if not,
what is the view of the community on the above points?
2) Does Ignite use the part of H2 that is vulnerable (disk backup)?

Many thanks in advance



--
Sent from: http://apache-ignite-developers.2346864.n4.nabble.com/

Re: H2 license and vulnerabilities

Posted by "steve.hostettler@gmail.com" <st...@gmail.com>.
Hello Vladimir,

Thanks a lot for the quick turnaround. That answers my question and clears
the vulnerability part.

Best Regards



--
Sent from: http://apache-ignite-developers.2346864.n4.nabble.com/

Re: H2 license and vulnerabilities

Posted by Vladimir Ozerov <vo...@gridgain.com>.
Hi Steve,

H2 cannot be removed from Ignite easily as it is integrated pretty deep
into the indexing module. The good news is that our usage of H2 is pretty limited -
we only use its parser, planner and execution pipeline. We do not use H2
as data storage.
Please let me know if you need any additional clarifications.

Vladimir.

On Tue, Jan 29, 2019 at 10:35 AM steve.hostettler@gmail.com <
steve.hostettler@gmail.com> wrote:

> Hello,
> I am using Apache Ignite in a financial setting and it gets reported as a
> high risk because of one of its dependencies: H2
>
> The Black Duck report warns of the following:
> 1) The H2 license being weak reciprocal, it is not the preferred type of OSS
> license (e.g., Apache, MIT)
> 2) There are known vulnerabilities for now more than a year that do not get
> fixed:
>
> https://www.cvedetails.com/vulnerability-list/vendor_id-17893/product_id-45580/year-2018/H2database-H2.html
>
> So here are my questions:
> 1) Is there any plan to swap H2 for another in-memory database, and if not,
> what is the view of the community on the above points?
> 2) Does Ignite use the part of H2 that is vulnerable (disk backup)?
>
> Many thanks in advance
>
>
>
> --
> Sent from: http://apache-ignite-developers.2346864.n4.nabble.com/
>