You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@bigtop.apache.org by "Olaf Flebbe (Jira)" <ji...@apache.org> on 2020/03/05 17:20:00 UTC
[jira] [Commented] (BIGTOP-3321) CVEs in the dependencies are in
the execution path of your project
[ https://issues.apache.org/jira/browse/BIGTOP-3321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17052353#comment-17052353 ]
Olaf Flebbe commented on BIGTOP-3321:
-------------------------------------
Bigtop-1.4 should contain hadoop-2.8.5 safe against CVE-2017-15713. Why do you think we deliver hadoop-2.7.3 ?
> CVEs in the dependencies are in the execution path of your project
> ------------------------------------------------------------------
>
> Key: BIGTOP-3321
> URL: https://issues.apache.org/jira/browse/BIGTOP-3321
> Project: Bigtop
> Issue Type: Improvement
> Reporter: XuCongying
> Priority: Major
>
> Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which makes your project at risk. I have suggested some version updates. See below for more details:
> # *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.3
> * *Call Chain to Buggy Methods:*
> ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
> *** Files in your project: bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/system/TestLoadAndVerify.java
> *** One of the possible call chain:
> org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
> org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
> ** *Some files in your project call the library method org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[]), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
> *** Files in your project: bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/smoke/IncrementalPELoad.java
> *** One of the possible call chain:
> org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[])
> org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.Options,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(org.apache.commons.cli.Options,org.apache.hadoop.conf.Configuration,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.CommandLine)
> org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
> org.apache.hadoop.conf.Configuration.get(java.lang.String)
> org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
> ** *Some files in your project call the library method org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[]), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
> *** Files in your project: bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/system/TestLoadAndVerify.java
> *** One of the possible call chain:
> org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.Options,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(org.apache.commons.cli.Options,org.apache.hadoop.conf.Configuration,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.CommandLine)
> org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
> org.apache.hadoop.conf.Configuration.get(java.lang.String)
> org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
> ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
> *** Files in your project: bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/system/TestLoadAndVerify.java
> *** One of the possible call chain:
> org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int)
> org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
> org.apache.hadoop.conf.Configuration.get(java.lang.String)
> org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
> ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
> *** Files in your project: bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/system/TestLoadAndVerify.java
> *** One of the possible call chain:
> org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean)
> org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
> org.apache.hadoop.conf.Configuration.get(java.lang.String)
> org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
> * *Update suggestion:* version 3.2.1 3.2.1 is a safe version without CVEs. From 2.7.3 to 3.2.1, 8 of the APIs (called by 11 times in your project) were modified.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)