Posted to issues@streampipes.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/09/19 05:02:00 UTC

[jira] [Commented] (STREAMPIPES-519) multiple insecure libs used in streampipes

    [ https://issues.apache.org/jira/browse/STREAMPIPES-519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606425#comment-17606425 ] 

ASF subversion and git services commented on STREAMPIPES-519:
-------------------------------------------------------------

Commit 72c10f170df8b08f080b4bac0c81b477a75655a9 in incubator-streampipes's branch refs/heads/dev from Philipp Zehnder
[ https://gitbox.apache.org/repos/asf?p=incubator-streampipes.git;h=72c10f170 ]

Merge pull request #109 from pjfanning/patch-1

[STREAMPIPES-519] update snakeyaml due to CVEs

> multiple insecure libs used in streampipes
> ------------------------------------------
>
>                 Key: STREAMPIPES-519
>                 URL: https://issues.apache.org/jira/browse/STREAMPIPES-519
>             Project: StreamPipes
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>
> I ran a dependabot analysis using GitHub and there were 74 issues - some are the same issue appearing in multiple subprojects.
> Unfortunately, GitHub does not appear to allow me to share these results. To reproduce, fork streampipes in GitHub, go to the security tab and enable dependabot alerts.
> some java issues
> * log4j should be upgraded https://logging.apache.org/log4j/2.x/security.html
> * jetty should be upgraded (eg 9.4.45) https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
> * commons-beanutils upgrade to 1.9.4 https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils
> * guava https://mvnrepository.com/artifact/com.google.guava/guava
> * shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
> * log4jv1 is used in some places - this jar is end of life and full of CVE issues - eg https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
> * commons-compress needs upgrading - eg https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
> * snakeyaml needs upgrading in https://github.com/pjfanning/incubator-streampipes/blob/dev/streampipes-maven-plugin/pom.xml
> * postgresql jar needs upgrading - see https://github.com/advisories/GHSA-673j-qm5f-xpv8
> * nimbus-jose-jwt - https://github.com/advisories/GHSA-f6vf-pq8c-69m4
> * amqp-client - https://github.com/advisories/GHSA-w4g2-9hj6-5472
> * netty - https://github.com/advisories/GHSA-grg4-wf29-r9vv and others
> pips
> * waitress eg https://github.com/advisories/GHSA-4f7p-27jc-3c36
> * jinja eg https://github.com/advisories/GHSA-g3rq-g295-4j3m
> npms
> * many
> * including lodash https://github.com/advisories/GHSA-35jh-r3h4-6jhm



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
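A quick way to check the kind of version floor the report above calls for (jetty-server at or above 9.4.45, commons-beanutils at or above 1.9.4) without waiting on a Dependabot run is to scan each module's pom.xml offline. The script below is an added example written for this page, not StreamPipes project code or a tool the reporter used: it resolves `${property}` versions from `<properties>`, orders versions with a simplified Maven-style comparison (pre-release qualifiers below the bare release, timestamp qualifiers such as jetty's `v2022...` above it), and reports every tracked dependency that is below its minimum. The two minimums in `MIN_VERSIONS` are the ones named in the issue; `SAMPLE_POM` is a constructed pom.xml for the example, not a real StreamPipes module, and the jetty version in it is made up to trigger a finding.

```python
"""Flag Maven dependencies that sit below a required minimum version.

Added example, not StreamPipes project code. Reads a pom.xml, resolves
${property} versions and compares tracked dependencies against a table
of minimum acceptable versions (the two entries below come from the
issue text). SAMPLE_POM is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")
PRERELEASE = ("snapshot", "alpha", "beta", "rc", "m", "milestone", "preview")

# groupId:artifactId -> minimum acceptable version (both named in the issue)
MIN_VERSIONS = {
    "org.eclipse.jetty:jetty-server": "9.4.45",
    "commons-beanutils:commons-beanutils": "1.9.4",
}


def version_key(version):
    """Simplified Maven-style ordering. Numeric segments compare as ints;
    pre-release qualifiers sort below the bare release; any other qualifier
    (jetty's 'v20220203' timestamp, for example) sorts above it. The trailing
    terminator segment is what makes '1.9.4-SNAPSHOT' < '1.9.4' < '1.9.4.v1'."""
    key = []
    for seg in re.split(r"[.\-_]", version.strip()):
        if seg.isdigit():
            key.append((1, int(seg)))
        elif seg.lower().rstrip("0123456789") in PRERELEASE:
            key.append((-1, seg.lower()))
        else:
            key.append((0, seg.lower()))
    key.append((0, ""))
    return tuple(key)


def is_outdated(version, minimum):
    return version_key(version) < version_key(minimum)


def resolve(value, props):
    """Expand ${prop} references (nested ones too) against <properties>;
    references with no definition are left in place so the caller can see them."""
    for _ in range(10):
        expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value


def text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else ""


def audit_pom(pom_xml, minimums=MIN_VERSIONS):
    """Return (coordinate, declared_version, minimum) for each tracked
    <dependency> whose resolved version is below the minimum. A version that
    cannot be resolved (inherited from a parent/BOM) is reported as None rather
    than silently passed."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    props.setdefault("project.version", text(root, "version"))

    findings = []
    for dep in root.iter(f"{{{NS['m']}}}dependency"):
        coord = f"{text(dep, 'groupId')}:{text(dep, 'artifactId')}"
        if coord not in minimums:
            continue
        version = resolve(text(dep, "version"), props)
        if not version or "${" in version:
            findings.append((coord, None, minimums[coord]))
        elif is_outdated(version, minimums[coord]):
            findings.append((coord, version, minimums[coord]))
    return findings


# Constructed sample pom.xml (not a real StreamPipes module).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId>
  <artifactId>sample-module</artifactId>
  <version>0.1.0-SNAPSHOT</version>
  <properties>
    <jetty.version>9.4.43.v20210629</jetty.version>
    <beanutils.version>1.9.4</beanutils.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-server</artifactId>
      <version>${jetty.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>${beanutils.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for coord, declared, minimum in audit_pom(SAMPLE_POM):
        print(f"{coord}: declared {declared or 'unresolved'}, minimum {minimum}")
```

Run it over every `pom.xml` in the tree (the issue notes the same library appears in several subprojects, e.g. the spark wrapper and the maven plugin) and treat a `None` finding as "go look at the parent pom or BOM", since a version inherited through `<dependencyManagement>` in another file is exactly what a single-file scan cannot see. The comparison is deliberately simpler than Maven's `ComparableVersion`; it is enough for the floor checks listed here but will mis-order exotic qualifiers.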