Posted to issues@beam.apache.org by "Kenneth Knowles (Jira)" <ji...@apache.org> on 2022/03/17 17:55:00 UTC

[jira] [Commented] (BEAM-14118) beam-vendor-grpc-1_43_2 shades vulnerable Netty version

    [ https://issues.apache.org/jira/browse/BEAM-14118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17508350#comment-17508350 ] 

Kenneth Knowles commented on BEAM-14118:
----------------------------------------

I expect this impacts most runners. It would require an upgrade to the vendored gRPC version. Can you link to the vulnerability flagged by your tooling so we can have an analysis?

> beam-vendor-grpc-1_43_2 shades vulnerable Netty version
> -------------------------------------------------------
>
>                 Key: BEAM-14118
>                 URL: https://issues.apache.org/jira/browse/BEAM-14118
>             Project: Beam
>          Issue Type: Improvement
>          Components: runner-flink, runner-spark, sdk-java-harness
>    Affects Versions: 2.37.0
>            Reporter: Arkadiusz Gasinski
>            Priority: P1
>
> The [beam-vendor-grpc-1_43_2|https://mvnrepository.com/artifact/org.apache.beam/beam-vendor-grpc-1_43_2] dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: [https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final]
> In turn, our Beam pipeline builds are marked as vulnerable and we're having issues promoting them to higher environments.
> Because Netty is shaded, we can't simply override the version in the build tool.
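
Because the relocated Netty classes are invisible to the build tool's dependency tree, the practical check is to inspect the vendored jar itself. The script below is an added example, not code from Beam or from the reporter: it lists Netty class files under any relocation prefix and reads the version strings Netty ships in `META-INF/io.netty.versions.properties`. It assumes that resource survives shading, and the sample jar it builds (relocation prefix `org/apache/beam/vendor/grpc/v1p43p2/`, version `4.1.63.Final`) is constructed for the example rather than read from the real artifact.

```python
import os
import re
import tempfile
import zipfile

# Resource that Netty's own io.netty.util.Version reads at runtime.
# Assumption: the shade step copies it into the vendored jar unchanged.
VERSIONS_RESOURCE = "META-INF/io.netty.versions.properties"
# A Netty class file under any relocation prefix (or none, if unshaded).
NETTY_CLASS = re.compile(r"^(?P<prefix>.*?)io/netty/[\w$/]+\.class$")

def scan_jar(jar_path):
    """Report relocated Netty classes and embedded Netty version strings."""
    report = {"prefixes": set(), "class_count": 0, "versions": {}}
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        for name in names:
            match = NETTY_CLASS.match(name)
            if match:
                report["class_count"] += 1
                report["prefixes"].add(match.group("prefix"))
        if VERSIONS_RESOURCE in names:
            # Lines look like "netty-buffer.version=4.1.63.Final".
            for line in jar.read(VERSIONS_RESOURCE).decode("utf-8").splitlines():
                key, sep, value = line.partition("=")
                key = key.strip()
                if sep and key.endswith(".version"):
                    report["versions"][key[: -len(".version")]] = value.strip()
    return report

def build_sample_jar(path):
    """Write a constructed jar imitating a shaded Netty (sample values only)."""
    prefix = "org/apache/beam/vendor/grpc/v1p43p2/"  # assumed relocation prefix
    stub = b"\xca\xfe\xba\xbe"  # class-file magic; bodies are irrelevant here
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(prefix + "io/netty/buffer/ByteBuf.class", stub)
        jar.writestr(prefix + "io/netty/handler/codec/http/HttpObjectDecoder.class", stub)
        jar.writestr(prefix + "io/grpc/Channel.class", stub)  # not Netty, must be ignored
        jar.writestr(VERSIONS_RESOURCE,
                     "netty-buffer.version=4.1.63.Final\n"
                     "netty-codec-http.version=4.1.63.Final\n")

def demo():
    """Build the sample jar in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, "vendored-sample.jar")
        build_sample_jar(jar)
        return scan_jar(jar)

if __name__ == "__main__":
    result = demo()
    print(result["class_count"], "Netty classes under", sorted(result["prefixes"]))
    print(result["versions"])
```

Run it against the real `beam-vendor-grpc-1_43_2` jar with `scan_jar("<path to jar>")`; the reported versions are what a scanner should be matched against, since the build tool's own dependency report will not show them.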



--
This message was sent by Atlassian Jira
(v8.20.1#820001)