Posted to commits@spark.apache.org by do...@apache.org on 2022/08/11 22:12:41 UTC

[spark] branch branch-3.2 updated: [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`

This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a commit to branch branch-3.2
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-3.2 by this push:
     new 45d42e17199 [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`
45d42e17199 is described below

commit 45d42e1719933667981e7e490a2a21623501e6dd
Author: yangjie01 <ya...@baidu.com>
AuthorDate: Thu Aug 11 15:10:42 2022 -0700

    [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`
    
    ### What changes were proposed in this pull request?
    This PR excludes `xalan` from `htmlunit` to clear the warning for CVE-2022-34169:
    
    ```
    Provides transitive vulnerable dependency xalan:xalan:2.7.2
    CVE-2022-34169 7.5 Integer Coercion Error vulnerability with medium severity found
    Results powered by Checkmarx(c)
    ```
    `xalan:xalan:2.7.2` is the latest version and the code base has not been updated for 5 years, so this can't be solved by upgrading `xalan`.
    
    ### Why are the changes needed?
    The vulnerability is described in [CVE-2022-34169](https://github.com/advisories/GHSA-9339-86wc-4qgf); it is better to exclude it although it's just a test dependency for Spark.
    
    ### Does this PR introduce _any_ user-facing change?
    No.
    
    ### How was this patch tested?
    
    - Pass GitHub Actions
    - Manual test:
    
    Run `mvn dependency:tree -Phadoop-3 -Phadoop-cloud -Pmesos -Pyarn -Pkinesis-asl -Phive-thriftserver -Pspark-ganglia-lgpl -Pkubernetes -Phive | grep xalan` to check that `xalan` is not matched after this PR.
    
    Closes #37481 from LuciferYang/exclude-xalan.
    
    Authored-by: yangjie01 <ya...@baidu.com>
    Signed-off-by: Dongjoon Hyun <do...@apache.org>
    (cherry picked from commit 7f3baa77acbf7747963a95d0f24e3b8868c7b16a)
    Signed-off-by: Dongjoon Hyun <do...@apache.org>
---
 pom.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pom.xml b/pom.xml
index 9165d62fd18..81c5d5f6370 100644
--- a/pom.xml
+++ b/pom.xml
@@ -670,6 +670,12 @@
         <groupId>net.sourceforge.htmlunit</groupId>
         <artifactId>htmlunit</artifactId>
         <version>${htmlunit.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+          </exclusion>
+        </exclusions>
         <scope>test</scope>
       </dependency>
       <dependency>
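Review bot: the `<exclusions>` block is attached to the `htmlunit` declaration only, so it removes `xalan:xalan` as it arrives through that one path; any other artifact that also depends on `xalan` would still land it on the test classpath, which is why the `mvn dependency:tree ... | grep xalan` check in the description is the right verification rather than trusting the scanner to go quiet. To stop the exclusion from silently regressing when `htmlunit.version` is bumped or a new dependency is added, consider backing it with a `maven-enforcer-plugin` `bannedDependencies` rule for `xalan:xalan`, so the build fails instead of the CVE-2022-34169 warning reappearing. The title calls the dependency unused; since excluding it changes what `htmlunit` can load at test runtime, the passing GitHub Actions run cited in the description is the evidence for that claim and should be kept as the gate for this change.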


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@spark.apache.org
For additional commands, e-mail: commits-help@spark.apache.org