Posted to commits@spark.apache.org by do...@apache.org on 2022/08/11 22:12:41 UTC
[spark] branch branch-3.2 updated: [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`
This is an automated email from the ASF dual-hosted git repository.
dongjoon pushed a commit to branch branch-3.2
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/branch-3.2 by this push:
new 45d42e17199 [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`
45d42e17199 is described below
commit 45d42e1719933667981e7e490a2a21623501e6dd
Author: yangjie01 <ya...@baidu.com>
AuthorDate: Thu Aug 11 15:10:42 2022 -0700
[SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`
### What changes were proposed in this pull request?
This PR excludes `xalan` from `htmlunit` to clear the warning for CVE-2022-34169:
```
Provides transitive vulnerable dependency xalan:xalan:2.7.2
CVE-2022-34169 7.5 Integer Coercion Error vulnerability with medium severity found
Results powered by Checkmarx(c)
```
`xalan:xalan:2.7.2` is the latest version and the code base has not been updated for 5 years, so this can't be solved by upgrading `xalan`.
### Why are the changes needed?
The vulnerability is described in [CVE-2022-34169](https://github.com/advisories/GHSA-9339-86wc-4qgf); it is better to exclude it even though it is just a test dependency for Spark.
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
- Pass GitHub Actions
- Manual test:
Run `mvn dependency:tree -Phadoop-3 -Phadoop-cloud -Pmesos -Pyarn -Pkinesis-asl -Phive-thriftserver -Pspark-ganglia-lgpl -Pkubernetes -Phive | grep xalan` to check that `xalan` is not matched after this PR.
Closes #37481 from LuciferYang/exclude-xalan.
Authored-by: yangjie01 <ya...@baidu.com>
Signed-off-by: Dongjoon Hyun <do...@apache.org>
(cherry picked from commit 7f3baa77acbf7747963a95d0f24e3b8868c7b16a)
Signed-off-by: Dongjoon Hyun <do...@apache.org>
---
pom.xml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pom.xml b/pom.xml
index 9165d62fd18..81c5d5f6370 100644
--- a/pom.xml
+++ b/pom.xml
@@ -670,6 +670,12 @@
<groupId>net.sourceforge.htmlunit</groupId>
<artifactId>htmlunit</artifactId>
<version>${htmlunit.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+ </exclusion>
+ </exclusions>
<scope>test</scope>
</dependency>
<dependency>
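Review bot: the new `<exclusions>` block under `htmlunit` carries no comment recording why `xalan` is excluded, so a later `htmlunit` version bump that rewrites this dependency entry could drop the exclusion without anyone noticing it was added for CVE-2022-34169 (SPARK-40047). Suggest an XML comment just above `<exclusions>`, e.g. `<!-- SPARK-40047: xalan is unused by the tests and flagged for CVE-2022-34169 -->`. Since the dependency keeps `<scope>test</scope>`, the exclusion has no effect on shipped artifacts, which is worth stating in the same comment.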
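As an added example (not part of this commit or of the Spark build), a small Python parser for the `mvn dependency:tree` output that the manual test greps: instead of only matching `xalan`, it reports the chain through which `xalan:xalan` is pulled in and the `<exclusion>` to add under the direct dependency, then confirms the artifact is gone once the exclusion is in place. The sample tree output, including its version numbers, is constructed for the example.

```python
import re

# One line of `mvn dependency:tree` text output: "[INFO] " + a tree-drawing
# prefix made of 3-character cells ("+- ", "\- ", "|  ", "   ") + a coordinate.
TREE_LINE = re.compile(r"^\[INFO\] ((?:[+\\]- |\|  |   )*)(\S+:\S+)$")

# Constructed sample output (versions are made up, not Spark's real ones),
# before and after adding the exclusion under htmlunit.
BEFORE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ spark-core_2.12 ---
[INFO] org.apache.spark:spark-core_2.12:jar:3.2.3-SNAPSHOT
[INFO] +- net.sourceforge.htmlunit:htmlunit:jar:2.50.0:test
[INFO] |  +- xalan:xalan:jar:2.7.2:test
[INFO] |  |  \- xalan:serializer:jar:2.7.2:test
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.12.0:test
[INFO] \- junit:junit:jar:4.13.2:test
"""
AFTER = "\n".join(l for l in BEFORE.splitlines() if "xalan" not in l)

def ga(coord):
    """'group:artifact' part of a Maven coordinate."""
    return ":".join(coord.split(":")[:2])

def parse_tree(output):
    """Yield (depth, coordinate) for every dependency line; depth 0 is the module."""
    for line in output.splitlines():
        m = TREE_LINE.match(line)
        if m:
            yield len(m.group(1)) // 3, m.group(2)

def paths_to(output, group_artifact):
    """Every module-to-artifact chain that ends in group_artifact, e.g. 'xalan:xalan'."""
    stack, hits = [], []
    for depth, coord in parse_tree(output):
        del stack[depth:]            # leave the previous branch at this depth
        stack.append(coord)
        if ga(coord) == group_artifact:
            hits.append(list(stack))
    return hits

def suggest_exclusion(path):
    """Direct dependency that pulls in path[-1], plus the <exclusion> to add under it."""
    group, artifact = ga(path[-1]).split(":")
    xml = "<exclusion><groupId>%s</groupId><artifactId>%s</artifactId></exclusion>" % (group, artifact)
    return ga(path[1]) if len(path) > 1 else None, xml

if __name__ == "__main__":
    for path in paths_to(BEFORE, "xalan:xalan"):
        print(" -> ".join(ga(c) for c in path), "=> add under %s: %s" % suggest_exclusion(path))
    print("after exclusion:", paths_to(AFTER, "xalan:xalan"))
```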