Posted to issues@streampipes.apache.org by "Philipp Zehnder (Jira)" <ji...@apache.org> on 2022/04/01 05:09:00 UTC

[jira] [Commented] (STREAMPIPES-519) multiple insecure libs used in streampipes

    [ https://issues.apache.org/jira/browse/STREAMPIPES-519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515707#comment-17515707 ] 

Philipp Zehnder commented on STREAMPIPES-519:
---------------------------------------------

Thanks a lot for reporting the issue.

I already removed some legacy modules that are not used anymore and which were responsible for some of the problems.

We will focus on this issue for the next release. I hope we will be able to activate dependabot to directly provide PRs.

> multiple insecure libs used in streampipes
> ------------------------------------------
>
>                 Key: STREAMPIPES-519
>                 URL: https://issues.apache.org/jira/browse/STREAMPIPES-519
>             Project: StreamPipes
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>
> I ran a dependabot analysis using github and there were 74 issues - some are the same issue appearing in multiple subprojects.
> Unfortunately, github does not appear to allow me to share these results. To reproduce, fork streampipes in github and go to security tab and enable dependabot alerts.
> some java issues
> * log4j should be upgraded https://logging.apache.org/log4j/2.x/security.html
> * jetty should be upgraded (eg 9.4.45) https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
> * commons-beanutils upgrade to 1.9.4 https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils
> * guava https://mvnrepository.com/artifact/com.google.guava/guava
> * shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
> * log4jv1 is used in some places - this jar is end of life and full of CVE issues - eg https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
> * commons-compress needs upgrading - eg https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
> * snakeyaml needs upgrading in https://github.com/pjfanning/incubator-streampipes/blob/dev/streampipes-maven-plugin/pom.xml
> * postgresql jar needs upgrading - see https://github.com/advisories/GHSA-673j-qm5f-xpv8
> * nimbus-jose-jwt - https://github.com/advisories/GHSA-f6vf-pq8c-69m4
> * amqp-client - https://github.com/advisories/GHSA-w4g2-9hj6-5472
> * netty - https://github.com/advisories/GHSA-grg4-wf29-r9vv and others
> pips
> * waitress eg https://github.com/advisories/GHSA-4f7p-27jc-3c36
> * jinja eg https://github.com/advisories/GHSA-g3rq-g295-4j3m
> npms
> * many
> * including lodash https://github.com/advisories/GHSA-35jh-r3h4-6jhm
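The comment above mentions activating Dependabot so that it opens upgrade PRs rather than only raising alerts. The following `.github/dependabot.yml` is an added example of such a configuration, not a file from the issue or from the StreamPipes repository; it assumes the root `pom.xml` is the Maven entry point for the multi-module build, and the `pip` and `npm` manifest directories are placeholders that would need to be replaced with the real paths.

```yaml
# Example Dependabot configuration (added example, not StreamPipes' own file).
# Alerts only report known-vulnerable versions; this "updates" block is what
# makes Dependabot open version-bump pull requests for each ecosystem the
# issue lists (Maven for the Java modules, pip for the Python packages,
# npm for the UI dependencies).
version: 2
updates:
  # Java: the root pom.xml of the multi-module build (assumption: Dependabot
  # follows the <modules> declared there to reach the wrapper/plugin poms).
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Upgrades tied to published advisories get their own label so that
    # security bumps are easy to triage apart from routine version churn.
    labels:
      - "dependencies"
      - "security"
    # Keep the number of simultaneously open PRs bounded; Dependabot still
    # prioritises security updates within that limit.
    open-pull-requests-limit: 10

  # Python: placeholder directory for the requirements/setup files
  # (replace with the real path in the repository).
  - package-ecosystem: "pip"
    directory: "/PLACEHOLDER-python-dir"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "security"

  # JavaScript: placeholder directory for the package.json / lock file
  # (replace with the real UI path in the repository).
  - package-ecosystem: "npm"
    directory: "/PLACEHOLDER-ui-dir"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "security"
```

Committing this file to the default branch is what turns Dependabot from an alerting feature into one that proposes the upgrades; the alert list itself remains visible only to repository collaborators, which is why the reporter could not share it directly.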



--
This message was sent by Atlassian Jira
(v8.20.1#820001)