You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/09/08 23:10:37 UTC

[GitHub] [dolphinscheduler] sekikn commented on pull request #11832: [Improve] Upgrade Hadoop to 3.2.4

sekikn commented on PR #11832:
URL: https://github.com/apache/dolphinscheduler/pull/11832#issuecomment-1241323932

   Currently, running `./mvnw dependency-check:aggregate` on the dev branch reports the following errors.
   
   ```
   [ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337(9.8)
   [ERROR] avro-1.7.4.jar: CVE-2021-43045(7.5)
   [ERROR] commons-compress-1.4.1.jar: CVE-2021-35517(7.5), CVE-2021-36090(7.5)
   [ERROR] derby-10.10.2.0.jar: CVE-2015-1832(9.1)
   [ERROR] gson-2.8.6.jar: CVE-2022-25647(7.5)
   [ERROR] hadoop-common-2.7.7.jar: CVE-2022-25168(9.8)
   [ERROR] hadoop-hdfs-2.7.7.jar: CVE-2020-9492(8.8), CVE-2018-11768(7.5)
   [ERROR] hive-jdbc-2.3.3.jar: CVE-2021-34538(7.5), CVE-2021-4125(8.1), CVE-2018-11777(8.1), CVE-2020-13949(7.5)
   [ERROR] hive-service-2.3.3.jar: CVE-2021-34538(7.5), CVE-2021-4125(8.1), CVE-2018-11777(8.1), CVE-2020-13949(7.5)
   [ERROR] hive-storage-api-2.4.0.jar: CVE-2021-34538(7.5), CVE-2021-4125(8.1)
   [ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-7525(9.8), CVE-2018-7489(9.8), CVE-2020-35491(8.1), CVE-2020-35490(8.1), CVE-2020-36518(7.5)
   [ERROR] jackson-databind-2.13.0.jar: CVE-2020-36518(7.5)
   [ERROR] jackson-mapper-asl-1.9.13.jar: CVE-2017-7525(9.8), CVE-2019-10172(7.5)
   [ERROR] jetcd-core-0.5.11.jar: CVE-2020-15113(7.1)
   [ERROR] jetty-client-9.4.31.v20200723.jar: CVE-2021-28165(7.5), CVE-2022-2048(7.5), CVE-2020-27216(7.0)
   [ERROR] junit-platform-commons-1.6.2.jar: CVE-2022-31514(9.3)
   [ERROR] junit-platform-commons-1.8.2.jar: CVE-2022-31514(9.3)
   [ERROR] libfb303-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
   [ERROR] libthrift-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
   [ERROR] log4j-1.2-api-2.6.2.jar: CVE-2021-44832(6.6), CVE-2017-5645(9.8), CVE-2021-44228(10.0), CVE-2021-45046(9.0)
   [ERROR] log4j-1.2.17.jar: CVE-2021-4104(7.5), CVE-2020-9493(9.8), CVE-2022-23307(8.8), CVE-2022-23305(9.8), CVE-2019-17571(9.8), CVE-2022-23302(8.8)
   [ERROR] mybatis-plus-3.5.2.jar: CVE-2020-26945(8.1), CVE-2022-25517(9.8)
   [ERROR] mybatis-plus-core-3.5.2.jar: CVE-2020-26945(8.1)
   [ERROR] netty-3.6.2.Final.jar: CVE-2019-16869(7.5), CVE-2015-2156(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1)
   [ERROR] netty-transport-4.1.53.Final.jar: CVE-2021-37136(7.5), CVE-2021-37137(7.5)
   [ERROR] netty-transport-4.1.63.Final.jar: CVE-2021-37136(7.5), CVE-2021-37137(7.5)
   [ERROR] okhttp-3.12.12.jar: CVE-2021-0341(7.5)
   [ERROR] okhttp-3.14.9.jar: CVE-2021-0341(7.5)
   [ERROR] orc-core-1.3.3.jar: CVE-2018-8015(7.5)
   [ERROR] pom.xml: CVE-2018-11804(7.5), CVE-2018-17190(9.8)
   [ERROR] pom.xml: CVE-2018-11804(7.5), CVE-2018-17190(9.8)
   [ERROR] snakeyaml-1.30.jar: CVE-2022-25857(7.5)
   [ERROR] spring-cloud-starter-kubernetes-fabric8-config-2.1.3.jar: CVE-2020-5410(7.5)
   [ERROR] spring-core-5.3.19.jar: CVE-2016-1000027(9.8)
   [ERROR] spring-ldap-1.1.2.jar: CVE-2018-11040(7.5), CVE-2011-2730(7.5), CVE-2016-9878(7.5), CVE-2016-1000027(9.8), CVE-2018-1270(9.8), CVE-2022-22965(9.8)
   [ERROR] spring-plugin-core-2.0.0.RELEASE.jar: CVE-2018-11040(7.5), CVE-2016-1000027(9.8), CVE-2022-22965(9.8)
   [ERROR] spring-retry-1.3.1.jar: CVE-2018-11040(7.5), CVE-2016-1000027(9.8), CVE-2022-22965(9.8)
   [ERROR] spring-retry-1.3.3.jar: CVE-2018-11040(7.5), CVE-2016-1000027(9.8), CVE-2022-22965(9.8)
   [ERROR] spring-security-rsa-1.0.10.RELEASE.jar: CVE-2022-22978(9.8)
   [ERROR] spring-tx-5.3.22.jar: CVE-2016-1000027(9.8)
   [ERROR] websocket-client-9.4.31.v20200723.jar: CVE-2021-28165(7.5), CVE-2022-2048(7.5), CVE-2020-27216(7.0)
   [ERROR] websocket-common-9.4.31.v20200723.jar: CVE-2021-28165(7.5), CVE-2022-2048(7.5), CVE-2020-27216(7.0)
   [ERROR] xercesImpl-2.9.1.jar: CVE-2012-0881(7.5), CVE-2013-4002(7.1)
   ```
   
   Compared with it, this PR removes the following vulnerabilities.
   
   * api-util-1.0.0-M20.jar: CVE-2018-1337(9.8)
   * commons-compress-1.4.1.jar: CVE-2021-35517(7.5), CVE-2021-36090(7.5)
   * hadoop-common-2.7.7.jar: CVE-2022-25168(9.8)
   * hadoop-hdfs-2.7.7.jar: CVE-2020-9492(8.8), CVE-2018-11768(7.5)
   * netty-3.6.2.Final.jar: CVE-2019-16869(7.5), CVE-2015-2156(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1)
   * xercesImpl-2.9.1.jar: CVE-2012-0881(7.5), CVE-2013-4002(7.1)
   
   On the other hand, this PR newly introduces the following vulnerabilities. But their scores are relatively lower than the removed ones and 3 out of 4 are duplicated with the ones already reported. 
   
   * jetty-server-9.4.43.v20210629.jar: CVE-2022-2048(7.5)
   * jetty-util-9.4.43.v20210629.jar: CVE-2022-2048(7.5)
   * nimbus-jose-jwt-9.8.1.jar/META-INF/maven/net.minidev/json-smart/pom.xml: CVE-2021-31684(7.5)
   * okhttp-2.7.5.jar: CVE-2021-0341(7.5)
   
   Given that, I think we can consider this PR improves our security, though [the OWASP check failed on CI](https://github.com/apache/dolphinscheduler/runs/8252203049?check_suite_focus=true).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org