Posted to issues@beam.apache.org by "Prerana (Jira)" <ji...@apache.org> on 2022/03/02 10:44:00 UTC

[jira] [Commented] (BEAM-13995) Apache beam is having vulnerable dependencies - Tensorflow, httplib2, pandas and numpy

    [ https://issues.apache.org/jira/browse/BEAM-13995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500045#comment-17500045 ] 

Prerana  commented on BEAM-13995:
---------------------------------

[~bhulette] gcp was just missed in the above comment. We are using apache-beam[gcp]==2.23.0 and apache-beam[gcp]=2.36.0. With both versions, vulnerabilities are there.

> Apache beam is having vulnerable dependencies - Tensorflow, httplib2, pandas and numpy
> --------------------------------------------------------------------------------------
>
>                 Key: BEAM-13995
>                 URL: https://issues.apache.org/jira/browse/BEAM-13995
>             Project: Beam
>          Issue Type: Bug
>          Components: dependencies, sdk-py-core
>    Affects Versions: 2.23.0, 2.35.0, 2.36.0
>            Reporter: Prerana 
>            Priority: P1
>         Attachments: Tensorflow  vulnerabilities.xlsx
>
>
> We are using apache-beam[gcp]==2.23.0 and apache-beam=2.36.0.
> The following vulnerabilities are detected in WhiteSource with apache-beam.
> CVE-2020-13091 (https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2020-13091;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c) - pandas-0.25.3-cp37-cp37m-manylinux1_x86_64.whl - Fix: upgrade to version pandas - 0.3.0.beta,1.0.4; autovizwidget - 0.12.7; pandas - 1.0.4,1.1.0rc0
> CVE-2021-41496 (https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-41496;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c) - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl - Fix: upgrade to version autovizwidget - 0.12.7; numpy - 1.22.0rc1; numcodecs - 0.6.2; numpy-base - 1.11.3; numpy - 1.17.4
> CVE-2021-21240 (https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-21240;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c) - httplib2-0.17.4-py3-none-any.whl - Fix: upgrade to version v0.19.0
> See attached xls - tensorflow-1.14.0-cp37-cp37m-manylinux1_x86_64.whl - Fix: see attached xls
> Please upgrade the packages to the mentioned versions with the fix.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)