You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by "David Pilato (Jira)" <ji...@apache.org> on 2022/11/02 10:43:00 UTC

[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

    [ https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627609#comment-17627609 ] 

David Pilato commented on TIKA-2536:
------------------------------------

Hey team

netcdf 4.5.5 depends on cdm 4.5.5 which depends on protobuf-java 2.5.0.

This protobuf version has [CVE-2022-3171|https://ossindex.sonatype.org/vulnerability/CVE-2022-3171?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1] which makes my project failing the ossindex audit:

 
{code:java}
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project fscrawler-tika: Detected 1 vulnerable components:
[ERROR]   com.google.protobuf:protobuf-java:jar:2.5.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/protobuf-java@2.5.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]     * [CVE-2022-3171] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-3171?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1{code}

I believe this could not be solved until we upgrade netcdf.

 

My project depends on {{tika-parser-scientific-module}} 2.5.0.

 

> Move to later edu.ucar version to avoid EOL dependencies
> --------------------------------------------------------
>
>                 Key: TIKA-2536
>                 URL: https://issues.apache.org/jira/browse/TIKA-2536
>             Project: Tika
>          Issue Type: Improvement
>          Components: parser
>    Affects Versions: 1.16, 1.17
>         Environment: All
>            Reporter: Richard Jones
>            Priority: Major
>
> The currently referenced 4.5.5 versions of edu.ucar:grib and edu.ucar:cdm (released in Mar 2015), as well as being branch EOL themselves, depend on many other project/branch/version EOL artifacts for which much later and active versions are often available. The list is as follows:
> - edu.ucar:grib depends on the project EOL bzip2. Much more recent versions of edu.ucar:grib exist that no longer depend on bzip2 (note: Jbzip2 is hosted on the Google Code site, which was shut down for active development in 2015.  The project was never migrated to another site, e.g. Github).
> - edu.ucar:grib depends on the 2.0.4 EOL version of org.jdom:jdom2
> - edu.ucar:cdm depends on the 2.6.2 branch EOL version of net.sf.ehcache:ehcache-core
> - edu.ucar:cdm depends on the 2.2.0 EOL version of org.quartz-scheduler:quartz for which active versions are available. In turn org.quartz-scheduler:quartz depends on the 0.9.1.1 branch EOL version of c3p0:c3p0. Later versions of quartz have moved to the active com.mchange:c3p0
> - edu.ucar:grib depends on the 2.5.0 branch EOL version of com.google.protobuf:protobuf-java for which active versions are available.
> Request moving to a much later version of edu.ucar, or alternative artifacts to address all the above EOL issues (lack of active support for vulnerabilities and bugs).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)