Posted to issues@streampipes.apache.org by GitBox <gi...@apache.org> on 2022/11/26 15:20:55 UTC

[GitHub] [streampipes] dominikriemer opened a new issue, #688: multiple insecure libs used in streampipes

dominikriemer opened a new issue, #688:
URL: https://github.com/apache/streampipes/issues/688

   I ran a dependabot analysis using github and there were 74 issues - some are the same issue appearing in multiple subprojects.
   Unfortunately, GitHub does not appear to allow me to share these results. To reproduce, fork streampipes in github and go to the security tab and enable dependabot alerts.
   
   some java issues
   * log4j should be upgraded https://logging.apache.org/log4j/2.x/security.html
   * jetty should be upgraded (eg 9.4.45) https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
   * commons-beanutils upgrade to 1.9.4 https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils
   * guava https://mvnrepository.com/artifact/com.google.guava/guava
   * shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
   * log4jv1 is used in some places - this jar is end of life and full of CVE issues - eg https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
   * commons-compress needs upgrading - eg https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
   * snakeyaml needs upgrading in https://github.com/pjfanning/incubator-streampipes/blob/dev/streampipes-maven-plugin/pom.xml
   * postgresql jar needs upgrading - see https://github.com/advisories/GHSA-673j-qm5f-xpv8
   * nimbus-jose-jwt - https://github.com/advisories/GHSA-f6vf-pq8c-69m4
   * amqp-client - https://github.com/advisories/GHSA-w4g2-9hj6-5472
   * netty - https://github.com/advisories/GHSA-grg4-wf29-r9vv and others
   
   pips
   * waitress eg https://github.com/advisories/GHSA-4f7p-27jc-3c36
   * jinja eg https://github.com/advisories/GHSA-g3rq-g295-4j3m
   
   npms
   * many
   * including lodash https://github.com/advisories/GHSA-35jh-r3h4-6jhm
   
   
   
   Imported from Jira [STREAMPIPES-519](https://issues.apache.org/jira/browse/STREAMPIPES-519). Original Jira may contain additional context.
   Reported by: pj.fanning.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@streampipes.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
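The issue above names a handful of Maven artifacts and the versions they should be raised to, but the Dependabot results themselves cannot be shared. The script below is an added example (not StreamPipes code and not something the reporter posted): it walks a pom.xml, resolves `${property}` version references, and flags the artifacts the issue calls out. The minimum versions are taken from the issue text (commons-beanutils 1.9.4, jetty-server 9.4.45, log4j 1.x end of life); the pom.xml snippet is constructed for the demonstration and does not come from the StreamPipes repository. Versions that a module inherits from a parent POM or a BOM are not visible in the child file, so those are reported as unresolved rather than assumed safe.

```python
"""Audit a Maven pom.xml for the dependency upgrades named in the issue.

Added example, not project code. Thresholds come from the issue text;
any artifact not listed there is left alone. Sample POM is constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Minimum acceptable versions, as stated in the issue (assumed complete only
# for the artifacts the issue gives a number for).
MIN_VERSIONS = {
    ("commons-beanutils", "commons-beanutils"): "1.9.4",
    ("org.eclipse.jetty", "jetty-server"): "9.4.45",
}
# Artifacts flagged at any version: the issue calls log4j 1.x end of life.
EOL_ARTIFACTS = {("log4j", "log4j")}


def parse_version(v):
    """'9.4.43.v20210629' -> (9, 4, 43); stops at the first non-numeric piece."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def version_lt(a, b):
    """True if a is older than b; shorter tuples are zero-padded so 9.4 == 9.4.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def resolve(value, props):
    """Expand ${prop} references against the POM's <properties>; unknown ones stay."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def audit_pom(pom_xml):
    """Return (groupId, artifactId, version, reason) for every flagged dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for p in root.findall("m:properties/*", NS):
        props[p.tag.split("}", 1)[-1]] = (p.text or "").strip()

    findings = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        g = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        v = resolve(dep.findtext("m:version", default=None, namespaces=NS), props)
        key = (g, a)
        if key in EOL_ARTIFACTS:
            findings.append((g, a, v, "end-of-life; replace"))
        elif key in MIN_VERSIONS:
            if v is None or "${" in v:
                # Version managed by a parent/BOM or an unknown property: check there.
                findings.append((g, a, v, "version unresolved; check parent POM or BOM"))
            elif version_lt(v, MIN_VERSIONS[key]):
                findings.append((g, a, v, "upgrade to >= " + MIN_VERSIONS[key]))
    return findings


# Constructed sample POM for the demonstration (not a real StreamPipes module).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <jetty.version>9.4.43.v20210629</jetty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-server</artifactId>
      <version>${jetty.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.4</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for g, a, v, reason in audit_pom(SAMPLE_POM):
        print("%s:%s %s -> %s" % (g, a, v, reason))
```

Run against the sample it reports jetty-server (9.4.43 is below 9.4.45) and log4j 1.2.17 (end of life); commons-beanutils 1.9.4 passes and snakeyaml is skipped because the issue gives no target version for it. This is a quick triage aid for the artifacts named in the issue, not a substitute for Dependabot or a full advisory-database scan, and it will not see versions that are only declared in a parent POM.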


[GitHub] [streampipes] dominikriemer closed issue #688: multiple insecure libs used in streampipes

Posted by GitBox <gi...@apache.org>.
dominikriemer closed issue #688: multiple insecure libs used in streampipes
URL: https://github.com/apache/streampipes/issues/688

