Posted to issues@streampark.apache.org by "mezhangremoterepository (via GitHub)" <gi...@apache.org> on 2023/05/17 05:09:00 UTC

[GitHub] [incubator-streampark] mezhangremoterepository opened a new issue, #2755: [Bug] Drinking from a vulnerable jar by mistake

mezhangremoterepository opened a new issue, #2755:
URL: https://github.com/apache/incubator-streampark/issues/2755

   ### Search before asking
   
   - [X] I had searched in the [issues](https://github.com/apache/incubator-streampark/issues?q=is%3Aissue+label%3A%22bug%22) and found no similar issues.
   
   
   ### Java Version
   
   _No response_
   
   ### Scala Version
   
   2.11.x
   
   ### StreamPark Version
   
   2.1.0
   
   ### Flink Version
   
   1.14.5
   
   ### deploy mode
   
   None
   
   ### What happened
   
   When I use build to build, I refer to commons-text-1.6.jar, which contains a high-risk vulnerability
   
   ### Error Exception
   
   _No response_
   
   ### Screenshots
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR! (Are you willing to contribute this PR?)
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@streampark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [incubator-streampark] zhoulii commented on issue #2755: [Bug] Drinking from a vulnerable jar by mistake

Posted by "zhoulii (via GitHub)" <gi...@apache.org>.
zhoulii commented on issue #2755:
URL: https://github.com/apache/incubator-streampark/issues/2755#issuecomment-1552436888

   Hi @mezhangremoterepository, thanks for your feedback. But streampark 2.1.0 does not contain `commons-text-1.6.jar`, so I'm a little confused about this issue. Can you provide more info?




[GitHub] [incubator-streampark] wolfboys commented on issue #2755: [Bug] Drinking from a vulnerable jar by mistake

Posted by "wolfboys (via GitHub)" <gi...@apache.org>.
wolfboys commented on issue #2755:
URL: https://github.com/apache/incubator-streampark/issues/2755#issuecomment-1552400968

   cc @zhoulii 




[GitHub] [incubator-streampark] mezhangremoterepository commented on issue #2755: [Bug] Drinking from a vulnerable jar by mistake

Posted by "mezhangremoterepository (via GitHub)" <gi...@apache.org>.
mezhangremoterepository commented on issue #2755:
URL: https://github.com/apache/incubator-streampark/issues/2755#issuecomment-1552606063

   When using the build file to build the bin package, the package will be downloaded. Because I configured high-risk vulnerability interception to prevent downloading this package, I can only see relevant interception information. I checked the pom file and found that the package commons-text-1.6.jar was not relied on, so I was also confused about why this package was used.

   Sent from my iPhone

   On May 18, 2023, at 13:40, zhoulii ***@***.***> wrote:

   > Hi @mezhangremoterepository, thanks for your feedback. But streampark 2.1.0 does not contain commons-text-1.6.jar, so I'm a little confused about this issue. Can you provide more info?




[GitHub] [incubator-streampark] zhoulii commented on issue #2755: [Bug] Drinking from a vulnerable jar by mistake

Posted by "zhoulii (via GitHub)" <gi...@apache.org>.
zhoulii commented on issue #2755:
URL: https://github.com/apache/incubator-streampark/issues/2755#issuecomment-1552773431

   Hi @mezhangremoterepository, thanks for your reply. After some digging, I found that `commons-text-1.6.jar` is a transitive dependency of `spark-core`; it is only used at the build stage, and streampark won't pack it into the dist, so it's not a bug to me. Sorry for not being helpful.


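One way to reproduce the finding in the last comment, as an added example that is not part of the original thread or of StreamPark's code: the script parses the text output of `mvn dependency:tree` and reports which dependency chain pulls in a flagged artifact and under which Maven scope. The sample tree is constructed; only `commons-text` 1.6 and `spark-core` come from the thread, and the `bundled` flag is a heuristic based on default scope semantics, not on any project's assembly descriptor.

```python
import re

# Constructed sample in the text format `mvn dependency:tree` prints.
# The root project and all versions except commons-text 1.6 are illustrative.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:tree (default-cli) @ demo-app ---
[INFO] org.example:demo-app:jar:1.0.0
[INFO] +- org.apache.spark:spark-core_2.12:jar:3.0.0:provided
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.9:provided
[INFO] |  \- org.apache.commons:commons-text:jar:1.6:provided
[INFO] \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] BUILD SUCCESS
"""

# Each nesting level is a 3-character group: "+- ", "\- ", "|  " or "   ".
LINE = re.compile(r"^\[INFO\] ((?:[|+\\ ][ -] )*)(\S+:\S+)$")
# Heuristic: scopes that end up on the runtime classpath by default.
BUNDLED_SCOPES = {"compile", "runtime"}


def parse(tree_text):
    """Yield (depth, group, artifact, version, scope) for each tree node."""
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, summary and blank lines
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue  # not a group:artifact:type:version coordinate
        has_scope = len(parts) >= 5  # the root project line carries no scope
        version = parts[-2] if has_scope else parts[-1]
        scope = parts[-1] if has_scope else None
        yield len(m.group(1)) // 3, parts[0], parts[1], version, scope


def trace(tree_text, artifact_id):
    """Return every root-to-artifact chain that ends at artifact_id."""
    stack, hits = [], []
    for depth, group, artifact, version, scope in parse(tree_text):
        del stack[depth:]  # drop siblings and deeper nodes already visited
        stack.append(f"{group}:{artifact}:{version}")
        if artifact == artifact_id:
            hits.append({"path": list(stack), "scope": scope,
                         "bundled": scope in BUNDLED_SCOPES})
    return hits


if __name__ == "__main__":
    for hit in trace(SAMPLE_TREE, "commons-text"):
        print(" -> ".join(hit["path"]), hit["scope"], hit["bundled"])
```

On a real checkout, the input can be narrowed with `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` before passing it to `trace`.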