Posted to dev@atlas.apache.org by "Greg (Jira)" <ji...@apache.org> on 2021/12/01 12:51:00 UTC

[jira] [Updated] (ATLAS-4497) Large number of CVE's (vulnerabilities) when building 2.2.0 from source

     [ https://issues.apache.org/jira/browse/ATLAS-4497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg updated ATLAS-4497:
------------------------
    Description: 
Atlas 2.2.0, when built from source, has a large number of jar packages that suffer from known exploits / vulnerabilities. I've performed an Anchore and a Twistlock scan of the compiled application, and here's the list of the High and Critical vulnerabilities found:
 
[https://pastebin.com/raw/tQNYMZd9]

 
I am attempting to put together a public Docker image of Atlas compiled from source. You can see my build process here to see how I arrived at the compiled build that I performed the scans on:
 
[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]
 
I'm not a Java developer, but I would think that an updated pom.xml that has more current (vulnerability-free) versions of packages may help remedy these findings. How to update this Maven package tree is above my current skill level.

  was:
Atlas 2.2.0, when built from source, has a large number of jar packages that suffer from known exploits / vulnerabilities. I've performed an Anchore and a Twistlock scan of the compiled application, and here's the list of the High and Critical vulnerabilities found:
 
[https://pastebin.com/raw/t59rcyH8]
 
I am attempting to put together a public Docker image of Atlas compiled from source. You can see my build process here to see how I arrived at the compiled build that I performed the scans on:
 
[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]
 
I'm not a Java developer, but I would think that a different version of Maven (I'm using 3.6.3) or an updated pom.xml that has more current (vulnerability-free) versions of packages may help remedy my findings.
 
I am not sure whether or not this has to do with my downgrading the pom.xml file to use buildtools 0.8.1, since the packages for 1.0 do not seem to be available.


> Large number of CVE's (vulnerabilities) when building 2.2.0 from source
> -----------------------------------------------------------------------
>
>                 Key: ATLAS-4497
>                 URL: https://issues.apache.org/jira/browse/ATLAS-4497
>             Project: Atlas
>          Issue Type: Bug
>          Components:  atlas-core
>    Affects Versions: 2.2.0
>         Environment: Redhat UBI (Universal Base Image) 8.5
>            Reporter: Greg
>            Priority: Critical
>              Labels: security



--
This message was sent by Atlassian Jira
(v8.20.1#820001)