
Vulnerabilities in calcite-spark module


Hi all,

I found that a check for vulnerabilities among dependencies fails
for the calcite-spark module.
The same problem is observed for the 1.16 version.

Should we block the release until this issue is fixed, or fix it after the
release in Calcite 1.18?

Output for "mvn install -Ppedantic -DskipTests=true":
One or more dependencies were identified with known vulnerabilities in
Calcite Spark:

jackson-databind-2.9.4.jar
(com.fasterxml.jackson.core:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
CVE-2018-7489
protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0,
cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
commons-beanutils-core-1.8.0.jar
(commons-beanutils:commons-beanutils-core:1.8.0,
cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0,
cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1,
cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) :
CVE-2015-5262, CVE-2014-3577
javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2,
javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) :
CVE-2015-9097
validation-api-1.1.0.Final.jar
(cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~,
javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2,
javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13)
: CVE-2007-1100
py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) :
CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158,
CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652,
CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150,
CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143,
CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679,
CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7,
org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161,
CVE-2016-5001
curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0,
org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30,
org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6,
org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017,
CVE-2014-0085
jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13,
cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) :
CVE-2018-5968, CVE-2017-17485
jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908,
cpe:/a:jetty:jetty:9.2.19.v20160908,
org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26,
cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26,
org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0,
org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1,
xalan:serializer:2.7.1) : CVE-2014-0107
xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) :
CVE-2014-0107
xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1,
xerces:xercesImpl:2.9.1) : CVE-2012-0881
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
(com.fasterxml.jackson.core:jackson-databind:2.4.0,
cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
(cpe:/a:eclipse:jetty:9.3.11.v20160721,
cpe:/a:jetty:jetty:9.3.11.v20160721,
org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735

Kind regards,
Volodymyr Vysotskyi
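Added example (not part of the message above and not Calcite project code): a small Python parser for the plain-text report format quoted in the message, so that a release manager can turn the line-wrapped list into structured records, collect the distinct CVEs, see which CVEs hit both a direct jar and a copy shaded inside another jar (the `jar/META-INF/.../pom.xml` entries), and flag entries whose CPE product name does not match the Maven coordinates for manual review. The sample input is copied from the report shape above; the mismatch rule of thumb (`likely_cpe_mismatch`) is an assumption of this example, a triage hint rather than a statement about any particular CVE.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: four entries in the shape the report takes in the
# message above, including the ~80-column line wrapping and the nested
# ".jar/META-INF/.../pom.xml" form used for dependencies shaded into another jar.
SAMPLE_REPORT = """\
One or more dependencies were identified with known vulnerabilities in
Calcite Spark:

jackson-databind-2.9.4.jar
(com.fasterxml.jackson.core:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
CVE-2018-7489
pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13)
: CVE-2007-1100
commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1,
cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) :
CVE-2015-5262, CVE-2014-3577
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
(com.fasterxml.jackson.core:jackson-databind:2.4.0,
cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
"""

# One entry: "<artifact> (<id>, <id>, ...) : CVE-..., CVE-..."
# Artifact names contain no whitespace or parentheses and the identifier list
# contains no ')', so one pass over the flattened text recovers every entry.
ENTRY_RE = re.compile(
    r"(?P<artifact>\S+)\s*"
    r"\((?P<ids>[^)]*)\)\s*:\s*"
    r"(?P<cves>CVE-\d{4}-\d+(?:\s*,\s*CVE-\d{4}-\d+)*)"
)


@dataclass
class Finding:
    artifact: str                      # jar name, or jar/META-INF/.../pom.xml when shaded
    maven_coords: list = field(default_factory=list)  # groupId:artifactId:version
    cpes: list = field(default_factory=list)          # cpe:/a:vendor:product:version
    cves: list = field(default_factory=list)
    shaded_in: Optional[str] = None    # outer jar when the hit came from a nested pom.xml


def parse_report(text: str) -> list:
    """Parse the line-wrapped plain-text report into Finding records.

    The text is flattened to one whitespace-separated string first; entry
    boundaries are then recovered by ENTRY_RE."""
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    findings = []
    for m in ENTRY_RE.finditer(flat):
        ids = [i.strip() for i in m.group("ids").split(",") if i.strip()]
        artifact = m.group("artifact")
        findings.append(Finding(
            artifact=artifact,
            maven_coords=[i for i in ids if not i.startswith("cpe:")],
            cpes=[i for i in ids if i.startswith("cpe:")],
            cves=[c.strip() for c in m.group("cves").split(",")],
            shaded_in=artifact.split("/", 1)[0] if "/META-INF/" in artifact else None,
        ))
    return findings


def cpe_product(cpe: str) -> str:
    """'cpe:/a:fasterxml:jackson-databind:2.9.4' -> 'jackson-databind'."""
    parts = cpe.split(":")
    return parts[3] if len(parts) > 3 else ""


def likely_cpe_mismatch(f: Finding) -> bool:
    """Hypothetical triage rule: True when no CPE product name occurs in the
    Maven coordinates, i.e. the CPE may have been matched to the wrong product.
    Such entries deserve a manual look before being treated as real findings."""
    if not f.maven_coords:
        return False
    coords = " ".join(f.maven_coords).lower()
    return not any(cpe_product(c).lower() in coords for c in f.cpes)


def unique_cves(findings) -> list:
    """Distinct CVE ids across all findings, sorted."""
    return sorted({c for f in findings for c in f.cves})


def artifacts_by_cve(findings) -> dict:
    """Map each CVE to every artifact it was reported against, so a CVE that
    hits both a direct jar and a copy shaded inside another jar is visible:
    bumping the direct dependency alone does not fix the shaded copy."""
    index = defaultdict(list)
    for f in findings:
        for c in f.cves:
            index[c].append(f.artifact)
    return dict(index)


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        flag = "  <- check CPE match" if likely_cpe_mismatch(f) else ""
        print(f"{f.artifact}: {', '.join(f.cves)}{flag}")
    print("distinct CVEs:", len(unique_cves(parse_report(SAMPLE_REPORT))))
```

Run it on the full report text saved from the Maven output to get one record per entry; `artifacts_by_cve` is the view to look at when deciding whether a fix is a version bump of a direct dependency or needs the owner of a shaded jar to release.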