[GitHub] [dolphinscheduler] sekikn commented on pull request #11832: [Improve] Upgrade Hadoop to 3.2.4

Thu, 08 Sep 2022 16:10:45 -0700 


sekikn commented on PR #11832:
URL: 
https://github.com/apache/dolphinscheduler/pull/11832#issuecomment-1241323932

   Currently, running `./mvnw dependency-check:aggregate` on the dev branch 
reports the following errors.
   
   ```
   [ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337(9.8)
   [ERROR] avro-1.7.4.jar: CVE-2021-43045(7.5)
   [ERROR] commons-compress-1.4.1.jar: CVE-2021-35517(7.5), CVE-2021-36090(7.5)
   [ERROR] derby-10.10.2.0.jar: CVE-2015-1832(9.1)
   [ERROR] gson-2.8.6.jar: CVE-2022-25647(7.5)
   [ERROR] hadoop-common-2.7.7.jar: CVE-2022-25168(9.8)
   [ERROR] hadoop-hdfs-2.7.7.jar: CVE-2020-9492(8.8), CVE-2018-11768(7.5)
   [ERROR] hive-jdbc-2.3.3.jar: CVE-2021-34538(7.5), CVE-2021-4125(8.1), 
CVE-2018-11777(8.1), CVE-2020-13949(7.5)
   [ERROR] hive-service-2.3.3.jar: CVE-2021-34538(7.5), CVE-2021-4125(8.1), 
CVE-2018-11777(8.1), CVE-2020-13949(7.5)
   [ERROR] hive-storage-api-2.4.0.jar: CVE-2021-34538(7.5), CVE-2021-4125(8.1)
   [ERROR] 
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml:
 CVE-2017-7525(9.8), CVE-2018-7489(9.8), CVE-2020-35491(8.1), 
CVE-2020-35490(8.1), CVE-2020-36518(7.5)
   [ERROR] jackson-databind-2.13.0.jar: CVE-2020-36518(7.5)
   [ERROR] jackson-mapper-asl-1.9.13.jar: CVE-2017-7525(9.8), 
CVE-2019-10172(7.5)
   [ERROR] jetcd-core-0.5.11.jar: CVE-2020-15113(7.1)
   [ERROR] jetty-client-9.4.31.v20200723.jar: CVE-2021-28165(7.5), 
CVE-2022-2048(7.5), CVE-2020-27216(7.0)
   [ERROR] junit-platform-commons-1.6.2.jar: CVE-2022-31514(9.3)
   [ERROR] junit-platform-commons-1.8.2.jar: CVE-2022-31514(9.3)
   [ERROR] libfb303-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), 
CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
   [ERROR] libthrift-0.9.3.jar: CVE-2016-5397(8.8), CVE-2018-1320(7.5), 
CVE-2019-0210(7.5), CVE-2020-13949(7.5), CVE-2019-0205(7.5)
   [ERROR] log4j-1.2-api-2.6.2.jar: CVE-2021-44832(6.6), CVE-2017-5645(9.8), 
CVE-2021-44228(10.0), CVE-2021-45046(9.0)
   [ERROR] log4j-1.2.17.jar: CVE-2021-4104(7.5), CVE-2020-9493(9.8), 
CVE-2022-23307(8.8), CVE-2022-23305(9.8), CVE-2019-17571(9.8), 
CVE-2022-23302(8.8)
   [ERROR] mybatis-plus-3.5.2.jar: CVE-2020-26945(8.1), CVE-2022-25517(9.8)
   [ERROR] mybatis-plus-core-3.5.2.jar: CVE-2020-26945(8.1)
   [ERROR] netty-3.6.2.Final.jar: CVE-2019-16869(7.5), CVE-2015-2156(7.5), 
CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), 
CVE-2019-20444(9.1)
   [ERROR] netty-transport-4.1.53.Final.jar: CVE-2021-37136(7.5), 
CVE-2021-37137(7.5)
   [ERROR] netty-transport-4.1.63.Final.jar: CVE-2021-37136(7.5), 
CVE-2021-37137(7.5)
   [ERROR] okhttp-3.12.12.jar: CVE-2021-0341(7.5)
   [ERROR] okhttp-3.14.9.jar: CVE-2021-0341(7.5)
   [ERROR] orc-core-1.3.3.jar: CVE-2018-8015(7.5)
   [ERROR] pom.xml: CVE-2018-11804(7.5), CVE-2018-17190(9.8)
   [ERROR] pom.xml: CVE-2018-11804(7.5), CVE-2018-17190(9.8)
   [ERROR] snakeyaml-1.30.jar: CVE-2022-25857(7.5)
   [ERROR] spring-cloud-starter-kubernetes-fabric8-config-2.1.3.jar: 
CVE-2020-5410(7.5)
   [ERROR] spring-core-5.3.19.jar: CVE-2016-1000027(9.8)
   [ERROR] spring-ldap-1.1.2.jar: CVE-2018-11040(7.5), CVE-2011-2730(7.5), 
CVE-2016-9878(7.5), CVE-2016-1000027(9.8), CVE-2018-1270(9.8), 
CVE-2022-22965(9.8)
   [ERROR] spring-plugin-core-2.0.0.RELEASE.jar: CVE-2018-11040(7.5), 
CVE-2016-1000027(9.8), CVE-2022-22965(9.8)
   [ERROR] spring-retry-1.3.1.jar: CVE-2018-11040(7.5), CVE-2016-1000027(9.8), 
CVE-2022-22965(9.8)
   [ERROR] spring-retry-1.3.3.jar: CVE-2018-11040(7.5), CVE-2016-1000027(9.8), 
CVE-2022-22965(9.8)
   [ERROR] spring-security-rsa-1.0.10.RELEASE.jar: CVE-2022-22978(9.8)
   [ERROR] spring-tx-5.3.22.jar: CVE-2016-1000027(9.8)
   [ERROR] websocket-client-9.4.31.v20200723.jar: CVE-2021-28165(7.5), 
CVE-2022-2048(7.5), CVE-2020-27216(7.0)
   [ERROR] websocket-common-9.4.31.v20200723.jar: CVE-2021-28165(7.5), 
CVE-2022-2048(7.5), CVE-2020-27216(7.0)
   [ERROR] xercesImpl-2.9.1.jar: CVE-2012-0881(7.5), CVE-2013-4002(7.1)
   ```
   
   Compared with it, this PR removes the following vulnerabilities.
   
   * api-util-1.0.0-M20.jar: CVE-2018-1337(9.8)
   * commons-compress-1.4.1.jar: CVE-2021-35517(7.5), CVE-2021-36090(7.5)
   * hadoop-common-2.7.7.jar: CVE-2022-25168(9.8)
   * hadoop-hdfs-2.7.7.jar: CVE-2020-9492(8.8), CVE-2018-11768(7.5)
   * netty-3.6.2.Final.jar: CVE-2019-16869(7.5), CVE-2015-2156(7.5), 
CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2019-20445(9.1), 
CVE-2019-20444(9.1)
   * xercesImpl-2.9.1.jar: CVE-2012-0881(7.5), CVE-2013-4002(7.1)
   
   On the other hand, this PR newly introduces the following vulnerabilities. 
But their scores are relatively lower than the removed ones and 3 out of 4 are 
duplicated with the ones already reported. 
   
   * jetty-server-9.4.43.v20210629.jar: CVE-2022-2048(7.5)
   * jetty-util-9.4.43.v20210629.jar: CVE-2022-2048(7.5)
   * nimbus-jose-jwt-9.8.1.jar/META-INF/maven/net.minidev/json-smart/pom.xml: 
CVE-2021-31684(7.5)
   * okhttp-2.7.5.jar: CVE-2021-0341(7.5)
   
   Given that, I think we can consider this PR improves our security, though 
[the OWASP check failed on 
CI](https://github.com/apache/dolphinscheduler/runs/8252203049?check_suite_focus=true).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to