yihua commented on PR #11957: URL: https://github.com/apache/hudi/pull/11957#issuecomment-2364510676
> > Thanks for your first contribution. Could you check if you can exclude the dependency in the bundle directly?
>
> Yes @yihua, I tried excluding it directly, but it did not help, and I wanted to make a very minimal change so that the actual functionality would not break. So I found that removing the meta info is sufficient to get rid of the critical CVE issue.
>
> I welcome your alternate suggestion for fixing this issue.

@senthh Thanks for the clarification. I prefer to exclude the dependencies directly or use alternatives to get the same functionality. The reason is that removing the META-INF only tricks the scan into reporting no security issue (if the scan uses META-INF for checking vulnerabilities; correct me if I'm wrong); the actual security issue in the bundled classes may still exist. This can make security detection worse, as the security risk is still there though there is no report, hiding the actual vulnerabilities.
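The point made in the reply above can be checked mechanically. The following is an added example, not code from the Hudi PR or project: it builds a small bundle jar in memory, applies the two approaches discussed (dropping `META-INF/maven/**` versus excluding the dependency's classes outright), and runs two scans over each result. The first scan identifies bundled artifacts from `pom.properties` under `META-INF/maven/`, which is how many software-composition-analysis tools fingerprint a dependency; the second simply counts `.class` entries under the dependency's package. The coordinates `com.example:example-lib:1.0.0`, the package `com/example/lib/`, and all jar contents are constructed for the demonstration and do not refer to any real artifact or CVE.

```python
"""Why stripping META-INF hides a bundled dependency from scanners
without removing it.  Added example; jar contents are constructed."""
import io
import zipfile

# Constructed coordinates for a hypothetical bundled dependency.
DEP_GROUP, DEP_ARTIFACT, DEP_VERSION = "com.example", "example-lib", "1.0.0"
DEP_PACKAGE = "com/example/lib/"


def build_jar(entries):
    """Build an in-memory jar (a zip file) from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def jar_entries(jar):
    """Read a jar back into a {path: bytes} mapping."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def build_bundle():
    """A constructed bundle: the project's own classes plus a shaded dependency."""
    pom_props = (
        f"groupId={DEP_GROUP}\nartifactId={DEP_ARTIFACT}\nversion={DEP_VERSION}\n"
    )
    return build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        f"META-INF/maven/{DEP_GROUP}/{DEP_ARTIFACT}/pom.properties": pom_props.encode(),
        "org/example/app/Main.class": b"\xca\xfe\xba\xbe app",
        f"{DEP_PACKAGE}Parser.class": b"\xca\xfe\xba\xbe parser",
        f"{DEP_PACKAGE}Util.class": b"\xca\xfe\xba\xbe util",
    })


def strip_maven_metadata(jar):
    """The 'remove meta info' approach: drop META-INF/maven/** and nothing else."""
    return build_jar({p: d for p, d in jar_entries(jar).items()
                      if not p.startswith("META-INF/maven/")})


def exclude_dependency(jar, package_prefix, group, artifact):
    """The 'exclude the dependency' approach: drop its classes and its metadata,
    which is the net effect of excluding the artifact from the shaded bundle."""
    meta_prefix = f"META-INF/maven/{group}/{artifact}/"
    return build_jar({p: d for p, d in jar_entries(jar).items()
                      if not (p.startswith(package_prefix) or p.startswith(meta_prefix))})


def parse_pom_properties(text):
    """Minimal java.util.Properties parser: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def scan_by_pom_properties(jar):
    """Metadata-based scan: list artifacts declared via pom.properties."""
    found = []
    for path, data in jar_entries(jar).items():
        if path.startswith("META-INF/maven/") and path.endswith("/pom.properties"):
            p = parse_pom_properties(data.decode("utf-8"))
            if {"groupId", "artifactId", "version"} <= p.keys():
                found.append(f"{p['groupId']}:{p['artifactId']}:{p['version']}")
    return sorted(found)


def scan_by_classes(jar, package_prefix):
    """Content-based scan: count .class files under the dependency's package."""
    return sum(1 for p in jar_entries(jar) if p.startswith(package_prefix) and p.endswith(".class"))


def compare_approaches():
    """Run both scans over the original bundle and the two 'fixed' variants."""
    original = build_bundle()
    stripped = strip_maven_metadata(original)
    excluded = exclude_dependency(original, DEP_PACKAGE, DEP_GROUP, DEP_ARTIFACT)
    return {
        name: {"by_metadata": scan_by_pom_properties(jar),
               "dep_classes": scan_by_classes(jar, DEP_PACKAGE)}
        for name, jar in (("original", original), ("meta_inf_stripped", stripped),
                          ("dependency_excluded", excluded))
    }


if __name__ == "__main__":
    for name, result in compare_approaches().items():
        print(f"{name:22s} metadata scan={result['by_metadata']} "
              f"dependency classes present={result['dep_classes']}")
```

Running it shows the gap the reply describes: after `strip_maven_metadata` the metadata scan reports nothing while the dependency's classes are still shipped, whereas after `exclude_dependency` both scans agree that the dependency is gone. A scanner that fingerprints class contents or bytecode hashes rather than `pom.properties` would still report the stripped bundle, so the metadata removal only changes what one kind of tool sees, not what is on the classpath.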
