mehradpk opened a new issue, #14084: URL: https://github.com/apache/hudi/issues/14084
### Bug Description

**What happened:** While upgrading to `Apache Hudi 1.0.2`, we observed that a vulnerability scanner flagged 68 false-positive CVE detections originating from the META-INF directory of the `hudi-presto-bundle` jar.

Observations: these CVEs are flagged by scanners even though:

- The vulnerable classes do not seem to be actually present at runtime.
- They appear only in META-INF.
- The vulnerable versions are not loaded or part of Hudi’s runtime dependency graph.

This was identified while integrating Hudi 1.0.2 into IBM watsonx.data (WXD).

**Impact:**

- Causes false-positive vulnerability alerts in downstream builds.
- Blocks automated security pipelines due to misinterpreted META-INF metadata.

**What you expected:** Please confirm that these CVEs are false positives and Hudi runtime jars are unaffected. If they are false positives, clean up redundant META-INF entries in Hudi bundles to avoid future scanner warnings. Currently, downstream users may consider forking the module to remove redundant META-INF entries. We would appreciate it if the Hudi maintainers could provide a solution or cleanup in the main module to avoid the need for forking.

### Environment

**Hudi version:** 1.0.2
**Query engine:** Presto
**Module:** hudi-presto-bundle

### Logs and Stack Trace

This is not a security risk, but a metadata false-positive issue caused by shading and Maven metadata inclusion.

Attaching CVE scan results: [security-report-hudi-cves-only.csv](https://github.com/user-attachments/files/22890774/security-report-hudi-cves-only.csv)
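The triage the reporter is asking for (are the flagged artifacts actually in the bundle, or only described by leftover `META-INF/maven/**/pom.properties` metadata that the scanner keys on?) can be done directly against the jar. The following script is an added example written for this page; it is not part of the Hudi issue, the Hudi project, or any scanner. It walks a jar, reads every `pom.properties` entry, and checks whether any `.class` file exists under the artifact's groupId package, optionally under a shade relocation prefix. The jar it audits is constructed in memory with placeholder artifacts (`liba`, `libb`, `libc`) and a made-up `shaded/` relocation prefix; all of those names are assumptions for illustration, not anything from `hudi-presto-bundle`.

```python
"""
Audit a shaded jar for Maven metadata (META-INF/maven/**/pom.properties)
that describes artifacts whose classes are not actually in the jar.
Dependency scanners key on these entries, so stale ones produce findings
for libraries that are never loaded at runtime.
Added example for this page, not code from the Hudi project.
"""
import io
import zipfile


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_jar(jar_bytes, relocation_prefixes=()):
    """Return one record per pom.properties entry in the jar.

    has_classes is True when at least one .class file sits under the
    artifact's groupId package path, either directly or under one of the
    given shade relocation prefixes (e.g. "org/apache/hudi/" for a bundle
    that relocates its dependencies).
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        class_files = [n for n in names if n.endswith(".class")]
        for name in names:
            if not (name.startswith("META-INF/maven/")
                    and name.endswith("/pom.properties")):
                continue
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            group_id = props.get("groupId", "")
            package_path = group_id.replace(".", "/") + "/"
            prefixes = [package_path] + [r + package_path for r in relocation_prefixes]
            has_classes = any(c.startswith(p) for c in class_files for p in prefixes)
            records.append({
                "entry": name,
                "groupId": group_id,
                "artifactId": props.get("artifactId", ""),
                "version": props.get("version", ""),
                "has_classes": has_classes,
            })
    return sorted(records, key=lambda r: r["artifactId"])


def stale_metadata(records):
    """Entries that scanners will report but that have no classes in the jar."""
    return [r for r in records if not r["has_classes"]]


def build_sample_jar():
    """Constructed in-memory jar with placeholder artifacts (not a Hudi bundle):
    liba  - metadata plus classes at the normal package path
    libb  - metadata only, no classes anywhere (stale entry)
    libc  - metadata plus classes relocated under the assumed 'shaded/' prefix
    The 4-byte payload is just the class-file magic number, enough for a path check.
    """
    def pom(group, artifact, version):
        return f"groupId={group}\nartifactId={artifact}\nversion={version}\n"

    magic = b"\xca\xfe\xba\xbe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.example.liba/liba/pom.properties",
                    pom("com.example.liba", "liba", "1.2.3"))
        zf.writestr("com/example/liba/Foo.class", magic)
        zf.writestr("META-INF/maven/com.example.libb/libb/pom.properties",
                    pom("com.example.libb", "libb", "0.9.0"))
        zf.writestr("META-INF/maven/com.example.libc/libc/pom.properties",
                    pom("com.example.libc", "libc", "2.0.0"))
        zf.writestr("shaded/com/example/libc/Bar.class", magic)
    return buf.getvalue()


if __name__ == "__main__":
    recs = audit_jar(build_sample_jar(), relocation_prefixes=("shaded/",))
    for r in recs:
        state = "classes present" if r["has_classes"] else "METADATA ONLY"
        print(f'{r["groupId"]}:{r["artifactId"]}:{r["version"]}  {state}')
```

For a real bundle, replace `build_sample_jar()` with `open("hudi-presto-bundle-<version>.jar", "rb").read()` and pass the bundle's actual relocation prefix. Treat a "metadata only" result as a lead, not a verdict: groupId and Java package frequently differ (a groupId of `org.apache.httpcomponents` ships classes under `org/apache/http/`), so an entry with no matching classes still needs a manual look at the class list before it is called a false positive. Once confirmed, the durable fix on the build side is to stop packaging `META-INF/maven/**` from shaded dependencies, which removes the input the scanner is keying on.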
