gyokketto commented on PR #8991:
URL: https://github.com/apache/pinot/pull/8991#issuecomment-1181517528

   Hi @Jackie-Jiang,
   
   > Any specific reason why we want to update these dependencies? 
   
   We have lots of (> 100) vulnerabilities in old packages. Here is an excerpt from a twistlock scan on the latest image release (JARs only, leaving aside the OS ones):
   
   > low        org.eclipse.jetty_jetty-http version 9.3.24.v20180605 has 1 vulnerability
   > medi       com.google.guava_guava version 20.0 has 2 vulnerabilities
   > medi       com.google.guava_guava version 14.0.1 has 2 vulnerabilities
   > mode       io.netty_netty-codec-http version 4.1.54.Final has 3 vulnerabilities
   > mode       io.netty_netty-codec-http2 version 4.1.54.Final has 2 vulnerabilities
   > medi       org.eclipse.jetty_jetty-io version 9.3.24.v20180605 has 3 vulnerabilities
   > medi       org.eclipse.jetty_jetty-servlet version 9.3.24.v20180605 has 1 vulnerability
   > mode       org.eclipse.jetty_jetty-servlets version 9.3.24.v20180605 has 1 vulnerability
   > mode       org.glassfish.jersey.core_jersey-common version 2.28 has 1 vulnerability
   > high       com.fasterxml.jackson.core_jackson-databind version 2.10.0 has 3 vulnerabilities
   > high       com.google.oauth-client_google-oauth-client version 1.31.0 has 1 vulnerability
   > high       com.google.protobuf_protobuf-java version 3.12.0 has 1 vulnerability
   > high       com.google.protobuf_protobuf-java version 3.11.4 has 1 vulnerability
   > high       io.netty_netty-all version 4.1.54.Final has 7 vulnerabilities
   > high       io.netty_netty-codec version 4.1.54.Final has 7 vulnerabilities
   > high       org.apache.zookeeper_zookeeper version 3.5.8 has 1 vulnerability
   > high       org.eclipse.jetty_jetty-server version 9.3.24.v20180605 has 6 vulnerabilities
   > high       org.yaml_snakeyaml version 1.16 has 1 vulnerability
   > crit       com.fasterxml.jackson.core_jackson-databind version 2.9.10 has 40 vulnerabilities
   > crit       com.fasterxml.jackson.core_jackson-databind version 2.4.0 has 4 vulnerabilities
   > crit       io.netty_netty version 3.9.6.Final has 10 vulnerabilities
   > crit       log4j_log4j version 1.2.17 has 6 vulnerabilities
   > crit       org.apache.hadoop_hadoop-common version 2.7.0 has 6 vulnerabilities
   > crit       org.apache.hadoop_hadoop-hdfs version 2.7.0 has 10 vulnerabilities
   > crit       org.apache.spark_spark-core_2.11 version 2.4.0 has 1 vulnerability
   
   With all those vulnerabilities we are not allowed to push our pinot deployment to higher environments.
   
   > How do we ensure there is no dependency conflict updating so many of them in one shot?
   
   Yes, that is concerning, but I think we have to trust the test coverage we have currently to detect package upgrade related failures.
   
   > There is on-going work trying to update helix to 1.0.4 in #8325 which is not trivial itself.
   
   Yes, it is far from trivial. I really appreciate your efforts, especially after I started working on it and saw those difficulties myself.
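The scan excerpt above is the kind of output a team has to turn into a promotion gate and an upgrade plan. The following is an added example, not part of this comment or of the Pinot project's code: it parses lines in the same shape as the quoted scanner output, totals findings per severity, lists artifacts that ship in more than one version (jackson-databind and protobuf-java in the excerpt, which matters because each copy has to be bumped or excluded separately and is a hint of unresolved transitive conflicts), and returns the entries that would fail a "nothing at high or above" gate. The sample lines are constructed, and the ranking of the scanner's truncated severity labels (`low`, `mode`, `medi`, `high`, `crit`) is an assumption.

```python
import re
from collections import OrderedDict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the same shape as the scanner lines quoted in the
# comment; the entries are illustrative, not a real scan of any Pinot image.
SAMPLE_SCAN = """\
low        org.eclipse.jetty_jetty-http version 9.3.24.v20180605 has 1 vulnerability
high       com.fasterxml.jackson.core_jackson-databind version 2.10.0 has 3 vulnerabilities
crit       com.fasterxml.jackson.core_jackson-databind version 2.9.10 has 40 vulnerabilities
crit       com.fasterxml.jackson.core_jackson-databind version 2.4.0 has 4 vulnerabilities
high       com.google.protobuf_protobuf-java version 3.12.0 has 1 vulnerability
high       com.google.protobuf_protobuf-java version 3.11.4 has 1 vulnerability
crit       log4j_log4j version 1.2.17 has 6 vulnerabilities
crit       org.apache.spark_spark-core_2.11 version 2.4.0 has 1 vulnerability
"""

# Assumed ranking of the scanner's truncated severity labels, lowest first.
SEVERITY_RANK = {"low": 0, "mode": 1, "medi": 2, "high": 3, "crit": 4}

# The scanner joins Maven group and artifact with "_". A Maven group never
# contains "_", so the first underscore is the separator; the artifact may
# contain more (e.g. spark-core_2.11).
LINE_RE = re.compile(
    r"^(?P<sev>[a-z]+)\s+(?P<group>[^_\s]+)_(?P<artifact>\S+)\s+version\s+"
    r"(?P<version>\S+)\s+has\s+(?P<count>\d+)\s+vulnerabilit(?:y|ies)\s*$"
)


class Finding(NamedTuple):
    severity: str
    group: str
    artifact: str
    version: str
    count: int

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_scan(text: str) -> List[Finding]:
    """Parse one scanner line per entry; lines that do not match are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        findings.append(Finding(m["sev"], m["group"], m["artifact"],
                                m["version"], int(m["count"])))
    return findings


def summarize_by_severity(findings: List[Finding]) -> Dict[str, Tuple[int, int]]:
    """Map severity -> (number of package entries, total vulnerability count)."""
    summary: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        pkgs, vulns = summary.get(f.severity, (0, 0))
        summary[f.severity] = (pkgs + 1, vulns + f.count)
    return summary


def duplicate_versions(findings: List[Finding]) -> Dict[str, List[str]]:
    """Artifacts present in more than one version, in order of first appearance."""
    versions: "OrderedDict[str, List[str]]" = OrderedDict()
    for f in findings:
        seen = versions.setdefault(f.coordinate, [])
        if f.version not in seen:
            seen.append(f.version)
    return {coord: vs for coord, vs in versions.items() if len(vs) > 1}


def at_or_above(findings: List[Finding], threshold: str) -> List[Finding]:
    """Entries that fail a gate of the form 'no findings at or above threshold'."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, -1) >= floor]


if __name__ == "__main__":
    fs = parse_scan(SAMPLE_SCAN)
    by_sev = summarize_by_severity(fs)
    for sev, (pkgs, vulns) in sorted(by_sev.items(),
                                      key=lambda kv: SEVERITY_RANK.get(kv[0], -1)):
        print(f"{sev:5} {pkgs:3} packages {vulns:4} vulnerabilities")
    for coord, vs in duplicate_versions(fs).items():
        print(f"multiple versions of {coord}: {', '.join(vs)}")
    blocking = at_or_above(fs, "high")
    print(f"{len(blocking)} entries at high or above block promotion")
```

Feeding the real scanner output through `parse_scan` instead of the constructed sample gives the per-severity totals behind the "> 100" figure and the list of artifacts that must be handled in several copies; the `at_or_above` result is the set a CI gate would have to be empty before the image is promoted.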


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
