klwilson227 opened a new issue #7928: URL: https://github.com/apache/pulsar/issues/7928
**Describe the bug**

CVE exposure in pulsar-functions and other modules. We are planning on using Pulsar Functions in our next release; however, we have found that a library with the below CVE is referenced by the Pulsar jar files outlined below.

https://nvd.nist.gov/vuln/detail/CVE-2017-18640 (snakeyaml < 1.26)

STAT analysis of Pulsar docker images shows the CVE.

**To Reproduce**

Steps to reproduce the behavior:

```
mvn dependency:tree 2>&1 | grep snakeyaml | grep -v 1.26
[INFO] |  +- org.yaml:snakeyaml:jar:1.19:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.16:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.18:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.18:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.16:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.16:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.11:test
[INFO] |  |  |  |  +- org.yaml:snakeyaml:jar:1.17:test
```

**Expected behavior**

Expected no reports of snakeyaml with the above query.

**Screenshots**

N/A

**Desktop (please complete the following information):**

N/A

**Additional context**

After doing some additional analysis, I have identified the following that may be helpful:

- 1.11 and 1.17 are used in test code, so these are a lower priority for us.
- 1.18 is used in message generation and is again a lower priority, as I believe these modules are only used in testing.
- 1.16 and 1.19 references are in the pulsar-functions area and appear not to be related to test code, so these are HIGH priority to resolve. Updating these modules to use 1.26 or better of snakeyaml is expected.

- 1.19 appears to be included from the dependency on org.apache.pulsar:pulsar-functions-secrets:jar:2.6.1, based on its included dependency io.kubernetes:client-java-api:jar:2.0.0:compile. Fixed in 9.0.2.
- 1.18: org.apache.pulsar:pulsar-io-data-generator:jar:2.6.1 depends on io.codearte.jfairy:jfairy:jar:0.5.9. NO fix available.
- 1.17: org.apache.pulsar.tests:integration:test-jar:tests:2.6.1:test depends on org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:6.3.2:test. Fixed in elasticsearch >= 7.7.1 (7.9.1 current).
- 1.16 appears to be included from the dependency on org.apache.pulsar:pulsar-functions-instance:jar:2.6.1, based on io.prometheus.jmx:collector:jar:0.12.0. Fixed in 0.13.0.

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
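As an added example (not code from the issue above or from the Pulsar project), the following Python script performs the same triage as the `mvn dependency:tree | grep snakeyaml | grep -v 1.26` query in the report, but with a numeric version comparison instead of string matching: a future 1.27 is not reported as a false positive, a 1.9 is not hidden by string ordering, and test-scoped copies are separated from the ones that ship in the artifact. The sample tree output is constructed from the lines quoted in the report, with a fixed 1.26 and a newer 1.27 entry added; the `prioritise` helper and the 1.26 threshold are assumptions taken from the report's own triage and the NVD entry, not a Pulsar tool.

```python
"""Flag pre-1.26 snakeyaml in `mvn dependency:tree` output (CVE-2017-18640).

Added example, not code from the Pulsar project. It replaces the fragile
`grep snakeyaml | grep -v 1.26` from the report with a real version compare,
so 1.27 is not a false positive and 1.9 is not missed by string ordering.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# snakeyaml < 1.26 is affected, per the NVD entry referenced in the issue.
FIXED_VERSION = "1.26"

# Maven log prefix, tree-drawing characters (| + - \ and spaces), then the coordinate.
COORD_RE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*(?P<coord>\S+:\S+)\s*$")


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    packaging: str
    version: str
    scope: str
    classifier: Optional[str] = None


def parse_version(v: str) -> Tuple[int, ...]:
    """Leading numeric segments of a version; stops at the first qualifier.

    '1.26-SNAPSHOT' -> (1, 26); good enough for snakeyaml's plain x.y tags.
    """
    out = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        out.append(int(piece))
    return tuple(out)


def is_older(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` sorts strictly below `fixed`; pads so 1.26 == 1.26.0."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_line(line: str) -> Optional[Dep]:
    """One dependency:tree line -> Dep, or None for headers and the root artifact.

    Maven prints g:a:type:version:scope, or g:a:type:classifier:version:scope
    when a classifier (e.g. the `tests` test-jar) is present.
    """
    m = COORD_RE.match(line)
    if not m:
        return None
    f = m.group("coord").split(":")
    if len(f) == 5:
        return Dep(f[0], f[1], f[2], f[3], f[4])
    if len(f) == 6:
        return Dep(f[0], f[1], f[2], f[4], f[5], classifier=f[3])
    return None  # the root line has no scope; anything else is not a coordinate


def find_vulnerable(tree_output: str, artifact: str = "snakeyaml",
                    fixed: str = FIXED_VERSION) -> List[Dep]:
    """Every occurrence of `artifact` older than `fixed`, in tree order."""
    return [d for d in map(parse_line, tree_output.splitlines())
            if d and d.artifact == artifact and is_older(d.version, fixed)]


def prioritise(deps: List[Dep]) -> Tuple[List[str], List[str]]:
    """Split flagged versions into those that ship (non-test scope) and test-only.

    Mirrors the triage in the report (an assumption, not a Pulsar rule): copies
    in compile/runtime scope end up in the released artifact, so fix them first.
    """
    shipped = {d.version for d in deps if d.scope != "test"}
    test_only = {d.version for d in deps if d.scope == "test"} - shipped
    return (sorted(shipped, key=parse_version), sorted(test_only, key=parse_version))


# Constructed sample: the snakeyaml lines quoted in the issue, plus a fixed
# 1.26 and a newer 1.27 that a `grep -v 1.26` filter would wrongly flag.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ pulsar ---
[INFO] org.apache.pulsar:pulsar-functions-instance:jar:2.6.1
[INFO] +- io.prometheus.jmx:collector:jar:0.12.0:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:1.16:compile
[INFO] +- io.kubernetes:client-java-api:jar:2.0.0:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.19:compile
[INFO] +- org.apache.pulsar.tests:integration:test-jar:tests:2.6.1:test
[INFO] |  \\- org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:6.3.2:test
[INFO] |     \\- org.yaml:snakeyaml:jar:1.17:test
[INFO] +- org.yaml:snakeyaml:jar:1.11:test
[INFO] +- org.yaml:snakeyaml:jar:1.26:compile
[INFO] \\- org.yaml:snakeyaml:jar:1.27:compile
"""

if __name__ == "__main__":
    hits = find_vulnerable(SAMPLE_TREE)
    for d in hits:
        print(f"{d.group}:{d.artifact}:{d.version} ({d.scope})")
    shipped, test_only = prioritise(hits)
    print("fix first (shipped):", shipped)
    print("test-only:", test_only)
```

To run it against a real build, pipe `mvn dependency:tree 2>&1` into a file and pass its contents to `find_vulnerable`; the same parser works for any other artifact by changing the `artifact` and `fixed` arguments. Note that `dependency:tree` shows the resolved version per module, so running it from the aggregator root covers every module at once, which is what the report's query does.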
