timmyyuan opened a new issue #13152:
URL: https://github.com/apache/pulsar/issues/13152


   **Describe the bug**
   Currently, the pulsar-all image has many CVEs due to dependency packages. We 
can list them by using image scanners such as 
[grype](https://github.com/anchore/grype):
   
   ```
   PyYAML                                     5.3.1            5.4   GHSA-8q59-q68h-6hv4  Critical
   com.typesafe.netty-netty-reactive-streams  2.0.4                  CVE-2019-20444       Critical
   com.typesafe.netty-netty-reactive-streams  2.0.4                  CVE-2019-20445       Critical
   maven-aether-provider                      3.0.5                  CVE-2021-26291       Critical
   maven-artifact                             3.0.5                  CVE-2021-26291       Critical
   maven-compat                               3.0.5                  CVE-2021-26291       Critical
   maven-core                                 3.0.5                  CVE-2021-26291       Critical
   maven-embedder                             3.0.5                  CVE-2021-26291       Critical
   maven-model                                3.0.5                  CVE-2021-26291       Critical
   maven-model-builder                        3.0.5                  CVE-2021-26291       Critical
   maven-repository-metadata                  3.0.5                  CVE-2021-26291       Critical
   maven-settings                             3.0.5                  CVE-2021-26291       Critical
   maven-settings-builder                     3.0.5                  CVE-2021-26291       Critical
   netty                                      3.10.6.Final           CVE-2019-20444       Critical
   netty                                      3.10.6.Final           CVE-2019-20445       Critical
   netty-reactive-streams                     2.0.4                  CVE-2019-20444       Critical
   netty-reactive-streams                     2.0.4                  CVE-2019-20445       Critical
   org.apache.logging.log4j-log4j             1.2-api-2.14.0         CVE-2019-17571       Critical
   ```
   
   
   **To Reproduce**
   
   ```
   $ docker pull apachepulsar/pulsar-all:latest
   $ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
   $ grype apachepulsar/pulsar-all:latest | grep Critical
   ```
   
   **Expected behavior**
   No critical CVE exists here
   
   **Additional context**
   Most of the CVEs above are introduced by `presto`, and for users who do not need pulsar-sql, we can simply remove `presto` from the pulsar-all image. But the log4j package has no corresponding fix yet in the latest 2.14.x. I think we need to upgrade it to a CVE-free version.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
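As an added example (not part of the issue above, and not grype's or Pulsar's own code), the following script shows how the `grype ... | grep Critical` step from the reproduction can be turned into a proper release gate: it parses grype's table output, handles the rows where the FIXED-IN column is blank (as for netty, maven and log4j in the scan above), groups findings so the many maven rows collapse into the single CVE-2021-26291 they share, and can distinguish findings that have a fix available from those that do not. The sample scan text is constructed from the findings quoted in the issue plus one placeholder Medium row; `SAMPLE_SCAN`, `Finding`, and the function names are this example's own.

```python
"""Gate a container release on grype findings parsed from its table output.

Added example; not from the Pulsar issue or the grype project. The sample
below is constructed from the rows quoted in the issue. Column layout is the
five-column form shown there: NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample. FIXED-IN is blank when grype knows no fixed version, so a
# row has either 5 or 4 whitespace-separated tokens. The last row uses a
# placeholder identifier (CVE-0000-00000) and a made-up package name.
SAMPLE_SCAN = """\
NAME                                       INSTALLED        FIXED-IN  VULNERABILITY        SEVERITY
PyYAML                                     5.3.1            5.4       GHSA-8q59-q68h-6hv4  Critical
netty                                      3.10.6.Final               CVE-2019-20444       Critical
netty                                      3.10.6.Final               CVE-2019-20445       Critical
maven-core                                 3.0.5                      CVE-2021-26291       Critical
maven-model                                3.0.5                      CVE-2021-26291       Critical
org.apache.logging.log4j-log4j             1.2-api-2.14.0             CVE-2019-17571       Critical
example-lib                                1.0.0            1.0.1     CVE-0000-00000       Medium
"""

# grype's severity labels, lowest to highest. Anything else (e.g. "Unknown")
# ranks below all of them and never trips a threshold on its own.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    fixed_in: Optional[str]  # None when grype lists no fixed version
    vuln_id: str
    severity: str


def severity_rank(severity: str) -> int:
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return -1


def parse_grype_table(text: str) -> list[Finding]:
    """Parse the five-column grype table; tolerate the blank FIXED-IN column."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("NAME"):
            continue  # blank line or column header
        parts = line.split()
        if len(parts) == 5:
            name, installed, fixed_in, vuln_id, severity = parts
        elif len(parts) == 4:  # FIXED-IN column was empty
            name, installed, vuln_id, severity = parts
            fixed_in = None
        else:
            raise ValueError(f"unrecognised grype row: {raw!r}")
        findings.append(Finding(name, installed, fixed_in, vuln_id, severity))
    return findings


def group_by_vuln(findings: list[Finding]) -> dict[str, set[str]]:
    """Map each vulnerability id to the set of packages it was reported on."""
    by_vuln: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_vuln[f.vuln_id].add(f.package)
    return dict(by_vuln)


def blocking_findings(findings: list[Finding], threshold: str = "Critical",
                      fixable_only: bool = False) -> list[Finding]:
    """Findings at or above `threshold`; optionally only those with a fix."""
    floor = severity_rank(threshold)
    return [f for f in findings
            if severity_rank(f.severity) >= floor
            and (f.fixed_in is not None or not fixable_only)]


if __name__ == "__main__":
    scan = parse_grype_table(SAMPLE_SCAN)
    for vuln_id, pkgs in sorted(group_by_vuln(scan).items()):
        print(f"{vuln_id}: {len(pkgs)} package(s): {', '.join(sorted(pkgs))}")
    blockers = blocking_findings(scan)
    unfixed = [f for f in blockers if f.fixed_in is None]
    print(f"{len(blockers)} Critical finding(s), {len(unfixed)} with no fix listed")
    raise SystemExit(1 if blockers else 0)
```

Newer grype releases add a TYPE column to the table, which breaks token-count parsing like this; for a real pipeline, `grype -o json` and reading `matches[].vulnerability.severity` is the stable choice. The `fixable_only` switch exists because, as the issue notes for log4j 1.2-api, a Critical with no fixed version cannot be cleared by a version bump alone and usually needs the dependency removed or replaced instead.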
