This is an automated email from the ASF dual-hosted git repository. dongjoon pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
     new 7f3baa77acb [SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`
7f3baa77acb is described below

commit 7f3baa77acbf7747963a95d0f24e3b8868c7b16a
Author: yangjie01 <yangji...@baidu.com>
AuthorDate: Thu Aug 11 15:10:42 2022 -0700

[SPARK-40047][TEST] Exclude unused `xalan` transitive dependency from `htmlunit`

### What changes were proposed in this pull request?
This PR excludes `xalan` from `htmlunit` to clean up the warning for CVE-2022-34169:

```
Provides transitive vulnerable dependency xalan:xalan:2.7.2
CVE-2022-34169 7.5 Integer Coercion Error vulnerability with medium severity found
Results powered by Checkmarx(c)
```

`xalan:xalan:2.7.2` is the latest version, and the code base has not been updated for 5 years, so this can't be solved by upgrading `xalan`.

### Why are the changes needed?
The vulnerability is described in [CVE-2022-34169](https://github.com/advisories/GHSA-9339-86wc-4qgf); better to exclude it, although it's just a test dependency for Spark.

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
- Pass GitHub Actions
- Manual test: run `mvn dependency:tree -Phadoop-3 -Phadoop-cloud -Pmesos -Pyarn -Pkinesis-asl -Phive-thriftserver -Pspark-ganglia-lgpl -Pkubernetes -Phive | grep xalan` to check that `xalan` is not matched after this PR

Closes #37481 from LuciferYang/exclude-xalan.

Authored-by: yangjie01 <yangji...@baidu.com>
Signed-off-by: Dongjoon Hyun <dongj...@apache.org>
---
 pom.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pom.xml b/pom.xml
index c197987cd53..b6bbfef1854 100644
--- a/pom.xml
+++ b/pom.xml
@@ -712,6 +712,12 @@ <groupId>net.sourceforge.htmlunit</groupId> <artifactId>htmlunit</artifactId> <version>${htmlunit.version}</version> + <exclusions> + <exclusion> + <groupId>xalan</groupId> + <artifactId>xalan</artifactId> + </exclusion> + </exclusions> <scope>test</scope> </dependency> <dependency> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org For additional commands, e-mail: commits-h...@spark.apache.org
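Review bot: the new `<exclusions>` block on the managed `htmlunit` dependency carries no comment saying why `xalan:xalan` is excluded, so a later cleanup or an `htmlunit.version` bump can silently drop it and let the flagged artifact back into the test classpath. Add an XML comment on the exclusion that names the ticket and the advisory, e.g. `<!-- SPARK-40047: xalan is unused here and flagged for CVE-2022-34169 -->`, so the intent lives in pom.xml and not only in this commit message. Note also that the `mvn dependency:tree ... | grep xalan` check in the description covers only the Maven graph for the listed profiles; it does not by itself show that no test path through htmlunit still loads the excluded classes at runtime, so it is worth stating which suites were run under "Pass GitHub Actions".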
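The manual `mvn dependency:tree | grep xalan` check above proves the exclusion worked once; nothing stops the artifact from coming back through some other dependency later. The fragment below is an added example, not part of this Spark commit or of Spark's pom.xml: it uses the Maven Enforcer Plugin's `bannedDependencies` rule to fail the build whenever `xalan:xalan` appears anywhere in the resolved graph, direct or transitive, for any scope. The plugin version, the execution `<id>` and the message text are my choices.

```xml
<!-- Added example (not from the Spark commit): place under <build><plugins> of the root pom. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <!-- Version is an assumption for this example; pin to whatever the project manages. -->
  <version>3.1.0</version>
  <executions>
    <execution>
      <!-- Execution id is a hypothetical name for this example. -->
      <id>ban-xalan</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <excludes>
              <!-- groupId:artifactId; no version, so every xalan:xalan release is banned,
                   including 2.7.2 flagged for CVE-2022-34169. -->
              <exclude>xalan:xalan</exclude>
            </excludes>
            <!-- Walk the whole resolved tree, not just direct dependencies; this is the
                 case the commit fixes (xalan arrived transitively via htmlunit). -->
            <searchTransitive>true</searchTransitive>
            <message>xalan:xalan must not be on any classpath; see SPARK-40047 / CVE-2022-34169.</message>
          </bannedDependencies>
        </rules>
        <fail>true</fail>
      </configuration>
    </execution>
  </executions>
</plugin>
```

With this in place, `mvn validate` (or any later phase) fails with the message above if a future dependency bump reintroduces `xalan:xalan`, so the check in the "How was this patch tested" section runs on every build instead of once by hand. If a module genuinely needs the artifact, the rule supports an `<includes>` list to re-allow a specific coordinate rather than removing the ban.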