[
https://issues.apache.org/jira/browse/ATLAS-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17405115#comment-17405115
]
Syed Atif Akhtar commented on ATLAS-3930:
-----------------------------------------
Any updates on this? I think it would be good to have a CI job that checks for
vulnerabilities, if we don't already have one, and have some sort of tolerance
threshold. This is a major issue that stops Atlas from larger enterprise
adoption.
> Atlas server distribution contains 180+ CVEs
> --------------------------------------------
>
> Key: ATLAS-3930
> URL: https://issues.apache.org/jira/browse/ATLAS-3930
> Project: Atlas
> Issue Type: Bug
> Components: atlas-core, atlas-intg, atlas-webui
> Affects Versions: 2.1.0
> Reporter: Gaurav Saini
> Priority: Blocker
> Attachments: dependency-check-report.csv, dependency-check-report.html
>
>
> We are working on the Apache Atlas code and started deploying from
> *[https://github.com/apache/atlas/tree/release-2.1.0-rc3]*
> Upon scanning using Twistlock, we found *180+* vulnerabilities.
>
> Out of these, Jackson-databind and netty_netty-all are the most occurring
> ones.
> So, we tried upgrading the versions, but integration tests in atlas-webapp
> started failing saying *"org.eclise.jetty, utils: Multi exception".*
> The same thing is happening while upgrading versions of any other
> dependencies in the atlas module. The application breaks for any other
> dependency which we are trying to upgrade. For example, Hadoop_hdfs uses
> Jackson-databind as a transitive dependency, hence I am unable to update
> version.
> _PFA of dependency check for the project._
> *I do not see any open issue on the Github channel too.*
> *Have you experienced any such scenario while upgrading earlier?*
> *Is there a way for me to move ahead to remove vulnerabilities in the
> current version?*
>
> *The atlas server distribution should be using the latest version of the
> dependencies having no or fewer CVEs.*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
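A pom.xml fragment illustrating both points raised above: the CI gate with a tolerance threshold suggested in the comment, and pinning a transitive dependency such as jackson-databind (pulled in via hadoop-hdfs) from the issue description. This is an added example, not configuration from the Atlas project; the plugin and dependency versions are placeholders and the suppression file name is an assumption.

```xml
<!-- pom.xml fragment (added example, not from the Atlas project) -->
<project>
  <properties>
    <!-- placeholders: use the patched releases you have actually validated -->
    <jackson.version>PLACEHOLDER_PATCHED_VERSION</jackson.version>
    <netty.version>PLACEHOLDER_PATCHED_VERSION</netty.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement pins the version Maven resolves for a transitive
           dependency, so hadoop-hdfs no longer decides which jackson-databind ships -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <version>${netty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <build>
    <plugins>
      <!-- OWASP Dependency-Check as a build gate: `mvn verify` in CI fails when any
           finding scores at or above the CVSS threshold (the tolerance threshold) -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLACEHOLDER_PLUGIN_VERSION</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <format>ALL</format>
          <!-- reviewed false positives go in a versioned suppression file (assumed name) -->
          <suppressionFiles>
            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Lowering `failBuildOnCVSS` over time ratchets the tolerance down as the backlog of findings shrinks, and the HTML/CSV reports the plugin writes are the same format as the attachments on this issue.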