Greg created ATLAS-4497:
---------------------------

             Summary: Large number of CVEs (vulnerabilities) when building 2.2.0 from source
                 Key: ATLAS-4497
                 URL: https://issues.apache.org/jira/browse/ATLAS-4497
             Project: Atlas
          Issue Type: Bug
          Components:  atlas-core
    Affects Versions: 2.2.0
         Environment: Redhat UBI (Universal Base Image) 8.5
            Reporter: Greg


Atlas 2.2.0 when built from source has a large number of jar packages that 
suffer from known exploits / vulnerabilities. I've performed an Anchore and a 
Twistlock scan of the compiled application and here's the list of the High and 
Critical vulnerabilities found:
 
[https://pastebin.com/raw/t59rcyH8]
 
I am attempting to put together a public docker image of Atlas compiled from 
source. You can see my build process here to see how I arrived at the compiled 
build that I performed the scans on:
 
[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]
 
I'm not a Java developer, but I would think that a different version of Maven 
(I'm using 3.6.3) or an updated pom.xml that has more current (vulnerability-
free) versions of packages may help remedy my findings.
 
I am not sure whether or not this has to do with my downgrading the pom.xml 
file to use buildtools 0.8.1 since the packages for 1.0 do not seem to be 
available.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

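Whichever of the reporter's two guesses turns out to be right, the first step for whoever triages this is to map each flagged jar in the built distribution back to its Maven coordinates, since a scanner report names artifacts and versions while pom.xml names dependencies, and a shaded jar can carry an old copy of a library that pom.xml never mentions. The script below is an added example written for this ticket, not Atlas project code or the reporter's: it walks a lib tree, reads the META-INF/maven/<groupId>/<artifactId>/pom.properties entries that Maven-built jars carry, lists every coordinate found (several per jar for shaded jars, none for hand-built ones), and flags coordinates below a minimum version the caller supplies. The jars it scans and the minimum-version table (org.example:widget, org.example:gadget) are constructed for the demo and do not correspond to any real CVE or Atlas dependency.

```python
"""Inventory the Maven coordinates of every jar under a build tree and flag
those below a caller-supplied minimum version.

Added example for this ticket, not Atlas project code. The sample jars and the
DEMO_MINIMUM table are constructed for the demo and name no real CVE.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Tuple

Coord = Tuple[str, str, str]  # (groupId, artifactId, version)

POM_PROPS_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def read_pom_properties(jar_path: str) -> List[Coord]:
    """Return every (groupId, artifactId, version) declared inside a jar.

    A shaded/uber jar can embed several pom.properties files; all of them are
    returned so a bundled copy of an old library is not missed.
    """
    coords: List[Coord] = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not POM_PROPS_RE.match(name):
                continue
            props: Dict[str, str] = {}
            for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                line = raw.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                coords.append((props["groupId"], props["artifactId"], props["version"]))
    return coords


def inventory(root: str) -> Dict[str, List[Coord]]:
    """Map each jar path under root to its coordinates ([] if none found)."""
    result: Dict[str, List[Coord]] = {}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                result[path] = read_pom_properties(path)
    return result


def version_key(v: str) -> Tuple:
    """Sort key: numeric dotted components, then a qualifier such as
    -SNAPSHOT or -rc1 sorts *below* the plain release with the same numbers.
    (Simplified; does not reproduce every rule of Maven's ComparableVersion.)"""
    nums: List[int] = []
    qualifier = ""
    for part in re.split(r"[.\-]", v):
        if part.isdigit() and not qualifier:
            nums.append(int(part))
        else:
            qualifier += part
    return (tuple(nums), 0 if qualifier else 1, qualifier)


def flag_outdated(inv: Dict[str, List[Coord]],
                  minimum: Dict[Tuple[str, str], str]) -> List[Tuple[str, Coord, str]]:
    """Return (jar, coord, required_min) for every coordinate whose version is
    below the minimum the caller demands (e.g. the fixed version a scan names)."""
    findings = []
    for jar, coords in inv.items():
        for coord in coords:
            required = minimum.get((coord[0], coord[1]))
            if required is not None and version_key(coord[2]) < version_key(required):
                findings.append((jar, coord, required))
    return findings


def _make_demo_tree() -> str:
    """Construct a few jars for the demo (not Atlas artifacts)."""
    root = tempfile.mkdtemp(prefix="jar-inventory-")
    libdir = os.path.join(root, "lib")
    os.makedirs(libdir)

    def jar(name: str, entries: Dict[str, str]) -> None:
        with zipfile.ZipFile(os.path.join(libdir, name), "w") as zf:
            for path, body in entries.items():
                zf.writestr(path, body)

    def props(g: str, a: str, v: str) -> str:
        return f"#Generated by Maven\nversion={v}\ngroupId={g}\nartifactId={a}\n"

    jar("widget-1.2.3.jar",
        {"META-INF/maven/org.example/widget/pom.properties": props("org.example", "widget", "1.2.3")})
    jar("gadget-2.0.0.jar",
        {"META-INF/maven/org.example/gadget/pom.properties": props("org.example", "gadget", "2.0.0")})
    # Shaded jar that bundles an older widget under its own coordinates.
    jar("app-shaded-0.1.jar",
        {"META-INF/maven/org.example/app/pom.properties": props("org.example", "app", "0.1"),
         "META-INF/maven/org.example/widget/pom.properties": props("org.example", "widget", "1.0.0")})
    # Hand-built jar with no Maven metadata at all.
    jar("handbuilt.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    return root


# Hypothetical minimum versions, as one would transcribe them from a scan report.
DEMO_MINIMUM = {("org.example", "widget"): "1.2.0",
                ("org.example", "gadget"): "2.0.0"}


def demo() -> Tuple[int, int, int]:
    """Scan the constructed tree; returns (jars seen, jars without metadata, flagged)."""
    root = _make_demo_tree()
    inv = inventory(root)
    unknown = [j for j, c in inv.items() if not c]
    flagged = flag_outdated(inv, DEMO_MINIMUM)
    for jar, (g, a, v), required in flagged:
        print(f"{os.path.basename(jar)}: {g}:{a}:{v} is below {required}")
    for j in unknown:
        print(f"{os.path.basename(j)}: no pom.properties, identify by hand")
    return len(inv), len(unknown), len(flagged)


if __name__ == "__main__":
    demo()
```

Run against a real build by calling `inventory()` on the distribution's lib directory and filling the minimum table from the scanner output; a coordinate that the inventory reports but `mvn dependency:tree` does not is the signature of a shaded or relocated copy, which an updated pom.xml alone will not fix. The Maven-side counterpart for the reporter's second guess is `mvn versions:display-dependency-updates`, which lists newer releases of each declared dependency.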