[
https://issues.apache.org/jira/browse/ATLAS-4497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg updated ATLAS-4497:
------------------------
Description:
Atlas 2.2.0 when built from source has a large number of jar packages that
suffer from known exploits / vulnerabilities. I've performed an Anchore and a
Twistlock scan of the compiled application and here's the list of the High and
Critical vulnerabilities found:
[https://pastebin.com/raw/tQNYMZd9]
I am attempting to put together a public docker image of Atlas compiled from
source. You can see my build process here to see how I arrived at the compiled
build that I performed the scans on:
[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]
I'm not a Java developer, but I would think that an updated pom.xml that has
more current (vulnerability free) versions of packages may help remedy these
findings. How to update this maven package tree is above my current skill level.
was:
Atlas 2.2.0 when built from source has a large number of jar packages that
suffer from known exploits / vulnerabilities. I've performed an Anchore and a
Twistlock scan of the compiled application and here's the list of the High and
Critical vulnerabilities found:
[https://pastebin.com/raw/t59rcyH8]
I am attempting to put together a public docker image of Atlas compiled from
source. You can see my build process here to see how I arrived at the compiled
build that I performed the scans on:
[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]
I'm not a Java developer, but I would think that a different version of Maven
(I'm using 3.6.3) or an updated pom.xml that has more current (vulnerability
free) versions of packages may help remedy my findings.
I am not sure whether or not this has to do with my downgrading the pom.xml
file to use buildtools 0.8.1 since the packages for 1.0 do not seem to be
available.
> Large number of CVEs (vulnerabilities) when building 2.2.0 from source
> ----------------------------------------------------------------------
>
> Key: ATLAS-4497
> URL: https://issues.apache.org/jira/browse/ATLAS-4497
> Project: Atlas
> Issue Type: Bug
> Components: atlas-core
> Affects Versions: 2.2.0
> Environment: Redhat UBI (Universal Base Image) 8.5
> Reporter: Greg
> Priority: Critical
> Labels: security
>
> Atlas 2.2.0 when built from source has a large number of jar packages that
> suffer from known exploits / vulnerabilities. I've performed an Anchore and a
> Twistlock scan of the compiled application and here's the list of the High
> and Critical vulnerabilities found:
>
> [https://pastebin.com/raw/tQNYMZd9]
>
> I am attempting to put together a public docker image of Atlas compiled from
> source. You can see my build process here to see how I arrived at the
> compiled build that I performed the scans on:
>
> [https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]
>
> I'm not a Java developer, but I would think that an updated pom.xml that has
> more current (vulnerability free) versions of packages may help remedy these
> findings. How to update this maven package tree is above my current skill
> level.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
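The issue above rests on two pieces of evidence: a scanner's list of vulnerable jars in the compiled build, and the suggestion that the versions pinned in pom.xml are what need to change. The gap between the two is knowing exactly which Maven coordinates each shipped jar carries, so that a scanner finding can be matched to a pom.xml entry. The script below is an added example, not code from the issue, its reporter, or the Atlas project. It inventories every jar under a build output directory by reading the `META-INF/maven/<groupId>/<artifactId>/pom.properties` file that Maven writes into jars it builds, then flags jars whose coordinates appear in an affected-version table of the kind one would transcribe from a scanner report. The directory tree, the jar names, the `org.example` coordinates and the affected-version table are all constructed for the example so that it runs offline; a real run would point `inventory()` at the unpacked build (for example the `server/webapp` or `lib` tree of a compiled Atlas distribution) and fill the table from the Anchore or Twistlock output.

```python
"""Inventory Maven coordinates of shipped jars and match them to scanner findings.

Added example; not part of the Jira issue or the Apache Atlas project.
Relies on the pom.properties file that the Maven archiver writes into
META-INF/maven/<groupId>/<artifactId>/ of every jar it builds. Jars produced
by other build tools, or shaded jars that strip that metadata, yield no
coordinates and must be identified by other means (filename, manifest, hash).
"""
import tempfile
import zipfile
from pathlib import Path


def coordinates_from_jar(jar_path):
    """Return [(groupId, artifactId, version), ...] for one jar.

    A shaded/uber jar may bundle several libraries and therefore carry several
    pom.properties entries, so a list is returned rather than a single triple.
    A jar without Maven metadata yields an empty list.
    """
    coords = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for raw in zf.read(name).decode("utf-8", "replace").splitlines():
                line = raw.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue  # comments (e.g. "#Generated by Maven") and blanks
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                coords.append((props["groupId"], props["artifactId"], props["version"]))
    return coords


def inventory(root):
    """Map each jar path (POSIX-style, relative to root) to its coordinate list."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): coordinates_from_jar(path)
        for path in sorted(root.rglob("*.jar"))
    }


def flag_versions(inv, affected):
    """Match the inventory against an affected-version table.

    affected: {(groupId, artifactId): {version, ...}} transcribed from a scanner
    report. Returns a sorted list of (jar, groupId, artifactId, version) hits,
    which is exactly the set of pom.xml entries that need a newer version.
    """
    hits = []
    for jar, coords in inv.items():
        for group, artifact, version in coords:
            if version in affected.get((group, artifact), ()):
                hits.append((jar, group, artifact, version))
    return sorted(hits)


def make_sample_jar(path, entries):
    """Write a minimal jar (a zip file) containing the given {name: text} entries."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)


def build_sample_tree():
    """Constructed sample build output: two Maven-built jars and one without metadata."""
    root = Path(tempfile.mkdtemp(prefix="jar-inventory-"))
    make_sample_jar(root / "lib" / "example-lib-1.0.0.jar", {
        "META-INF/maven/org.example/example-lib/pom.properties":
            "#Generated by Maven\nversion=1.0.0\ngroupId=org.example\nartifactId=example-lib\n",
        "org/example/Lib.class": "",
    })
    make_sample_jar(root / "lib" / "example-util-2.3.1.jar", {
        "META-INF/maven/org.example/example-util/pom.properties":
            "version=2.3.1\ngroupId=org.example\nartifactId=example-util\n",
    })
    make_sample_jar(root / "lib" / "no-metadata.jar", {"README.txt": "built outside Maven\n"})
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    inv = inventory(sample_root)
    for jar, coords in inv.items():
        print(jar, coords or "(no Maven metadata)")
    # Constructed affected-version table standing in for a scanner report.
    affected_table = {("org.example", "example-lib"): {"1.0.0"}}
    for hit in flag_versions(inv, affected_table):
        print("needs pom.xml version bump:", hit)
```

Jars that come back with an empty coordinate list are the ones to look at by hand: the scanner still identifies them, but nothing in them tells you which pom.xml entry (or which transitive dependency) pulled them in, so `mvn dependency:tree` on the module is the next step for those.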