[https://issues.apache.org/jira/browse/ATLAS-4497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Greg updated ATLAS-4497:
------------------------
Affects Version/s: 3.0.0
> Large number of CVEs (vulnerabilities) when building 2.2.0 and 3.0.0-SNAPSHOT from source
> ------------------------------------------------------------------------------------------
>
> Key: ATLAS-4497
> URL: https://issues.apache.org/jira/browse/ATLAS-4497
> Project: Atlas
> Issue Type: Bug
> Components: atlas-core
> Affects Versions: 3.0.0, 2.2.0
> Environment: Redhat UBI (Universal Base Image) 8.5
> Reporter: Greg
> Priority: Critical
> Labels: security
>
> Atlas 2.2.0 and 3.0.0-SNAPSHOT when built from source both have a large
> number of jar packages that suffer from known exploits / vulnerabilities.
> I've performed an Anchore and a Twistlock scan of the compiled Atlas
> application from the released 2.2.0 codebase and 3.0.0-SNAPSHOT git master.
> Here are the lists of the High and Critical vulnerabilities discovered:
>
> ATLAS 2.2.0
> [https://repo1.dso.mil/dsop/opensource/apache/atlas/-/jobs/8351429]
> ATLAS 3.0.0-SNAPSHOT (git-master 2021.1201)
> [https://repo1.dso.mil/dsop/opensource/apache/atlas/-/jobs/8401537]
>
> This effort was attempting to put together a public Docker image of Atlas
> compiled from source. The build process source code is hosted here:
> [https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]
>
> Thoughts:
> * an updated pom.xml that has newer (vulnerability free) versions of the
> package chain may remediate these findings in a future build
--
This message was sent by Atlassian Jira (v8.20.1#820001)