https://issues.apache.org/jira/browse/AVRO-3111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17426123#comment-17426123
Ryan Skraba commented on AVRO-3111:
-----------------------------------
Thanks for keeping an eye on this!
As you note, avro-tools (and only avro-tools) _does_ bring in Hadoop artifacts
in the *compile (optional)* scope.
To be very clear, on the *release-1.10.2* branch: *{{mvn dependency:tree -Dverbose}}*
Avro core does not have any hadoop dependencies:
{code}
[INFO] ------------------------< org.apache.avro:avro >------------------------
[INFO] Building Apache Avro 1.10.2 [3/23]
[INFO] -------------------------------[ bundle ]-------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ avro ---
[INFO] Verbose not supported since maven-dependency-plugin 3.0
[INFO] org.apache.avro:avro:bundle:1.10.2
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.12.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.2:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.2:compile
[INFO] +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] +- org.xerial.snappy:snappy-java:jar:1.1.8.4:compile (optional)
[INFO] +- org.tukaani:xz:jar:1.8:compile (optional)
[INFO] +- com.github.luben:zstd-jni:jar:1.4.9-1:compile (optional)
[INFO] +- org.hamcrest:hamcrest-library:jar:2.2:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] | \- org.hamcrest:hamcrest:jar:2.2:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] \- org.slf4j:slf4j-simple:jar:1.7.30:test
{code}
The following artifacts have *{{provided}}* Hadoop artifacts: avro-mapred, trevni-avro
This is also true for *release-1.10.1*.
Is this something that can be corrected or updated?
> Update Hadoop versions to prevent false-positive security reports
> -----------------------------------------------------------------
>
> Key: AVRO-3111
> URL: https://issues.apache.org/jira/browse/AVRO-3111
> Project: Apache Avro
> Issue Type: Bug
> Components: java
> Affects Versions: 1.10.1, 1.10.2
> Environment: Docker image built on library/buildpack-deps:buster-curl
> ([buildpack-deps (docker.com)|https://hub.docker.com/_/buildpack-deps])
> Reporter: David L. Day
> Assignee: Ismaël Mejía
> Priority: Major
> Fix For: 1.11.0
>
>
> When installing avro-tools in a container on a debian image, my company's
> image scanner reports CVE-2019-17195:
> _Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions
> while parsing a JWT, which could result in an application crash (potential
> information disclosure) or a potential authentication bypass._
> I see other Apache projects have had this CVE reported and have been fixed,
> but did not see where this was reported for Apache Avro Tools specifically.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)