XuCongying created BIGTOP-3321:
----------------------------------

             Summary: CVEs in the dependencies are in the execution path of your project
                 Key: BIGTOP-3321
                 URL: https://issues.apache.org/jira/browse/BIGTOP-3321
             Project: Bigtop
          Issue Type: Improvement
            Reporter: XuCongying


Your project uses some dependencies with CVEs. I found that the buggy methods 
of the CVEs are in the program execution path of your project, which makes your 
project at risk. I have suggested some version updates. See below for more 
details:
 # *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.3

 * *Call Chain to Buggy Methods:*

 ** *Some files in your project call the library method 
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String), 
which can reach the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/system/TestLoadAndVerify.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method 
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[]),
 which can reach the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/smoke/IncrementalPELoad.java

 *** One of the possible call chains:
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[])
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.Options,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(org.apache.commons.cli.Options,org.apache.hadoop.conf.Configuration,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.CommandLine)
org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method 
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[]),
 which can reach the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/system/TestLoadAndVerify.java

 *** One of the possible call chains:
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.Options,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(org.apache.commons.cli.Options,org.apache.hadoop.conf.Configuration,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.CommandLine)
org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method 
org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int), which can 
reach the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/system/TestLoadAndVerify.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int)
org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method 
org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean), 
which can reach the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
bigtop-tests/test-artifacts/hbase/src/main/groovy/org/apache/bigtop/itest/hbase/system/TestLoadAndVerify.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.getBoolean(java.lang.String,boolean)
org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 * *Update suggestion:* version 3.2.1. 3.2.1 is a safe version without CVEs. 
From 2.7.3 to 3.2.1, 8 of the APIs (called 11 times in your project) were 
modified.
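As an added triage aid (not part of this issue or of the Bigtop project), the script below parses a report in the format above into findings and lists, per CVE, the project files to review together with the library entry API each one uses. The embedded report text is a constructed, shortened copy of two of the chains above.

```python
# Added triage helper (not part of the Jira issue or of Bigtop): parses a reachability
# report in the Jira markup used above into findings a maintainer can act on.
import re
from collections import namedtuple

# Constructed sample in the report's format: two chains copied from the issue above,
# with file paths shortened and intermediate GenericOptionsParser frames omitted.
REPORT = """\
 ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
 *** Files in your project:
hbase/system/TestLoadAndVerify.java
 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int)
org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[]), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
 *** Files in your project:
hbase/smoke/IncrementalPELoad.java
 *** One of the possible call chains:
org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.util.Tool,java.lang.String[])
org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
"""

ENTRY_RE = re.compile(r"call the library method (\S+), which can reach .*?(CVE-\d{4}-\d+)")
FILES_RE = re.compile(r"\*\*\* Files in your project:\s*\n(.*?)\n\s*\*\*\* One of", re.S)
CHAIN_RE = re.compile(r"\*\*\* One of the possible call chains?:\s*\n(.*)", re.S)
Finding = namedtuple("Finding", "cve entry sink hops files")  # hops: calls from entry to sink

def parse_report(text):
    findings = []
    for block in re.split(r"^\s*\*\* \*", text, flags=re.M)[1:]:
        head, files, chain = ENTRY_RE.search(block), FILES_RE.search(block), CHAIN_RE.search(block)
        if not (head and files and chain):
            continue  # malformed section: skip rather than guess
        steps = [s.strip() for s in chain.group(1).splitlines() if s.strip()]
        sinks = [s[:-len(" [buggy method]")] for s in steps if s.endswith(" [buggy method]")]
        if sinks:
            findings.append(Finding(head.group(2), head.group(1), sinks[0], len(steps) - 1,
                                    tuple(f.strip() for f in files.group(1).splitlines() if f.strip())))
    return findings

def files_to_review(findings, cve):  # file -> entry APIs through which it reaches the CVE's sink
    out = {}
    for f in (f for f in findings if f.cve == cve):
        for path in f.files:
            out.setdefault(path, set()).add(f.entry)
    return out
```

The per-file map is the useful output: every listed file either needs the dependency bump or a review of how it reaches the flagged method.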



--
This message was sent by Atlassian Jira
(v8.3.4#803005)