Hi all,

I found that a check for vulnerabilities among dependencies fails for the calcite-spark module. The same problem is observed for the 1.16 version.
Should we block the release until this issue is fixed, or fix it after the release in Calcite 1.18?

Output for "mvn install -Ppedantic -DskipTests=true":

One or more dependencies were identified with known vulnerabilities in Calcite Spark:

jackson-databind-2.9.4.jar (com.fasterxml.jackson.core:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) : CVE-2018-7489
protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0, cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
commons-beanutils-core-1.8.0.jar (commons-beanutils:commons-beanutils-core:1.8.0, cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0, cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1, cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) : CVE-2015-5262, CVE-2014-3577
javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2, javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) : CVE-2015-9097
validation-api-1.1.0.Final.jar (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~, javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2, javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13) : CVE-2007-1100
py4j-0.10.4.jar (cpe:/a:python:python:0.10.4, cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) : CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158, CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652, CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150, CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143, CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679, CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7, org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161, CVE-2016-5001
curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0, org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30, org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6, org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017, CVE-2014-0085
jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13, cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) : CVE-2018-5968, CVE-2017-17485
jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908, cpe:/a:jetty:jetty:9.2.19.v20160908, org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26, cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26, org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0, org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:serializer:2.7.1) : CVE-2014-0107
xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) : CVE-2014-0107
xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1, xerces:xercesImpl:2.9.1) : CVE-2012-0881
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (com.fasterxml.jackson.core:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) : CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml (cpe:/a:eclipse:jetty:9.3.11.v20160721, cpe:/a:jetty:jetty:9.3.11.v20160721, org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735

Kind regards,
Volodymyr Vysotskyi
