Thanks for noting this. Agreed with Francis that we should fix before the
release if possible. Hopefully, it's as simple as upgrading the
dependencies and running tests to ensure no breaking changes have been
introduced.
--
Michael Mior
[email protected]



On Mon, 25 Jun 2018 at 06:20, Volodymyr Vysotskyi <[email protected]>
wrote:

> Hi all,
>
> I found that a check for vulnerabilities among dependencies fails
> for calcite-spark module.
> The same problem is observed for 1.16 version.
>
> Should we block the release until this issue is fixed, or fix it after the
> release in Calcite 1.18?
>
> Output for "mvn install -Ppedantic -DskipTests=true":
> One or more dependencies were identified with known vulnerabilities in
> Calcite Spark:
>
> jackson-databind-2.9.4.jar
> (com.fasterxml.jackson.core:jackson-databind:2.9.4,
> cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
> CVE-2018-7489
> protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0,
> cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
> commons-beanutils-core-1.8.0.jar
> (commons-beanutils:commons-beanutils-core:1.8.0,
> cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
> commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0,
> cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
> commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1,
> cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) :
> CVE-2015-5262, CVE-2014-3577
> javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2,
> javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
> mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) :
> CVE-2015-9097
> validation-api-1.1.0.Final.jar
> (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~,
> javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
> jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2,
> javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
> pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13)
> : CVE-2007-1100
> py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
> cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) :
> CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158,
> CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652,
> CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150,
> CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143,
> CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679,
> CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
> avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7,
> org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161,
> CVE-2016-5001
> curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0,
> org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
> api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30,
> org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
> xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
> zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6,
> org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017,
> CVE-2014-0085
> jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13,
> cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) :
> CVE-2018-5968, CVE-2017-17485
> jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908,
> cpe:/a:jetty:jetty:9.2.19.v20160908,
> org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
> jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26,
> cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26,
> org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
> unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0,
> org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
> xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
> serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1,
> xalan:serializer:2.7.1) : CVE-2014-0107
> xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) :
> CVE-2014-0107
> xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1,
> xerces:xercesImpl:2.9.1) : CVE-2012-0881
>
> htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
> (com.fasterxml.jackson.core:jackson-databind:2.4.0,
> cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
> CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
>
> spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
> (cpe:/a:eclipse:jetty:9.3.11.v20160721,
> cpe:/a:jetty:jetty:9.3.11.v20160721,
> org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735
>
> Kind regards,
> Volodymyr Vysotskyi
>
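As an added example (not part of the thread), a small Python parser for the vulnerability-check output quoted above: it turns each flagged jar into a record and indexes CVEs by the artifacts they hit, so a CVE that appears under several jars is visible as one upgrade target. The sample input is a constructed excerpt of that output, with some entries line-wrapped the way the mail client wrapped them; the `bundled` flag for pom.xml entries found inside another jar is my own naming.

```python
import re
from collections import defaultdict

# Constructed excerpt of the quoted scan output; in the real report each entry is
# one line, here the first entry is wrapped as it appears in the mail.
SAMPLE_REPORT = """\
One or more dependencies were identified with known vulnerabilities in Calcite Spark:

jackson-databind-2.9.4.jar
(com.fasterxml.jackson.core:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
CVE-2018-7489
commons-beanutils-core-1.8.0.jar (commons-beanutils:commons-beanutils-core:1.8.0, cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0, cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2, javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (com.fasterxml.jackson.core:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson-databind:2.4.0) : CVE-2018-7489, CVE-2017-7525
"""

# <file>.jar[/path-inside-jar] (<maven coord and/or cpe ids>) : <CVE list>
ENTRY_RE = re.compile(r"^(?P<file>\S+\.jar(?:/\S+)?)\s*\((?P<ids>[^)]*)\)\s*:\s*(?P<cves>.*)$")
START_RE = re.compile(r"^\S+\.jar(?:/|\s|$)")  # a line that begins a new entry
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def unwrap(text):
    """Join mail-wrapped continuation lines back onto the entry they belong to.
    An entry starts with a token ending in .jar (or .jar/<path>); everything up
    to the next such token or a blank line is part of that entry."""
    entries, current = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line or (START_RE.match(line) and current):
            if current:
                entries.append(" ".join(current))
            current = []
        if line:
            current.append(line)
    if current:
        entries.append(" ".join(current))
    return entries

def parse_report(text):
    """One record per flagged artifact; non-entry lines (the banner) are skipped."""
    records = []
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        ids = [i.strip() for i in m.group("ids").split(",")]
        records.append({
            "file": m.group("file"),
            "maven": next((i for i in ids if not i.startswith("cpe:")), None),
            "cpes": [i for i in ids if i.startswith("cpe:")],
            "cves": CVE_RE.findall(m.group("cves")),
            "bundled": "/META-INF/" in m.group("file"),  # pom.xml found inside another jar
        })
    return records

def artifacts_by_cve(records):
    """Map each CVE to the files reported against it, so one CVE hitting several
    jars (CVE-2014-0114 on both beanutils jars above) shows up as one upgrade."""
    index = defaultdict(list)
    for r in records:
        for cve in r["cves"]:
            index[cve].append(r["file"])
    return dict(index)
```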
