Hello Apache Drill Devs, We are looking to make use of Apache Drill for a project, as a member of our product security team I was asked to perform a dependency analysis of Drill. I identified 24 dependencies with known vulnerabilities using OWASP Dependency Scan.
I found this in the archives from two years ago http://mail-archives.apache.org/mod_mbox/drill-dev/201709.mbox/%3cb4df2a35-121c-11a5-a666-4af7bd98b...@apache.org%3E discussing the potential of integrating OWASP into the project. Aside from Kafka [DRILL-6739] and Avro [DRILL-7302] I was unable to find mention in Jira of updates to the remaining 22 libraries. Is it reasonable to assume there is no plan to upgrade at this time then?

I'm more than willing to step up and raise these and future dependency vulnerabilities I am aware of in Jira to get the discussions started. I think that is a good place to raise these security issues, and from there the community can discuss upgrading the affected dependencies, or rule them out as not applicable.

Thank you for your time,
-Brad

For reference, the list of vulnerabilities identified by the OWASP tool:

Package: avro-1.8.2
  Should be: 1.9.0
  Max CVE (CVSS): CVE-2018-10237 (5.9)
  Complete CVE list: CVE-2018-10237

Package: commons-beanutils-1.9.2
  Should be: 1.9.4
  Max CVE (CVSS): CVE-2019-10086 (7.3)
  Complete CVE list: CVE-2019-10086

Package: commons-beanutils-core-1.8.0
  Should be: Moved to commons-beanutils
  Max CVE (CVSS): CVE-2014-0114 (7.5)
  Complete CVE list: CVE-2014-0114

Package: converter-jackson
  Should be: 2.5.0
  Max CVE (CVSS): CVE-2018-1000850 (7.5)
  Complete CVE list: CVE-2018-1000850

Package: derby-10.10.2.0
  Should be: 10.14.2.0
  Max CVE (CVSS): CVE-2015-1832 (9.1)
  Complete CVE list: CVE-2015-1832 CVE-2018-1313

Package: drill-hive-exec-shaded
  Should be: New release needed with updated Guava
  Max CVE (CVSS): CVE-2018-10237 (7.5)
  Complete CVE list: CVE-2018-10237

Package: drill-java-exec
  Should be: New release needed with updated jQuery and Bootstrap
  Max CVE (CVSS): CVE-2019-11358 (6.1)
  Complete CVE list: CVE-2018-14040 CVE-2018-14041 CVE-2018-14042 CVE-2019-8331 CVE-2019-11358

Package: drill-shaded-guava-23
  Should be: New release needed with updated Guava
  Max CVE (CVSS): CVE-2018-10237 (5.9)
  Complete CVE list: CVE-2018-10237

Package: guava-19.0
  Should be: 24.1.1
  Max CVE (CVSS): CVE-2018-10237 (5.9)
  Complete CVE list: CVE-2018-10237

Package: hadoop-yarn-common-2.7.4
  Should be: 3.2.1
  Max CVE (CVSS): CVE-2019-11358 (6.1)
  Complete CVE list: CVE-2012-6708 CVE-2015-9251 CVE-2019-11358 CVE-2010-5312 CVE-2016-7103

Package: hbase-http-2.1.1.jar
  Should be: 2.1.4
  Max CVE (CVSS): CVE-2019-0212 (7.5)
  Complete CVE list: CVE-2019-0212

Package: httpclient-4.2.5.jar
  Should be: 4.3.6
  Max CVE (CVSS): CVE-2014-3577 (5.8)
  Complete CVE list: CVE-2014-3577 CVE-2015-5262

Package: jackson-databind-2.9.5
  Should be: 2.10.0
  Max CVE (CVSS): CVE-2018-14721 (10)
  Complete CVE list: CVE-2019-17267 CVE-2019-16943 CVE-2019-16942 CVE-2019-16335 CVE-2019-14540 CVE-2019-14439 CVE-2019-14379 CVE-2018-11307 CVE-2019-12384 CVE-2019-12814 CVE-2019-12086 CVE-2018-12023 CVE-2018-12022 CVE-2018-19362 CVE-2018-19361 CVE-2018-19360 CVE-2018-14721 CVE-2018-14720 CVE-2018-14719 CVE-2018-14718 CVE-2018-1000873

Package: Kafka 0.11.0.1
  Should be: 2.1.0
  Max CVE (CVSS): CVE-2018-17196 (8.8)
  Complete CVE list: CVE-2018-17196 CVE-2018-1288 CVE-2017-12610

Package: kudu-client-1.3.0.jar
  Should be: 1.10.0 (only a partial fix, no fix for netty CVE-2019-16869 (7.5); kudu still needs to update their netty, which is not unexpected as this CVE is newer)
  Max CVE (CVSS): CVE-2015-5237 (8.8)
  Complete CVE list: CVE-2018-10237 CVE-2015-5237 CVE-2019-16869

Package: libfb303-0.9.3.jar
  Should be: libthrift 0.12.0 (moved to libthrift)
  Max CVE (CVSS): CVE-2018-1320 (7.5)
  Complete CVE list: CVE-2018-1320

Package: okhttp-3.3.0
  Should be: 3.12.0
  Max CVE (CVSS): CVE-2018-20200 (5.9)
  Complete CVE list: CVE-2018-20200

Package: protobuf-java-2.5.0
  Should be: 3.4.0
  Max CVE (CVSS): CVE-2015-5237 (8.8)
  Complete CVE list: CVE-2015-5237

Package: retrofit-2.1.0
  Should be: 2.5.0
  Max CVE (CVSS): CVE-2018-1000850 (7.5)
  Complete CVE list: CVE-2018-1000850

Package: scala-library-2.11.0
  Should be: 2.11.12
  Max CVE (CVSS): CVE-2017-15288 (7.8)
  Complete CVE list: CVE-2017-15288

Package: serializer-2.7.1
  Should be: 2.7.2
  Max CVE (CVSS): CVE-2014-0107 (7.5)
  Complete CVE list: CVE-2014-0107

Package: xalan-2.7.1
  Should be: 2.7.2
  Max CVE (CVSS): CVE-2014-0107 (7.5)
  Complete CVE list: CVE-2014-0107

Package: xercesImpl-2.11.0
  Should be: 2.12.0
  Max CVE (CVSS): CVE-2012-0881 (7.5)
  Complete CVE list: CVE-2012-0881

Package: zookeeper-3.4.12
  Should be: 3.4.14
  Max CVE (CVSS): CVE-2019-0201 (5.9)
  Complete CVE list: CVE-2019-0201
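An added example, not part of Brad's mail or of the Drill project: a small Python triage helper that parses records in the flattened "Package: ... Should be: ... Max CVE (CVSS): ... Complete CVE list: ..." shape the scan produced, ranks packages by their maximum CVSS score so the worst get filed first, and finds CVEs that appear under several packages, which in this listing points at one transitive library (Guava) behind several entries. SCAN_TEXT is an excerpt of four records copied from the listing above (the kudu footnote omitted); parse_scan, triage and shared_cves are names chosen here.

```python
import re
from collections import defaultdict

# Excerpt of four records from the scan listing above, one record per line,
# constructed here as sample input so the script runs offline.
SCAN_TEXT = """\
Package: avro-1.8.2 Should be: 1.9.0 Max CVE (CVSS): CVE-2018-10237 (5.9) Complete CVE list: CVE-2018-10237
Package: guava-19.0 Should be: 24.1.1 Max CVE (CVSS): CVE-2018-10237 (5.9) Complete CVE list: CVE-2018-10237
Package: derby-10.10.2.0 Should be: 10.14.2.0 Max CVE (CVSS): CVE-2015-1832 (9.1) Complete CVE list: CVE-2015-1832 CVE-2018-1313
Package: kudu-client-1.3.0.jar Should be: 1.10.0 Max CVE (CVSS): CVE-2015-5237 (8.8) Complete CVE list: CVE-2018-10237 CVE-2015-5237 CVE-2019-16869
"""

# One record = package, recommended version, worst CVE with its CVSS score,
# and the full CVE list (one or more CVE ids separated by whitespace).
RECORD = re.compile(
    r"Package:\s*(?P<package>.+?)\s+"
    r"Should be:\s*(?P<fix>.+?)\s+"
    r"Max CVE \(CVSS\):\s*(?P<max_cve>CVE-\d{4}-\d+)\s*\((?P<cvss>[\d.]+)\)\s+"
    r"Complete CVE list:\s*(?P<cves>(?:CVE-\d{4}-\d+\s*)+)"
)


def parse_scan(text):
    """Return one dict per package record found in the flattened listing."""
    records = []
    for m in RECORD.finditer(text):
        records.append({
            "package": m["package"],
            "fix": m["fix"],
            "max_cve": m["max_cve"],
            "cvss": float(m["cvss"]),
            "cves": m["cves"].split(),
        })
    return records


def triage(records, floor=7.0):
    """Packages at or above the CVSS floor, worst first: the ones to file first."""
    hot = [r for r in records if r["cvss"] >= floor]
    return sorted(hot, key=lambda r: (-r["cvss"], r["package"]))


def shared_cves(records):
    """Map each CVE carried by more than one package to those packages. A CVE
    repeated across packages usually means a single transitive dependency
    (Guava for CVE-2018-10237 here) that one coordinated upgrade would fix."""
    index = defaultdict(set)
    for r in records:
        for cve in r["cves"]:
            index[cve].add(r["package"])
    return {cve: sorted(pkgs) for cve, pkgs in index.items() if len(pkgs) > 1}
```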