Hi Brad,

Thanks for your interest in Drill. Can you please create a JIRA (issues.apache.org, http://issues.apache.org/) and start the discussion.

Thanks,
-- C
> On Oct 17, 2019, at 3:40 PM, Bradley Parker <bradp...@ca.ibm.com> wrote:
>
> Hello Apache Drill Devs,
>
> We are looking to make use of Apache Drill for a project; as a member of our product security team, I was asked to perform a dependency analysis of Drill. I identified 24 dependencies with known vulnerabilities using OWASP Dependency Scan.
>
> I found this in the archives from two years ago
> http://mail-archives.apache.org/mod_mbox/drill-dev/201709.mbox/%3cb4df2a35-121c-11a5-a666-4af7bd98b...@apache.org%3E
> discussing the potential of integrating OWASP into the project.
>
> Aside from Kafka [DRILL-6739] and Avro [DRILL-7302] I was unable to find mention in Jira of updates to the remaining 22 libraries. Is it reasonable to assume there is no plan to upgrade at this time, then?
>
> I’m more than willing to step up and raise these and future dependency vulnerabilities I am aware of in Jira to get the discussions started. I think that is a good place to raise these security issues, and from there the community can discuss upgrading the affected dependencies, or rule them out as not applicable.
>
> Thank you for your time,
> -Brad
>
> For reference, the list of vulnerabilities identified by the OWASP tool:
>
> Package: avro-1.8.2
> Should be: 1.9.0
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list:
> CVE-2018-10237
>
> Package: commons-beanutils-1.9.2
> Should be: 1.9.4
> Max CVE (CVSS): CVE-2019-10086 (7.3)
> Complete CVE list:
> CVE-2019-10086
>
> Package: commons-beanutils-core-1.8.0
> Should be: Moved to commons-beanutils
> Max CVE (CVSS): CVE-2014-0114 (7.5)
> Complete CVE list:
> CVE-2014-0114
>
> Package: converter-jackson
> Should be: 2.5.0
> Max CVE (CVSS): CVE-2018-1000850 (7.5)
> Complete CVE list:
> CVE-2018-1000850
>
> Package: derby-10.10.2.0
> Should be: 10.14.2.0
> Max CVE (CVSS): CVE-2015-1832 (9.1)
> Complete CVE list:
> CVE-2015-1832
> CVE-2018-1313
>
> Package: drill-hive-exec-shaded
> Should be: New release needed with updated Guava
> Max CVE (CVSS): CVE-2018-10237 (7.5)
> Complete CVE list:
> CVE-2018-10237
>
> Package: drill-java-exec
> Should be: New release needed with updated jQuery and Bootstrap
> Max CVE (CVSS): CVE-2019-11358 (6.1)
> Complete CVE list:
> CVE-2018-14040
> CVE-2018-14041
> CVE-2018-14042
> CVE-2019-8331
> CVE-2019-11358
>
> Package: drill-shaded-guava-23
> Should be: New release needed with updated Guava
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list:
> CVE-2018-10237
>
> Package: guava-19.0
> Should be: 24.1.1
> Max CVE (CVSS): CVE-2018-10237 (5.9)
> Complete CVE list:
> CVE-2018-10237
>
> Package: hadoop-yarn-common-2.7.4
> Should be: 3.2.1
> Max CVE (CVSS): CVE-2019-11358 (6.1)
> Complete CVE list:
> CVE-2012-6708
> CVE-2015-9251
> CVE-2019-11358
> CVE-2010-5312
> CVE-2016-7103
>
> Package: hbase-http-2.1.1.jar
> Should be: 2.1.4
> Max CVE (CVSS): CVE-2019-0212 (7.5)
> Complete CVE list:
> CVE-2019-0212
>
> Package: httpclient-4.2.5.jar
> Should be: 4.3.6
> Max CVE (CVSS): CVE-2014-3577 (5.8)
> Complete CVE list:
> CVE-2014-3577
> CVE-2015-5262
>
> Package: jackson-databind-2.9.5
> Should be: 2.10.0
> Max CVE (CVSS): CVE-2018-14721 (10)
> Complete CVE list:
> CVE-2019-17267
> CVE-2019-16943
> CVE-2019-16942
> CVE-2019-16335
> CVE-2019-14540
> CVE-2019-14439
> CVE-2019-14379
> CVE-2018-11307
> CVE-2019-12384
> CVE-2019-12814
> CVE-2019-12086
> CVE-2018-12023
> CVE-2018-12022
> CVE-2018-19362
> CVE-2018-19361
> CVE-2018-19360
> CVE-2018-14721
> CVE-2018-14720
> CVE-2018-14719
> CVE-2018-14718
> CVE-2018-1000873
>
> Package: Kafka 0.11.0.1
> Should be: 2.1.0
> Max CVE (CVSS): CVE-2018-17196 (8.8)
> Complete CVE list:
> CVE-2018-17196
> CVE-2018-1288
> CVE-2017-12610
>
> Package: kudu-client-1.3.0.jar
> Should be: 1.10.0
> Only a partial fix, no fix for netty CVE-2019-16869 (7.5); kudu still needs to update their netty (this is not unexpected as this CVE is newer)
> Max CVE (CVSS): CVE-2015-5237 (8.8)
> Complete CVE list:
> CVE-2018-10237
> CVE-2015-5237
> CVE-2019-16869
>
> Package: libfb303-0.9.3.jar
> Should be: libthrift 0.12.0
> Moved to libthrift
> Max CVE (CVSS): CVE-2018-1320 (7.5)
> Complete CVE list:
> CVE-2018-1320
>
> Package: okhttp-3.3.0
> Should be: 3.12.0
> Max CVE (CVSS): CVE-2018-20200 (5.9)
> Complete CVE list:
> CVE-2018-20200
>
> Package: protobuf-java-2.5.0
> Should be: 3.4.0
> Max CVE (CVSS): CVE-2015-5237 (8.8)
> Complete CVE list:
> CVE-2015-5237
>
> Package: retrofit-2.1.0
> Should be: 2.5.0
> Max CVE (CVSS): CVE-2018-1000850 (7.5)
> Complete CVE list:
> CVE-2018-1000850
>
> Package: scala-library-2.11.0
> Should be: 2.11.12
> Max CVE (CVSS): CVE-2017-15288 (7.8)
> Complete CVE list:
> CVE-2017-15288
>
> Package: serializer-2.7.1
> Should be: 2.7.2
> Max CVE (CVSS): CVE-2014-0107 (7.5)
> Complete CVE list:
> CVE-2014-0107
>
> Package: xalan-2.7.1
> Should be: 2.7.2
> Max CVE (CVSS): CVE-2014-0107 (7.5)
> Complete CVE list:
> CVE-2014-0107
>
> Package: xercesImpl-2.11.0
> Should be: 2.12.0
> Max CVE (CVSS): CVE-2012-0881 (7.5)
> Complete CVE list:
> CVE-2012-0881
>
> Package: zookeeper-3.4.12
> Should be: 3.4.14
> Max CVE (CVSS): CVE-2019-0201 (5.9)
> Complete CVE list:
> CVE-2019-0201
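The report above is posted as free text, and a reader triaging it by hand can miss two things: the real remediation workload is the set of distinct CVE ids, not the sum of per-package lists, and a CVE that recurs across several artifacts (CVE-2018-10237 shows up under guava itself and under the shaded and bundled guava copies) will not clear when only the direct dependency is bumped. The script below is an added example, not part of this thread or of the Drill project: it parses an excerpt of the posted report (the package blocks are copied from the message, trimmed to a handful of entries), tolerates the free-text note line that the kudu entry carries between its fields, ranks packages by their maximum CVSS, and lists CVEs shared by more than one artifact. The field labels it keys on are the ones used in the message; nothing else about the OWASP tool's output format is assumed.

```python
"""Triage helper for a dependency-scan summary in the format posted on the
Drill dev list (Package / Should be / Max CVE (CVSS) / Complete CVE list).
Added example; not the thread's, the OWASP tool's, or the Drill project's code."""
import re
from collections import defaultdict

# Excerpt of the posted report, kept in the posted format. The kudu entry
# carries the free-text note line the parser must tolerate.
SAMPLE_REPORT = """\
Package: avro-1.8.2
Should be: 1.9.0
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list:
CVE-2018-10237

Package: drill-shaded-guava-23
Should be: New release needed with updated Guava
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list:
CVE-2018-10237

Package: guava-19.0
Should be: 24.1.1
Max CVE (CVSS): CVE-2018-10237 (5.9)
Complete CVE list:
CVE-2018-10237

Package: jackson-databind-2.9.5
Should be: 2.10.0
Max CVE (CVSS): CVE-2018-14721 (10)
Complete CVE list:
CVE-2019-17267
CVE-2018-14721
CVE-2018-1000873

Package: kudu-client-1.3.0.jar
Should be: 1.10.0
Only a partial fix, no fix for netty CVE-2019-16869 (7.5), kudu still needs to
update their netty (this is not unexpected as this CVE is newer)
Max CVE (CVSS): CVE-2015-5237 (8.8)
Complete CVE list:
CVE-2018-10237
CVE-2015-5237
CVE-2019-16869
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MAX_RE = re.compile(r"^Max CVE \(CVSS\):\s*(CVE-\d{4}-\d{4,})\s*\(([\d.]+)\)")


def parse_report(text):
    """Return one dict per 'Package:' block. Lines that are none of the known
    fields (such as the kudu note) are kept as notes instead of being dropped."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {"package": None, "should_be": None, "max_cve": None,
                 "max_cvss": 0.0, "cves": [], "notes": []}
        in_list = False
        for line in block.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("Package:"):
                entry["package"] = line.split(":", 1)[1].strip()
            elif line.startswith("Should be:"):
                entry["should_be"] = line.split(":", 1)[1].strip()
            elif (m := MAX_RE.match(line)):
                entry["max_cve"], entry["max_cvss"] = m.group(1), float(m.group(2))
            elif line.startswith("Complete CVE list:"):
                in_list = True
            elif in_list and CVE_RE.fullmatch(line):
                entry["cves"].append(line)
            else:
                entry["notes"].append(line)
        if entry["package"]:
            findings.append(entry)
    return findings


def by_severity(findings):
    """Packages in triage order: highest max CVSS first, then most CVEs, then name."""
    return sorted(findings, key=lambda f: (-f["max_cvss"], -len(f["cves"]), f["package"]))


def shared_cves(findings):
    """CVE -> packages it appears in, for CVEs hitting more than one artifact.
    A CVE repeated across shaded or bundled jars means bumping the direct
    dependency alone will not clear the finding."""
    seen = defaultdict(list)
    for f in findings:
        for cve in f["cves"]:
            seen[cve].append(f["package"])
    return {cve: pkgs for cve, pkgs in seen.items() if len(pkgs) > 1}


def unique_cves(findings):
    """Distinct CVE ids across all packages: the actual remediation workload."""
    return sorted({cve for f in findings for cve in f["cves"]})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for f in by_severity(found):
        print(f"{f['max_cvss']:>4}  {f['package']:<26} -> {f['should_be']}  ({len(f['cves'])} CVEs)")
    for cve, pkgs in shared_cves(found).items():
        print(f"{cve} shared by: {', '.join(pkgs)}")
    print(f"{len(unique_cves(found))} distinct CVEs")
```

Run as-is to see the ranked table for the excerpt; to triage the full report, paste all 24 blocks from the message into SAMPLE_REPORT (or read them from a file) and the same functions apply unchanged.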