Good question. I'd suggest creating one, and if issues arise in the process, create a separate issue for that. But it seems excessive to create separate issues for each update especially if all you are doing is updating a pom file. That's just my .02. -- C
> On Oct 18, 2019, at 11:59 AM, Bradley Parker <bradp...@ca.ibm.com> wrote:
>
> Thank you Charles, will do. Is it more appropriate to open one JIRA for all
> the packages or to break each package into a separate issue?
>
> -Brad
>
> -----Charles Givre <cgi...@gmail.com> wrote: -----
> To: dev@drill.apache.org
> From: Charles Givre <cgi...@gmail.com>
> Date: 10/17/2019 04:57PM
> Cc: Glen Bizeau <glen.biz...@ca.ibm.com>, Sean Peppard <sean.pepp...@ca.ibm.com>
> Subject: [EXTERNAL] Re: Dependencies used by Drill contain known vulnerabilities
>
> Hi Brad,
> Thanks for your interest in Drill. Can you please create a JIRA
> (issues.apache.org <http://issues.apache.org/>) and start the discussion.
> Thanks,
> -- C
>
>> On Oct 17, 2019, at 3:40 PM, Bradley Parker <bradp...@ca.ibm.com> wrote:
>>
>> Hello Apache Drill Devs,
>>
>> We are looking to make use of Apache Drill for a project, as a member of our
>> product security team I was asked to perform a dependency analysis of Drill.
>> I identified 24 dependencies with known vulnerabilities using OWASP
>> Dependency Scan.
>>
>> I found this in the archives from two years ago
>> http://mail-archives.apache.org/mod_mbox/drill-dev/201709.mbox/%3Cb4df2a35-121c-11a5-a666-4af7bd98b1db@apache.org%3E
>> discussing the potential of integrating OWASP into the project.
>>
>> Aside from Kafka [DRILL-6739] and Avro [DRILL-7302] I was unable to find
>> mention in Jira of updates to the remaining 22 libraries. Is it reasonable to
>> assume there is no plan to upgrade at this time then?
>>
>> I'm more than willing to step up and raise these and future dependency
>> vulnerabilities I am aware of in Jira to get the discussions started.
>> I think that is a good place to raise these security issues, and from there
>> the community can discuss upgrading the affected dependencies, or rule them
>> out as not applicable.
>>
>> Thank you for your time,
>> -Brad
>>
>> For reference, the list of vulnerabilities identified by the OWASP tool:
>>
>> Package: avro-1.8.2
>> Should be: 1.9.0
>> Max CVE (CVSS): CVE-2018-10237 (5.9)
>> Complete CVE list:
>> CVE-2018-10237
>>
>> Package: commons-beanutils-1.9.2
>> Should be: 1.9.4
>> Max CVE (CVSS): CVE-2019-10086 (7.3)
>> Complete CVE list:
>> CVE-2019-10086
>>
>> Package: commons-beanutils-core-1.8.0
>> Should be: Moved to commons-beanutils
>> Max CVE (CVSS): CVE-2014-0114 (7.5)
>> Complete CVE list:
>> CVE-2014-0114
>>
>> Package: converter-jackson
>> Should be: 2.5.0
>> Max CVE (CVSS): CVE-2018-1000850 (7.5)
>> Complete CVE list:
>> CVE-2018-1000850
>>
>> Package: derby-10.10.2.0
>> Should be: 10.14.2.0
>> Max CVE (CVSS): CVE-2015-1832 (9.1)
>> Complete CVE list:
>> CVE-2015-1832
>> CVE-2018-1313
>>
>> Package: drill-hive-exec-shaded
>> Should be: New release needed with updated Guava
>> Max CVE (CVSS): CVE-2018-10237 (7.5)
>> Complete CVE list:
>> CVE-2018-10237
>>
>> Package: drill-java-exec
>> Should be: New release needed with updated jQuery and Bootstrap
>> Max CVE (CVSS): CVE-2019-11358 (6.1)
>> Complete CVE list:
>> CVE-2018-14040
>> CVE-2018-14041
>> CVE-2018-14042
>> CVE-2019-8331
>> CVE-2019-11358
>>
>> Package: drill-shaded-guava-23
>> Should be: New release needed with updated Guava
>> Max CVE (CVSS): CVE-2018-10237 (5.9)
>> Complete CVE list:
>> CVE-2018-10237
>>
>> Package: guava-19.0
>> Should be: 24.1.1
>> Max CVE (CVSS): CVE-2018-10237 (5.9)
>> Complete CVE list:
>> CVE-2018-10237
>>
>> Package: hadoop-yarn-common-2.7.4
>> Should be: 3.2.1
>> Max CVE (CVSS): CVE-2019-11358 (6.1)
>> Complete CVE list:
>> CVE-2012-6708
>> CVE-2015-9251
>> CVE-2019-11358
>> CVE-2010-5312
>> CVE-2016-7103
>>
>> Package: hbase-http-2.1.1.jar
>> Should be: 2.1.4
>> Max CVE (CVSS): CVE-2019-0212 (7.5)
>> Complete CVE list:
>> CVE-2019-0212
>>
>> Package: httpclient-4.2.5.jar
>> Should be: 4.3.6
>> Max CVE (CVSS): CVE-2014-3577 (5.8)
>> Complete CVE list:
>> CVE-2014-3577
>> CVE-2015-5262
>>
>> Package: jackson-databind-2.9.5
>> Should be: 2.10.0
>> Max CVE (CVSS): CVE-2018-14721 (10)
>> Complete CVE list:
>> CVE-2019-17267
>> CVE-2019-16943
>> CVE-2019-16942
>> CVE-2019-16335
>> CVE-2019-14540
>> CVE-2019-14439
>> CVE-2019-14379
>> CVE-2018-11307
>> CVE-2019-12384
>> CVE-2019-12814
>> CVE-2019-12086
>> CVE-2018-12023
>> CVE-2018-12022
>> CVE-2018-19362
>> CVE-2018-19361
>> CVE-2018-19360
>> CVE-2018-14721
>> CVE-2018-14720
>> CVE-2018-14719
>> CVE-2018-14718
>> CVE-2018-1000873
>>
>> Package: Kafka 0.11.0.1
>> Should be: 2.1.0
>> Max CVE (CVSS): CVE-2018-17196 (8.8)
>> Complete CVE list:
>> CVE-2018-17196
>> CVE-2018-1288
>> CVE-2017-12610
>>
>> Package: kudu-client-1.3.0.jar
>> Should be: 1.10.0
>> Only a partial fix, no fix for netty CVE-2019-16869 (7.5), kudu still needs
>> to update their netty (this is not unexpected as this CVE is newer)
>> Max CVE (CVSS): CVE-2015-5237 (8.8)
>> Complete CVE list:
>> CVE-2018-10237
>> CVE-2015-5237
>> CVE-2019-16869
>>
>> Package: libfb303-0.9.3.jar
>> Should be: libthrift 0.12.0
>> Moved to libthrift
>> Max CVE (CVSS): CVE-2018-1320 (7.5)
>> Complete CVE list:
>> CVE-2018-1320
>>
>> Package: okhttp-3.3.0
>> Should be: 3.12.0
>> Max CVE (CVSS): CVE-2018-20200 (5.9)
>> Complete CVE list:
>> CVE-2018-20200
>>
>> Package: protobuf-java-2.5.0
>> Should be: 3.4.0
>> Max CVE (CVSS): CVE-2015-5237 (8.8)
>> Complete CVE list:
>> CVE-2015-5237
>>
>> Package: retrofit-2.1.0
>> Should be: 2.5.0
>> Max CVE (CVSS): CVE-2018-1000850 (7.5)
>> Complete CVE list:
>> CVE-2018-1000850
>>
>> Package: scala-library-2.11.0
>> Should be: 2.11.12
>> Max CVE (CVSS): CVE-2017-15288 (7.8)
>> Complete CVE list:
>> CVE-2017-15288
>>
>> Package: serializer-2.7.1
>> Should be: 2.7.2
>> Max CVE (CVSS): CVE-2014-0107 (7.5)
>> Complete CVE list:
>> CVE-2014-0107
>>
>> Package: xalan-2.7.1
>> Should be: 2.7.2
>> Max CVE (CVSS): CVE-2014-0107 (7.5)
>> Complete CVE list:
>> CVE-2014-0107
>>
>> Package: xercesImpl-2.11.0
>> Should be: 2.12.0
>> Max CVE (CVSS): CVE-2012-0881 (7.5)
>> Complete CVE list:
>> CVE-2012-0881
>>
>> Package: zookeeper-3.4.12
>> Should be: 3.4.14
>> Max CVE (CVSS): CVE-2019-0201 (5.9)
>> Complete CVE list:
>> CVE-2019-0201
>
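The per-package list in the thread (max-CVSS CVE plus the complete CVE list for each artifact) is the shape a triage ticket wants, and it can be produced directly from the scanner's report rather than by hand. The following Python script is an added example and is not code from Apache Drill or from OWASP Dependency-Check: it reads a Dependency-Check JSON report, groups findings per artifact, picks the worst scored CVE (CVSS v3 base score, falling back to v2), keeps unscored entries visible instead of silently dropping them, skips artifacts with no findings, and ranks the artifacts whose worst finding is at or above a threshold so the JIRA discussion can start with the worst ones. The sample report is constructed inline from a few of the package names, CVE ids and scores quoted above; which CVSS version a score is filed under, the entry with no score block, and the clean "clean-library-1.0.0.jar" artifact are artificial choices made to exercise the fallbacks. The field names assumed for the report (dependencies[].fileName, vulnerabilities[].name, cvssv3.baseScore, cvssv2.score) are an assumption about the JSON format and should be checked against a real dependency-check-report.json.

```python
"""Triage an OWASP Dependency-Check JSON report into a per-package summary.

Added example; this is not code from Apache Drill or from Dependency-Check.
Assumed report layout (verify against a real dependency-check-report.json):
  dependencies[].fileName
  dependencies[].vulnerabilities[].name
  dependencies[].vulnerabilities[].cvssv3.baseScore  (preferred)
  dependencies[].vulnerabilities[].cvssv2.score      (fallback)
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample report. Package names, CVE ids and scores are the ones
# quoted in the thread; which CVSS version a score sits under, the entry with
# no score block, and the clean artifact are artificial, to exercise fallbacks.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "commons-beanutils-1.9.2.jar",
         "vulnerabilities": [
             {"name": "CVE-2019-10086", "cvssv3": {"baseScore": 7.3}}]},
        {"fileName": "derby-10.10.2.0.jar",
         "vulnerabilities": [
             {"name": "CVE-2015-1832", "cvssv3": {"baseScore": 9.1}},
             {"name": "CVE-2018-1313"}]},  # no score block at all
        {"fileName": "kudu-client-1.3.0.jar",
         "vulnerabilities": [
             {"name": "CVE-2018-10237", "cvssv2": {"score": 5.9}},  # v2 only
             {"name": "CVE-2015-5237", "cvssv3": {"baseScore": 8.8}},
             {"name": "CVE-2019-16869", "cvssv3": {"baseScore": 7.5}}]},
        {"fileName": "okhttp-3.3.0.jar",
         "vulnerabilities": [
             {"name": "CVE-2018-20200", "cvssv3": {"baseScore": 5.9}}]},
        {"fileName": "clean-library-1.0.0.jar"},  # hypothetical, no findings
    ]
})

Finding = Tuple[str, Optional[float]]  # (CVE id, CVSS score or None)


def cvss_score(vuln: dict) -> Optional[float]:
    """Prefer the CVSS v3 base score, fall back to v2, else None (unscored)."""
    for block, key in (("cvssv3", "baseScore"), ("cvssv2", "score")):
        scores = vuln.get(block)
        if scores and scores.get(key) is not None:
            return float(scores[key])
    return None


def summarize(report_json: str) -> Dict[str, dict]:
    """Map artifact file name -> {max, cves, unscored}; clean artifacts are skipped."""
    summary: Dict[str, dict] = {}
    for dep in json.loads(report_json).get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        findings: List[Finding] = [(v["name"], cvss_score(v)) for v in vulns]
        scored = [f for f in findings if f[1] is not None]
        summary[dep["fileName"]] = {
            # worst scored finding, or None if nothing here carries a score
            "max": max(scored, key=lambda f: f[1]) if scored else None,
            "cves": sorted(f[0] for f in findings),
            # keep unscored ids visible: they need a manual look, not silence
            "unscored": sorted(f[0] for f in findings if f[1] is None),
        }
    return summary


def above_threshold(summary: Dict[str, dict],
                    threshold: float = 7.0) -> List[Tuple[str, float, str]]:
    """(artifact, score, cve) for artifacts whose worst finding >= threshold, worst first."""
    ranked = [(name, s["max"][1], s["max"][0]) for name, s in summary.items()
              if s["max"] is not None and s["max"][1] >= threshold]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def render(summary: Dict[str, dict]) -> str:
    """Plain-text report in the same shape as the list posted to the thread."""
    out: List[str] = []
    for name in sorted(summary):
        s = summary[name]
        out.append(f"Package: {name}")
        if s["max"] is not None:
            out.append(f"Max CVE (CVSS): {s['max'][0]} ({s['max'][1]:g})")
        else:
            out.append("Max CVE (CVSS): unscored, review manually")
        out.append("Complete CVE list:")
        out.extend(s["cves"])
        if s["unscored"]:
            out.append("Unscored: " + ", ".join(s["unscored"]))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(render(result))
    for artifact, score, cve in above_threshold(result):
        print(f"open first: {artifact} ({cve}, {score:g})")
```

A scanner hit is the reason to open the discussion, not proof that Drill is exploitable through that library: as the thread says, each item still has to be either upgraded or ruled out as not applicable, so the threshold only orders the work. To run it against a real scan, replace SAMPLE_REPORT with the contents of the JSON report the Dependency-Check Maven plugin writes.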