Greetings!
Looks like most of the vulnerabilities come from Hadoop dependencies,
and most of them are not needed for writing a Parquet file, so I have
excluded:
// enclosing configurations.all block assumed: resolutionStrategy and
// exclude both apply per configuration
configurations.all {
    // avoid using old Logging APIs with security issues
    resolutionStrategy {
        force 'org.apache.logging.log4j:log4j-api:2.+'
        force 'org.apache.logging.log4j:log4j-core:2.+'
        force 'org.apache.logging.log4j:log4j-slf4j-impl:2.+'
        force 'org.apache.logging.log4j:log4j-jul:2.+'
        force 'org.slf4j:slf4j-log4j12:2.+'
    }
    // transitive Hadoop dependencies not needed for writing a Parquet file
    exclude(group: 'io.netty')
    exclude(group: 'org.codehaus.jettison')
    exclude(group: 'org.mortbay.jetty')
    exclude(group: 'javax.servlet.jsp')
    exclude(group: 'com.sun.jersey')
    exclude(group: 'org.apache.curator')
    exclude(group: 'org.apache.zookeeper')
    exclude(group: 'org.apache.kerby')
    exclude(group: 'com.google.protobuf')
    exclude(group: 'org.yaml')
    exclude(group: 'net.minidev', module: 'json-smart')
    exclude(group: 'org.codehaus.jackson', module: 'jackson-mapper-asl')
    exclude(group: 'org.apache.hadoop', module: 'hadoop-hdfs-client')
    exclude(group: 'com.google.guava', module: 'guava')
}
This leaves ossIndexAudit with 1 remaining low-risk concern that can't
be excluded:
[1/1] - pkg:maven/org.apache.commons/[email protected] - 1 vulnerability found!
Vulnerability Title: 1 vulnerability found
ID: sonatype-2023-1627
Description: 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this i...
CVSS Score: (2.7/10, Low)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
CVE: Unspecified
Reference: https://ossindex.sonatype.org/vulnerability/sonatype-2023-1627
So the remaining question was: would it not make sense to document
those excludes on the website, where the dependencies are mentioned, so
nobody needs to reinvent the wheel when using Parquet?
Cheers
Andreas
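The exclusions from the mail above, placed in a complete build.gradle together with a task that fails the build if any of the excluded groups comes back onto the runtime classpath (for example after a later dependency bump pulls it in through a different path). This is an added example, not code from the mail or from the Parquet project; it assumes a plain Java project that writes Parquet through parquet-avro on hadoop-client, and the PARQUET_VERSION and HADOOP_VERSION strings are placeholders to be replaced with real versions.

```groovy
// build.gradle (Groovy DSL). Added example; versions are placeholders.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Groups pulled in transitively through Hadoop that a local Parquet writer
// does not need; same list as in the mail above.
def excludedGroups = [
    'io.netty', 'org.codehaus.jettison', 'org.mortbay.jetty', 'javax.servlet.jsp',
    'com.sun.jersey', 'org.apache.curator', 'org.apache.zookeeper',
    'org.apache.kerby', 'com.google.protobuf', 'org.yaml',
]

configurations.all {
    // Pin the logging stack to log4j 2.x so the old log4j 1.x API cannot sneak in.
    resolutionStrategy {
        force 'org.apache.logging.log4j:log4j-api:2.+'
        force 'org.apache.logging.log4j:log4j-core:2.+'
        force 'org.apache.logging.log4j:log4j-slf4j-impl:2.+'
        force 'org.apache.logging.log4j:log4j-jul:2.+'
        force 'org.slf4j:slf4j-log4j12:2.+'
    }
    // Whole-group exclusions.
    excludedGroups.each { g -> exclude group: g }
    // Single-module exclusions.
    exclude group: 'net.minidev', module: 'json-smart'
    exclude group: 'org.codehaus.jackson', module: 'jackson-mapper-asl'
    exclude group: 'org.apache.hadoop', module: 'hadoop-hdfs-client'
    exclude group: 'com.google.guava', module: 'guava'
}

dependencies {
    // Placeholder versions; replace with the releases in use.
    implementation 'org.apache.parquet:parquet-avro:PARQUET_VERSION'
    implementation 'org.apache.hadoop:hadoop-client:HADOOP_VERSION'
}

// Guard task: resolve the runtime classpath and fail if any excluded group
// is present, so a silent re-introduction shows up in CI rather than in
// the next audit.
tasks.register('verifyExcludedGroups') {
    doLast {
        def offenders = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group in excludedGroups }
            .collect { "${it.group}:${it.name}:${it.version}" }
            .unique()
        if (offenders) {
            throw new GradleException(
                "Excluded groups are back on the runtime classpath:\n  " + offenders.join('\n  '))
        }
        logger.lifecycle("verifyExcludedGroups: no excluded groups on runtimeClasspath")
    }
}

// Run the guard as part of the normal check lifecycle.
tasks.named('check') { dependsOn 'verifyExcludedGroups' }
```

Run `./gradlew check` (or `./gradlew verifyExcludedGroups` on its own); combining it with `./gradlew dependencies --configuration runtimeClasspath` shows exactly which path an offending artifact arrived through. Note that the guard only covers the group-level exclusions; the four module-level exclusions are checked by the audit itself, since a re-appearing module would show up there as a new finding.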