Hi Istvan,

as discussed off list, I also ran a scan for a 1.1.3-SNAPSHOT build, and
came to similar results (not a perfect match, but an exact science it ain't
:)

avro:1.9.2 -> CVE-2024-47561, CVE-2023-394100
netty-codec-http:4.1.97.Final -> CVE-2024-29025, GHSA-xpw8-rcwv-8f8p
netty-common:4.1.97.Final -> CVE-2024-47535, CVE-2025-25193
netty-handler:4.1.97.Final -> CVE-2025-24970
protobuf-java:2.5.0 -> CVE-2021-22569, CVE-2021-22570, CVE-2022-3171,
CVE-2022-3509, CVE-2022-3510, CVE-2024-7254

So basically the only thing "extra" in that list is Avro, not sure why
tbh.  But that comes in via Hadoop, so nothing to be done there I guess.

I have posted the results in a spreadsheet here as well:
https://docs.google.com/spreadsheets/d/11VvFnIgGksun1J3HolV8wpXmPqThI6tZ1R_8UaUAOsE/edit?gid=1478559804#gid=1478559804
in case anybody is interested.
I've also included the dependency graphs on extra sheets.

But basically I'd say this is as good as it is gonna get and as you said,
much much much better than 1.1.2

Best regards,
Sönke

On Tue, Mar 18, 2025 at 5:15 PM Istvan Toth <st...@cloudera.com.invalid>
wrote:

> Thanks for the offer Sönke, but the release process requires permissions
> that only PMCs have and there is only so much you could do without that.
>
> Unfortunately your screenshot didn't make it to my Gmail.
> Can you attach it or copy-paste the text version ?
>
> Yes, most (on master all) CVEs are transitive from Hadoop and HBase, and
> the new versions are still significantly better than 1.1.2
>
> I've run *mvn clean verify -Powasp-dependency-check -DnvdApiKey=<mykey> *
> to get the CVE list
> (You need to update the OWASP plugin version to 11.0.2 , and use at least
> Java 11)
>
> I don't want to copy paste it here because it's huge, but it's basically:
>
> - protobuf 2.5.0, which we cannot do anything about until HBase 3
> - Netty 4.1.97 Final from hbase-thirdparty 4.1.5
> - Jetty 9.4.52 from hbase-thirdparty 4.1.5
> - Netty 4.1.100 from Hadoop (see OMID-302)
> - Jetty websocket 9.4.53 from Hadoop.
>
> Not ideal, but MUCH better than 1.1.2, which has about a dozen more
> components with CVEs, many of them REALLY old from Hadoop 3.4.2.
> (HBase should probably have bumped the thirdparty version before releasing
> 2.5.11, but it's too late now)
>
> Due to the Hadoop->HBase->Omid release timelines, it's unlikely that we'd
> ever get a fully CVE free release, but we should make an effort at least.
>
> Istvan
>
>
>
> On Tue, Mar 18, 2025 at 2:31 PM Sönke Liebau
> <soenke.lie...@stackable.tech.invalid> wrote:
>
> > Hi Istvan,
> >
> > I have taken a brief look at the results of our vulnerability scanning,
> > and while Omid doesn't fare too well there, I think a lot of the
> > vulnerabilities we cannot do much about.
> >
> > 48 of the critical ones are due to jackson databind 2.4.0 which is still
> > pulled in by the Hadoop version that is used by the HBase version omid
> > uses (I believe also in the updated version for 1.1.3) which we can't do
> > much about in this project I guess..
> >
> >
> > [image: image.png]
> >
> > Quite a few of the other vulnerabilities also come in via dependencies of
> > Hadoop, so may vanish with the update. I am happy to build and scan an
> > image with the current master branch to get a comparison and see if there
> > are any low hanging fruits remaining, but you probably did that already
> > yourself?
> >
> > Also, I'd be happy to help with the release, if there is documentation
> > that could guide me along the way I could be persuaded to be the release
> > manager as well, but that may end up just meaning a lot of questions for
> > everybody else :)
> >
> > Best regards,
> > Sönke
> >
> >
> >
> > On Tue, Mar 18, 2025 at 10:26 AM Istvan Toth <st...@apache.org> wrote:
> >
> >> Hi!
> >>
> >> As we're preparing for Phoenix 5.2.2, I have identified a few transitive
> >> CVEs from Omid.
> >> The last Phoenix release was a year ago, and there are more than a dozen
> >> unreleased CVE, build, and dependency version fixes on the master branch.
> >>
> >> I propose releasing Omid 1.1.3 from the current master branch.
> >>
> >> Do you have any objections ?
> >> Are there any open issues that should be fixed for 1.1.3 ?
> >> If we decide to release, would anyone volunteer to be the 1.1.3 Release
> >> Manager ?
> >>
> >> Istvan
> >>
> >
>
> --
> *István Tóth* | Sr. Staff Software Engineer
> *Email*: st...@cloudera.com
> cloudera.com <https://www.cloudera.com>
>
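The thread compares the dependency-check output of two builds by hand (1.1.2 vs 1.1.3-SNAPSHOT, "not a perfect match"). As an added example, not code from the Omid project or from either poster, the script below reads two OWASP dependency-check JSON reports (the `-f JSON` format of the Maven plugin; the field names `dependencies`, `fileName`, `packages[].id` and `vulnerabilities[].name` are assumed to match that report layout) and prints, per Maven artifact, the advisory ids found plus which (artifact, advisory) pairs were fixed, introduced, or remain between the two scans. The two embedded reports are constructed stand-ins that only reuse artifact versions and advisory ids quoted in the mails; the jackson-databind id is a placeholder because the thread lists none.

```python
"""Per-artifact CVE diff of two OWASP dependency-check JSON reports.

Added example for the Omid release thread; not project code. Assumes the
report layout dependency-check writes for JSON output (a top-level
"dependencies" list, each entry with "fileName", "packages" carrying a
purl-style "id", and "vulnerabilities" carrying a "name"). The embedded
reports are constructed, heavily trimmed samples, not real scan output.
"""
import json
import sys
from collections import defaultdict


def artifact_name(dep):
    """Return 'artifactId:version' from the Maven purl, else the jar file name."""
    for pkg in dep.get("packages") or []:
        pid = pkg.get("id", "")
        if pid.startswith("pkg:maven/"):
            coords, _, version = pid[len("pkg:maven/"):].partition("@")
            return f"{coords.rsplit('/', 1)[-1]}:{version}"
    return dep.get("fileName", "<unknown>")


def summarize(report):
    """Map each artifact that has findings to the set of advisory ids on it."""
    findings = defaultdict(set)
    for dep in report.get("dependencies") or []:
        vulns = dep.get("vulnerabilities") or []
        if vulns:  # clean artifacts (e.g. Omid's own modules) are skipped
            findings[artifact_name(dep)].update(v["name"] for v in vulns)
    return dict(findings)


def diff_reports(old_report, new_report):
    """Classify (artifact, advisory) pairs as fixed, introduced or remaining."""
    def pairs(report):
        return {(a, v) for a, vs in summarize(report).items() for v in vs}
    old, new = pairs(old_report), pairs(new_report)
    return {
        "fixed": sorted(old - new),
        "introduced": sorted(new - old),
        "remaining": sorted(old & new),
    }


def format_summary(findings):
    """One 'artifact -> id, id' line per artifact, like the list in the mail."""
    return [f"{a} -> {', '.join(sorted(vs))}" for a, vs in sorted(findings.items())]


def _dep(purl, *advisories):
    """Build one constructed dependency entry in the assumed report layout."""
    coords, _, version = purl[len("pkg:maven/"):].partition("@")
    jar = f"{coords.rsplit('/', 1)[-1]}-{version}.jar"
    return {"fileName": jar, "packages": [{"id": purl}],
            "vulnerabilities": [{"name": a} for a in advisories]}


# Constructed sample: a trimmed "1.1.2-like" scan. CVE-PLACEHOLDER-1 stands in
# for the jackson-databind findings the thread does not list by id.
OLD_REPORT = {"dependencies": [
    _dep("pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0", "CVE-PLACEHOLDER-1"),
    _dep("pkg:maven/io.netty/netty-codec-http@4.1.97.Final", "CVE-2024-29025", "GHSA-xpw8-rcwv-8f8p"),
    _dep("pkg:maven/com.google.protobuf/protobuf-java@2.5.0", "CVE-2021-22569", "CVE-2024-7254"),
    _dep("pkg:maven/org.apache.omid/omid-common@1.1.3-SNAPSHOT"),
]}

# Constructed sample: a trimmed "1.1.3-SNAPSHOT-like" scan. jackson is gone,
# avro (via Hadoop) shows up as the one extra item, the rest is unchanged.
NEW_REPORT = {"dependencies": [
    _dep("pkg:maven/io.netty/netty-codec-http@4.1.97.Final", "CVE-2024-29025", "GHSA-xpw8-rcwv-8f8p"),
    _dep("pkg:maven/com.google.protobuf/protobuf-java@2.5.0", "CVE-2021-22569", "CVE-2024-7254"),
    _dep("pkg:maven/org.apache.avro/avro@1.9.2", "CVE-2024-47561"),
    _dep("pkg:maven/org.apache.omid/omid-common@1.1.3-SNAPSHOT"),
]}


def main(argv):
    # Usage: python cve_diff.py old-report.json new-report.json
    # With no arguments the embedded constructed samples are used.
    if len(argv) == 3:
        with open(argv[1]) as f_old, open(argv[2]) as f_new:
            old, new = json.load(f_old), json.load(f_new)
    else:
        old, new = OLD_REPORT, NEW_REPORT
    print("current findings:")
    for line in format_summary(summarize(new)):
        print("  " + line)
    delta = diff_reports(old, new)
    for key in ("fixed", "introduced", "remaining"):
        print(f"{key}: {len(delta[key])}")
        for artifact, advisory in delta[key]:
            print(f"  {artifact} -> {advisory}")


if __name__ == "__main__":
    main(sys.argv)
```

Diffing on (artifact, advisory) pairs rather than on artifact names is what makes a version bump visible: a jar that is upgraded shows up as one set of "fixed" pairs under the old coordinate and, if the new version still has findings, a separate set of "introduced" pairs under the new one, which is the case you want to eyeball after bumping a Hadoop or hbase-thirdparty version.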
