[ https://issues.apache.org/jira/browse/PIG-5345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dave Wichers updated PIG-5345:
------------------------------

Description:

I ran a commercial known vulnerable library analysis tool on PIG and it flagged numerous direct and transitive dependencies as having known vulnerabilities.

I'd be happy to share the list offline if anyone is interested in the list/willing to work on upgrading them. If interested, contact me at: dave.wich...@owasp.org.

If it is not doing so already, the project might also want to start using OWASP Dependency Check or [https://ossindex.net/] to automate this type of analysis so it's easier for the project to try to keep up to date as new CVEs in libraries are uncovered.

was:

I ran a commercial known vulnerable library analysis tool on PIG and it flagged numerous direct and transitive dependencies as having known vulnerabilities.

I'd be happy to share the list offline if anyone is interested in the list/willing to work on upgrading them. If interested, contact me at: dave.wich...@owasp.org.

If it is not doing so already, the project might also want to start using OWASP Dependency Check or [https://ossindex.net/] to automate this type of analysis so it's easier for the project to try to keep up to date as new CVEs in libraries are uncovered.

The project might also want to start using some known vulnerable library tools like OWASP Dependency Check or [https://ossindex.net/] (both are free) to help the project identify/avoid issues like this in the future.
> Use of numerous known vulnerable libraries
> ------------------------------------------
>
>                 Key: PIG-5345
>                 URL: https://issues.apache.org/jira/browse/PIG-5345
>             Project: Pig
>          Issue Type: Improvement
>            Reporter: Dave Wichers
>            Priority: Major
>              Labels: CVE, security
>
> I ran a commercial known vulnerable library analysis tool on PIG and it
> flagged numerous direct and transitive dependencies as having known
> vulnerabilities.
> I'd be happy to share the list offline if anyone is interested in the
> list/willing to work on upgrading them. If interested, contact me at:
> dave.wich...@owasp.org.
> If it is not doing so already, the project might also want to start using
> OWASP Dependency Check or [https://ossindex.net/] to automate this type of
> analysis so it's easier for the project to try to keep up to date as new CVEs
> in libraries are uncovered.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)