Abacn commented on issue #26403: URL: https://github.com/apache/beam/issues/26403#issuecomment-1781100820
> @Abacn FYI, below "critical" vulnerabilities still exist along with the `log4j` vulnerability and are getting blocked by JFrog XRay scans.
>
> [org.yaml:snakeyaml:1.24](https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.24)
> [com.fasterxml.jackson.core:jackson-databind:2.10.0](https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.10.0)
>
> **Apache Beam SQL Extension Version**
> ```
> <dependency>
>   <groupId>org.apache.beam</groupId>
>   <artifactId>beam-sdks-java-extensions-sql</artifactId>
>   <version>2.51.0</version>
> </dependency>
> ```
>
> **Which Internally Uses Below Version**
> ```
> <dependency>
>   <groupId>org.apache.beam</groupId>
>   <artifactId>beam-vendor-calcite-1_28_0</artifactId>
>   <version>0.2</version>
> </dependency>
> ```

Thanks for the reminder. Both the jackson and snakeYAML vulnerabilities are indeed well-known and should be fixed by upgrades. The obstacle is that upgrading calcite for Beam SQL is known to be nontrivial due to breaking changes (this happened during the last vendor upgrade), so it is expected to take more effort than the other two vendor dependencies Beam currently has. We currently do not have bandwidth and encourage contributors to test with new calcite versions.

Generally, vendor calcite and its dependencies are shaded and only used by the Beam SQL artifact, and the vulnerabilities are usually not exploitable (disclaimer - not professional opinion about security). Other parts of Beam and user code do not depend on the vulnerable dependencies; e.g. Beam Java core depends on a more recent version of jackson databind.

Nevertheless, it should be possible to upgrade these transitive dependencies and keep the calcite version, which requires much less effort. I could initiate that when I get time.
