damccorm opened a new issue, #19991:
URL: https://github.com/apache/beam/issues/19991
Hello, your project uses some dependencies with CVEs. I found that the buggy
methods of the CVEs are in the program execution path of your project, which
puts your project at risk. I suggest a library update. See details below:
* *Vulnerable Dependency:* org.apache.hive : hive-exec : 2.1.0
* *Call Chain to Buggy Methods:*
  * *Some files in your project call the library method
    org.apache.hadoop.hive.ql.Driver.run(java.lang.String), which can reach the
    buggy method of
    [CVE-2017-12625](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12625).*
    * Files in your project:
      sdks/java/io/hcatalog/src/main/java/org/apache/beam/sdk/io/hcatalog/test/EmbeddedMetastoreService.java
    * One of the possible call chains:
      org.apache.hadoop.hive.ql.Driver.run(java.lang.String)
      org.apache.hadoop.hive.ql.Driver.run(java.lang.String,boolean)
      org.apache.hadoop.hive.ql.Driver.runInternal(java.lang.String,boolean)
      org.apache.hadoop.hive.ql.Driver.compileInternal(java.lang.String)
      org.apache.hadoop.hive.ql.Driver.compile(java.lang.String)
      org.apache.hadoop.hive.ql.Driver.compile(java.lang.String,boolean)
      org.apache.hadoop.hive.ql.parse.ParseDriver.parse(java.lang.String,org.apache.hadoop.hive.ql.Context)
      [buggy method]
  * *Update suggestion:* version 3.1.2. 3.1.2 is a safe version without CVEs.
    From 2.1.0 to 3.1.2, 2 of the APIs (called 2 times in your project) were
    removed, and 3 APIs (called 3 times in your project) were modified.
Imported from Jira
[BEAM-9428](https://issues.apache.org/jira/browse/BEAM-9428). Original Jira may
contain additional context.
Reported by: XuCY.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.