[ https://issues.apache.org/jira/browse/AMBARI-25490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

XuCongying updated AMBARI-25490:
--------------------------------
    Attachment: apache-ambari_CVE-report.md

> CVEs in the dependencies are in the execution path of your project
> ------------------------------------------------------------------
>
>                 Key: AMBARI-25490
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25490
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: XuCongying
>            Priority: Major
>         Attachments: apache-ambari_CVE-report.md
>
>
> Hello,
>
> Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. Here are the details:
>
> # *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.2
> * *Call Chain to Buggy Methods:*
> ** *Some files in your project call the library method org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[]), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
> *** Files in your project:
> ambari-server/src/main/java/org/apache/ambari/server/credentialapi/CredentialUtil.java
> *** One of the possible call chains:
> org.apache.hadoop.util.ToolRunner.run(org.apache.hadoop.conf.Configuration,org.apache.hadoop.util.Tool,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.<init>(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.Options,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(org.apache.commons.cli.Options,org.apache.hadoop.conf.Configuration,java.lang.String[])
> org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(org.apache.hadoop.conf.Configuration,org.apache.commons.cli.CommandLine)
> org.apache.hadoop.util.GenericOptionsParser.getLibJars(org.apache.hadoop.conf.Configuration)
> org.apache.hadoop.conf.Configuration.get(java.lang.String)
> org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
> * *Update suggestion:* version 3.2.1
> 3.2.1 is a safe version without CVEs. From 2.7.2 to 3.2.1, 3 of the APIs (called 6 times in your project) were modified.
>
> # *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.2.0
> * *Call Chain to Buggy Methods:*
> ** *Some files in your project call the library method org.apache.hadoop.conf.Configuration.get(java.lang.String), which can reach the buggy method of [CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*
> *** Files in your project:
> contrib/ambari-scom/metrics-sink/src/main/java/org/apache/hadoop/metrics2/sink/SqlSink.java
> *** One of the possible call chains:
> org.apache.hadoop.conf.Configuration.get(java.lang.String)
> org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
> * *Update suggestion:* version 3.2.1
> 3.2.1 is a safe version without CVEs. From 2.2.0 to 3.2.1, 1 of the APIs (called 2 times in your project) was modified.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
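The report's claim is a reachability claim: a library method that Ambari code calls has a path in the library's call graph to the method flagged for CVE-2017-15713. The following is an added example (not the reporter's tool and not Ambari or Hadoop code) that rebuilds the two call chains quoted above as a directed graph and checks that reachability with a breadth-first search, then applies the same kind of numeric version comparison the report's "update suggestion" implies. The edge list is constructed from the chains in the report with parameter types shortened to simple names; the graph is not derived from the real hadoop-common bytecode, and the version helper only understands plain dotted x.y.z tags.

```python
"""Reachability check for a flagged dependency method (added example).

Edges below are constructed from the two call chains quoted in AMBARI-25490.
This is not a static analyser of hadoop-common; it shows the reachability
idea behind the report's "Call Chain to Buggy Methods" claim.
"""
from collections import deque

# Method names from the report, parameter types shortened to simple names (assumption).
TOOLRUNNER_RUN = "org.apache.hadoop.util.ToolRunner.run(Configuration,Tool,String[])"
GOP_INIT_1 = "org.apache.hadoop.util.GenericOptionsParser.<init>(Configuration,String[])"
GOP_INIT_2 = "org.apache.hadoop.util.GenericOptionsParser.<init>(Configuration,Options,String[])"
GOP_PARSE = "org.apache.hadoop.util.GenericOptionsParser.parseGeneralOptions(Options,Configuration,String[])"
GOP_PROCESS = "org.apache.hadoop.util.GenericOptionsParser.processGeneralOptions(Configuration,CommandLine)"
GOP_LIBJARS = "org.apache.hadoop.util.GenericOptionsParser.getLibJars(Configuration)"
CONF_GET = "org.apache.hadoop.conf.Configuration.get(String)"
CONF_SUBST = "org.apache.hadoop.conf.Configuration.substituteVars(String)"  # flagged as buggy

# Constructed call graph: caller -> callees, exactly the edges the report lists.
CALL_GRAPH = {
    TOOLRUNNER_RUN: [GOP_INIT_1],
    GOP_INIT_1: [GOP_INIT_2],
    GOP_INIT_2: [GOP_PARSE],
    GOP_PARSE: [GOP_PROCESS],
    GOP_PROCESS: [GOP_LIBJARS],
    GOP_LIBJARS: [CONF_GET],
    CONF_GET: [CONF_SUBST],
    CONF_SUBST: [],
}

# Entry points: the library methods the report says these Ambari files call.
PROJECT_CALLS = {
    "ambari-server/src/main/java/org/apache/ambari/server/credentialapi/CredentialUtil.java": [TOOLRUNNER_RUN],
    "contrib/ambari-scom/metrics-sink/src/main/java/org/apache/hadoop/metrics2/sink/SqlSink.java": [CONF_GET],
}


def find_path(graph, start, target):
    """Breadth-first search; returns the shortest chain start -> ... -> target, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:  # visited check; also guards against cycles
                parent[callee] = node
                queue.append(callee)
    return None


def reachable_from_project(graph, project_calls, buggy):
    """Map each project file to the first chain by which one of its library calls reaches `buggy`."""
    hits = {}
    for source_file, entry_points in project_calls.items():
        for entry in entry_points:
            chain = find_path(graph, entry, buggy)
            if chain:
                hits[source_file] = chain
                break
    return hits


def version_key(version):
    """Numeric tuple for a dotted release tag such as '2.7.2'; no pre-release suffix handling."""
    return tuple(int(part) for part in version.split("."))


def is_below(declared, fixed):
    """True when the declared dependency version sorts numerically below `fixed`."""
    return version_key(declared) < version_key(fixed)


if __name__ == "__main__":
    for source_file, chain in reachable_from_project(CALL_GRAPH, PROJECT_CALLS, CONF_SUBST).items():
        print(source_file)
        for method in chain:
            print("    ->", method)
    for declared in ("2.7.2", "2.2.0"):
        print(declared, "below suggested 3.2.1:", is_below(declared, "3.2.1"))
```

Comparing versions as integer tuples rather than strings matters for Hadoop's tags: `"2.10.0" < "2.9.0"` is true as a string comparison and false numerically, so a string-based check would wrongly flag a newer 2.10.x build as older than 2.9.0.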