[ https://issues.apache.org/jira/browse/BEAM-13995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17497534#comment-17497534 ]

Kenneth Knowles commented on BEAM-13995:
----------------------------------------

[~bhulette] would be likely to have an opinion about pandas (from the versions 
it looks like they haven't got a stable release with a fix just yet?)

> Apache beam is having vulnerable dependencies - Tensorflow, httplib2, pandas 
> and numpy
> --------------------------------------------------------------------------------------
>
>                 Key: BEAM-13995
>                 URL: https://issues.apache.org/jira/browse/BEAM-13995
>             Project: Beam
>          Issue Type: Task
>          Components: dependencies, sdk-py-core
>    Affects Versions: 2.23.0, 2.35.0, 2.36.0
>            Reporter: Prerana 
>            Priority: P1
>         Attachments: Tensorflow  vulnerabilities.xlsx
>
>
> We are using apache-beam[gcp]==2.23.0 and apache-beam==2.36.0.
> The following vulnerabilities are detected in WhiteSource with apache-beam.
>
> CVE-2020-13091 (https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2020-13091;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c)
>  - pandas-0.25.3-cp37-cp37m-manylinux1_x86_64.whl
>  - Fix: upgrade to version pandas - 0.3.0.beta,1.0.4; autovizwidget - 0.12.7; pandas - 1.0.4,1.1.0rc0
>
> CVE-2021-41496 (https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-41496;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c)
>  - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl
>  - Fix: upgrade to version autovizwidget - 0.12.7; numpy - 1.22.0rc1; numcodecs - 0.6.2; numpy-base - 1.11.3; numpy - 1.17.4
>
> CVE-2021-21240 (https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-21240;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c)
>  - httplib2-0.17.4-py3-none-any.whl
>  - Fix: upgrade to version v0.19.0
>
> See attached xls:
>  - tensorflow-1.14.0-cp37-cp37m-manylinux1_x86_64.whl
>  - Fix: see attached xls
>
> Please upgrade the packages to the mentioned versions with the fix.
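
The check Kenneth is doing by eye (is there a stable release above the pinned version among the scanner's fix versions?) can be automated. The script below is an added example, not Beam project code; it assumes the WhiteSource "Fix(...)" text format exactly as quoted in the issue and implements only the PEP 440 subset that text uses (release numbers plus alpha/beta/rc tags), rather than pulling in the `packaging` library.

```python
import re

# Constructed sample input, re-typed from the finding list quoted above:
# CVE -> (wheel reported by the scanner, WhiteSource "Fix(...)" text).
FINDINGS = {
    "CVE-2020-13091": ("pandas-0.25.3-cp37-cp37m-manylinux1_x86_64.whl",
                       "pandas - 0.3.0.beta,1.0.4;autovizwidget - 0.12.7;pandas - 1.0.4,1.1.0rc0"),
    "CVE-2021-41496": ("numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl",
                       "autovizwidget - 0.12.7;numpy - 1.22.0rc1;numcodecs - 0.6.2;numpy-base - 1.11.3;numpy - 1.17.4"),
    "CVE-2021-21240": ("httplib2-0.17.4-py3-none-any.whl", "v0.19.0"),
}

# Pre-release labels ranked in PEP 440 order (alpha < beta < release candidate).
_PRE = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2, "c": 2, "preview": 2, "pre": 2}
_VER = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[._-]?(alpha|a|beta|b|preview|pre|rc|c)\.?(\d*))?$", re.I)


def version_key(v):
    """Sort key for the PEP 440 subset the scanner emits (no post/dev/local parts).
    A final release sorts after any pre-release of the same number; trailing zeros
    are dropped so 1.22.0rc1 and 1.22rc1 compare equal."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    release = [int(x) for x in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if m.group(2) is None:
        return (tuple(release), 1, 0, 0)
    return (tuple(release), 0, _PRE[m.group(2).lower()], int(m.group(3) or 0))


def parse_fix_spec(spec, default_pkg):
    """'pkg - v1,v2;pkg2 - v3' -> {pkg: [v1, v2], pkg2: [v3]}; a bare version
    (as in the httplib2 finding) is attributed to the scanned package."""
    fixes = {}
    for part in spec.split(";"):
        pkg, _, vers = part.partition(" - ") if " - " in part else (default_pkg, "", part)
        for v in vers.split(","):
            if v.strip() not in fixes.setdefault(pkg.strip(), []):
                fixes[pkg.strip()].append(v.strip())
    return fixes


def upgrade_target(wheel, spec):
    """Lowest stable fix version above the installed one, or a flag that the
    scanner only lists pre-release fixes above it (the situation in the comment)."""
    pkg, installed = wheel.split("-")[:2]          # PEP 427 wheel name: name-version-...
    higher = [c for c in parse_fix_spec(spec, pkg).get(pkg, [])
              if version_key(c) > version_key(installed)]
    stable = sorted((c for c in higher if version_key(c)[1] == 1), key=version_key)
    return {"package": pkg, "installed": installed,
            "stable_target": stable[0] if stable else None,
            "prerelease_only": bool(higher) and not stable}


def scan(findings=FINDINGS):
    return {cve: upgrade_target(wheel, spec) for cve, (wheel, spec) in findings.items()}
```

For the quoted findings this reports a stable target of 1.0.4 for pandas and v0.19.0 for httplib2, while for numpy the only fix version above 1.21.5 that the scanner lists is the pre-release 1.22.0rc1.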
