[https://issues.apache.org/jira/browse/BEAM-13995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500374#comment-17500374]
Brian Hulette commented on BEAM-13995:
--------------------------------------
I see, sorry about that. I'm still not sure this is a Beam issue though, with
the possible exception of the numpy one. I created a new python 3.7 venv and
installed {{tensorflow==1.14.0}} (because tensorflow is not a beam dependency,
except in that it is preinstalled in some containers), and
{{apache-beam[gcp]==2.36.0}} and the following versions were resolved:
{code}
❯ pip freeze | grep -E 'pandas|httplib2|tensorflow|numpy'
httplib2==0.19.1
numpy==1.21.5
tensorflow==1.14.0
tensorflow-estimator==1.14.0
{code}
Note pandas wasn't installed at all, and httplib2 is an acceptable version.
tensorflow is a vulnerable version, but that was explicitly requested. [~pd3]
Are you sure you don't have other version specs bringing in the vulnerable
dependencies? If you'd be willing to share a full requirements.txt maybe we
could help.
Regarding numpy there is a CVE for 1.21.5 and we require <1.22.0, but the CVE
is marked [disputed|https://nvd.nist.gov/vuln/detail/CVE-2021-41496] so I'm not
sure what to make of it. Is this something we're tracking [~tvalentyn]?
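The check described in the comment above, reproduced as an added example (not code from the issue, from Beam or from its reporter): it parses `pip freeze` output and compares each pin against the fix versions the report quotes, with a small version comparator so that the 1.22.0rc1 threshold sorts below 1.22.0. The FIX_VERSIONS table and SAMPLE_FREEZE are assumptions taken from this thread, not from any advisory feed.

```python
import re

# Minimum fixed versions as quoted in the BEAM-13995 report (the numpy
# threshold is the 1.22.0rc1 it cites, although NVD marks that CVE disputed).
FIX_VERSIONS = {
    "pandas": "1.0.4",      # CVE-2020-13091
    "numpy": "1.22.0rc1",   # CVE-2021-41496
    "httplib2": "0.19.0",   # CVE-2021-21240
}

# Constructed input: the resolved versions shown in the comment above.
SAMPLE_FREEZE = """\
httplib2==0.19.1
numpy==1.21.5
tensorflow==1.14.0
tensorflow-estimator==1.14.0
"""

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}   # a final release ranks 3, above any of these

def parse_version(text):
    """Map '1.22.0rc1' to a comparable tuple; a final release sorts above its pre-releases."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))           # 1.22 compares equal to 1.22.0
    pre = (3, 0) if m.group(2) is None else (_PRE_RANK[m.group(2)], int(m.group(3)))
    return release + pre

def parse_freeze(text):
    """Read 'name==version' lines from pip freeze output; other lines are ignored."""
    pins = {}
    for line in text.splitlines():
        name, sep, version = line.strip().partition("==")
        if sep:
            pins[name.lower()] = version
    return pins

def check_freeze(text, fixes=FIX_VERSIONS):
    """Return 'absent', 'vulnerable' or 'ok' per package that has a known fix version."""
    pins = parse_freeze(text)
    return {
        name: "absent" if name not in pins
        else "vulnerable" if parse_version(pins[name]) < parse_version(fixed)
        else "ok"
        for name, fixed in fixes.items()
    }
```

Run against the comment's own freeze listing it reports pandas absent, httplib2 ok and numpy below the quoted threshold, which is exactly the split the comment describes.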
> Apache beam is having vulnerable dependencies - Tensorflow, httplib2, pandas
> and numpy
> --------------------------------------------------------------------------------------
>
> Key: BEAM-13995
> URL: https://issues.apache.org/jira/browse/BEAM-13995
> Project: Beam
> Issue Type: Bug
> Components: dependencies, sdk-py-core
> Affects Versions: 2.23.0, 2.35.0, 2.36.0
> Reporter: Prerana
> Priority: P1
> Attachments: Tensorflow vulnerabilities.xlsx
>
>
> We are using apache-beam[gcp]==2.23.0 and apache-beam=2.36.0.
> The following vulnerabilities are detected in white source with apache-beam.
> [CVE-2020-13091|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2020-13091;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c] - pandas-0.25.3-cp37-cp37m-manylinux1_x86_64.whl - *Fix* (Upgrade to version pandas - 0.3.0.beta,1.0.4; autovizwidget - 0.12.7; pandas - 1.0.4,1.1.0rc0)
> [CVE-2021-41496|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-41496;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c] - numpy-1.21.5-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl - *Fix* (Upgrade to version autovizwidget - 0.12.7; numpy - 1.22.0rc1; numcodecs - 0.6.2; numpy-base - 1.11.3; numpy - 1.17.4)
> [CVE-2021-21240|https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!securityVulnerability;id=CVE-2021-21240;orgToken=4b33dfdb-afc6-46a5-ae17-ea4bf6ebb98c] - httplib2-0.17.4-py3-none-any.whl - *Fix* (Upgrade to version v0.19.0)
> See attached xls - tensorflow-1.14.0-cp37-cp37m-manylinux1_x86_64.whl - *Fix* (attached xls)
> Please upgrade the packages to the mentioned versions with fix.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)