CleWang opened a new issue #2276: Dependencies cause CVEs in your execution path
URL: https://github.com/apache/bookkeeper/issues/2276

I found that you use some dependencies with CVEs, and the buggy methods of the CVEs are in the program execution path of your project. This makes your project insecure. I have suggested some version updates. Here is the detailed information:

* **Vulnerable Dependency:** org.apache.hadoop : hadoop-common : 2.7.3
* **Call Chain to Buggy Methods:**
  * **Some files in your project call the library method `org.apache.hadoop.conf.Configuration.get(java.lang.String)`, which can reach the buggy method of [CVE-2017-15713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713).**
    * Files in your project: stream/distributedlog/io/dlfs/src/main/java/org/apache/distributedlog/fs/DLFileSystem.java
    * One of the possible call chains:
      ```
      org.apache.hadoop.conf.Configuration.get(java.lang.String)
      org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
      ```
* **Update suggestion:** version 3.2.1
  3.2.1 is a safe version without CVEs. From 2.7.3 to 3.2.1, 3 of the APIs (called 9 times in your project) were modified.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
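The report above hinges on which version of `hadoop-common` the build actually resolves, which is not always the version written in a POM once transitive dependencies and `dependencyManagement` are taken into account. The script below is an added example, not code from the issue author or the BookKeeper project: it parses the text of a `mvn dependency:tree` run, finds the resolved coordinate for a given group and artifact, and compares it against a minimum acceptable version (3.2.1, the version the report recommends). The dependency-tree text embedded in the script is constructed to mimic the tool's output, and the `example:app` root artifact is a placeholder, not a real BookKeeper module.

```python
"""Check which version of a Maven artifact a dependency tree resolves to.

Added example; not part of the BookKeeper project or of the issue text.
The SAMPLE_TREE below is constructed to look like `mvn dependency:tree`
output and is not real project output.
"""
import re

# Constructed sample of `mvn dependency:tree` output. Only the
# org.apache.hadoop:hadoop-common line reflects a coordinate from the report.
SAMPLE_TREE = """\
[INFO] example:app:jar:1.0
[INFO] +- example:app-core:jar:1.0:compile
[INFO] |  \\- commons-io:commons-io:jar:2.4:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:2.7.3:compile
[INFO] |  \\- org.apache.hadoop:hadoop-annotations:jar:2.7.3:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# A Maven coordinate at the end of a tree line: groupId:artifactId:type[:classifier]:version[:scope]
COORD_RE = re.compile(r"([A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){2,5})\s*$")


def parse_tree(text):
    """Return {(groupId, artifactId): version} for every coordinate in the tree text."""
    found = {}
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        group, artifact = parts[0], parts[1]
        if len(parts) == 6:      # g:a:type:classifier:version:scope
            version = parts[4]
        elif len(parts) in (4, 5):  # g:a:type:version[:scope]
            version = parts[3]
        else:
            continue
        found[(group, artifact)] = version
    return found


def version_key(version):
    """Turn '3.2.1' or '3.2.1-SNAPSHOT' into a comparable tuple.

    Numeric segments compare numerically; a non-numeric qualifier such as
    SNAPSHOT becomes -1 so that a pre-release sorts below its release.
    """
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def is_at_least(version, minimum):
    """True if `version` is the same as or newer than `minimum`."""
    a, b = version_key(version), version_key(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def check(tree_text, group, artifact, minimum):
    """Return (resolved_version, ok).

    ok is True when the resolved version is at or above `minimum`, False when
    it is older, and None (with resolved_version None) when the artifact does
    not appear in the tree at all.
    """
    resolved = parse_tree(tree_text).get((group, artifact))
    if resolved is None:
        return None, None
    return resolved, is_at_least(resolved, minimum)


if __name__ == "__main__":
    # Minimum version taken from the report's update suggestion.
    resolved, ok = check(SAMPLE_TREE, "org.apache.hadoop", "hadoop-common", "3.2.1")
    status = "absent" if resolved is None else ("ok" if ok else "BELOW MINIMUM")
    print(f"org.apache.hadoop:hadoop-common resolves to {resolved}: {status}")
```

In a real build the input would come from `mvn dependency:tree -Dincludes=org.apache.hadoop:hadoop-common` rather than the embedded sample; the point of checking the resolved tree rather than the declared POM version is that a transitive dependency or a parent `dependencyManagement` entry can silently win the version conflict.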
