[ https://issues.apache.org/jira/browse/CALCITE-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Volodymyr Vysotskyi updated CALCITE-2379:
-----------------------------------------
Description:
Check for vulnerabilities among dependencies fails for {{calcite-spark}} module.
"{{mvn install -Ppedantic -DskipTests=true}}" fails for lib {{py4j-0.10.4.jar}}.
was:
Check for vulnerabilities among dependencies fails for {{calcite-spark}} module.
Output for "{{mvn install -Ppedantic -DskipTests=true}}":
{noformat}
One or more dependencies were identified with known vulnerabilities in Calcite
Spark:
jackson-databind-2.9.4.jar (com.fasterxml.jackson.core:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson:2.9.4) :
CVE-2018-7489
protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0,
cpe:/a:google:protobuf:3.3.0) : CVE-2015-5237
commons-beanutils-core-1.8.0.jar
(commons-beanutils:commons-beanutils-core:1.8.0,
cpe:/a:apache:commons_beanutils:1.8.0) : CVE-2014-0114
commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0,
cpe:/a:apache:commons_beanutils:1.7.0) : CVE-2014-0114
commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1,
cpe:/a:apache:commons-httpclient:3.1, cpe:/a:apache:httpclient:3.1) :
CVE-2015-5262, CVE-2014-3577
javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2,
javax.annotation:javax.annotation-api:1.2) : CVE-2015-2808, CVE-2013-2566
mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) :
CVE-2015-9097
validation-api-1.1.0.Final.jar (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~,
javax.validation:validation-api:1.1.0.Final) : CVE-2013-4499
jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2,
javax.xml.bind:jaxb-api:2.2.2) : CVE-2015-2808, CVE-2013-2566
pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13) :
CVE-2007-1100
py4j-0.10.4.jar (cpe:/a:python:python:0.10.4,
cpe:/a:python_software_foundation:python:0.10.4, net.sf.py4j:py4j:0.10.4) :
CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158,
CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652,
CVE-2014-7185, CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150,
CVE-2012-0845, CVE-2011-4940, CVE-2010-3492, CVE-2008-5983, CVE-2008-3143,
CVE-2008-3142, CVE-2008-2315, CVE-2008-1887, CVE-2008-1721, CVE-2008-1679,
CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7,
org.apache.avro:avro-mapred:1.7.7) : CVE-2017-3162, CVE-2017-3161, CVE-2016-5001
curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0,
org.apache.curator:curator-recipes:2.6.0) : CVE-2016-5017, CVE-2014-0085
api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30,
org.apache.directory.api:api-util:1.0.0-M20) : CVE-2015-3250
xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6,
org.apache.zookeeper:zookeeper:3.4.6) : CVE-2017-5637, CVE-2016-5017,
CVE-2014-0085
jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13,
cpe:/a:fasterxml:jackson:1.9.13, org.codehaus.jackson:jackson-xc:1.9.13) :
CVE-2018-5968, CVE-2017-17485
jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908,
cpe:/a:jetty:jetty:9.2.19.v20160908,
org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26, cpe:/a:mortbay:jetty:6.1.26,
cpe:/a:mortbay_jetty:jetty:6.1.26, org.mortbay.jetty:jetty-util:6.1.26) :
CVE-2011-4461
unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0,
org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:serializer:2.7.1) :
CVE-2014-0107
xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) :
CVE-2014-0107
xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1,
xerces:xercesImpl:2.9.1) : CVE-2012-0881
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
(com.fasterxml.jackson.core:jackson-databind:2.4.0,
cpe:/a:fasterxml:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson:2.4.0) :
CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095
spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
(cpe:/a:eclipse:jetty:9.3.11.v20160721, cpe:/a:jetty:jetty:9.3.11.v20160721,
org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735
{noformat}
> CVSS dependency-check-maven fails for calcite-spark module
> ----------------------------------------------------------
>
> Key: CALCITE-2379
> URL: https://issues.apache.org/jira/browse/CALCITE-2379
> Project: Calcite
> Issue Type: Bug
> Components: spark
> Reporter: Volodymyr Vysotskyi
> Assignee: Julian Hyde
> Priority: Major
> Fix For: 1.17.0
>
>
> Check for vulnerabilities among dependencies fails for {{calcite-spark}}
> module.
> "{{mvn install -Ppedantic -DskipTests=true}}" fails for lib
> {{py4j-0.10.4.jar}}.