[
https://issues.apache.org/jira/browse/CALCITE-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated CALCITE-3314:
------------------------------------
Labels: pull-request-available (was: )
> CVSS dependency-check-maven fails for calcite-pig, calcite-piglet,
> calcite-spark
> --------------------------------------------------------------------------------
>
> Key: CALCITE-3314
> URL: https://issues.apache.org/jira/browse/CALCITE-3314
> Project: Calcite
> Issue Type: Bug
> Reporter: Stamatis Zampetakis
> Assignee: Stamatis Zampetakis
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 1.21.0
>
>
> Calcite build fails if the CVSS dependency check is active since there are
> serious vulnerabilties in calcite-pig, calcite-piglet, calcite-spark.
> Running mvn install -Ppedantic -fn gives the following errors:
> {noformat}
> ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check
> (default) on project calcite-pig:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '8.0':
> [ERROR]
> [ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
> [ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check
> (default) on project calcite-piglet:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '8.0':
> [ERROR]
> [ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
> [ERROR] jackson-core-asl-1.8.8.jar: CVE-2017-17485, CVE-2017-7525,
> CVE-2017-15095
> [ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
> [ERROR] jackson-xc-1.8.3.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
> [ERROR] hadoop-auth-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
> [ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
> [ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
> [ERROR]
> htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml:
> CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379,
> CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525,
> CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719,
> CVE-2018-14721, CVE-2018-14720
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check
> (default) on project calcite-spark:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '8.0':
> [ERROR]
> [ERROR] spark-core_2.10-2.2.0.jar: CVE-2018-17190
> [ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
> [ERROR] hadoop-mapreduce-client-core-2.7.5.jar: CVE-2018-8029,
> CVE-2018-11766, CVE-2018-8009
> [ERROR] bcprov-jdk15on-1.51.jar: CVE-2018-1000613
> [ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
> [ERROR] unused-1.0.0.jar: CVE-2018-17190
> [ERROR]
> htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml:
> CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379,
> CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525,
> CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719,
> CVE-2018-14721, CVE-2018-14720
> [ERROR]
> spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml:
> CVE-2017-7658, CVE-2017-7657
> {noformat}
>
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
