[ https://issues.apache.org/jira/browse/IGNITE-12738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
XuCongying updated IGNITE-12738:
--------------------------------

    Attachment: apache-ignite_CVE-report.md

> CVEs in the dependencies are in the execution path of your project
> ------------------------------------------------------------------
>
>                 Key: IGNITE-12738
>                 URL: https://issues.apache.org/jira/browse/IGNITE-12738
>             Project: Ignite
>          Issue Type: Bug
>            Reporter: XuCongying
>            Priority: Major
>         Attachments: apache-ignite_CVE-report.md
>
>
> Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which makes your project at risk. I have suggested some version updates. The details are as follows.
> * *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.9.1
> * *Call Chain to Buggy Methods:*
> ** *Some files in your project call the library method org.apache.hadoop.fs.FileUtil.unZip(java.io.File,java.io.File), which can reach the buggy method of [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009].*
> *** Files in your project: modules/hadoop/src/main/java/org/apache/ignite/internal/processors/hadoop/impl/v2/HadoopV2JobResourceManager.java
> *** One of the possible call chains: org.apache.hadoop.fs.FileUtil.unZip(java.io.File,java.io.File) [buggy method]
> ** *Some files in your project call the library method org.apache.hadoop.fs.FileUtil.unTar(java.io.File,java.io.File), which can reach the buggy method of [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009].*
> *** Files in your project: modules/hadoop/src/main/java/org/apache/ignite/internal/processors/hadoop/impl/v2/HadoopV2JobResourceManager.java
> *** One of the possible call chains: org.apache.hadoop.fs.FileUtil.unTar(java.io.File,java.io.File) -> org.apache.hadoop.fs.FileUtil.unTarUsingJava(java.io.File,java.io.File,boolean) -> org.apache.hadoop.fs.FileUtil.unpackEntries(org.apache.commons.compress.archivers.tar.TarArchiveInputStream,org.apache.commons.compress.archivers.tar.TarArchiveEntry,java.io.File) [buggy method]
> ** *Update suggestion:* version 3.2.0
> 3.2.0 is a safe version without CVEs. From 2.9.1 to 3.2.0, 4 of the APIs (called 5 times in your project) were removed, 14 APIs (called 44 times in your project) were modified.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
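CVE-2018-8009 describes archive entry names that make FileUtil.unZip / unpackEntries write outside the extraction directory. The following is an added defensive example, not code from the Ignite or Hadoop projects: the destination-containment check a caller such as HadoopV2JobResourceManager can apply to every entry name before unpacking an untrusted job archive (the class name, method names and sample entry names are assumptions).

```java
import java.io.File;
import java.io.IOException;

// Added example: reject any archive entry whose canonical target would land
// outside the chosen extraction directory (the defect class behind CVE-2018-8009).
public final class SafeEntryPath {

    private SafeEntryPath() {}

    /**
     * Resolves entryName against destDir and returns the target file, or throws
     * IOException if the canonical target escapes destDir. Canonicalisation
     * collapses "..", "." and symlinked prefixes before the comparison is made.
     */
    public static File resolve(File destDir, String entryName) throws IOException {
        File canonicalDest = destDir.getCanonicalFile();
        File target = new File(canonicalDest, entryName).getCanonicalFile();
        // Compare against the directory path plus a separator so that a sibling
        // such as "/tmp/out2" is not mistaken for being inside "/tmp/out".
        String destPrefix = canonicalDest.getPath() + File.separator;
        if (!target.getPath().startsWith(destPrefix)) {
            throw new IOException("Archive entry escapes destination directory: " + entryName);
        }
        return target;
    }

    // Constructed demonstration with hypothetical entry names; nothing is written to disk.
    public static void main(String[] args) throws IOException {
        File dest = new File(System.getProperty("java.io.tmpdir"), "ignite-job-unpack");
        String[] names = {"lib/job.jar", "../../outside.txt", "a/../../b", "conf/./site.xml"};
        for (String name : names) {
            try {
                System.out.println(name + " -> accepted: " + resolve(dest, name));
            } catch (IOException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Apply the check to directory entries as well as files, and to the target of every link entry in a tar, since each of those can also be used to point outside the destination.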