[ https://issues.apache.org/jira/browse/KYLIN-5159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489075#comment-17489075 ]

ASF GitHub Bot commented on KYLIN-5159:
---------------------------------------

pjfanning opened a new pull request #1814:
URL: https://github.com/apache/kylin/pull/1814


   ## Proposed changes
   
   Try to fix some old dependencies that have known security vulnerabilities
   
   ## Types of changes
   
   What types of changes does your code introduce to Kylin?
   _Put an `x` in the boxes that apply_
   
   - [X] Bugfix (non-breaking change which fixes an issue)
   - [ ] New feature (non-breaking change which adds functionality)
   - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
   - [ ] Documentation Update (if none of the other choices apply)
   
   ## Checklist
   
   _Put an `x` in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code._
   
   - [X] I have created an issue on [Kylin's jira](https://issues.apache.org/jira/browse/KYLIN), and have described the bug/feature there in detail
   - [X] Commit messages in my PR start with the related jira ID, like "KYLIN-0000 Make Kylin project open-source"
   - [ ] Compiling and unit tests pass locally with my changes
   - [ ] I have added tests that prove my fix is effective or that my feature works
   - [ ] I have added necessary documentation (if appropriate)
   - [ ] Any dependent changes have been merged
   
   ## Further comments
   
   If this is a relatively large or complex change, kick off the discussion at user@kylin or dev@kylin by explaining why you chose the solution you did and what alternatives you considered, etc...
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


> there are several dependencies in main branch with CVEs
> -------------------------------------------------------
>
>                 Key: KYLIN-5159
>                 URL: https://issues.apache.org/jira/browse/KYLIN-5159
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>
> Some of the more readily addressed ones include:
>  * upgrade to commons-compress 1.21 - see CVEs in [https://mvnrepository.com/artifact/org.apache.commons/commons-compress]
>  * upgrade to h2 2.1.210 - see CVEs in [https://mvnrepository.com/artifact/com.h2database/h2]
>  * upgrade to httpclient 4.5.13 - see CVEs in [https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient]
>  * update to commons-io 2.7 (or 2.11.0 to get latest code) - see [https://github.com/advisories/GHSA-gwrp-pvrq-jmwv]
>  * upgrade to xerces 2.12.2 - see CVEs in [https://mvnrepository.com/artifact/xerces/xercesImpl]
>  * many others - but I may be looking at the wrong branch given the large number of vulnerable jars
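The issue above lists minimum fixed versions for five Maven artifacts. The following is an added example (not Kylin project code and not part of the Jira thread) of a small audit script that reads a `pom.xml`, expands `${property}` version references, and reports any listed dependency still declared below the version the issue names. The `pom.xml` fragment embedded in the script is constructed for the demo with deliberately old versions; the minimum versions and Maven coordinates are taken from the issue text and the mvnrepository links it cites.

```python
"""Flag dependencies in a pom.xml that sit below the versions named in KYLIN-5159.

Added example, not Kylin code. The minimum versions come from the issue
description; the pom.xml fragment below is constructed for demonstration.
"""
import re
import xml.etree.ElementTree as ET

# groupId:artifactId -> lowest version the issue asks for.
MIN_VERSIONS = {
    "org.apache.commons:commons-compress": "1.21",
    "com.h2database:h2": "2.1.210",
    "org.apache.httpcomponents:httpclient": "4.5.13",
    "commons-io:commons-io": "2.7",
    "xerces:xercesImpl": "2.12.2",
}

# Constructed pom.xml fragment; two artifacts are intentionally out of date
# and one version is indirected through a <properties> entry.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <h2.version>1.4.200</h2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>1.20</version>
    </dependency>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <version>${h2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.11.0</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version):
    """Turn '4.5.13' into a tuple that compares numerically, so 2.11 > 2.7.

    Numeric segments sort before non-numeric ones (e.g. 'beta'), which is
    enough for the release versions in the issue; a shorter version that is
    a prefix of a longer one (2.7 vs 2.7.0) compares as lower."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def resolve_property(value, properties):
    """Expand a single ${prop} reference such as ${h2.version}; else return as-is."""
    match = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if match:
        return properties.get(match.group(1), value.strip())
    return value.strip()


def audit_pom(pom_xml, minimums=MIN_VERSIONS):
    """Return [(coordinate, declared, required)] for listed deps below the minimum."""
    root = ET.fromstring(pom_xml)
    properties = {}
    props = root.find("m:properties", NS)
    if props is not None:
        for prop in props:
            properties[prop.tag.split("}", 1)[1]] = (prop.text or "").strip()
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        raw_version = dep.findtext("m:version", default="", namespaces=NS)
        coordinate = f"{group}:{artifact}"
        if coordinate not in minimums or not raw_version:
            continue  # not on the list, or version managed in a parent/BOM
        declared = resolve_property(raw_version, properties)
        required = minimums[coordinate]
        if version_key(declared) < version_key(required):
            findings.append((coordinate, declared, required))
    return findings


if __name__ == "__main__":
    for coordinate, declared, required in audit_pom(SAMPLE_POM):
        print(f"{coordinate}: declared {declared}, issue asks for >= {required}")
```

Versions managed through a parent POM or `dependencyManagement` have no `<version>` element in the child and are skipped here; for a multi-module build such as Kylin's, run the check against the effective POM (`mvn help:effective-pom`) so inherited versions are resolved before comparison.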



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
