[
https://issues.apache.org/jira/browse/LIVY-900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645690#comment-17645690
]
Damon Cortesi commented on LIVY-900:
------------------------------------
Will need to come up with a useful way to track these - attached the recent
dependency check report and there's a lot to sift through. Even some things like
[CVE-2021-34538|https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354]
are vulnerable up until Hive 3.1.3 and only fixed in Hive 4.
> Security and CVE Remediation Process for 0.8.0
> ----------------------------------------------
>
> Key: LIVY-900
> URL: https://issues.apache.org/jira/browse/LIVY-900
> Project: Livy
> Issue Type: Improvement
> Components: Build
> Reporter: Larry McCay
> Priority: Major
> Fix For: 0.8.0
>
> Attachments: dependency-check-report.html
>
>
> As part of the revival of the Livy project, we indicated that an immediate
> goal would be to establish a process for CVE and dependency hygiene. There
> are a number of ways that we can address this and we need to consider which
> ones would be most appropriate. Off the top of my head:
> * Dependabot is being used in many projects and I believe there are a couple
> different ways to integrate this either at the github or gitbox (ASF) level.
> ** Some automatically create PRs for instance
> * External tooling that can be run such as OWASP dependency-check. I have
> run this locally to discover the currently outstanding upgrades that need to
> be addressed
> FYI - this can be run via mvn:
> mvn org.owasp:dependency-check-maven:7.3.0:aggregate
> I'd like to gather ideas for productive ways to maintain proper dependency
> hygiene and file tasks to get at least some of these done for the 0.8.0
> release, with most if not all of the Critical and High CVEs addressed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
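The comment above notes that the attached dependency-check report is "a lot to sift through" and that some findings (the Hive CVE) have no fixable release yet. The script below is an added example of one way to turn the report into a tracked triage list; it is not code from the Livy project or from OWASP dependency-check. It assumes the plugin was also asked for its JSON output (the `format` parameter of dependency-check-maven accepts `JSON`) and assumes the 7.x JSON layout named in the docstring (`dependencies[].packages[].id`, `dependencies[].vulnerabilities[].name/severity/cvssv3.baseScore`). The embedded report, the `example.org` coordinates and the `CVE-1900-*` identifiers are constructed for the demonstration; the `ACCEPTED` dictionary is where a finding like the Hive one (no fix short of a major upstream release) would be recorded with its reason so it stops showing up as an open item on every run.

```python
"""Triage an OWASP dependency-check JSON report into open vs. tracked CVEs.

Added example for LIVY-900; not part of Livy or dependency-check.
Assumed 7.x JSON report layout (assumption, verify against your report):
  dependencies[].fileName
  dependencies[].packages[].id                     pkg:maven/<group>/<artifact>@<version>
  dependencies[].vulnerabilities[].name            CVE id
  dependencies[].vulnerabilities[].severity        CRITICAL / HIGH / MEDIUM / LOW
  dependencies[].vulnerabilities[].cvssv3.baseScore  (cvssv2.score as fallback)
"""
import json
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample report (stand-in for the real dependency-check-report.json).
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "lib-a-1.0.0.jar",
         "packages": [{"id": "pkg:maven/example.org/lib-a@1.0.0"}],
         "vulnerabilities": [
             {"name": "CVE-1900-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-1900-0003", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "lib-b-2.1.0.jar",
         "packages": [{"id": "pkg:maven/example.org/lib-b@2.1.0"}],
         "vulnerabilities": [
             # same CVE reported again via a second artifact; only cvssv2 present
             {"name": "CVE-1900-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-1900-0002", "severity": "HIGH", "cvssv2": {"score": 7.5}}]},
        {"fileName": "lib-c-3.0.0.jar",
         "packages": [{"id": "pkg:maven/example.org/lib-c@3.0.0"}],
         "vulnerabilities": [
             {"name": "CVE-1900-0004", "severity": "LOW", "cvssv3": {"baseScore": 3.1}}]},
    ]
}

# Findings reviewed and deliberately carried, with the reason (hypothetical entry).
ACCEPTED = {"CVE-1900-0002": "no fixed upstream release yet; tracked for a later Livy release"}


def cvss_score(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)


def triage(report, min_severity="HIGH", accepted=None):
    """Return (open, tracked): one entry per CVE at or above min_severity.

    The same CVE reported against several jars is folded into one entry whose
    'affected' list names every package coordinate, so the list is by CVE, not
    by jar. CVEs present in `accepted` go to the tracked list with their reason.
    """
    accepted = accepted or {}
    threshold = SEVERITY_RANK[min_severity.upper()]
    by_cve = {}
    for dep in report.get("dependencies", []):
        coords = sorted(p["id"] for p in dep.get("packages", [])) or [dep.get("fileName", "?")]
        for vuln in dep.get("vulnerabilities", []):
            sev = vuln.get("severity", "").upper()
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            entry = by_cve.setdefault(vuln["name"], {
                "cve": vuln["name"], "severity": sev,
                "score": cvss_score(vuln), "affected": set()})
            entry["affected"].update(coords)
    open_, tracked = [], []
    for entry in by_cve.values():
        entry["affected"] = sorted(entry["affected"])
        reason = accepted.get(entry["cve"])
        if reason:
            entry["reason"] = reason
            tracked.append(entry)
        else:
            open_.append(entry)
    order = lambda e: (-SEVERITY_RANK[e["severity"]], -e["score"], e["cve"])
    return sorted(open_, key=order), sorted(tracked, key=order)


def summarize(findings):
    """Count findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 2}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


def exceeds_budget(open_findings, max_critical=0, max_high=0):
    """True when the open (untracked) findings exceed the release budget."""
    counts = summarize(open_findings)
    return counts.get("CRITICAL", 0) > max_critical or counts.get("HIGH", 0) > max_high


def load_report(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    open_findings, tracked_findings = triage(SAMPLE_REPORT, "HIGH", ACCEPTED)
    for label, rows in (("OPEN", open_findings), ("TRACKED", tracked_findings)):
        print(label, summarize(rows))
        for f in rows:
            print(f"  {f['severity']:<8} {f['score']:>4} {f['cve']}  {', '.join(f['affected'])}"
                  + (f"  [{f['reason']}]" if "reason" in f else ""))
    print("release budget exceeded:", exceeds_budget(open_findings))
```

Running `triage(load_report("target/dependency-check-report.json"), "HIGH", ACCEPTED)` from CI and failing on `exceeds_budget(...)` gives the release gate the issue asks for, while the tracked list keeps the accepted findings and their reasons in one place instead of being re-discovered in the HTML report each time.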