sonatype-lift[bot] commented on a change in pull request #324: URL: https://github.com/apache/solr/pull/324#discussion_r720506575
########## File path: solr/contrib/hdfs/build.gradle ########## 
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+apply plugin: 'java-library'
+
+description = 'HDFS Package'
+
+dependencies {
+
+ implementation project(':solr:core')
+
+
+ //implementation ('org.apache.hadoop:hadoop-hdfs') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-annotations') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-auth') { transitive = false }
Review comment: *Critical OSS Vulnerability:* ### pkg:maven/org.apache.hadoop/[email protected] 1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.apache.hadoop/[email protected]</b></summary> <ul> <details> <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... > In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
> > **CVSS Score:** 8.8 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H </ul> </details> </ul> </details> </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`) ########## File path: solr/contrib/hdfs/build.gradle ########## 
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+apply plugin: 'java-library'
+
+description = 'HDFS Package'
+
+dependencies {
+
+ implementation project(':solr:core')
+
+
+ //implementation ('org.apache.hadoop:hadoop-hdfs') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-annotations') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-auth') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-common') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-hdfs-client') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-hdfs') { transitive = false }
+
+
+
+ api('com.github.ben-manes.caffeine:caffeine', {
+ exclude group: "org.checkerframework", module: "checker-qual"
+ })
+
+ // Many HDFS tests are using/subclassing test framework classes
+ testImplementation project(':solr:test-framework')
+
+ // hadoop dependencies for tests
+ testImplementation ('org.apache.hadoop:hadoop-hdfs') { transitive = false }
+ testImplementation ('org.apache.hadoop:hadoop-common::tests') { transitive = false }
Review comment: *Critical OSS Vulnerability:* ### pkg:maven/org.apache.hadoop/[email protected] 1 Critical, 0 Severe, 0 Moderate, 0
Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.apache.hadoop/[email protected]</b></summary> <ul> <details> <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... > In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. > > **CVSS Score:** 8.8 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H </ul> </details> </ul> </details> </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`) ########## File path: solr/contrib/hdfs/build.gradle ########## 
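Review bot: The `hadoop-hdfs` artifact is declared three times in this hunk of solr/contrib/hdfs/build.gradle: once commented out (`//implementation ('org.apache.hadoop:hadoop-hdfs') { transitive = false }`), once as `implementation`, and again as `testImplementation`; since `testImplementation` already extends `implementation`, the test-scope declaration is redundant and the commented line is dead text, so both can be dropped and only the live `implementation` line kept. With `transitive = false` on every Hadoop artifact the classpath is assembled by hand, so anything a Hadoop class needs at runtime that is not listed here surfaces only when a test runs; a short comment naming what each pinned artifact is there for, in the style of the `// hadoop dependencies for tests` line, would make later trimming of this list less risky. The same hunk is quoted again in the two other comments on this file, and this note covers those as well.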
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+apply plugin: 'java-library'
+
+description = 'HDFS Package'
+
+dependencies {
+
+ implementation project(':solr:core')
+
+
+ //implementation ('org.apache.hadoop:hadoop-hdfs') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-annotations') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-auth') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-common') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-hdfs-client') { transitive = false }
Review comment: *Critical OSS Vulnerability:* ### pkg:maven/org.apache.hadoop/[email protected] 1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.apache.hadoop/[email protected]</b></summary> <ul> <details> <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10....
> In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. > > **CVSS Score:** 8.8 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H </ul> </details> </ul> </details> </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`) ########## File path: solr/test-framework/build.gradle ########## 
@@ -31,5 +31,16 @@ dependencies {
 implementation 'io.dropwizard.metrics:metrics-jetty9'
 implementation 'com.lmax:disruptor'
+
+ // used by the hadoop-specific test framework classes
+ implementation ('org.apache.hadoop:hadoop-common') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-auth') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-annotations') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-hdfs-client') { transitive = false }
+ implementation ('org.apache.commons:commons-compress') { transitive = false }
Review comment: *Critical OSS Vulnerability:* ### pkg:maven/org.apache.commons/[email protected] 4 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.apache.commons/[email protected]</b></summary> <ul> <details> <summary><b>CRITICAL Vulnerabilities (4)</b></summary><br/> <ul> <details> <summary>CVE-2021-36090</summary> > #### [CVE-2021-36090] When reading a specially crafted ZIP archive, Compress can be made to allocate l... > When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. > > **CVSS Score:** 7.5 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H </details> <details> <summary>CVE-2021-35517</summary> > #### [CVE-2021-35517] When reading a specially crafted TAR archive, Compress can be made to allocate l... > When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
> > **CVSS Score:** 7.5 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H </details> <details> <summary>CVE-2021-35515</summary> > #### [CVE-2021-35515] When reading a specially crafted 7Z archive, the construction of the list of cod... > When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. > > **CVSS Score:** 7.5 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H </details> <details> <summary>CVE-2021-35516</summary> > #### [CVE-2021-35516] When reading a specially crafted 7Z archive, Compress can be made to allocate la... > When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. > > **CVSS Score:** 7.5 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H </details> </ul> </details> </ul> </details> </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`) ########## File path: solr/test-framework/build.gradle ########## 
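Review bot: The Hadoop and commons-compress artifacts added to solr/test-framework/build.gradle use the `implementation` configuration, which places them on the runtime classpath of every module that depends on `:solr:test-framework`, not only the HDFS tests that the `// used by the hadoop-specific test framework classes` comment describes. If those hadoop-specific classes can live alongside the HDFS contrib instead (for example as that module's test fixtures), the rest of the build would not have to carry these artifacts or follow their advisories; this is a suggestion, since the classes themselves are not part of this hunk. The header `@@ -31,5 +31,16 @@` announces eleven added lines but the quotes show at most seven, so the remainder of the hunk is not on this page. The same hunk is quoted in the three later comments on this file, and this note applies to them equally.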
@@ -31,5 +31,16 @@ dependencies {
 implementation 'io.dropwizard.metrics:metrics-jetty9'
 implementation 'com.lmax:disruptor'
+
+ // used by the hadoop-specific test framework classes
+ implementation ('org.apache.hadoop:hadoop-common') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-auth') { transitive = false }
Review comment: *Critical OSS Vulnerability:* ### pkg:maven/org.apache.hadoop/[email protected] 1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.apache.hadoop/[email protected]</b></summary> <ul> <details> <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... > In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. > > **CVSS Score:** 8.8 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H </ul> </details> </ul> </details> </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`) ########## File path: solr/test-framework/build.gradle ##########
@@ -31,5 +31,16 @@ dependencies {
 implementation 'io.dropwizard.metrics:metrics-jetty9'
 implementation 'com.lmax:disruptor'
+
+ // used by the hadoop-specific test framework classes
+ implementation ('org.apache.hadoop:hadoop-common') { transitive = false }
Review comment: *Critical OSS Vulnerability:* ### pkg:maven/org.apache.hadoop/[email protected] 1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.apache.hadoop/[email protected]</b></summary> <ul> <details> <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... > In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. > > **CVSS Score:** 8.8 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H </ul> </details> </ul> </details> </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`) ########## File path: solr/test-framework/build.gradle ##########
@@ -31,5 +31,16 @@ dependencies {
 implementation 'io.dropwizard.metrics:metrics-jetty9'
 implementation 'com.lmax:disruptor'
+
+ // used by the hadoop-specific test framework classes
+ implementation ('org.apache.hadoop:hadoop-common') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-auth') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-annotations') { transitive = false }
+ implementation ('org.apache.hadoop:hadoop-hdfs-client') { transitive = false }
Review comment: *Critical OSS Vulnerability:* ### pkg:maven/org.apache.hadoop/[email protected] 1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies <details> <summary><b>Components</b></summary><br/> <ul> <details> <summary><b>pkg:maven/org.apache.hadoop/[email protected]</b></summary> <ul> <details> <summary><b>CRITICAL Vulnerabilities (1)</b></summary><br/> <ul> > #### [CVE-2020-9492] In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.... > In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. > > **CVSS Score:** 8.8 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H </ul> </details> </ul> </details> </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
