[
https://issues.apache.org/jira/browse/STREAMPIPES-519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
PJ Fanning updated STREAMPIPES-519:
-----------------------------------
Description:
I ran a dependabot analysis using GitHub and there were 74 issues - some are
the same issue appearing in multiple subprojects.
Unfortunately, GitHub does not appear to allow me to share these results. To
reproduce, fork streampipes in GitHub, go to the security tab and enable
dependabot alerts.
Some Java issues:
* log4j should be upgraded https://logging.apache.org/log4j/2.x/security.html
* jetty should be upgraded (e.g. 9.4.45)
https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
* commons-beanutils upgrade to 1.9.4
https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils
* guava https://mvnrepository.com/artifact/com.google.guava/guava
* shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
* log4j v1 is used in some places - this jar is end of life and full of CVE
issues - e.g.
https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
* commons-compress needs upgrading - e.g.
https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
* snakeyaml needs upgrading in
https://github.com/pjfanning/incubator-streampipes/blob/dev/streampipes-maven-plugin/pom.xml
* postgresql jar needs upgrading - see
https://github.com/advisories/GHSA-673j-qm5f-xpv8
* nimbus-jose-jwt - https://github.com/advisories/GHSA-f6vf-pq8c-69m4
* amqp-client - https://github.com/advisories/GHSA-w4g2-9hj6-5472
* netty - https://github.com/advisories/GHSA-grg4-wf29-r9vv and others
pips:
* waitress e.g. https://github.com/advisories/GHSA-4f7p-27jc-3c36
* jinja e.g. https://github.com/advisories/GHSA-g3rq-g295-4j3m
npms:
* many
* including lodash https://github.com/advisories/GHSA-35jh-r3h4-6jhm
was:
I ran a dependabot analysis using GitHub and there were 74 issues - some are
the same issue appearing in multiple subprojects.
Unfortunately, GitHub does not appear to allow me to share these results. To
reproduce, fork streampipes in GitHub, go to the security tab and enable
dependabot alerts.
Some Java issues:
* log4j should be upgraded https://logging.apache.org/log4j/2.x/security.html
* jetty should be upgraded (e.g. 9.4.45)
https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
* commons-beanutils upgrade to 1.9.4
https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils
* guava https://mvnrepository.com/artifact/com.google.guava/guava
* shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
* log4j v1 is used in some places - this jar is end of life and full of CVE
issues - e.g.
https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
* commons-compress needs upgrading - e.g.
https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
* snakeyaml needs upgrading in
https://github.com/pjfanning/incubator-streampipes/blob/dev/streampipes-maven-plugin/pom.xml
* postgresql jar needs upgrading - see
https://github.com/advisories/GHSA-673j-qm5f-xpv8
* nimbus-jose-jwt - https://github.com/advisories/GHSA-f6vf-pq8c-69m4
* amqp-client - https://github.com/advisories/GHSA-w4g2-9hj6-5472
* netty - https://github.com/advisories/GHSA-grg4-wf29-r9vv and others
pips:
* waitress e.g. https://github.com/advisories/GHSA-4f7p-27jc-3c36
* jinja e.g. https://github.com/advisories/GHSA-g3rq-g295-4j3m
npms:
* many
* including lodash https://github.com/advisories/GHSA-35jh-r3h4-6jhm
> multiple insecure libs used in streampipes
> ------------------------------------------
>
> Key: STREAMPIPES-519
> URL: https://issues.apache.org/jira/browse/STREAMPIPES-519
> Project: StreamPipes
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
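The report notes that GitHub does not let Dependabot results be shared, and that several findings are the same library repeated across subprojects. The script below is an added example, not code from the Jira issue, the reporter, or the StreamPipes project: it parses Maven pom.xml files, resolves ${property} versions, and prints a plain-text list of the Java libraries the report names, which can be pasted into an issue. Assumptions: the Maven coordinates are the standard ones for each named library (e.g. log4j:log4j for log4j 1.x, org.yaml:snakeyaml, com.rabbitmq:amqp-client), the minimum versions come only from the report's own suggestions (commons-beanutils 1.9.4, jetty 9.4.45) and not from the linked advisories, and every other hit is a "review" flag with no version threshold. The sample POM is constructed for the example.

```python
"""Scan Maven pom.xml files for the Java dependencies named in STREAMPIPES-519.

Added example, not StreamPipes project code or the reporter's code. Maven
coordinates are the well-known ones for the libraries named in the report
(assumption); minimum versions appear only where the report states one
(commons-beanutils 1.9.4, jetty 9.4.45). Everything else is flagged for review.
"""
import re
import sys
import pathlib
import xml.etree.ElementTree as ET

# (groupId, artifactId) -> (reason from the report, minimum version or None).
WATCHLIST = {
    ("log4j", "log4j"): ("log4j 1.x: end of life, migrate to log4j 2.x", None),
    ("org.apache.logging.log4j", "log4j-core"): ("see log4j 2.x security page", None),
    ("commons-beanutils", "commons-beanutils"): ("upgrade to 1.9.4", "1.9.4"),
    ("com.google.guava", "guava"): ("review, upgrade", None),
    ("org.apache.shiro", "shiro-core"): ("review, upgrade", None),
    ("org.apache.commons", "commons-compress"): ("needs upgrading", None),
    ("org.yaml", "snakeyaml"): ("needs upgrading", None),
    ("org.postgresql", "postgresql"): ("GHSA-673j-qm5f-xpv8", None),
    ("com.nimbusds", "nimbus-jose-jwt"): ("GHSA-f6vf-pq8c-69m4", None),
    ("com.rabbitmq", "amqp-client"): ("GHSA-w4g2-9hj6-5472", None),
}
# Whole groups: every jetty artifact (report suggests 9.4.45) and every netty artifact.
GROUP_WATCHLIST = {
    "org.eclipse.jetty": ("upgrade (e.g. 9.4.45)", "9.4.45"),
    "io.netty": ("GHSA-grg4-wf29-r9vv and others", None),
}


def version_key(version):
    """Numeric tuple for ordering: '9.4.45.v20220126' -> (9, 4, 45, 20220126)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_pom(xml_text):
    """Map (groupId, artifactId) -> version for every <dependency> in a POM
    (including dependencyManagement and plugin dependencies), with ${property}
    placeholders resolved from <properties> and project.version."""
    root = ET.fromstring(xml_text)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def text(el, tag):
        child = el.find(ns + tag) if el is not None else None
        return child.text.strip() if child is not None and child.text else None

    props = {}
    props_el = root.find(ns + "properties")
    if props_el is not None:
        for p in props_el:
            props[p.tag[len(ns):]] = (p.text or "").strip()
    version = text(root, "version") or text(root.find(ns + "parent"), "version")
    if version:
        props.setdefault("project.version", version)

    def resolve(value):
        # Bounded loop: a property may itself reference another property.
        for _ in range(5):
            if value is None or "${" not in value:
                break
            value = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
        return value

    deps = {}
    for dep in root.iter(ns + "dependency"):
        group, artifact = resolve(text(dep, "groupId")), text(dep, "artifactId")
        if group and artifact:
            deps[(group, artifact)] = resolve(text(dep, "version"))
    return deps


def audit(deps):
    """Return sorted (group, artifact, version, reason) for dependencies the report
    names. A dependency at or above the report's minimum is not listed; a version
    this POM cannot resolve (inherited from a parent) is reported as 'unresolved'
    so someone checks the parent's dependencyManagement."""
    findings = []
    for (group, artifact), version in deps.items():
        hit = WATCHLIST.get((group, artifact)) or GROUP_WATCHLIST.get(group)
        if hit is None:
            continue
        reason, minimum = hit
        unresolved = version is None or "${" in version
        if minimum and not unresolved and version_key(version) >= version_key(minimum):
            continue
        findings.append((group, artifact, "unresolved" if unresolved else version, reason))
    return sorted(findings)


def format_report(name, findings):
    """Plain-text report that can be pasted into an issue, unlike the Dependabot UI."""
    lines = [f"== {name}: {len(findings)} dependencies to review =="]
    lines += [f"  {g}:{a} {v} -> {reason}" for g, a, v, reason in findings]
    return "\n".join(lines)


# Constructed sample POM (not a real StreamPipes module) exercising each code path.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>example</groupId><artifactId>parent</artifactId><version>1.0.0-SNAPSHOT</version></parent>
  <artifactId>example-module</artifactId>
  <properties>
    <jetty.version>9.4.44.v20210927</jetty.version>
    <beanutils.version>1.9.4</beanutils.version>
  </properties>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId><version>${jetty.version}</version></dependency>
    <dependency><groupId>commons-beanutils</groupId><artifactId>commons-beanutils</artifactId><version>${beanutils.version}</version></dependency>
    <dependency><groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId><version>${snakeyaml.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    # Usage: python pom_audit.py [repo-dir ...]; with no arguments, scan the sample.
    roots = [pathlib.Path(p) for p in sys.argv[1:]]
    if not roots:
        print(format_report("sample pom", audit(parse_pom(SAMPLE_POM))))
    for root_dir in roots:
        for pom in sorted(root_dir.rglob("pom.xml")):
            print(format_report(str(pom), audit(parse_pom(pom.read_text(encoding="utf-8")))))
```

This only checks dependencies declared in the POMs it reads: a version written as ${snakeyaml.version} in a module whose property lives in the parent shows up as "unresolved", so run it over the parent POM as well, and transitive dependencies (which Dependabot also reports) need `mvn dependency:tree` rather than this script. For the pip and npm findings the equivalents are `pip-audit` and `npm audit`, both of which print results that can be shared directly.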
