[
https://issues.apache.org/jira/browse/STREAMPIPES-519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17516266#comment-17516266
]
ASF subversion and git services commented on STREAMPIPES-519:
-------------------------------------------------------------
Commit 9bc8cb426da2e32e22197aed383679f876ffe5a3 in incubator-streampipes's
branch refs/heads/dev from Dominik Riemer
[ https://gitbox.apache.org/repos/asf?p=incubator-streampipes.git;h=9bc8cb4 ]
[STREAMPIPES-519] Cleanup dependencies
> multiple insecure libs used in streampipes
> ------------------------------------------
>
> Key: STREAMPIPES-519
> URL: https://issues.apache.org/jira/browse/STREAMPIPES-519
> Project: StreamPipes
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
> Labels: pull-request-available
>
> I ran a dependabot analysis using github and there were 74 issues - some are
> the same issue appearing in multiple subprojects.
> Unfortunately, github does not appear to allow me to share these results. To
> reproduce, fork streampipes in github and go to security tab and enable
> dependabot alerts.
> some java issues
> * log4j should be upgraded https://logging.apache.org/log4j/2.x/security.html
> * jetty should be upgraded (eg 9.4.45)
> https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
> * commons-beanutils upgrade to 1.9.4
> https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils
> * guava https://mvnrepository.com/artifact/com.google.guava/guava
> * shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
> * log4jv1 is used in some places - this jar is end of life and full of CVE
> issues - eg
> https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
> * commons-compress needs upgrading - eg
> https://github.com/apache/incubator-streampipes/blob/dev/streampipes-wrapper-spark/pom.xml
> * snakeyaml needs upgrading in
> https://github.com/pjfanning/incubator-streampipes/blob/dev/streampipes-maven-plugin/pom.xml
> * postgresql jar needs upgrading - see
> https://github.com/advisories/GHSA-673j-qm5f-xpv8
> * nimbus-jose-jwt - https://github.com/advisories/GHSA-f6vf-pq8c-69m4
> * amqp-client - https://github.com/advisories/GHSA-w4g2-9hj6-5472
> * netty - https://github.com/advisories/GHSA-grg4-wf29-r9vv and others
> pips
> * waitress eg https://github.com/advisories/GHSA-4f7p-27jc-3c36
> * jinja eg https://github.com/advisories/GHSA-g3rq-g295-4j3m
> npms
> * many
> * including lodash https://github.com/advisories/GHSA-35jh-r3h4-6jhm
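The issue lists the affected Maven coordinates but only two concrete floors (jetty 9.4.45, commons-beanutils 1.9.4) plus the note that log4j 1.x is end of life. A defender reviewing a module's pom.xml offline, without Dependabot access, can encode exactly those three facts as a check. The script below is an added example written for this page, not code from the StreamPipes project or from the issue reporter; the POM it audits is a constructed sample (its `jetty.version` property and the `log4j:log4j:1.2.17` entry are sample values chosen to trigger findings), and the minimum-version table contains only the versions the issue itself names.

```python
import re
import xml.etree.ElementTree as ET

# Maven POM namespace used by every pom.xml.
POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Minimum acceptable versions taken from the issue text (jetty 9.4.45, commons-beanutils 1.9.4).
# Other artifacts the issue names carry no version there, so they are deliberately absent.
MIN_VERSIONS = {
    ("org.eclipse.jetty", "jetty-server"): "9.4.45",
    ("commons-beanutils", "commons-beanutils"): "1.9.4",
}

# log4j 1.x is end of life per the issue: any use of the old coordinates is a finding.
EOL_ARTIFACTS = {("log4j", "log4j")}

# Constructed sample pom.xml (not from the project); versions are chosen to exercise the checks.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>constructed-sample</artifactId>
  <version>0.0.1</version>
  <properties>
    <jetty.version>9.4.40.v20210413</jetty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-server</artifactId>
      <version>${jetty.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.4</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """Reduce a version string to a tuple of its numeric parts so tuples compare lexicographically.
    '9.4.40.v20210413' -> (9, 4, 40, 20210413); qualifiers like 'v' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_pom(pom_xml):
    """Return a list of (groupId, artifactId, resolvedVersion, reason) findings for one POM."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so ${name} references in <version> can be resolved locally.
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        # Substitute ${property}; unknown properties are left as-is and reported below.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        key = (gid, aid)
        if key in EOL_ARTIFACTS:
            findings.append((gid, aid, ver, "end-of-life artifact"))
        elif key in MIN_VERSIONS:
            minimum = MIN_VERSIONS[key]
            if not ver or "${" in ver:
                # Version managed by a parent or BOM: cannot judge from this file alone.
                findings.append((gid, aid, ver, "version not resolvable in this pom; check parent/BOM"))
            elif parse_version(ver) < parse_version(minimum):
                findings.append((gid, aid, ver, f"below minimum {minimum}"))
    return findings


if __name__ == "__main__":
    for gid, aid, ver, reason in audit_pom(SAMPLE_POM):
        print(f"{gid}:{aid}:{ver or '?'} -> {reason}")
```

Two details matter in practice: a version that is inherited from a parent POM or a BOM does not appear in the module file at all, so the script reports it as unresolvable rather than silently passing it, and an end-of-life artifact is flagged regardless of version because no upgrade within the 1.x line fixes the issue's concern.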
--
This message was sent by Atlassian Jira
(v8.20.1#820001)