[jira] [Commented] (CARBONDATA-3729) Please avoid using libraries with CVEs

2022-06-27 Thread PJ Fanning (Jira)
   
PJ Fanning commented on CARBONDATA-3729:
 
Re: Please avoid using libraries with CVEs
 
There are a large number of open pull requests that attempt to upgrade libs that have security issues: https://github.com/apache/carbondata/pulls?q=is%3Apr+is%3Aopen+label%3Adependencies Would someone be able to merge them?
 
This message was sent by Atlassian Jira (v8.20.10#820010-sha1:ace47f9)

[jira] [Commented] (CARBONDATA-3729) Please avoid using libraries with CVEs

2020-03-02 Thread XuCongying (Jira)


[ https://issues.apache.org/jira/browse/CARBONDATA-3729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17049326#comment-17049326 ]

XuCongying commented on CARBONDATA-3729:


I found that the buggy methods of the CVEs are in the program execution path of 
your project, which makes your project at risk. I have suggested some version 
updates. Here is the detailed information:
 * *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.7.2

 * *Call Chain to Buggy Methods:*

 ** *Some files in your project call the library method 
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String), 
which can reach the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method 
org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration), 
which can reach the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java,
 core/src/main/java/org/apache/carbondata/core/datastore/impl/FileFactory.java

 *** One of the possible call chains:
org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.get(java.net.URI,org.apache.hadoop.conf.Configuration)
org.apache.hadoop.fs.FileSystem.getDefaultUri(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method 
org.apache.hadoop.security.UserGroupInformation.getCurrentUser(), which can 
reach the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
processing/src/main/java/org/apache/carbondata/processing/util/Auditor.java, 
common/src/main/java/org/apache/carbondata/common/logging/LogService.java, 

 *** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getCurrentUser()
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method 
org.apache.hadoop.security.UserGroupInformation.getLoginUser(), which can reach 
the buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
core/src/main/java/org/apache/carbondata/core/util/CarbonUtil.java

 *** One of the possible call chains:
org.apache.hadoop.security.UserGroupInformation.getLoginUser()
org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(javax.security.auth.Subject)
org.apache.hadoop.security.UserGroupInformation.ensureInitialized()
org.apache.hadoop.security.UserGroupInformation.initialize(org.apache.hadoop.conf.Configuration,boolean)
org.apache.hadoop.security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)
org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Some files in your project call the library method 
org.apache.hadoop.conf.Configuration.get(java.lang.String), which can reach the 
buggy method of 
[CVE-2017-15713|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15713].*

 *** Files in your project:  
processing/src/main/java/org/apache/carbondata/processing/loading/jsoninput/JsonInputFormat.java,
 core/src/main/java/org/apache/carbondata/core/datamap/DataMapUtil.java, 
core/src/main/java/org/apache/carbondata/core/util/CarbonProperties.java

 *** One of the possible call chains:
org.apache.hadoop.conf.Configuration.get(java.lang.String)
org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
 ** *Update suggestion:* version 3.2.1. 3.2.1 is a safe version without CVEs.
From 2.7.2 to 3.2.1, 20 of the APIs (called by 81 times in your project) were
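The call chains in the comment above are the output of a reachability analysis: a project file is only flagged when some library API it calls has a path to the method the CVE fix touched. The following added example (not the thread's or CarbonData's own tooling) rebuilds that check over the chains quoted in the comment: it merges them into a call graph, then searches breadth-first from each entry point a project file calls to the flagged substituteVars method, so files whose calls never reach it drop out. The edges, the file list and the `Example.java` control case are constructed from the comment text, not extracted from Hadoop bytecode.

```python
from collections import deque

H = "org.apache.hadoop."
CFG, FS, UGI = H + "conf.Configuration.", H + "fs.FileSystem.", H + "security.UserGroupInformation."
BUGGY = CFG + "substituteVars(java.lang.String)"  # the CVE-2017-15713 sink named in the report
GET2, GET1 = CFG + "get(java.lang.String,java.lang.String)", CFG + "get(java.lang.String)"
PATH_FS = H + "fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration)"
UGI_CUR, UGI_LOGIN = UGI + "getCurrentUser()", UGI + "getLoginUser()"
# Library call chains quoted in the report (caller first, sink last). Constructed input:
# a real tool extracts these edges from the hadoop-common 2.7.2 bytecode, not from a list.
REPORTED_CHAINS = [
    [GET2, BUGGY],
    [GET1, BUGGY],
    [PATH_FS, FS + "get(java.net.URI,org.apache.hadoop.conf.Configuration)",
     FS + "getDefaultUri(org.apache.hadoop.conf.Configuration)", GET2, BUGGY],
    [UGI_CUR, UGI_LOGIN, UGI + "loginUserFromSubject(javax.security.auth.Subject)",
     UGI + "ensureInitialized()", UGI + "initialize(org.apache.hadoop.conf.Configuration,boolean)",
     H + "security.SecurityUtil.getAuthenticationMethod(org.apache.hadoop.conf.Configuration)",
     GET2, BUGGY],
]
# Merge the chains into one adjacency map: caller -> set of callees.
CALL_GRAPH = {}
for _chain in REPORTED_CHAINS:
    for _caller, _callee in zip(_chain, _chain[1:]):
        CALL_GRAPH.setdefault(_caller, set()).add(_callee)
# Project files and the entry points they call (from the report); the last entry is a constructed control.
PROJECT_CALLS = {
    "processing/src/main/java/org/apache/carbondata/processing/loading/csvinput/CSVInputFormat.java": [GET2, PATH_FS],
    "core/src/main/java/org/apache/carbondata/core/datastore/impl/FileFactory.java": [PATH_FS],
    "core/src/main/java/org/apache/carbondata/core/util/CarbonUtil.java": [UGI_LOGIN],
    "core/src/main/java/org/apache/carbondata/core/util/CarbonProperties.java": [GET1],
    "Example.java (constructed control)": [H + "fs.Path.getName()"],
}

def shortest_chain(graph, entry, sink=BUGGY):
    """Breadth-first search from a library entry point; shortest call chain to sink, or None."""
    queue, seen = deque([[entry]]), {entry}
    while queue:
        chain = queue.popleft()
        if chain[-1] == sink:
            return chain
        for callee in sorted(graph.get(chain[-1], ())):
            if callee not in seen:
                seen.add(callee)
                queue.append(chain + [callee])
    return None

def affected_files(project_calls=PROJECT_CALLS, graph=CALL_GRAPH, sink=BUGGY):
    """Shortest chain per project file from any API it calls to the sink; unreachable files are left out."""
    hits = {p: [c for c in (shortest_chain(graph, e, sink) for e in es) if c] for p, es in project_calls.items()}
    return {p: min(cs, key=len) for p, cs in hits.items() if cs}
```

Running `affected_files()` reproduces the report's verdicts: CSVInputFormat reaches the sink in one hop through Configuration.get, FileFactory needs the four-step Path.getFileSystem chain, and the control file is absent because none of its calls lead anywhere.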