Hi Jeremy, thanks for your response. I'll take a look at the scan reports. To be more specific, we are running into the following issue.

We are using Ignite standalone, from https://ignite.apache.org/download.cgi, version 2.16.0. We are using the thin client to connect to Ignite. When running Ignite itself, it is using ignite-spring-2.16.0, and this one is using Tomcat 9.0.63 and org.springframework 5.2.25.RELEASE, both of which have known vulnerabilities. So, we are not using the components listed above as dependencies for our project (or not all of them, just the ones needed for the thin client); our concern is about the standalone distribution of Ignite and its current dependencies on vulnerable versions of Tomcat and Spring.

So our questions are as follows:

1) Is there a plan to address these 2 dependencies and upgrade them to newer versions? If so, when can we see this in the upcoming releases (3.0 release etc.)?
2) Can we consume Ignite in such a way that we can update those dependencies for Tomcat and Spring to leverage versions that don't have vulnerabilities?
3) Can we build Ignite from source and update these versions? Is this even recommended?

Thanks in advance,
Vishy

Vishy Ramaswamy
Modernization Architect | Workload Automation
Mainframe Division | Broadcom
mobile: +1.236.638.9672
CAN-British Columbia Remote Location
vishy.ramasw...@broadcom.com | broadcom.com

On Fri, Aug 2, 2024 at 10:38 AM Jeremy McMillan <j...@gridgain.com> wrote:

> Apache Ignite release notes contain details about fixes, including CVEs addressed.
> https://github.com/apache/ignite/blob/master/RELEASE_NOTES.txt
>
> Current known vulnerabilities are determined by vulnerability testing, which differs depending on who (test/scan tool vendor, stakeholder/user) does the testing. All scanner tools are different, and most support configurable policy around what to recognize and what to report. GridGain performs security audits of commercial distributions, but the Ignite community is responsible for performing its own testing.
>
> Some public vulnerability scan reports are available. YMMV:
> https://security.snyk.io/package/maven/org.apache.ignite:ignite-core
>
> On Thu, Aug 1, 2024 at 7:53 PM Vishy Ramaswamy <vishy.ramasw...@broadcom.com> wrote:
>
>> Hi All,
>> We are trying out Apache Ignite version 2.16.0. I want to know where I can get information about what vulnerabilities (CVE) got addressed in 2.16.0, as well as what the current known vulnerabilities on 2.16 are (if any).
>> Appreciate the help and thanks in advance for your response.
>>
>> Vishy
>>
>> This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.