Thanks for the quick reply. Yes, since it is included in the jars then it
is unclear whether it is used internally at least to me.

I can substitute the jar in the distro to keep the scanner from finding it,
but then it is unclear whether I could be breaking something or not. Given
that 3.1.2 is the latest release, I guess you might expect that it would
pass the scanners but I am not sure if that version spans 3.0.x and 3.1.x
or not either.

I can report findings in an issue where I am pretty darn sure it is a valid
vulnerability if that is ok? That at least would raise the visibility.

Will 3.2.x be Scala 2.13.x only or cross compiled with 2.12?

I realize Spark is a beast so I just want to help if I can but also not
create extra work if it is not useful for me or the Spark team/contributors.

On Mon, Jun 21, 2021 at 3:43 PM Sean Owen <sro...@gmail.com> wrote:

> Whether it matters really depends on whether the CVE affects Spark.
> Sometimes it clearly could and so we'd try to back-port dependency updates
> to active branches.
> Sometimes it clearly doesn't and hey sometimes the dependency is updated
> anyway for good measure (mostly to keep this off static analyzer reports)
> but probably wouldn't backport.
>
> Jackson has been a persistent one but in this case Spark is already on
> 2.12.x in master, and it wasn't clear last time I looked at those CVEs that
> they can affect Spark itself. End user apps perhaps, but those apps can
> supply their own Jackson.
>
> If someone had a legit view that this is potentially more serious I think
> we could probably backport that update, but Jackson can be a little bit
> tricky with compatibility IIRC so would just bear some testing.
>
>
> On Mon, Jun 21, 2021 at 5:27 PM Eric Richardson <ekrichard...@gmail.com>
> wrote:
>
>> Hi,
>>
>> I am working with Spark 3.1.2 and getting several vulnerabilities popping
>> up. I am wondering if the Spark distros are scanned etc. and how people
>> resolve these.
>>
>> For example, I am finding -
>> https://nvd.nist.gov/vuln/detail/CVE-2020-25649
>>
>> This looks like it is fixed in 2.11.0 -
>> https://github.com/FasterXML/jackson-databind/issues/2589 - but Spark
>> supplies 2.10.0.
>>
>> Thanks,
>> Eric
>>
>
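The original question in this thread is how to tell which jar in a Spark distribution a scanner is flagging (here jackson-databind 2.10.0, where the thread notes the fix for CVE-2020-25649 landed in 2.11.0), and the follow-up worry is that swapping a jar by hand leaves you unsure what else is bundled. The script below is an added example, not Spark project code and not anything posted in the thread: it walks a `jars/` directory, reads each artifact's version both from the file name and from the `META-INF/maven/<group>/<artifact>/pom.properties` entries inside the jar (which is how a shaded or repackaged copy shows up when the file name does not say "jackson"), and compares versions numerically so that 2.10 is correctly ranked below 2.11. The `FIXED_VERSIONS` table is constructed for the example and contains only the one advisory named on the page; the jar names and the in-memory jar are constructed test inputs.

```python
"""Check a Spark distribution's jars/ directory for dependency versions below a
known fix version. Added example, not Spark project code."""
import io
import re
import zipfile
from pathlib import Path

# Advisory table (constructed for this example). The only entry is the one
# discussed in the thread: CVE-2020-25649 is fixed in jackson-databind 2.11.0.
FIXED_VERSIONS = {
    "jackson-databind": ("CVE-2020-25649", "2.11.0"),
}

# 'artifact-1.2.3.jar' -> artifact, version (the version must start with a digit,
# so 'spark-core_2.12-3.1.2.jar' parses as ('spark-core_2.12', '3.1.2')).
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*?)\.jar$")


def parse_jar_name(name):
    """Return (artifact, version) from a Maven-style jar file name, or None."""
    m = JAR_NAME.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Sort key: numeric segments compare as integers (so 2.10 > 2.9);
    non-numeric segments such as 'Final' or 'RC1' sort before numbers."""
    return tuple((1, int(t), "") if t.isdigit() else (0, 0, t)
                 for t in re.split(r"[.\-]", version))


def is_older(found, fixed):
    """True when the found version is strictly below the first fixed version."""
    return version_key(found) < version_key(fixed)


def pom_artifacts(jar_bytes):
    """List (artifactId, version) for every META-INF/maven/.../pom.properties in
    a jar. This is what exposes shaded or repackaged copies of a library whose
    file name gives no hint that it is inside."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                props = dict(
                    line.split("=", 1)
                    for line in zf.read(entry).decode("utf-8", "replace").splitlines()
                    if "=" in line and not line.startswith("#")
                )
                if "artifactId" in props and "version" in props:
                    found.append((props["artifactId"].strip(), props["version"].strip()))
    return found


def check_versions(artifacts, source):
    """Return (source, artifact, version, cve, fixed) for each artifact below its fix."""
    findings = []
    for artifact, version in artifacts:
        if artifact in FIXED_VERSIONS:
            cve, fixed = FIXED_VERSIONS[artifact]
            if is_older(version, fixed):
                findings.append((source, artifact, version, cve, fixed))
    return findings


def scan_jar_names(names):
    """File-name-only scan, usable on a plain listing of the jars/ directory."""
    findings = []
    for name in names:
        parsed = parse_jar_name(name)
        if parsed:
            findings.extend(check_versions([parsed], name))
    return findings


def scan_jar_dir(jar_dir):
    """Full scan of a directory: file names plus embedded pom.properties."""
    findings = set()
    for path in sorted(Path(jar_dir).glob("*.jar")):
        findings.update(scan_jar_names([path.name]))
        findings.update(check_versions(pom_artifacts(path.read_bytes()), path.name))
    return sorted(findings)


def build_fake_jar(entries):
    """Constructed test input: an in-memory jar holding the given files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed file names, not a real Spark listing.
    sample = ["jackson-databind-2.10.0.jar", "jackson-core-2.10.0.jar",
              "spark-core_2.12-3.1.2.jar", "netty-all-4.1.51.Final.jar"]
    for src, art, ver, cve, fixed in scan_jar_names(sample):
        print("%s: %s %s is below %s (%s)" % (src, art, ver, fixed, cve))
```

Run `scan_jar_dir("/path/to/spark/jars")` against an unpacked distribution to get a deduplicated list; the pom.properties pass is the one that answers the "what else might be bundled" question, since a jar that shades jackson-databind carries the dependency's own pom.properties even though its file name never mentions Jackson. Whether a flagged version is actually reachable in Spark's code paths is a separate question, as the thread points out, and this check only tells you what is shipped.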
