Hello. My team uses Pentaho, an off-the-shelf, box-and-arrow diagrammy flowcharty tool. It has steps for stuff like reading CSV, using an SQL query to insert, etc.

Recently, our company decided to use Orca for vuln scans. Orca has been driving me bat-shit crazy with reports of vuln jars in dirs that don't have the vuln jar in question. I got access to the actual Orca scan results, and discovered the following pattern that occurs in a few places in the product:

* It complains about com.fasterxml.jackson.core:jackson-databind 2.4.0, which is a legit vuln.
* The path on disk is plugins/pentaho-big-data-plugin/hadoop-configurations/cdh61/lib/pmr/hbase-protocol-shaded-2.1.0-cdh6.1.0.jar
* The file hbase-protocol-shaded-2.1.0-cdh6.1.0.jar is obviously not jackson-databind. It does not even contain jackson-databind compiled classes. What it does contain is the following files:

  META-INF/maven/com.fasterxml.jackson.core/jackson-databind/
  META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties
  META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml

Some of those files contain textual references to jackson-databind 2.4.0. The only copy of jackson-databind is in the lib dir.

Since I only vaguely know that OSGi is being used here, and have never heard of this Apache Felix Bundle plugin before, I am not clear on how to address the vuln. Can I just modify these text files and say the version is 2.4.0, given that is what is actually now in the lib dir?

Greg Hall (He/Him) | Sr Developer 1
Applied Systems Canada
www.appliedsystems.ca<https://www1.appliedsystems.com/en-ca/> | emailaddr...@appliedsystems.com<mailto:emailaddr...@appliedsystems.com>
M: 902-329-0649
24/7 Customer Support: 800.617.4666 | supp...@appliedsystems.com<mailto:supp...@appliedsystems.com>
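One way to triage a finding like the one described above offline, as an added example that is not from this thread and not Pentaho's or Orca's code: the script below opens a jar and separates three cases that a path-based scanner report does not distinguish. A "metadata only" hit means the only trace of the library is the Maven descriptor left behind by shading (META-INF/maven/<groupId>/<artifactId>/pom.properties), with no compiled classes under the library's package; an "embedded" hit means the library's classes really are inside the jar; a "relocated" hit means the classes are present under a shaded package prefix, which is still the library's code even though the path no longer matches. The sample jars are constructed in memory for the demo, the class-file bodies are placeholder bytes, and the package prefix for jackson-databind (com/fasterxml/jackson/databind/) is assumed from the library's layout rather than taken from the thread.

```python
"""Triage a scanner hit on a jar: metadata-only, embedded, or relocated?"""
import io
import zipfile

# Coordinates from the scanner finding; the class prefix is an assumption
# about where jackson-databind's compiled classes live.
GROUP_ID = "com.fasterxml.jackson.core"
ARTIFACT_ID = "jackson-databind"
CLASS_PREFIX = "com/fasterxml/jackson/databind/"


def build_jar(entries):
    """Build an in-memory jar (a zip) from {path: bytes}. Constructed for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def parse_pom_properties(text):
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def triage_jar(jar_bytes, group_id, artifact_id, class_prefix):
    """Classify a jar with respect to one library.

    Returns a dict with the versions claimed by Maven metadata, the number of
    class files found directly under class_prefix, the number found under a
    relocated (shaded) prefix, and a verdict.
    """
    meta_file = f"META-INF/maven/{group_id}/{artifact_id}/pom.properties"
    versions = set()
    direct_classes = 0
    relocated_classes = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            if name == meta_file:
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if props.get("version"):
                    versions.add(props["version"])
            elif name.endswith(".class"):
                if name.startswith(class_prefix):
                    direct_classes += 1
                elif class_prefix in name:
                    relocated_classes += 1  # e.g. org/foo/shaded/com/fasterxml/...
    if direct_classes:
        verdict = "EMBEDDED"
    elif relocated_classes:
        verdict = "RELOCATED"
    elif versions:
        verdict = "METADATA_ONLY"
    else:
        verdict = "ABSENT"
    return {
        "metadata_versions": sorted(versions),
        "direct_classes": direct_classes,
        "relocated_classes": relocated_classes,
        "verdict": verdict,
    }


# Constructed sample jars. POM_PROPS mimics the descriptor Maven writes.
POM_PROPS = b"#Generated by Maven\nversion=2.4.0\ngroupId=%s\nartifactId=%s\n" % (
    GROUP_ID.encode(), ARTIFACT_ID.encode())
META_DIR = f"META-INF/maven/{GROUP_ID}/{ARTIFACT_ID}/"
BASE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    META_DIR + "pom.properties": POM_PROPS,
    META_DIR + "pom.xml": b"<project><version>2.4.0</version></project>",
    "org/example/shaded/protobuf/Message.class": b"\xca\xfe\xba\xbe",  # placeholder
}
METADATA_ONLY_JAR = build_jar(BASE_ENTRIES)
EMBEDDED_JAR = build_jar({**BASE_ENTRIES,
                          CLASS_PREFIX + "ObjectMapper.class": b"\xca\xfe\xba\xbe"})
RELOCATED_JAR = build_jar({**BASE_ENTRIES,
                           "org/example/shaded/" + CLASS_PREFIX + "ObjectMapper.class":
                           b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    for label, jar in [("metadata-only", METADATA_ONLY_JAR),
                       ("embedded", EMBEDDED_JAR), ("relocated", RELOCATED_JAR)]:
        print(label, triage_jar(jar, GROUP_ID, ARTIFACT_ID, CLASS_PREFIX))
```

To run this against a real file, replace the constructed bytes with `open(path, "rb").read()`. A METADATA_ONLY verdict is the evidence to attach to a false-positive ticket; EMBEDDED or RELOCATED means the vulnerable code really ships in that jar and the finding stands regardless of what the lib dir contains.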