[
https://issues.apache.org/jira/browse/YARN-11389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17644761#comment-17644761
]
ASF GitHub Bot commented on YARN-11389:
---------------------------------------
dmmkr commented on PR #5192:
URL: https://github.com/apache/hadoop/pull/5192#issuecomment-1342593030
Thanks @steveloughran for the review,
I agree that the spring version upgrade should come with the plugin. I tried
upgrading the maven plugin to the latest available version, 1.10.1, and it still
has the vulnerable spring version 5.3.1.
I can add a comment similar to https://github.com/apache/hadoop/pull/421 to
ensure that the spring dependencies get removed in the later versions of the plugin
upgrade.
We are adding spring as the first level dependency for the plugin, whereas
the existing spring is coming from the second level of dependency. Maven
ensures that the nearest level of dependency gets picked up.
> Upgrade spring-core to 5.3.20 in wro4j-maven-plugin
> ----------------------------------------------------
>
> Key: YARN-11389
> URL: https://issues.apache.org/jira/browse/YARN-11389
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: build, yarn-ui-v2
> Affects Versions: 3.4.0
> Reporter: D M Murali Krishna Reddy
> Assignee: D M Murali Krishna Reddy
> Priority: Minor
> Labels: pull-request-available, transitive-cve
>
> Currently during the yarn-ui build we are using a vulnerable version of
> spring-core, spring-core-3.1.1.RELEASE.jar, which has several critical and high
> vulnerabilities; we need to upgrade to a version 5.3.20+.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
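The override pattern the comment relies on (a plugin-level dependency that is nearer in the plugin's own tree than the transitive spring-core, so Maven's nearest-wins mediation picks it) looks like this in a pom.xml. This is an added illustration, not the change from apache/hadoop PR #5192 or any Hadoop pom; the Maven coordinates ro.isdc.wro4j:wro4j-maven-plugin and org.springframework:spring-core are the real artifacts, while 1.10.1 and 5.3.20 are the plugin and spring-core versions named in the comment and the issue.

```xml
<!-- Added illustration of the plugin-level dependency override; not the actual
     PR change. The plugin version (1.10.1) and spring-core version (5.3.20) are
     the ones named in the discussion, the surrounding structure is assumed. -->
<build>
  <plugins>
    <plugin>
      <groupId>ro.isdc.wro4j</groupId>
      <artifactId>wro4j-maven-plugin</artifactId>
      <version>1.10.1</version>
      <!-- Dependencies declared here are at depth 1 of the plugin's dependency
           tree. The spring-core the plugin itself pulls in is at depth 2 or
           deeper, so nearest-wins mediation resolves spring-core to 5.3.20 on
           the plugin classpath. This affects only the plugin's classpath, not
           the project's own dependencies. -->
      <dependencies>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
          <version>5.3.20</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

To confirm the override took effect, run `mvn dependency:resolve-plugins` and check the spring-core version listed under wro4j-maven-plugin; since only spring-core is pinned here, check the same listing for any other org.springframework artifacts the plugin pulls in, because those keep the plugin's own versions. Re-run the check after every plugin upgrade, and drop the override once the plugin stops pulling Spring at all, which is what the comment's proposed pom note is meant to remind maintainers of.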