edwardcapriolo commented on PR #507:
URL: https://github.com/apache/incubator-livy/pull/507#issuecomment-3780857911
@lmccay I am sure you may know this but I will give my playbook here for
those following the ticket:
I run two commands:
```shell
mvn -Pspark3 org.owasp:dependency-check-maven:check > /tmp/oss.txt
mvn -Pspark3 dependency:tree > /tmp/oss_tree.txt
```
Then I look for things to fix:
```
ivy-2.5.1.jar (pkg:maven/org.apache.ivy/ivy@2.5.1, cpe:2.3:a:apache:ivy:2.5.1:*:*:*:*:*:*:*) : CVE-2022-46751
```
Then I look at dependency:tree. Who brings in ivy? If the next version of
spark will fix the problem it is possible to hotfix, force ivy in my deps;
however, then I need some plan to make sure it works, and in the future I also
have to remove it, or set the version to "at least" the fix version so if the
problem is fixed upstream you don't know how to remove the override here.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
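The two-file triage described in the comment above (scan, then ask "who brings in ivy?", then decide whether a version override is still needed) as an added Python example. This is not code from the PR author or the Livy project; it parses the text formats the two Maven commands print, and all inputs below are constructed samples that mimic those formats (the coordinates, versions and placeholder CVE ids other than the one quoted in the comment are made up). The fix version passed to `override_still_needed` is an input you take from the relevant advisory; the example does not assert which version fixes CVE-2022-46751.

```python
"""Join dependency-check findings with the dependency:tree output so each flagged
jar is shown with its CVEs and the chain of parents that pulls it in, and flag
whether a hotfix pin is still needed after a parent upgrade."""
import re

# Constructed sample of dependency-check's console summary (not a real scan).
DEPCHECK_SAMPLE = """
[WARNING] One or more dependencies were identified with known vulnerabilities in livy-server:

ivy-2.5.1.jar (pkg:maven/org.apache.ivy/ivy@2.5.1, cpe:2.3:a:apache:ivy:2.5.1:*:*:*:*:*:*:*) : CVE-2022-46751
example-lib-1.0.jar (pkg:maven/org.example/example-lib@1.0, cpe:2.3:a:example:example_lib:1.0:*:*:*:*:*:*:*) : CVE-0000-PLACEHOLDER-A, CVE-0000-PLACEHOLDER-B
"""

# Constructed sample of `mvn dependency:tree` output (versions are placeholders).
TREE_SAMPLE = r"""
[INFO] Scanning for projects...
[INFO] org.apache.livy:livy-server:jar:0.0.0-CONSTRUCTED
[INFO] +- org.apache.spark:spark-core_2.12:jar:3.0.0-CONSTRUCTED:provided
[INFO] |  +- org.apache.ivy:ivy:jar:2.5.1:provided
[INFO] |  \- org.example:unrelated:jar:2.0:compile
[INFO] \- org.example:example-lib:jar:1.0:compile
"""

# One finding line: "<jar> (<purl>, <cpe>) : CVE-a, CVE-b"
FINDING = re.compile(r"^(\S+\.jar) \((pkg:[^,]+), [^)]*\) : (.+)$")
# Tree line: optional "[INFO] ", then 3-char drawing cells ("+- ", "|  ", "\- ", "   "), then coordinates.
TREE_LINE = re.compile(r"^(?:\[INFO\]\s)?((?:[ |+\\-]{3})*)(\S+)")


def findings(text):
    """Return {jar: (purl, [cve, ...])} parsed from dependency-check's summary."""
    out = {}
    for line in text.splitlines():
        m = FINDING.match(line.strip())
        if m:
            out[m.group(1)] = (m.group(2), [c.strip() for c in m.group(3).split(",")])
    return out


def parse_tree(text):
    """Return [(depth, groupId, artifactId, version), ...] in tree order.

    Depth is the number of 3-character drawing cells before the coordinates;
    the root module is depth 0. Coordinates are g:a:type[:classifier]:version[:scope].
    """
    nodes = []
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:          # not a g:a:type:version coordinate (e.g. log chatter)
            continue
        version = parts[4] if len(parts) >= 6 else parts[3]
        nodes.append((len(prefix) // 3, parts[0], parts[1], version))
    return nodes


def paths_to(nodes, artifact_id):
    """Answer "who brings in <artifact>?": every root-to-artifact chain, as g:a:v strings."""
    stack, found = [], []
    for depth, group, art, version in nodes:
        del stack[depth:]                       # unwind to this node's parent level
        stack.append(f"{group}:{art}:{version}")
        if art == artifact_id:
            found.append(list(stack))
    return found


def triage(depcheck_text, tree_text):
    """For each flagged jar: its CVE list and the dependency chain(s) pulling it in."""
    nodes = parse_tree(tree_text)
    report = {}
    for jar, (purl, cves) in findings(depcheck_text).items():
        artifact = purl.rsplit("/", 1)[1].split("@")[0]   # pkg:maven/<group>/<artifact>@<version>
        report[jar] = {"cves": cves,
                       "paths": [" -> ".join(p) for p in paths_to(nodes, artifact)]}
    return report


def version_key(v):
    """Numeric-tuple key so '2.5.10' sorts after '2.5.2' (qualifiers are ignored)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def override_still_needed(nodes, artifact_id, fix_version):
    """True while any resolved copy of artifact_id is older than fix_version.

    Re-run after bumping the parent (e.g. Spark): once it returns False, the
    hotfix pin in dependencyManagement can be removed instead of lingering.
    """
    return any(version_key(v) < version_key(fix_version)
               for _, _, art, v in nodes if art == artifact_id)


if __name__ == "__main__":
    for jar, info in triage(DEPCHECK_SAMPLE, TREE_SAMPLE).items():
        print(jar, info["cves"])
        for path in info["paths"]:
            print("   ", path)
```

In practice `DEPCHECK_SAMPLE` and `TREE_SAMPLE` would be read from `/tmp/oss.txt` and `/tmp/oss_tree.txt`. Because the override check reads the resolved tree rather than the POM, it notices when an upstream bump has made a pin redundant, which is the "how do I know when to remove it" problem the comment raises.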