robertzych opened a new issue, #12341: URL: https://github.com/apache/pinot/issues/12341
In using `pinot-java-client : 1.0.0-hotfix` and `pinot-common : 1.0.0` and scanning the dependencies with Anchore the following CVEs were detected:

```
CVE-2022-39135+org.apache.calcite.avatica.avatica-core-1.20.0.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-core-1.20.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2022-39135+org.apache.calcite.calcite-linq4j-1.30.0.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-linq4j-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)
CVE-2022-41881+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2022-41881 - https://nvd.nist.gov/vuln/detail/CVE-2022-41881)
CVE-2019-20444+com.typesafe.netty.netty-reactive-streams-2.0.4.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-20444 - https://nvd.nist.gov/vuln/detail/CVE-2019-20444)
CVE-2019-20445+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-20445 - https://nvd.nist.gov/vuln/detail/CVE-2019-20445)
CVE-2015-2156+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2015-2156 - https://nvd.nist.gov/vuln/detail/CVE-2015-2156)
CVE-2019-16869+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-16869 - https://nvd.nist.gov/vuln/detail/CVE-2019-16869)
CVE-2023-26464+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2023-26464 - https://nvd.nist.gov/vuln/detail/CVE-2023-26464)
CVE-2022-39135+org.apache.calcite.calcite-core-1.30.0.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-core-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2019-17571+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2019-17571 - https://nvd.nist.gov/vuln/detail/CVE-2019-17571)
CVE-2019-20444+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2019-20444 - https://nvd.nist.gov/vuln/detail/CVE-2019-20444)
CVE-2022-41881+com.typesafe.netty.netty-reactive-streams-2.0.4.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2022-41881 - https://nvd.nist.gov/vuln/detail/CVE-2022-41881)
CVE-2022-23302+org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.logging.log4j.log4j-1.2-api-2.17.1.jar (CVE-2022-23302 - https://nvd.nist.gov/vuln/detail/CVE-2022-23302)
CVE-2021-37137+com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar:netty-reactive-streams (CVE-2021-37137 - https://nvd.nist.gov/vuln/detail/CVE-2021-37137)
CVE-2023-2976+com.google.guava.guava-32.0.0-jre.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.guava-32.0.0-jre.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)
CVE-2019-16869+com.typesafe.netty.netty-reactive-streams-2.0.4.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-16869 - https://nvd.nist.gov/vuln/detail/CVE-2019-16869)
CVE-2021-37136+com.typesafe.netty.netty-reactive-streams-2.0.4.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2021-37136 - https://nvd.nist.gov/vuln/detail/CVE-2021-37136)
CVE-2022-39135+org.apache.calcite.calcite-babel-1.30.0.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.calcite-babel-1.30.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
CVE-2021-37137+com.typesafe.netty.netty-reactive-streams-2.0.4.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2021-37137 - https://nvd.nist.gov/vuln/detail/CVE-2021-37137)
CVE-2023-2976+com.google.guava.failureaccess-1.0.1.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.google.guava.failureaccess-1.0.1.jar (CVE-2023-2976 - https://nvd.nist.gov/vuln/detail/CVE-2023-2976)
CVE-2015-2156+com.typesafe.netty.netty-reactive-streams-2.0.4.jar vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2015-2156 - https://nvd.nist.gov/vuln/detail/CVE-2015-2156)
CVE-2019-20445+com.typesafe.netty.netty-reactive-streams-2.0.4.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/com.typesafe.netty.netty-reactive-streams-2.0.4.jar (CVE-2019-20445 - https://nvd.nist.gov/vuln/detail/CVE-2019-20445)
CVE-2022-39135+org.apache.calcite.avatica.avatica-metrics-1.20.0.jar vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/quarkus-app/lib/main/org.apache.calcite.avatica.avatica-metrics-1.20.0.jar (CVE-2022-39135 - https://nvd.nist.gov/vuln/detail/CVE-2022-39135)
```