[
https://issues.apache.org/jira/browse/HADOOP-18148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17695257#comment-17695257
]
Steve Loughran commented on HADOOP-18148:
-----------------------------------------
license-bin of the 3.3.5 RC2 thinks there is one more recent; why don't you
have a look.
Trying to get all our dependencies under control is a losing battle.
https://steveloughran.blogspot.com/2022/08/transitive-issues.html
If you can do your own release where you do not have to worry about breaking
applications two hops away then I cherish your freedom. Build against java11,
bump up all your dependencies, clean build all generated Avro and parquet
classes and do something about jetty. The secret here is to completely rebuild
the entire data stack with locked down transitive dependencies. Even there you
will find things like jetty being unresolvable consistently.
You might also want to pick up HADOOP-18487 to cut protobuf out of scope. We
had, it broke hive, we had to roll back; that should cut it out.
Let me know how everything went.
> json smart 1.3.2 still appears in Trivy scan of build
> ------------------------------------------------------
>
> Key: HADOOP-18148
> URL: https://issues.apache.org/jira/browse/HADOOP-18148
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 3.3.2
> Reporter: Fred Purcell
> Priority: Major
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> When building 3.3.2, Hadoop is still failing CVE scans showing the following
> error. We are unable to use Hadoop with this CVE showing:
>
> "VulnerabilityID": "CVE-2021-31684",
> "PkgName": "net.minidev:json-smart",
> "PkgPath": "...lib/org.apache.hadoop.hadoop-client-runtime-3.3.2.jar",
> "InstalledVersion": "1.3.2",
> "FixedVersion": "2.4.5, 1.3.3",
>
> more specifically
>
> "VulnerabilityID": "CVE-2021-31684",
> "PkgName": "net.minidev:json-smart",
> "PkgPath": ".../lib/com.nimbusds.nimbus-jose-jwt-9.8.1.jar",
> "InstalledVersion": "1.3.2",
> "FixedVersion": "2.4.5, 1.3.3",
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
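The Trivy findings quoted in the issue come from the Maven pom.properties files that shading copies into hadoop-client-runtime and that nimbus-jose-jwt carries for its own json-smart dependency; a scanner reads those and compares the bundled version against the fixed versions. The following is an added example, not code from the issue, from Hadoop or from Trivy: a small Python script that performs that same check on a jar, so that after bumping transitive dependencies one can confirm offline that no pre-fix json-smart is still bundled. The jar contents, the helper names and the version-comparison rule (a version is fixed if it is at or above the fix on its own major.minor line, otherwise flagged) are assumptions of this example; the package name, the installed version and the fixed versions "2.4.5, 1.3.3" are taken from the scan output in the issue.

```python
"""Scan a (shaded) jar for bundled Maven artifacts and flag any whose version is
still below the fixed versions a vulnerability scanner reports."""
import io
import re
import zipfile

# Fixed versions as quoted in the Trivy output in the issue for CVE-2021-31684:
# "2.4.5, 1.3.3" -- one fix per release line of net.minidev:json-smart.
FIXED_VERSIONS = {
    "net.minidev:json-smart": ["2.4.5", "1.3.3"],
}


def parse_version(version):
    """Turn '1.3.2' into a comparable tuple; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def bundled_artifacts(jar_bytes):
    """Yield (groupId:artifactId, version) for every pom.properties in the jar.

    Shading copies META-INF/maven/<group>/<artifact>/pom.properties of each
    dependency into the uber jar; that is what scanners like Trivy read."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                yield f"{props['groupId']}:{props['artifactId']}", props["version"]


def is_fixed(installed, fixed_versions):
    """Assumed rule: fixed if at or above the fix on the same major.minor line;
    if no fix exists on that line, fixed only when above the highest fix."""
    inst = parse_version(installed)
    for fixed in fixed_versions:
        fix = parse_version(fixed)
        if inst[:2] == fix[:2]:
            return inst >= fix
    return inst >= max(parse_version(f) for f in fixed_versions)


def vulnerable_packages(jar_bytes, fixed=FIXED_VERSIONS):
    """Return [(pkg, version)] for bundled packages still below a fixed version."""
    return [
        (pkg, ver)
        for pkg, ver in bundled_artifacts(jar_bytes)
        if pkg in fixed and not is_fixed(ver, fixed[pkg])
    ]


def make_jar(entries):
    """Build an in-memory jar from {path: text}; used only to construct test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()


# Constructed stand-in for a shaded client-runtime jar that bundles nimbus-jose-jwt
# and the json-smart it pulls in; the versions are the ones quoted in the issue.
SAMPLE_JAR = make_jar({
    "META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties":
        "groupId=com.nimbusds\nartifactId=nimbus-jose-jwt\nversion=9.8.1\n",
    "META-INF/maven/net.minidev/json-smart/pom.properties":
        "# generated by Maven\ngroupId=net.minidev\nartifactId=json-smart\nversion=1.3.2\n",
    "org/apache/hadoop/shaded/placeholder.class": "",
})

# Constructed stand-in for the same jar after the transitive dependency was bumped.
BUMPED_JAR = make_jar({
    "META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties":
        "groupId=com.nimbusds\nartifactId=nimbus-jose-jwt\nversion=9.8.1\n",
    "META-INF/maven/net.minidev/json-smart/pom.properties":
        "groupId=net.minidev\nartifactId=json-smart\nversion=2.4.8\n",
})

if __name__ == "__main__":
    for label, jar in (("before bump", SAMPLE_JAR), ("after bump", BUMPED_JAR)):
        findings = vulnerable_packages(jar)
        print(label, "->", findings or "no pre-fix packages bundled")
```

To run it against a real build, replace SAMPLE_JAR with the bytes of the hadoop-client-runtime jar read from disk. Note that a shaded jar relocates classes but leaves pom.properties paths alone, which is why the scan reports the same CVE twice: once for the runtime jar and once for the nimbus-jose-jwt it bundles.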