Re: [I] CVEs detected in dependencies of pinot-java-client and pinot-common [pinot]

2024-06-22 Thread via GitHub
hpvd commented on issue #12341: URL: https://github.com/apache/pinot/issues/12341#issuecomment-2183467978 If we need a tool which tells us to which version we need to upgrade at least, trivy may be a good choice... https://github.com/aquasecurity/trivy it is used e.g. on artifac

Re: [I] CVEs detected in dependencies of pinot-java-client and pinot-common [pinot]

2024-06-22 Thread via GitHub
hpvd commented on issue #12341: URL: https://github.com/apache/pinot/issues/12341#issuecomment-2183461835 Just a question: shouldn't the already running dependabot find most of the updates needed and update a good part of them automatically?

Re: [I] CVEs detected in dependencies of pinot-java-client and pinot-common [pinot]

2024-02-04 Thread via GitHub
robertzych commented on issue #12341: URL: https://github.com/apache/pinot/issues/12341#issuecomment-1925824498 @snleee Of the dependencies that I upgraded, all but calcite-core haven't been upgraded yet. I will create a PR to upgrade calcite-core to the latest version (1.36.0), but because

Re: [I] CVEs detected in dependencies of pinot-java-client and pinot-common [pinot]

2024-02-03 Thread via GitHub
snleee commented on issue #12341: URL: https://github.com/apache/pinot/issues/12341#issuecomment-1925506633 @robertzych Would you help with filing a PR for the above changes? By the way, I think that we should bump up one library per PR to make the rollback process easy if any issue happens due

Re: [I] CVEs detected in dependencies of pinot-java-client and pinot-common [pinot]

2024-02-02 Thread via GitHub
robertzych commented on issue #12341: URL: https://github.com/apache/pinot/issues/12341#issuecomment-1924921750 The only dependency that had to be whitelisted was avatica-core 1.24.0, as it couldn't be excluded without introducing a regression. Its CVE ([CVE-2022-39135](https://nvd.nist.gov

Re: [I] CVEs detected in dependencies of pinot-java-client and pinot-common [pinot]

2024-01-30 Thread via GitHub
robertzych commented on issue #12341: URL: https://github.com/apache/pinot/issues/12341#issuecomment-1917690129 No, the scan results don't include the versions to upgrade to. I'm in the process of upgrading calcite-core to 1.32.0 and should have updated scan results later today.

Re: [I] CVEs detected in dependencies of pinot-java-client and pinot-common [pinot]

2024-01-30 Thread via GitHub
snleee commented on issue #12341: URL: https://github.com/apache/pinot/issues/12341#issuecomment-1917628228
- [ ] typesafe.netty.netty-reactive-streams-2.0.4
- [ ] org.apache.logging.log4j.log4j-1.2-api-2.17.1
- [ ] org.apache.calcite.avatica.avatica-core-1.20.0
- [ ] org.apache.calc

[I] CVEs detected in dependencies of pinot-java-client and pinot-common [pinot]

2024-01-30 Thread via GitHub
robertzych opened a new issue, #12341: URL: https://github.com/apache/pinot/issues/12341 In using `pinot-java-client : 1.0.0-hotfix` and `pinot-common : 1.0.0` and scanning the dependencies with Anchore, the following CVEs were detected:

```
CVE-2022-39135+org.apache.calcite.avatica
```