Apache Ignite Developers - Legacy Mail Archive

[jira] [Created] (IGNITE-12738) CVEs in the dependencies are in the execution path of your project

Classic

List

Threaded

1 message

Anton Vinogradov (Jira)

[jira] [Created] (IGNITE-12738) CVEs in the dependencies are in the execution path of your project

XuCongying created IGNITE-12738:
-----------------------------------

Summary: CVEs in the dependencies are in the execution path of your project
Key: IGNITE-12738
URL: https://issues.apache.org/jira/browse/IGNITE-12738
Project: Ignite
Issue Type: Bug
Reporter: XuCongying
Attachments: apache-ignite_CVE-report.md

Your project uses some depenidencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which makes your project at risk. I have suggested some version updates. The details are as follows.
* *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.9.1

* *Call Chain to Buggy Methods:*

** *Some files in your project call the library method org.apache.hadoop.fs.FileUtil.unZip(java.io.File,java.io.File), which can reach the buggy method of [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009].*

*** Files in your project: modules/hadoop/src/main/java/org/apache/ignite/internal/processors/hadoop/impl/v2/HadoopV2JobResourceManager.java

*** One of the possible call chain:
org.apache.hadoop.fs.FileUtil.unZip(java.io.File,java.io.File) [buggy method]
** Files in your project: modules/hadoop/src/main/java/org/apache/ignite/internal/processors/hadoop/impl/v2/HadoopV2JobResourceManager.java

*** One of the possible call chain:
org.apache.hadoop.fs.FileUtil.unTar(java.io.File,java.io.File)
org.apache.hadoop.fs.FileUtil.unTarUsingJava(java.io.File,java.io.File,boolean)
org.apache.hadoop.fs.FileUtil.unpackEntries(org.apache.commons.compress.archivers.tar.TarArchiveInputStream,org.apache.commons.compress.archivers.tar.TarArchiveEntry,java.io.File) [buggy method]
** *Update suggestion:* version 3.2.0 3.2.0 is a safe version without CVEs. From 2.9.1 to 3.2.0, 4 of the APIs (called by 5 times in your project) were removed, 14 APIs (called by 44 times in your project) were modified.

** *Some files in your project call the library method org.apache.hadoop.fs.FileUtil.unTar(java.io.File,java.io.File), which can reach the buggy method of [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009].*

--
This message was sent by Atlassian Jira
(v8.3.4#803005)