I have attempted to generate the latest report and found that the
dependency packages related to Spark have the highest CVE Count. We
should upgrade Spark to a newer version.

On Thu, Oct 3, 2024 at 06:48, Hugh Pearse <hughpea...@gmail.com> wrote:
>
> It looks like these are all ruby dependencies in the site directory.
>
> https://github.com/apache/calcite/blob/main/site/Gemfile#L18
>
> https://github.com/apache/calcite/blob/main/site/Gemfile.lock#L56
>
> Used for the website documentation, not the exported jar files.
>
> On Wed, 2 Oct 2024, 23:41 Xiong Duan, <xi...@apache.org> wrote:
>
> > Hi, We have a command that generates a report of vulnerabilities that
> > occur among dependencies.
> >
> > ./gradlew dependencyCheckUpdate dependencyCheckAggregate
> >
> > [1] https://calcite.apache.org/docs/howto.html#publishing-a-release
> >
> > On Thu, Oct 3, 2024 at 01:01, Julian Hyde <jhyde.apa...@gmail.com> wrote:
> > >
> > > Can someone remind me — is there a Gradle task to update dependencies?
> > > (Analogous to 'mvn versions:update-properties'.)
> > >
> > > If so, we should do this every release.
> > >
> > > Julian
> > >
> > >
> > >
> > > > On Oct 2, 2024, at 9:06 AM, Xiong Duan <xi...@apache.org> wrote:
> > > >
> > > > Hi, Hugh Pearse. Thanks for checking the dependency's vulnerabilities
> > > > in Calcite. It is precious. We can create an ISSUE in JIRA.
> > > >
> > > > On Wed, Oct 2, 2024 at 15:56, Hugh Pearse <hughpea...@gmail.com> wrote:
> > > >>
> > > >> Our security team found these issues:
> > > >>
> > > >>   - Scan of https://github.com/apache/calcite.git on Sep 27, 2024
> > > >>     Version Scanned: latest
> > > >>
> > > >> Vulnerabilities
> > > >>
> > > >> Severity  Package   Installed  Fixed Version           Vulnerability ID     Reference
> > > >> HIGH      webrick   1.7.0      >= 1.8.2                CVE-2024-47220       https://avd.aquasec.com/nvd/cve-2024-47220
> > > >> MEDIUM    nokogiri  1.14.3     1.15.6, 1.16.2          GHSA-vcc3-rw6f-jv97  https://github.com/advisories/GHSA-vcc3-rw6f-jv97
> > > >> MEDIUM    nokogiri  1.14.3     ~> 1.15.6, >= 1.16.2    GHSA-xc9x-jj77-9p9j  https://github.com/advisories/GHSA-xc9x-jj77-9p9j
> > > >> MEDIUM    rexml     3.2.5      >= 3.2.7                CVE-2024-35176       https://avd.aquasec.com/nvd/cve-2024-35176
> > > >> MEDIUM    rexml     3.2.5      >= 3.3.2                CVE-2024-39908       https://avd.aquasec.com/nvd/cve-2024-39908
> > > >> MEDIUM    rexml     3.2.5      >= 3.3.3                CVE-2024-41123       https://avd.aquasec.com/nvd/cve-2024-41123
> > > >> MEDIUM    rexml     3.2.5      >= 3.3.3                CVE-2024-41946       https://avd.aquasec.com/nvd/cve-2024-41946
> > > >> MEDIUM    rexml     3.2.5      >= 3.3.6                CVE-2024-43398       https://avd.aquasec.com/nvd/cve-2024-43398
> > > >>
> > > >> From,
> > > >> Hugh Pearse
> > >
> >
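
Added example (not part of the thread, and not Calcite project code): the scan table quoted above lists gems whose pinned versions come from site/Gemfile.lock, as Hugh notes. The script below shows how to check such a lock file against the report's Fixed Version column without re-running the scanner, using only Ruby's standard Gem::Version and Gem::Requirement. The Gemfile.lock excerpt is constructed to mirror the Installed Version column, not copied from any real commit. Two interpretations are assumptions on my part: a comma-separated Fixed Version entry is read as alternative patched release lines (either one clears the advisory), and a bare version such as "1.15.6" is read as ">= 1.15.6".

```ruby
require "rubygems" # Gem::Version / Gem::Requirement come from the standard library

# Constructed Gemfile.lock excerpt. Versions mirror the report's "Installed
# Version" column; this is not the real site/Gemfile.lock at any commit.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.14.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.2)
      rexml (3.2.5)
      webrick (1.7.0)

  PLATFORMS
    x86_64-linux
LOCK

# Advisory rows copied from the report above. "fixed" is the Fixed Version
# column verbatim; comma-separated entries are treated as alternative
# patched release lines (assumption), and a bare version as ">=" (assumption).
ADVISORIES = [
  { gem: "webrick",  id: "CVE-2024-47220",      fixed: ">= 1.8.2" },
  { gem: "nokogiri", id: "GHSA-vcc3-rw6f-jv97", fixed: "1.15.6, 1.16.2" },
  { gem: "nokogiri", id: "GHSA-xc9x-jj77-9p9j", fixed: "~> 1.15.6, >= 1.16.2" },
  { gem: "rexml",    id: "CVE-2024-35176",      fixed: ">= 3.2.7" },
  { gem: "rexml",    id: "CVE-2024-39908",      fixed: ">= 3.3.2" },
  { gem: "rexml",    id: "CVE-2024-41123",      fixed: ">= 3.3.3" },
  { gem: "rexml",    id: "CVE-2024-41946",      fixed: ">= 3.3.3" },
  { gem: "rexml",    id: "CVE-2024-43398",      fixed: ">= 3.3.6" },
].freeze

# Parse the "specs:" section of a Gemfile.lock into { name => Gem::Version }.
# Top-level specs are indented exactly four spaces; deeper lines are a spec's
# dependencies and carry requirements, not pinned versions, so they are
# skipped. A platform suffix such as "-x86_64-linux" is dropped so that
# Gem::Version does not mistake it for a prerelease tag.
def parse_lock(text)
  installed = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # a new top-level section ends specs
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/))
      name, raw = m[1], m[2]
      installed[name] = Gem::Version.new(raw.split("-", 2).first)
    end
  end
  installed
end

# True when +version+ satisfies at least one of the comma-separated patched
# release lines in +fixed+. "~> 1.15.6" is a pessimistic constraint, so
# 1.16.0 does not satisfy it and must instead meet ">= 1.16.2".
def patched?(version, fixed)
  fixed.split(",").map(&:strip).any? do |clause|
    clause = ">= #{clause}" unless clause =~ /\A[~><=!]/
    Gem::Requirement.new(clause).satisfied_by?(version)
  end
end

# Cross the lock file against the advisory list and return the findings that
# still apply, each as { gem:, installed:, id:, fixed: }.
def open_findings(lock_text, advisories = ADVISORIES)
  installed = parse_lock(lock_text)
  advisories.filter_map do |adv|
    version = installed[adv[:gem]]
    next if version.nil?                  # gem not pinned in this lock file
    next if patched?(version, adv[:fixed])
    { gem: adv[:gem], installed: version.to_s, id: adv[:id], fixed: adv[:fixed] }
  end
end

if __FILE__ == $PROGRAM_NAME
  open_findings(SAMPLE_LOCK).each do |f|
    puts format("%-9s %-8s fixed in %-22s %s", f[:gem], f[:installed], f[:fixed], f[:id])
  end
end
```

Run it against the real site/Gemfile.lock with `open_findings(File.read("site/Gemfile.lock"))` after a bump to confirm the rows have cleared; the pessimistic-constraint handling matters for nokogiri, where 1.16.0 would satisfy the first advisory's bare "1.15.6, 1.16.2" reading but not the second advisory's "~> 1.15.6, >= 1.16.2".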
