Hi Ayush,

I agree that we should address these, especially the critical ones, for the
upcoming release. While achieving an "A" rating might be difficult, we
should at least clean up the high-impact vulnerabilities to improve our
security posture and perception.

I'm planning to create an umbrella JIRA to track this effort and will link
individual issues for each CVE we decide to tackle. I think prioritizing
the critical issues for this cycle is definitely worth it. I'll start the
umbrella ticket so we can coordinate the work.

Thanks,
Sai


On Tue, Jun 23, 2026 at 6:03 PM Ayush Saxena <[email protected]> wrote:

> Hi Folks,
> I was randomly browsing our DockerHub page and noticed that our Docker
> images currently show a big "E" security rating. I've attached a
> screenshot along with the local text output (assuming the attachment
> makes it through).
>
> If not, the following command should provide the vulnerability details
> locally:
> docker scout cves apache/hive:nightly
>
> I realize this isn't a problem we can completely eliminate. Given the
> number of dependencies in the Hadoop/Hive ecosystem, achieving an "A"
> rating is probably unrealistic. However, there may be a few
> low-hanging issues that we could address without a significant
> engineering effort.
>
> My understanding is that many of these reported CVEs are unlikely to
> be directly exploitable in Hive deployments or may not impact Hive
> functionality at all. Because of that, I don't see this as a "drop
> everything and fix it" effort. That said, improving the score where
> practical could help with the project's presentation and perception,
> especially for users evaluating Hive from a security standpoint.
>
> Curious what others think:
> * Do we have any plans or strategy around this?
> * Are there easy wins worth pursuing?
> * Or is the consensus simply that the current state is acceptable and
> not worth spending cycles on? Maybe newbie tickets?
>
> Interested in hearing everyone's thoughts.
>
> -Ayush
>

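A small triage script for the workflow the thread settles on (scan locally, keep only the critical/high findings, and of those only the ones with a fix available, so each becomes one ticket under the umbrella JIRA). This is an added example, not Hive or Docker Scout code. It assumes `docker scout cves --format sarif --output <file> <image>` writes standard SARIF and that Docker Scout puts the CVSS severity and fixed version in each rule's `properties` as `cvssV3_severity` and `fixed_version`; both field names are an assumption here, and the code falls back to the SARIF `level` when they are absent. The embedded sample report and its `CVE-0000-000x` identifiers are constructed placeholders, not real advisories.

```python
"""Triage Docker Scout SARIF output into a fix-now list.

Added example (not project code). Assumed: `docker scout cves --format sarif
--output FILE IMAGE` writes SARIF, and each rule carries
properties.cvssV3_severity / properties.fixed_version (assumption; the code
falls back to the SARIF `level` if they are missing).
"""
import json
import subprocess
import sys
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unspecified": 0}
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}

# Constructed sample report; the CVE identifiers are placeholders, not real CVEs.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "docker scout", "rules": [
            {"id": "CVE-0000-0001", "properties": {"cvssV3_severity": "CRITICAL", "fixed_version": "2.0.1"}},
            {"id": "CVE-0000-0002", "properties": {"cvssV3_severity": "HIGH", "fixed_version": ""}},
            {"id": "CVE-0000-0003", "properties": {"cvssV3_severity": "MEDIUM", "fixed_version": "1.4.2"}},
            {"id": "CVE-0000-0004", "properties": {}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error", "message": {"text": "pkg:maven/org.example/lib@2.0.0"}},
            {"ruleId": "CVE-0000-0002", "level": "error", "message": {"text": "pkg:deb/debian/foo@1.0"}},
            {"ruleId": "CVE-0000-0003", "level": "warning", "message": {"text": "pkg:maven/org.example/other@1.4.0"}},
            {"ruleId": "CVE-0000-0004", "level": "error", "message": {"text": "pkg:deb/debian/bar@3.1"}},
        ],
    }],
}


def scan_image(image: str, out_path: str = "scout.sarif") -> dict:
    """Run Docker Scout against an image and load the SARIF it writes (needs docker + scout)."""
    subprocess.run(
        ["docker", "scout", "cves", "--format", "sarif", "--output", out_path, image],
        check=True,
    )
    with open(out_path, encoding="utf-8") as fh:
        return json.load(fh)


def _findings(sarif: dict):
    """Yield (cve_id, severity, fixed_version, message) for every SARIF result."""
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            cve_id = result.get("ruleId", "")
            props = rules.get(cve_id, {}).get("properties", {})
            # Assumed Docker Scout field; otherwise map the portable SARIF level.
            sev = str(props.get("cvssV3_severity", "")).lower()
            if not sev:
                sev = LEVEL_TO_SEVERITY.get(result.get("level"), "unspecified")
            fixed = props.get("fixed_version") or ""
            yield cve_id, sev, fixed, result.get("message", {}).get("text", "")


def triage(sarif: dict, severities=("critical", "high"), only_fixed=True) -> list:
    """Findings worth a ticket: chosen severities, optionally only those with a fix, worst first."""
    keep = [
        f for f in _findings(sarif)
        if f[1] in severities and (f[2] or not only_fixed)
    ]
    return sorted(keep, key=lambda f: SEVERITY_RANK.get(f[1], 0), reverse=True)


def summarize(sarif: dict) -> dict:
    """Count of all findings per severity, for the before/after comparison on the ticket."""
    return dict(Counter(sev for _, sev, _, _ in _findings(sarif)))


if __name__ == "__main__":
    report = SAMPLE_SARIF if len(sys.argv) < 2 else scan_image(sys.argv[1])
    print("all findings by severity:", summarize(report))
    for cve_id, sev, fixed, msg in triage(report):
        print(f"{sev:<8} {cve_id:<16} fix={fixed:<10} {msg}")
```

Running it with no argument triages the embedded sample; `python triage.py apache/hive:nightly` scans the real image first. Findings with no `fixed_version` are deliberately left out of the default list: a bump in the build cannot clear them, so they belong in the "accept or track upstream" pile rather than the release cycle.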