XuCongying created IGNITE-12738:
-----------------------------------

             Summary: CVEs in the dependencies are in the execution path of your project
                 Key: IGNITE-12738
                 URL: https://issues.apache.org/jira/browse/IGNITE-12738
             Project: Ignite
          Issue Type: Bug
            Reporter: XuCongying
         Attachments: apache-ignite_CVE-report.md

Your project uses some dependencies with CVEs. I found that the buggy methods 
of the CVEs are in the program execution path of your project, which makes your 
project at risk. I have suggested some version updates. The details are as 
follows.
 * *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.9.1

 * *Call Chain to Buggy Methods:*

 ** *Some files in your project call the library method org.apache.hadoop.fs.FileUtil.unZip(java.io.File,java.io.File), which can reach the buggy method of [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009].*

 *** Files in your project:
modules/hadoop/src/main/java/org/apache/ignite/internal/processors/hadoop/impl/v2/HadoopV2JobResourceManager.java

 *** One of the possible call chains:
org.apache.hadoop.fs.FileUtil.unZip(java.io.File,java.io.File) [buggy method]

 ** *Some files in your project call the library method org.apache.hadoop.fs.FileUtil.unTar(java.io.File,java.io.File), which can reach the buggy method of [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009].*

 *** Files in your project:
modules/hadoop/src/main/java/org/apache/ignite/internal/processors/hadoop/impl/v2/HadoopV2JobResourceManager.java

 *** One of the possible call chains:
org.apache.hadoop.fs.FileUtil.unTar(java.io.File,java.io.File)
org.apache.hadoop.fs.FileUtil.unTarUsingJava(java.io.File,java.io.File,boolean)
org.apache.hadoop.fs.FileUtil.unpackEntries(org.apache.commons.compress.archivers.tar.TarArchiveInputStream,org.apache.commons.compress.archivers.tar.TarArchiveEntry,java.io.File) [buggy method]

 * *Update suggestion:* version 3.2.0 is a safe version without CVEs. From 2.9.1 to 3.2.0, 4 of the APIs (called 5 times in your project) were removed, and 14 APIs (called 44 times in your project) were modified.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)