[
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627609#comment-17627609
]
David Pilato commented on TIKA-2536:
------------------------------------
Hey team
netcdf 4.5.5 depends on cdm 4.5.5 which depends on protobuf-java 2.5.0.
This protobuf version has
[CVE-2022-3171|https://ossindex.sonatype.org/vulnerability/CVE-2022-3171?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1]
which makes my project failing the ossindex audit:
{code:java}
[ERROR] Failed to execute goal
org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit
(audit-dependencies) on project fscrawler-tika: Detected 1 vulnerable
components:
[ERROR] com.google.protobuf:protobuf-java:jar:2.5.0:compile;
https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/protobuf-java@2.5.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2022-3171] CWE-400: Uncontrolled Resource Consumption
('Resource Exhaustion') (7.5);
https://ossindex.sonatype.org/vulnerability/CVE-2022-3171?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1{code}
I believe this could not be solved until we upgrade netcdf.
My project depends on {{tika-parser-scientific-module}} 2.5.0.
> Move to later edu.ucar version to avoid EOL dependencies
> --------------------------------------------------------
>
> Key: TIKA-2536
> URL: https://issues.apache.org/jira/browse/TIKA-2536
> Project: Tika
> Issue Type: Improvement
> Components: parser
> Affects Versions: 1.16, 1.17
> Environment: All
> Reporter: Richard Jones
> Priority: Major
>
> The currently referenced 4.5.5 versions of edu.ucar:grib and edu.ucar:cdm
> (released in Mar 2015), as well as being branch EOL themselves, depend on
> many other project/branch/version EOL artifacts for which much later and
> active versions are often available. The list is as follows:
> - edu.ucar:grib depends on the project EOL bzip2. Much more recent versions
> of edu.ucar:grib exist that no longer depend on bzip2 (note: Jbzip2 is hosted
> on the Google Code site, which was shut down for active development in 2015.
> The project was never migrated to another site, e.g. Github).
> - edu.ucar:grib depends on the 2.0.4 EOL version of org.jdom:jdom2
> - edu.ucar:cdm depends on the 2.6.2 branch EOL version of
> net.sf.ehcache:ehcache-core
> - edu.ucar:cdm depends on the 2.2.0 EOL version of
> org.quartz-scheduler:quartz for which active versions are available. In turn
> org.quartz-scheduler:quartz depends on the 0.9.1.1 branch EOL version of
> c3p0:c3p0. Later versions of quartz have moved to the active com.mchange:c3p0
> - edu.ucar:grib depends on the 2.5.0 branch EOL version of
> com.google.protobuf:protobuf-java for which active versions are available.
> Request moving to a much later version of edu.ucar, or alternative artifacts
> to address all the above EOL issues (lack of active support for
> vulnerabilities and bugs).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
