[ 
https://issues.apache.org/jira/browse/FLINK-27654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539886#comment-17539886
 ] 

Yang Wang edited comment on FLINK-27654 at 5/20/22 2:54 AM:
------------------------------------------------------------

[~jbusche] You are right. The kubernetes-client in the Flink project is a little 
old and I am not against bumping the version. The reason we are lazy to 
update the kubernetes-client is that Flink only depends on some core features (e.g. 
creating deployment/pod/configmap/service, leader election, watch/informer) and 
they are stable enough now. Currently, these functionalities have already been 
covered by the e2e tests in the Flink project[1]. It is not a burden to bump the 
version. If you want to do this, we could create a new dedicated ticket.

I have to clarify one more thing. In the Flink project, we do not need to bump the 
kubernetes-client version to update jackson-databind. Actually, the version 
is managed by the parent pom[2] via maven dependencyManagement.

This ticket also inspires me to verify the bundled jackson-databind in the 
flink-kubernetes-operator module. The version is 
"com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile". It is 
introduced by "io.fabric8:kubernetes-client:jar:5.12.1:compile". From the maven 
repository, 2.13.1 has one known vulnerability[3].

Would you like to create a PR to fix this? I believe it is simple since we 
could use dependencyManagement in the parent pom to pin the jackson version 
just like the Flink project.


[1]. https://github.com/apache/flink/blob/release-1.15/flink-end-to-end-tests/test-scripts
[2]. https://github.com/apache/flink/blob/release-1.15/pom.xml#L563
[3]. https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind


was (Author: fly_in_gis):
[~jbusche] You are right. The kubernetes-client in the Flink project is a little 
old and I am not against bumping the version. The reason we are lazy to 
update the kubernetes-client is that Flink only depends on some core features (e.g. 
creating deployment/pod/configmap/service, leader election, watch/informer) and 
they are stable enough now. Currently, these functionalities have already been 
covered by the e2e tests in the Flink project[1]. It is not a burden to bump the 
version. If you want to do this, we could create a new dedicated ticket.

I have to clarify one more thing. In the Flink project, we do not need to bump the 
kubernetes-client version to update jackson-databind. Actually, the version 
is managed by the parent pom[2] via maven dependencyManagement.

This ticket also inspires me to verify the bundled jackson-databind in the 
flink-kubernetes-operator module. The version is 
"com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile". It is 
introduced by "io.javaoperatorsdk:operator-framework:jar:2.1.4:compile" -> 
"io.fabric8:kubernetes-client:jar:5.12.1:compile". From the maven repository, 
2.13.1 has one known vulnerability[3].

Would you like to create a PR to fix this? I believe it is simple since we 
could use dependencyManagement in the parent pom to pin the jackson version 
just like the Flink project.


[1]. https://github.com/apache/flink/blob/release-1.15/flink-end-to-end-tests/test-scripts
[2]. https://github.com/apache/flink/blob/release-1.15/pom.xml#L563
[3]. https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind

> Older jackson-databind found in /flink-kubernetes-shaded-1.0-SNAPSHOT.jar
> -------------------------------------------------------------------------
>
>                 Key: FLINK-27654
>                 URL: https://issues.apache.org/jira/browse/FLINK-27654
>             Project: Flink
>          Issue Type: Bug
>          Components: Kubernetes Operator
>    Affects Versions: kubernetes-operator-0.1.0
>            Reporter: James Busche
>            Priority: Major
>             Fix For: kubernetes-operator-1.0.0
>
>
> A twistlock security scan of the latest kubernetes flink operator is showing 
> an older version of jackson-databind in the 
> /flink-kubernetes-shaded-1.0-SNAPSHOT.jar file.  I don't know how to 
> control/update the contents of this snapshot file.  
> I see this in the report (Otherwise, everything else looks good!):
> ======
> severity: High
> cvss: 7.5 
> riskFactors: Attack complexity: low,Attack vector: network,DoS,Has fix,High 
> severity
> cve: CVE-2020-36518
> Link: [https://nvd.nist.gov/vuln/detail/CVE-2020-36518]
> packageName: com.fasterxml.jackson.core_jackson-databind
> packagePath: /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar
> description: jackson-databind before 2.13.0 allows a Java StackOverflow 
> exception and denial of service via a large depth of nested objects.
> =====
> I'd be glad to try to fix it, I'm just not sure how the jackson-databind 
> versions are controlled in this 
> /flink-kubernetes-operator-1.0-SNAPSHOT-shaded.jar 

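One way to apply the fix Yang Wang proposes above, as an added example that is not the flink-kubernetes-operator project's own pom: a dependencyManagement entry in the parent pom that pins jackson-databind so that the 2.13.1 pulled in transitively through io.fabric8:kubernetes-client:5.12.1 is overridden. The project coordinates and the jackson.version property value are placeholders; the version to pin must be one that the NVD entry for CVE-2020-36518 does not list as affected.

```xml
<!-- Added example, not the operator's real parent pom. Maven resolves a managed
     version in preference to any version reached transitively, so this entry
     decides which jackson-databind ends up in the shaded jar, whatever
     kubernetes-client declares. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>                    <!-- placeholder coordinates -->
  <artifactId>operator-parent-example</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Placeholder: set to a jackson-databind release not flagged for CVE-2020-36518. -->
    <jackson.version>REPLACE_WITH_PATCHED_JACKSON_VERSION</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- The artifact the scanner flagged. jackson-core and jackson-annotations
           are pulled in by jackson-databind itself at the matching version. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

To confirm the pin took effect before rebuilding the shaded jar, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` in the operator module and check that only the managed version appears in the output.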


--
This message was sent by Atlassian Jira
(v8.20.7#820007)