Thanks for replying. But I am also observing the following being flagged

*flink-hadoop-fs-1.13.1*
- *CVE-2016-5001 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5001>*
- *CVE-2017-3161 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3161>*
- *CVE-2017-3162 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3162>*

*flink-connector-kafka_2.12-1.13.1*
- *CVE-2018-17196 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17196>*

On Fri, Jul 2, 2021 at 7:19 PM Chesnay Schepler <ches...@apache.org> wrote:

> It's unlikely to be relevant for you since the vulnerability only affects
> the scaladocs, i.e., documentation.
>
> On 7/2/2021 2:10 PM, Debraj Manna wrote:
>
> Hi,
>
> I was running owasp-dependency-check
> <https://owasp.org/www-project-dependency-check/> in a java application
> based on flink-1.13.0 (scala 2.12). scala 2.12.7 was getting flagged for
> this
> <https://ossindex.sonatype.org/vulnerability/bd61dd10-4348-45cd-a09e-094e9d588715?component-type=maven&component-name=org.scala-lang.scala-library&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.6>.
>
> Relevant Dependency for this -
>
> [INFO] +- org.apache.flink:flink-streaming-java_2.12:jar:1.13.0:provided
> [INFO] |  +- org.apache.flink:flink-file-sink-common:jar:1.13.0:provided
> [INFO] |  +- org.apache.flink:flink-runtime_2.12:jar:1.13.0:compile
> [INFO] |  |  +- org.apache.flink:flink-queryable-state-client-java:jar:1.13.0:compile
> [INFO] |  |  +- org.apache.flink:flink-hadoop-fs:jar:1.13.0:compile
> [INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
> [INFO] |  |  +- org.apache.flink:flink-shaded-netty:jar:4.1.49.Final-13.0:compile
> [INFO] |  |  +- org.apache.flink:flink-shaded-jackson:jar:2.12.1-13.0:compile
> [INFO] |  |  +- org.apache.flink:flink-shaded-zookeeper-3:jar:3.4.14-13.0:compile
> [INFO] |  |  +- org.javassist:javassist:jar:3.24.0-GA:compile
> [INFO] |  |  +- org.scala-lang:scala-library:jar:2.12.7:compile
>
> Can anyone suggest if flink app is vulnerable to this or can safely be
> ignored?
>
> Thanks