The Kafka one is incorrect because the 1.13.1 connector relies on Kafka 2.4.1.

Whether the hadoop-fs ones are relevant for you depends entirely on which Hadoop version you are using, because we expect the user to provide Hadoop (and you can use later and more secure versions if you wish). IOW, the Hadoop 2.4 dependency in flink-hadoop-fs is just a hint to the user that this version _can_ be used.

On 7/3/2021 8:03 PM, Debraj Manna wrote:
Thanks for replying.

But I am also observing the following being flagged

flink-hadoop-fs-1.13.1

  * CVE-2016-5001 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5001>
  * CVE-2017-3161 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3161>
  * CVE-2017-3162 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3162>

flink-connector-kafka_2.12-1.13.1

  * CVE-2018-17196 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17196>



On Fri, Jul 2, 2021 at 7:19 PM Chesnay Schepler <ches...@apache.org <mailto:ches...@apache.org>> wrote:

    It's unlikely to be relevant for you since the vulnerability only
    affects the scaladocs, i.e., documentation.

    On 7/2/2021 2:10 PM, Debraj Manna wrote:
    Hi,

    I was running owasp-dependency-check
    <https://owasp.org/www-project-dependency-check/> in a java
    application based on flink-1.13.0 (scala 2.12). scala 2.12.7 was
    getting flagged for this
    <https://ossindex.sonatype.org/vulnerability/bd61dd10-4348-45cd-a09e-094e9d588715?component-type=maven&component-name=org.scala-lang.scala-library&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.6>.


    Relevant Dependency for this -

    [INFO] +- org.apache.flink:flink-streaming-java_2.12:jar:1.13.0:provided
    [INFO] |  +- org.apache.flink:flink-file-sink-common:jar:1.13.0:provided
    [INFO] |  +- org.apache.flink:flink-runtime_2.12:jar:1.13.0:compile
    [INFO] |  |  +- org.apache.flink:flink-queryable-state-client-java:jar:1.13.0:compile
    [INFO] |  |  +- org.apache.flink:flink-hadoop-fs:jar:1.13.0:compile
    [INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
    [INFO] |  |  +- org.apache.flink:flink-shaded-netty:jar:4.1.49.Final-13.0:compile
    [INFO] |  |  +- org.apache.flink:flink-shaded-jackson:jar:2.12.1-13.0:compile
    [INFO] |  |  +- org.apache.flink:flink-shaded-zookeeper-3:jar:3.4.14-13.0:compile
    [INFO] |  |  +- org.javassist:javassist:jar:3.24.0-GA:compile
    [INFO] |  |  +- org.scala-lang:scala-library:jar:2.12.7:compile

    Can anyone suggest if flink app is vulnerable to this or can
    safely be ignored?

    Thanks

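The thread's practical point is that a scanner flags every artifact in the tree, while what matters first is whether the flagged artifact actually ships with the application or sits behind a `provided` ancestor that the runtime (here, the user's own Hadoop) supplies. The following script is an added triage example, not code from the thread or from the Flink project: it parses `mvn dependency:tree` output (re-joining lines a mail client wrapped, as in the quoted tree), finds each flagged artifactId, and reports its path and effective scope. The sample tree is the one quoted above plus one constructed compile-scope line for the Kafka connector; the CVE ids are those listed in the thread. Treating `provided`/`test`/`system` as "not packaged" is the script's own assumption, a first-pass filter rather than a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One (already unwrapped) line of `mvn dependency:tree` output:
# "[INFO] |  |  +- group:artifact:type[:classifier]:version:scope"
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ]  )*)[+\\]- (?P<coord>\S+)")

# Triage assumption: artifacts under these scopes are not packaged into the
# application's own jar; the runtime (e.g. the user's Hadoop) supplies them.
NOT_PACKAGED = {"provided", "test", "system"}

@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    parent: Optional["Dep"] = None
    children: List["Dep"] = field(default_factory=list)

def unwrap(text: str) -> str:
    """Re-join tree lines that a mail client wrapped right after the '+-' marker."""
    out, carry = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if carry is not None:
            line, carry = carry + " " + line.strip(), None
        if line.endswith(("+-", "\\-")):
            carry = line
            continue
        out.append(line)
    if carry is not None:
        out.append(carry)
    return "\n".join(out)

def parse_tree(text: str) -> List[Dep]:
    """Build the dependency forest; depth = number of 3-character prefix cells."""
    roots, stack = [], []  # stack[d] holds the most recent node at depth d
    for line in unwrap(text).splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # root coordinate line, banners, etc.
        parts = m.group("coord").split(":")
        if len(parts) not in (5, 6):
            continue
        depth = len(m.group("prefix")) // 3
        node = Dep(parts[0], parts[1], parts[-2], parts[-1])
        del stack[depth:]  # we left a deeper subtree
        if depth == 0:
            roots.append(node)
        else:
            node.parent = stack[depth - 1]
            node.parent.children.append(node)
        stack.append(node)
    return roots

def walk(nodes: List[Dep]):
    for n in nodes:
        yield n
        yield from walk(n.children)

def effective_scope(node: Dep) -> str:
    """Nearest non-packaged scope on the path to the root, else the node's own."""
    n = node
    while n is not None:
        if n.scope in NOT_PACKAGED:
            return n.scope
        n = n.parent
    return node.scope

def path_to(node: Dep) -> List[str]:
    out = []
    while node is not None:
        out.append(node.artifact)
        node = node.parent
    return out[::-1]

def triage(tree_text: str, findings: Dict[str, List[str]]) -> List[dict]:
    """Locate each flagged artifactId in the tree and say whether it ships."""
    report = []
    for node in walk(parse_tree(tree_text)):
        if node.artifact in findings:
            eff = effective_scope(node)
            report.append({"artifact": node.artifact, "version": node.version,
                           "ids": findings[node.artifact], "path": path_to(node),
                           "own_scope": node.scope, "effective_scope": eff,
                           "packaged": eff not in NOT_PACKAGED})
    return report

# Constructed sample: the tree quoted in the thread (wrapped lines kept as
# mailed), plus one made-up compile-scope line for the Kafka connector.
SAMPLE_TREE = """\
[INFO] +- org.apache.flink:flink-streaming-java_2.12:jar:1.13.0:provided
[INFO] |  +-
org.apache.flink:flink-file-sink-common:jar:1.13.0:provided
[INFO] |  +- org.apache.flink:flink-runtime_2.12:jar:1.13.0:compile
[INFO] |  |  +-
org.apache.flink:flink-queryable-state-client-java:jar:1.13.0:compile
[INFO] |  |  +- org.apache.flink:flink-hadoop-fs:jar:1.13.0:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
[INFO] |  |  \\- org.scala-lang:scala-library:jar:2.12.7:compile
[INFO] \\- org.apache.flink:flink-connector-kafka_2.12:jar:1.13.0:compile
"""

# CVE ids as listed in the thread, keyed by artifactId.
FINDINGS = {
    "flink-hadoop-fs": ["CVE-2016-5001", "CVE-2017-3161", "CVE-2017-3162"],
    "flink-connector-kafka_2.12": ["CVE-2018-17196"],
}

if __name__ == "__main__":
    for r in triage(SAMPLE_TREE, FINDINGS):
        flag = "SHIPS" if r["packaged"] else "not packaged"
        print(f"{r['artifact']}:{r['version']} {flag} via {' -> '.join(r['path'])}")
```

Run against the sample, flink-hadoop-fs resolves to `provided` through flink-streaming-java and is reported as not packaged, which matches the answer above (the version is only a hint; the Hadoop you deploy is what counts), while the Kafka connector is reported as shipping, so its Kafka client version is the thing to verify against the advisory. Feed the script the real `mvn dependency:tree` output and the scanner's flagged artifact list to get the same split for your own build.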
