calcite-dev mailing list archives

From "Volodymyr Vysotskyi (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CALCITE-2379) CVSS dependency-check-maven fails for calcite-spark module
Date Mon, 25 Jun 2018 12:16:00 GMT
Volodymyr Vysotskyi created CALCITE-2379:
--------------------------------------------

             Summary: CVSS dependency-check-maven fails for calcite-spark module
                 Key: CALCITE-2379
                 URL: https://issues.apache.org/jira/browse/CALCITE-2379
             Project: Calcite
          Issue Type: Bug
            Reporter: Volodymyr Vysotskyi
            Assignee: Julian Hyde


The check for vulnerabilities among dependencies fails for the {{calcite-spark}} module.

Output for "{{mvn install -Ppedantic -DskipTests=true}}":
{noformat}
One or more dependencies were identified with known vulnerabilities in Calcite Spark:

jackson-databind-2.9.4.jar (com.fasterxml.jackson.core:jackson-databind:2.9.4, cpe:/a:fasterxml:jackson-databind:2.9.4,
cpe:/a:fasterxml:jackson:2.9.4) : CVE-2018-7489
protobuf-java-3.3.0.jar (com.google.protobuf:protobuf-java:3.3.0, cpe:/a:google:protobuf:3.3.0)
: CVE-2015-5237
commons-beanutils-core-1.8.0.jar (commons-beanutils:commons-beanutils-core:1.8.0, cpe:/a:apache:commons_beanutils:1.8.0)
: CVE-2014-0114
commons-beanutils-1.7.0.jar (commons-beanutils:commons-beanutils:1.7.0, cpe:/a:apache:commons_beanutils:1.7.0)
: CVE-2014-0114
commons-httpclient-3.1.jar (commons-httpclient:commons-httpclient:3.1, cpe:/a:apache:commons-httpclient:3.1,
cpe:/a:apache:httpclient:3.1) : CVE-2015-5262, CVE-2014-3577
javax.annotation-api-1.2.jar (cpe:/a:oracle:glassfish:1.2, javax.annotation:javax.annotation-api:1.2)
: CVE-2015-2808, CVE-2013-2566
mail-1.4.7.jar (cpe:/a:mail_project:mail:1.4.7, javax.mail:mail:1.4.7) : CVE-2015-9097
validation-api-1.1.0.Final.jar (cpe:/a:bean_project:bean:7.x-1.1::~~~drupal~~, javax.validation:validation-api:1.1.0.Final)
: CVE-2013-4499
jaxb-api-2.2.2.jar (cpe:/a:fish:fish:2.2.2, cpe:/a:oracle:glassfish:2.2.2, javax.xml.bind:jaxb-api:2.2.2)
: CVE-2015-2808, CVE-2013-2566
pyrolite-4.13.jar (cpe:/a:pickle:pickle:4.13, net.razorvine:pyrolite:4.13) : CVE-2007-1100
py4j-0.10.4.jar (cpe:/a:python:python:0.10.4, cpe:/a:python_software_foundation:python:0.10.4,
net.sf.py4j:py4j:0.10.4) : CVE-2018-1000030, CVE-2017-18207, CVE-2017-17522, CVE-2017-1000158,
CVE-2016-5699, CVE-2016-5636, CVE-2016-1494, CVE-2016-0772, CVE-2015-5652, CVE-2014-7185,
CVE-2014-3539, CVE-2013-7440, CVE-2013-7338, CVE-2012-1150, CVE-2012-0845, CVE-2011-4940,
CVE-2010-3492, CVE-2008-5983, CVE-2008-3143, CVE-2008-3142, CVE-2008-2315, CVE-2008-1887,
CVE-2008-1721, CVE-2008-1679, CVE-2007-4559, CVE-2006-1542, CVE-2002-1119
avro-mapred-1.7.7-hadoop2.jar (cpe:/a:apache:hadoop:1.7.7, org.apache.avro:avro-mapred:1.7.7)
: CVE-2017-3162, CVE-2017-3161, CVE-2016-5001
curator-recipes-2.6.0.jar (cpe:/a:apache:zookeeper:2.6.0, org.apache.curator:curator-recipes:2.6.0)
: CVE-2016-5017, CVE-2014-0085
api-util-1.0.0-M20.jar (cpe:/a:apache:directory_ldap_api:1.0.0.m30, org.apache.directory.api:api-util:1.0.0-M20)
: CVE-2015-3250
xbean-asm5-shaded-4.4.jar (cpe:/a:apache:geronimo:4.4) : CVE-2008-0732
zookeeper-3.4.6.jar (cpe:/a:apache:zookeeper:3.4.6, org.apache.zookeeper:zookeeper:3.4.6)
: CVE-2017-5637, CVE-2016-5017, CVE-2014-0085
jackson-xc-1.9.13.jar (cpe:/a:fasterxml:jackson-databind:1.9.13, cpe:/a:fasterxml:jackson:1.9.13,
org.codehaus.jackson:jackson-xc:1.9.13) : CVE-2018-5968, CVE-2017-17485
jetty-http-9.2.19.v20160908.jar (cpe:/a:eclipse:jetty:9.2.19.v20160908, cpe:/a:jetty:jetty:9.2.19.v20160908,
org.eclipse.jetty:jetty-http:9.2.19.v20160908) : CVE-2017-9735
jetty-util-6.1.26.jar (cpe:/a:jetty:jetty:6.1.26, cpe:/a:mortbay:jetty:6.1.26, cpe:/a:mortbay_jetty:jetty:6.1.26,
org.mortbay.jetty:jetty-util:6.1.26) : CVE-2011-4461
unused-1.0.0.jar (cpe:/a:apache:spark:1.0.0, org.spark-project.spark:unused:1.0.0) : CVE-2017-7678
xz-1.0.jar (cpe:/a:tukaani:xz:1.0, org.tukaani:xz:1.0) : CVE-2015-4035
serializer-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:serializer:2.7.1) : CVE-2014-0107
xalan-2.7.1.jar (cpe:/a:apache:xalan-java:2.7.1, xalan:xalan:2.7.1) : CVE-2014-0107
xercesImpl-2.9.1.jar (cpe:/a:apache:xerces2_java:2.9.1, xerces:xercesImpl:2.9.1) : CVE-2012-0881
htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
(com.fasterxml.jackson.core:jackson-databind:2.4.0, cpe:/a:fasterxml:jackson-databind:2.4.0,
cpe:/a:fasterxml:jackson:2.4.0) : CVE-2018-7489, CVE-2018-5968, CVE-2017-7525, CVE-2017-17485,
CVE-2017-15095
spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml (cpe:/a:eclipse:jetty:9.3.11.v20160721,
cpe:/a:jetty:jetty:9.3.11.v20160721, org.eclipse.jetty:jetty-plus:9.3.11.v20160721) : CVE-2017-9735
{noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
