spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Grinter (JIRA)" <>
Subject [jira] [Commented] (SPARK-23897) Guava version
Date Tue, 20 Nov 2018 11:22:00 GMT


James Grinter commented on SPARK-23897:

We also just bumped into CVE-2018-10237, as it's now started triggering the OWASP dependency
checker in our Spark application builds because of the included Guava dependency.

But I'm going to note that the Guava code itself does not use `AtomicDoubleArray` (one of
the problematic classes) internally, and instantiates a `CompoundOrdering` object only via
its `Ordering` collection class and `compound` method.

Spark does not use `AtomicDoubleArray` but it *does* use `Ordering`. It doesn't invoke the
`compound` method that would create a `CompoundOrdering` object.

Someone else has asked about this specific CVE at

> Guava version
> -------------
>                 Key: SPARK-23897
>                 URL:
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Spark Core
>    Affects Versions: 2.3.0
>            Reporter: Sercan Karaoglu
>            Priority: Minor
> Guava dependency version 14 is pretty old, needs to be updated to at least 16, google
cloud storage connector uses newer one which causes pretty popular error with guava; "java.lang.NoSuchMethodError:;)Ljava/util/List;" and
causes app to crash

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message