spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Grinter (JIRA)" <>
Subject [jira] [Commented] (SPARK-25762) Upgrade guava version in spark dependency lists due to CVE issue
Date Tue, 20 Nov 2018 11:21:00 GMT


James Grinter commented on SPARK-25762:

We also just bumped into CVE-2018-10237, as it's now started triggering the OWASP dependency
checker in our Spark application builds because of the included Guava dependency.

But I'm going to note that the Guava code itself does not use `AtomicDoubleArray` (one of
the problematic classes) internally, and instantiates a `CompoundOrdering` object only via
its `Ordering` collection class and `compound` method.

Spark does not use `AtomicDoubleArray` but it *does* use `Ordering`. It doesn't invoke the
`compound` method that would create a `CompoundOrdering` object.

> Upgrade guava version in spark dependency lists due to  CVE issue
> -----------------------------------------------------------------
>                 Key: SPARK-25762
>                 URL:
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Spark Core
>    Affects Versions: 2.2.1, 2.2.2, 2.3.1, 2.3.2
>            Reporter: Debojyoti
>            Priority: Major
> In spark2.x dependency list we have guava-14.0.1.jar. However there are lot vulnerabilities
exists in this CVE-2018-10237
> []
> Do we have any solution to resolve it or is there any plan to upgrade guava version any
of the spark's future release?

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message