Hello Hadoop Developers,

When running a dependency CVE scan on our project we noticed a list of dependencies in Hadoop Common that have some CVEs. There are also several CVEs listed on https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/3.3.4. Many of these CVEs would probably not affect end users; however, this is often difficult for the end users themselves to determine.

Is there a procedure in place for handling reported CVEs? Is there a place where the CVEs that do not impact end users are documented?

We would like to work on reducing the number of CVEs encountered in dependencies and document the CVEs that are not easily resolved and don't impact the end users.



Michiel de Jong
Software Engineer, web-iq.com <https://web-iq.com>
PGP: 5E01 D729 326D F933 4A20 C8CF 7D09 6113 7CFD 29DA

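The "place where the CVEs that do not impact end users are documented" that the mail asks about is, in current supply-chain practice, a VEX (Vulnerability Exploitability eXchange) statement published next to the project's SBOM. The following is an added example, not part of the original thread and not a document the Hadoop project publishes: a minimal CycloneDX 1.4 VEX record that marks one scanner finding as not affected and records why. The CVE id, the dependency package URL and the wording of the justification are placeholders, as the "detail" field itself states; the field names and the enumerated values for "state", "justification" and "response" are the ones defined by the CycloneDX 1.4 schema.

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-0000-00000",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-0000-00000"
      },
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": ["will_not_fix"],
        "detail": "PLACEHOLDER: CVE id and package ref are illustrative. Record here which class or feature of the dependency is vulnerable and why the project never invokes it, who reviewed the finding, and when."
      },
      "affects": [
        { "ref": "pkg:maven/org.example/example-lib@1.2.3" }
      ]
    }
  ]
}
```

Scanners that understand VEX (and the OWASP dependency-check suppression file, which serves the same purpose for that one tool) can then hide the finding for downstream users, while the justification stays reviewable and version-controlled rather than living in a mailing-list reply. A "state" of "in_triage" is the honest value for findings nobody has analysed yet; "not_affected" should only be written once the reasoning in "detail" has actually been checked against the project's code.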