hello. welcome to the hadoop CVE support team!
all this stuff happens on apache JIRA; the search term is project in (HADOOP, YARN, HDFS, MAPREDUCE) AND text ~ cve ORDER BY created DESC And we are cutting the 3.3.5 RC3 today; I just need to do the preflight checks before sending the emails. in the hadoop github repo, branch-3.3.5 is the one this is built off please use that for your audits, not 3.3.4, and when the RC goes up, do as much regression testing as you can On Tue, 14 Mar 2023 at 08:27, Michiel de Jong <michieldej...@web-iq.nl> wrote: > Hello Hadoop Developers, > > When running a dependency cve scan on our project we noticed a list of > dependencies in hadoop common that have some CVE. There are also several > CVEs listed on https://mvnrepository.the > com/artifact/org.apache.hadoop/hadoop-common/3.3.4 > <https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/3.3.4> > . > Many of these CVEs would probably not affect end users, however this is > often difficult to determine for the end users themselves. > > Is there a procedure in place for handling reported CVEs? Is there a place > where the CVEs that do not impact end users are documented? > > We would like to work on reducing the number of CVEs encountered in > dependencies and document the CVEs that are not easily resolved and don't > impact the end users. > > > where we are behind is the javascript stuff -that's the YARN project; i think it is undermaintained. we also have to deal with the challenge of compatibility, especially a few applications away. for example. this pair of commits reflects how an upgrade broke hive/tez downstream. HADOOP-18178. Upgrade jackson to 2.13.2 and jackson-databind to 2.13.2.2 HADOOP-18332. Remove rs-api dependency by downgrading jackson to 2.12.7 There's also the problem where libraries which generate classes (avro, parquet) are brittle to library updates...if we update them then applications which generated classes using the same lib just won't link any more. There we are resorting to the hadoop shaded jar and trying to cut the originals. though that adds more homework: keeping the shaded stuff current given its extra homework with more release overhead hadoop 3.3.5 isn't doing this, I'd be happy for someone to take up and complete two PRs HADOOP-18487. protobuf 2.5.0 marked as provided. https://github.com/apache/hadoop/pull/4996 HADOOP-18197. Upgrade protobuf to 3.21.7 https://github.com/apache/hadoop-thirdparty/pull/19 This and any other CVE work can target the next release. I am not going to hold back the 3.3.5 release for any more CVEs...we do that and the following week's CVEs become blockers instead. HDFS critical issues are the last bits of trouble. steve
