[ https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=761475&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-761475 ]
ASF GitHub Bot logged work on HADOOP-18069: ------------------------------------------- Author: ASF GitHub Bot Created on: 24/Apr/22 17:03 Start Date: 24/Apr/22 17:03 Worklog Time Spent: 10m Work Description: steveloughran commented on PR #4229: URL: https://github.com/apache/hadoop/pull/4229#issuecomment-1107879441 the spotbugs failures are probably less a regression the lib as improved nullable declarations in the API letting spotbugs know the code is bad. that bit of okta api use needs to handle null responses better. probably it should check the return type is text/json, as some oauth endpoints (hello microsoft live) will return 200 and human-friendly html on auth problems. Issue Time Tracking ------------------- Worklog Id: (was: 761475) Time Spent: 0.5h (was: 20m) > CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client > ------------------------------------------------------- > > Key: HADOOP-18069 > URL: https://issues.apache.org/jira/browse/HADOOP-18069 > Project: Hadoop Common > Issue Type: Bug > Components: hdfs-client > Affects Versions: 3.3.1 > Reporter: Eugene Shinn (Truveta) > Priority: Major > Labels: pull-request-available > Time Spent: 0.5h > Remaining Estimate: 0h > > Our static vulnerability scanner (Fortify On Demand) detected [NVD - > CVE-2021-0341 > (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection] > in our application. We traced the vulnerability to a transitive dependency > coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 > ([hadoop/pom.xml at trunk · apache/hadoop > (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]). > To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: > [CVE-2021-0341 · Issue #6724 · square/okhttp > (github.com)|https://github.com/square/okhttp/issues/6724]). -- This message was sent by Atlassian Jira (v8.20.7#820007) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org