[jira] [Work logged] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=765062&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-765062
 ]

ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/May/22 17:51
            Start Date: 02/May/22 17:51
    Worklog Time Spent: 10m 
      Work Description: aajisaka commented on PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#issuecomment-1115177416

   > spotbugs still thinks there is a problem. what is it that it is warning 
about?
   > I already used try-with-resources for OkHttpClient and added request 
checks as well. The warning is about NPE case.
   
   Reading the source code, `responseBody.body()` is always non-null. However, 
spotbugs thinks `responseBody.body()` may be null and it warns "need null 
check". I think it is because Spotbugs failed to analyze the okhttp classes 
from Kotlin.
   
   I think we can simply ignore the warnings. @ashutoshcipher would you add 
some entries to ignore the spotbugs warning in 
`hadoop-hdfs-project/hadoop-hdfs-client/dev-support/findbugsExcludeFile.xml`?




Issue Time Tracking
-------------------

    Worklog Id:     (was: 765062)
    Time Spent: 4h 10m  (was: 4h)

> CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client  
> -------------------------------------------------------
>
>                 Key: HADOOP-18069
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18069
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: hdfs-client
>    Affects Versions: 3.3.1
>            Reporter: Eugene Shinn (Truveta)
>            Assignee: Ashutosh Gupta
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 4h 10m
>  Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected [NVD - 
> CVE-2021-0341 
> (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection]
>  in our application. We traced the vulnerability to a transitive dependency 
> coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 
> ([hadoop/pom.xml at trunk · apache/hadoop 
> (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
>  To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: 
> [CVE-2021-0341 · Issue #6724 · square/okhttp 
> (github.com)|https://github.com/square/okhttp/issues/6724]).



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org