[https://issues.apache.org/jira/browse/ATLAS-4497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Greg updated ATLAS-4497:
------------------------
Description:
Atlas 2.2.0, when built from source, has a large number of jar packages that
suffer from known exploits / vulnerabilities. I've performed an Anchore and a
Twistlock scan of the compiled application, and here's the list of the High and
Critical vulnerabilities found:

[https://pastebin.com/raw/tQNYMZd9]

I am attempting to put together a public Docker image of Atlas compiled from
source. You can see my build process here to see how I arrived at the compiled
build that I performed the scans on:

[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]

I'm not a Java developer, but I would think that an updated pom.xml that has
newer / more current (vulnerability-free) versions of these packages may
remediate these findings.
was:
Atlas 2.2.0, when built from source, has a large number of jar packages that
suffer from known exploits / vulnerabilities. I've performed an Anchore and a
Twistlock scan of the compiled application, and here's the list of the High and
Critical vulnerabilities found:

[https://pastebin.com/raw/tQNYMZd9]

I am attempting to put together a public Docker image of Atlas compiled from
source. You can see my build process here to see how I arrived at the compiled
build that I performed the scans on:

[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]

I'm not a Java developer, but I would think that an updated pom.xml that has
more current (vulnerability-free) versions of packages may help remedy these
findings. How to update this Maven package tree is above my current skill level.
> Large number of CVEs (vulnerabilities) when building 2.2.0 from source
> ----------------------------------------------------------------------
>
> Key: ATLAS-4497
> URL: https://issues.apache.org/jira/browse/ATLAS-4497
> Project: Atlas
> Issue Type: Bug
> Components: atlas-core
> Affects Versions: 2.2.0
> Environment: Redhat UBI (Universal Base Image) 8.5
> Reporter: Greg
> Priority: Critical
> Labels: security
--
This message was sent by Atlassian Jira (v8.20.1#820001)