[ https://issues.apache.org/jira/browse/ATLAS-4497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Greg updated ATLAS-4497:
------------------------

Description:

Atlas 2.2.0 when built from source has a large number of jar packages that suffer from known exploits / vulnerabilities. I've performed an Anchore and a Twistlock scan of the compiled application and here's the list of the High and Critical vulnerabilities found:

[https://pastebin.com/raw/tQNYMZd9]

I am attempting to put together a public Docker image of Atlas compiled from source. You can see my build process here to see how I arrived at the compiled build that I performed the scans on:

[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]

I'm not a Java developer, but I would think that an updated pom.xml that has newer / more current (vulnerability-free) versions of these packages may remediate these findings.

was:

Atlas 2.2.0 when built from source has a large number of jar packages that suffer from known exploits / vulnerabilities. I've performed an Anchore and a Twistlock scan of the compiled application and here's the list of the High and Critical vulnerabilities found:

[https://pastebin.com/raw/tQNYMZd9]

I am attempting to put together a public Docker image of Atlas compiled from source. You can see my build process here to see how I arrived at the compiled build that I performed the scans on:

[https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile]

I'm not a Java developer, but I would think that an updated pom.xml that has more current (vulnerability-free) versions of packages may help remedy these findings. How to update this maven package tree is above my current skill level.
> Large number of CVE's (vulnerabilities) when building 2.2.0 from source
> -----------------------------------------------------------------------
>
>                 Key: ATLAS-4497
>                 URL: https://issues.apache.org/jira/browse/ATLAS-4497
>             Project: Atlas
>          Issue Type: Bug
>          Components: atlas-core
>    Affects Versions: 2.2.0
>         Environment: Redhat UBI (Universal Base Image) 8.5
>            Reporter: Greg
>            Priority: Critical
>              Labels: security
>

--
This message was sent by Atlassian Jira
(v8.20.1#820001)