Hello devs,

When doing a security audit on the software we're using we've found a few
CVEs in HBase. We've been looking into the mailing list and Jira in order
to see if these are known and/or accepted CVEs and have found some related
issues.

One of the detected CVEs is mentioned as low priority in this
issue: https://issues.apache.org/jira/browse/HBASE-27436 (Remove protobuf
2 dependencies), which, looking at the priority and description, seems to be
an accepted CVE.

There are also two issues mentioning integrating CVE checking to the build
process:
- https://issues.apache.org/jira/browse/HBASE-20553 (Add dependency CVE
checking to nightly tests)
- https://issues.apache.org/jira/browse/HBASE-20971 (Please add OWASP
Dependency Check to the core build (pom.xml) and all sub-component builds.)
Both have a high priority, but are also several years old. Is this
something that is still interesting for the project and worth looking into?

We were able to find some messages on the mailing list mentioning updating
dependencies because of CVEs in release notes. But we've not found any
documentation mentioning a process of detecting and addressing CVEs.

We want to work on addressing these CVEs in our own installation. We want
to find out which CVEs are relevant, and fix any relevant CVEs. It would be
nice if we could get these changes merged somehow so we don't have to
maintain our own HBase fork. Updating dependencies can also come with some
subtle problems that may be difficult to solve without some advice from the
community. Is this worthwhile enough to invest time into?

Regards,

Wes
-- 

Wes Schuitema
Software Engineer

phone: +31 (0)50 21 11 622
skype: w...@web-iq.com
site: web-iq.com
pgp: 67ED A1AB 34EF CA75 1F88 F2E2 ADC0 E1DD 6905 D5EA
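For readers of this thread, here is what wiring OWASP Dependency Check into a Maven build (the request in HBASE-20971) looks like in practice. This is an added example, not a fragment of the HBase project's pom.xml; it assumes the `org.owasp:dependency-check-maven` plugin, and the plugin version, CVSS threshold, report formats and suppression-file path are placeholder choices, not project settings.

```xml
<!-- Added example, not from the HBase project's pom.xml. Assumes the OWASP
     dependency-check-maven plugin; the version, the CVSS threshold and the
     suppression-file path are placeholders chosen for illustration. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <configuration>
        <!-- Fail the build when any dependency carries a CVE with a
             CVSS base score of 7.0 or higher; lower scores are reported
             but do not break the build. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Findings that have been triaged and accepted (for example a
             CVE judged not reachable in this deployment) are recorded in
             a version-controlled suppression file, each with a written
             justification, so the decision is reviewable later. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dev-support/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- HTML for humans, JSON for scripted triage in nightly jobs. -->
        <formats>
          <format>HTML</format>
          <format>JSON</format>
        </formats>
      </configuration>
      <executions>
        <execution>
          <!-- Bind the check goal to the build so it runs on every verify. -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the scan on every build, and `mvn org.owasp:dependency-check-maven:check` runs it on demand, which fits the nightly-test idea in HBASE-20553. The threshold and the suppression file are the two knobs that decide which CVEs are "relevant": the threshold keeps noise from failing the build, and the suppression file turns each accepted risk into a recorded, reviewable decision rather than a silently ignored report line.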