nrg4878 commented on PR #3744: URL: https://github.com/apache/hive/pull/3744#issuecomment-1309068399
So pac4j saml has a dependency on bouncycastle. Hive uses [email protected], which has multiple CVEs. The reason Hive added an explicit dependency on bouncycastle is because the initial version of pac4j we used (4.0.3) seems to have pulled in an old bouncycastle with multiple CVEs. Over time we upgraded to 4.5.5, but that seems to also have CVEs.

Vulnerabilities from dependencies:
- [CVE-2022-22971](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22971)
- [CVE-2022-22970](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22970)
- [CVE-2022-22968](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22968)
- [CVE-2022-22965](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965)
- [CVE-2021-40690](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690)
- [CVE-2021-22096](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22096)
- [CVE-2020-8908](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908)

So maybe we can upgrade to the latest pac4j-saml (5.x), which seems to be using bouncycastle 1.70. We should be able to delete the direct dependency on BC in the hive poms. Does this make sense?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
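Added example, not code from the PR or from Hive: a small Python check over `mvn dependency:tree` output that reports which org.bouncycastle artifacts actually resolve, whether each is still declared directly in the pom, and whether its version is below the 1.70 minimum the comment mentions. The sample tree, the pac4j/opensaml versions in it and the `audit_bouncycastle` helper are constructed for illustration; the version comparison is deliberately naive (numeric parts only).

```python
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output (versions other than
# bouncycastle 1.70 are illustrative). Direct deps sit at depth 1; a direct
# old bcprov wins Maven's nearest-wins resolution over a newer transitive one.
SAMPLE_TREE = """\
[INFO] org.apache.hive:hive-service:jar:4.0.0-SNAPSHOT
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.68:compile
[INFO] +- org.pac4j:pac4j-saml:jar:5.0.0:compile
[INFO] |  +- org.opensaml:opensaml-core:jar:4.0.0:compile
[INFO] |  \\- org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
[INFO] \\- org.pac4j:pac4j-core:jar:5.0.0:compile
"""

# Each nesting level in the tree is a 3-char prefix ("|  " or "   ") followed
# by a "+- " or "\- " connector; the root line has no connector.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |   )*)(?P<conn>[+\\]- )?(?P<coord>\S+)$")


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    depth: int  # 1 = declared directly in the pom, >1 = transitive


def parse_tree(text: str) -> list[Dep]:
    """Turn dependency:tree lines into Dep records (root line is skipped)."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("conn"):
            continue
        depth = len(m.group("prefix")) // 3 + 1
        parts = m.group("coord").split(":")
        # group:artifact:packaging[:classifier]:version:scope -> version is second to last
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        deps.append(Dep(parts[0], parts[1], version, depth))
    return deps


def version_key(version: str) -> tuple[int, ...]:
    """Naive ordering key: leading numeric components only (1.70 > 1.68)."""
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))


def audit_bouncycastle(text: str, minimum: str = "1.70") -> dict[str, dict]:
    """Map each resolved org.bouncycastle artifact to its version, directness and staleness."""
    report = {}
    for d in parse_tree(text):
        if d.group == "org.bouncycastle":
            report[d.artifact] = {"version": d.version, "direct": d.depth == 1,
                                  "outdated": version_key(d.version) < version_key(minimum)}
    return report


if __name__ == "__main__":
    for artifact, info in audit_bouncycastle(SAMPLE_TREE).items():
        print(artifact, info)
```

Run it against real output from `mvn dependency:tree` on the Hive module after the pac4j upgrade: any artifact reported as `direct: True` is a declaration still left in the poms, and any `outdated: True` means the old BC is still winning resolution.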
