Aggarwal-Raghav commented on PR #5593: URL: https://github.com/apache/hive/pull/5593#issuecomment-2564765420
@tanishq-chugh, i don't think in hive avro-1.7.7.jar is shipped anywhere, i checked both: 1. `standalone-metastore/metastore-server/target/apache-hive-metastore-4.1.0-SNAPSHOT-bin/lib` 2. `packaging/target/apache-hive-4.1.0-SNAPSHOT-bin/apache-hive-4.1.0-SNAPSHOT-bin/lib` and in _standalone-metastore_ module/submodules, we are not using any avro api's which means that metastore don't have to depend on avro. Also, in terms of CVE's mentioned in JIRA, SonaType scan only picks the jars that are getting shipped (based on my understanding) so we are good from that front as well. Thoughts on this? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
