coheigea opened a new pull request, #31464: URL: https://github.com/apache/beam/pull/31464
If I scan beam-sdks-java-core-2.56.0.jar, it contains a Commons Compress version with CVEs:

```
trivy rootfs beam-sdks-java-core-2.56.0.jar
....
Java (jar)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.commons:commons-compress │ CVE-2024-25710 │ HIGH     │ fixed  │ 1.21              │ 1.26.0        │ commons-compress: Denial of service caused by an infinite   │
│ (beam-sdks-java-core-2.56.0.jar)    │                │          │        │                   │               │ loop for a corrupted...                                     │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25710                  │
│                                     ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│                                     │ CVE-2024-26308 │          │        │                   │               │ commons-compress: OutOfMemoryError unpacking broken Pack200 │
│                                     │                │          │        │                   │               │ file                                                        │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26308                  │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@beam.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
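The finding above comes from a shaded jar carrying its own copy of commons-compress, so the vulnerable version is invisible to a normal dependency tree and only shows up by looking inside the archive. The following is an added example, not code from the pull request or from the Beam project: it lists the Maven artifacts bundled in a jar by reading the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries Maven writes into jars (the same metadata scanners rely on), and compares each version against an advisory table. The jar it scans and the advisory table are constructed here for the demonstration; the CVE ids and the fixed version 1.26.0 are taken from the report above, but the table's shape is an assumption of this example, not trivy's data format.

```python
"""Inspect a jar for bundled Maven artifacts and compare them against advisories.

Added example (not part of the pull request or of Apache Beam). It reads the
META-INF/maven/<groupId>/<artifactId>/pom.properties files that Maven writes
into jars, which is also how vulnerability scanners identify shaded copies
of a library. The advisory list and the jars below are constructed inputs.
"""
import io
import re
import zipfile

# Constructed advisory table. CVE ids and fixed version match the trivy
# report in the PR; the table layout is an assumption of this example.
ADVISORIES = [
    {"ga": "org.apache.commons:commons-compress", "id": "CVE-2024-25710", "fixed": "1.26.0"},
    {"ga": "org.apache.commons:commons-compress", "id": "CVE-2024-26308", "fixed": "1.26.0"},
]

POM_PROPERTIES = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """Turn '1.26.0' or '1.21' into a tuple of ints so versions compare numerically.
    A non-numeric suffix such as '-SNAPSHOT' is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def bundled_artifacts(jar_bytes):
    """Return {'groupId:artifactId': version} for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPERTIES.match(name)
            if not m:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            # Prefer the declared coordinates; fall back to the path segments.
            group = props.get("groupId", m.group(1))
            artifact = props.get("artifactId", m.group(2))
            if "version" in props:
                found[f"{group}:{artifact}"] = props["version"]
    return found


def find_vulnerable(jar_bytes, advisories=ADVISORIES):
    """Return (ga, installed, cve, fixed) for each bundled artifact below its fixed version."""
    findings = []
    installed = bundled_artifacts(jar_bytes)
    for adv in advisories:
        version = installed.get(adv["ga"])
        if version is None:
            continue
        if parse_version(version) < parse_version(adv["fixed"]):
            findings.append((adv["ga"], version, adv["id"], adv["fixed"]))
    return findings


def make_jar(artifacts):
    """Build an in-memory jar holding only pom.properties entries (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for group, artifact, version in artifacts:
            body = f"groupId={group}\nartifactId={artifact}\nversion={version}\n"
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", body)
    return buf.getvalue()


# Mirrors the PR finding: a shaded commons-compress 1.21 (constructed jar).
VULNERABLE_JAR = make_jar([("org.apache.commons", "commons-compress", "1.21")])
# The same library at the fixed version must produce no findings.
PATCHED_JAR = make_jar([("org.apache.commons", "commons-compress", "1.26.0")])

if __name__ == "__main__":
    for ga, installed, cve, fixed in find_vulnerable(VULNERABLE_JAR):
        print(f"{ga} {installed} affected by {cve}, fixed in {fixed}")
```

Run against a real jar by passing `open(path, "rb").read()` to `find_vulnerable`. Note that a jar relocated with the Maven shade plugin may omit or rewrite `pom.properties`; when the metadata is absent, the only remaining signal is the bundled class files themselves, which is why a scanner report like the one above is worth keeping in CI alongside a dependency-tree check.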