coheigea opened a new pull request, #31464:
URL: https://github.com/apache/beam/pull/31464

If I scan beam-sdks-java-core-2.56.0.jar it contains a Commons Compress version with CVEs:
```
trivy rootfs beam-sdks-java-core-2.56.0.jar
....

Java (jar)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                    Title                     │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ org.apache.commons:commons-compress │ CVE-2024-25710 │ HIGH     │ fixed  │ 1.21              │ 1.26.0        │ commons-compress: Denial of service caused   │
│ (beam-sdks-java-core-2.56.0.jar)    │                │          │        │                   │               │ by an infinite loop for a corrupted...       │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25710   │
│                                     ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────┤
│                                     │ CVE-2024-26308 │          │        │                   │               │ commons-compress: OutOfMemoryError unpacking │
│                                     │                │          │        │                   │               │ broken Pack200 file                          │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26308   │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘
```
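As an added example (not part of this PR or of the Beam project): a small Python check that does, in miniature, what the trivy scan above does for a shaded jar. It reads the Maven metadata that the shade plugin usually keeps under `META-INF/maven/<groupId>/<artifactId>/pom.properties`, lists the bundled artifact versions, and flags `org.apache.commons:commons-compress` when it is older than the 1.26.0 fix version reported for CVE-2024-25710 and CVE-2024-26308. The jar it scans is a constructed sample containing only the metadata entries; `KNOWN_FIXES`, `bundled_artifacts`, `vulnerable_bundles` and `build_sample_jar` are names chosen here.

```python
import io
import re
import zipfile

# Fix versions as reported by the trivy output above; extend for other artifacts.
KNOWN_FIXES = {
    "org.apache.commons:commons-compress": (
        "1.26.0",
        ["CVE-2024-25710", "CVE-2024-26308"],
    ),
}


def parse_version(version):
    """Turn '1.26.0' into (1, 26, 0) for ordering; non-numeric parts
    (e.g. '-SNAPSHOT', 'rc1') compare as 0, which is good enough for
    the release-only versions this check is meant for."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def bundled_artifacts(jar_bytes):
    """Return {'groupId:artifactId': version} for every pom.properties
    found under META-INF/maven/ inside the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue  # comments (e.g. '#Generated by Maven') and blanks
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found


def vulnerable_bundles(jar_bytes):
    """List (coordinate, installed, fixed, cves) for bundled artifacts
    whose version is below the known fix version."""
    report = []
    for coord, installed in bundled_artifacts(jar_bytes).items():
        if coord not in KNOWN_FIXES:
            continue
        fixed, cves = KNOWN_FIXES[coord]
        if parse_version(installed) < parse_version(fixed):
            report.append((coord, installed, fixed, cves))
    return report


def build_sample_jar(compress_version):
    """Constructed sample jar: Maven metadata only, no classes, so the
    example runs offline without a real beam-sdks-java-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/org.apache.commons/commons-compress/pom.properties",
            "#Generated by Maven\n"
            f"version={compress_version}\n"
            "groupId=org.apache.commons\n"
            "artifactId=commons-compress\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("1.21", "1.26.0"):
        hits = vulnerable_bundles(build_sample_jar(ver))
        print(f"commons-compress {ver}: {hits or 'no known issues'}")
```

The check only works when the shaded jar retains the `pom.properties` files of the libraries it bundles; if the build strips them (or relocates classes without metadata), a scanner that fingerprints class files, such as trivy above, is the fallback. Running it on a real jar is just `vulnerable_bundles(open(path, "rb").read())`.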
