[ https://issues.apache.org/jira/browse/BEAM-9428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ismaël Mejía updated BEAM-9428:
-------------------------------
    Summary: CVEs in the dependencies of hive-exec for HiveIO  (was: CVEs in the dependencies are in the execution path of your project)

> CVEs in the dependencies of hive-exec for HiveIO
> ------------------------------------------------
>
>                 Key: BEAM-9428
>                 URL: https://issues.apache.org/jira/browse/BEAM-9428
>             Project: Beam
>          Issue Type: Bug
>          Components: io-java-hcatalog
>            Reporter: XuCongying
>            Assignee: Ismaël Mejía
>            Priority: Major
>         Attachments: apache-beam_CVE-report.md
>
>
> Hello, your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I suggest a library update. See details below:
> * *Vulnerable Dependency:* org.apache.hive : hive-exec : 2.1.0
> * *Call Chain to Buggy Methods:*
> ** *Some files in your project call the library method org.apache.hadoop.hive.ql.Driver.run(java.lang.String), which can reach the buggy method of [CVE-2017-12625|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12625].*
> *** Files in your project: sdks/java/io/hcatalog/src/main/java/org/apache/beam/sdk/io/hcatalog/test/EmbeddedMetastoreService.java
> *** One of the possible call chains:
> org.apache.hadoop.hive.ql.Driver.run(java.lang.String)
> org.apache.hadoop.hive.ql.Driver.run(java.lang.String,boolean)
> org.apache.hadoop.hive.ql.Driver.runInternal(java.lang.String,boolean)
> org.apache.hadoop.hive.ql.Driver.compileInternal(java.lang.String)
> org.apache.hadoop.hive.ql.Driver.compile(java.lang.String)
> org.apache.hadoop.hive.ql.Driver.compile(java.lang.String,boolean)
> org.apache.hadoop.hive.ql.parse.ParseDriver.parse(java.lang.String,org.apache.hadoop.hive.ql.Context) [buggy method]
> ** *Update suggestion:* version 3.1.2
> 3.1.2 is a safe version without CVEs.
> From 2.1.0 to 3.1.2, 2 of the APIs (called 2 times in your project) were removed, and 3 APIs (called 3 times in your project) were modified.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)