[
https://issues.apache.org/jira/browse/IGNITE-12738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
XuCongying updated IGNITE-12738:
--------------------------------
Attachment: apache-ignite_CVE-report.md
> CVEs in the dependencies are in the execution path of your project
> ------------------------------------------------------------------
>
> Key: IGNITE-12738
> URL: https://issues.apache.org/jira/browse/IGNITE-12738
> Project: Ignite
> Issue Type: Bug
> Reporter: XuCongying
> Priority: Major
> Attachments: apache-ignite_CVE-report.md
>
>
> Your project uses some depenidencies with CVEs. I found that the buggy
> methods of the CVEs are in the program execution path of your project, which
> makes your project at risk. I have suggested some version updates. The
> details are as follows.
> * *Vulnerable Dependency:* org.apache.hadoop : hadoop-common : 2.9.1
> * *Call Chain to Buggy Methods:*
> ** *Some files in your project call the library method
> org.apache.hadoop.fs.FileUtil.unZip(java.io.File,java.io.File), which can
> reach the buggy method of
> [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009].*
> *** Files in your project:
> modules/hadoop/src/main/java/org/apache/ignite/internal/processors/hadoop/impl/v2/HadoopV2JobResourceManager.java
> *** One of the possible call chain:
> org.apache.hadoop.fs.FileUtil.unZip(java.io.File,java.io.File) [buggy method]
> ** Files in your project:
> modules/hadoop/src/main/java/org/apache/ignite/internal/processors/hadoop/impl/v2/HadoopV2JobResourceManager.java
> *** One of the possible call chain:
> org.apache.hadoop.fs.FileUtil.unTar(java.io.File,java.io.File)
> org.apache.hadoop.fs.FileUtil.unTarUsingJava(java.io.File,java.io.File,boolean)
> org.apache.hadoop.fs.FileUtil.unpackEntries(org.apache.commons.compress.archivers.tar.TarArchiveInputStream,org.apache.commons.compress.archivers.tar.TarArchiveEntry,java.io.File)
> [buggy method]
> ** *Update suggestion:* version 3.2.0 3.2.0 is a safe version without CVEs.
> From 2.9.1 to 3.2.0, 4 of the APIs (called by 5 times in your project) were
> removed, 14 APIs (called by 44 times in your project) were modified.
> ** *Some files in your project call the library method
> org.apache.hadoop.fs.FileUtil.unTar(java.io.File,java.io.File), which can
> reach the buggy method of
> [CVE-2018-8009|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009].*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)