[ https://issues.apache.org/jira/browse/SPARK-25762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16693075#comment-16693075 ]
James Grinter commented on SPARK-25762: --------------------------------------- We also just bumped into CVE-2018-10237, as it's now started triggering the OWASP dependency checker in our Spark application builds because of the included Guava dependency. But I'm going to note that the Guava code itself does not use `AtomicDoubleArray` (one of the problematic classes) internally, and instantiates a `CompoundOrdering` object only via its `Ordering` collection class and `compound` method. Spark does not use `AtomicDoubleArray` but it *does* use `Ordering`. It doesn't invoke the `compound` method that would create a `CompoundOrdering` object. > Upgrade guava version in spark dependency lists due to CVE issue > ----------------------------------------------------------------- > > Key: SPARK-25762 > URL: https://issues.apache.org/jira/browse/SPARK-25762 > Project: Spark > Issue Type: Dependency upgrade > Components: Spark Core > Affects Versions: 2.2.1, 2.2.2, 2.3.1, 2.3.2 > Reporter: Debojyoti > Priority: Major > > In spark2.x dependency list we have guava-14.0.1.jar. However there are lot > vulnerabilities exists in this version.eg. CVE-2018-10237 > [https://www.cvedetails.com/cve/CVE-2018-10237/] > Do we have any solution to resolve it or is there any plan to upgrade guava > version any of the spark's future release? -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org