[ https://issues.apache.org/jira/browse/SPARK-32502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17169464#comment-17169464 ]
Apache Spark commented on SPARK-32502:
--------------------------------------

User 'viirya' has created a pull request for this issue:
https://github.com/apache/spark/pull/29326

> Please fix CVE related to Guava 14.0.1
> --------------------------------------
>
>                 Key: SPARK-32502
>                 URL: https://issues.apache.org/jira/browse/SPARK-32502
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 3.0.0
>            Reporter: Rodney Aaron Stainback
>            Priority: Major
>
> Please fix the following CVE related to Guava 14.0.1:
>
> | CVE            | Severity | CVSS |
> | CVE-2018-10237 | medium   | 5.9  |
>
> Our security team is trying to block us from using Spark because of this issue.
>
> One thing that's very weird is I see from this pom file
> (https://github.com/apache/spark/blob/v3.0.0/common/network-common/pom.xml)
> that you reference Guava, but it's not clear what version.
>
> But if I look on Maven
> (https://mvnrepository.com/artifact/org.apache.spark/spark-network-common_2.12/3.0.0)
> the Guava reference is not showing up.
>
> Is this reference somehow being shaded into the network-common jar? It's not
> clear to me.
>
> Also, I've noticed code like this file
> (https://github.com/apache/spark/blob/v3.0.0/common/network-common/src/main/java/org/apache/spark/network/util/LimitedInputStream.java)
> which is a copy-paste of some Guava source code.
>
> The CVE scanner we use, Twistlock/Palo Alto Networks Prisma Cloud Compute
> Edition, is very thorough and will find CVEs in copy-pasted code and shaded
> jars.
>
> Please fix this CVE so we can use Spark.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
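The reporter's question (is Guava shaded into the network-common jar, and can a scanner see it?) can be answered by looking inside the artifact rather than at the POM. The script below is an added example written for this page; it is not part of the Jira thread, the linked pull request, or Spark's own build. It opens a jar as a zip, lists classes under the real Guava package and under a relocated (shaded) package prefix, reads the Guava version from the `pom.properties` that maven-shade sometimes copies along, and flags classes in other packages whose constant pool references `com/google/common/...` types. The relocated prefix `org/spark_project/guava/` is an assumption about the shade-plugin `<relocation>` in Spark's POM and should be checked against the POM you are auditing. The sample jar is constructed in memory with placeholder class bytes so the example runs offline; it deliberately includes a copied class with no Guava reference at all, which this kind of scan cannot see, to show why a signature-based scanner like the reporter's can find what a package listing misses.

```python
"""Inspect a jar for shaded, relocated, or referenced Guava code."""
import io
import re
import zipfile

# Package prefixes under which Guava classes may appear inside a jar.
# com/google/common/ is Guava's real package. The second entry is the
# relocated prefix this example ASSUMES the shade plugin uses; confirm it
# against the <relocation> block in the POM you are auditing.
GUAVA_PACKAGE_PREFIXES = ("com/google/common/", "org/spark_project/guava/")

# maven-shade copies the dependency's pom.properties unless it is filtered
# out, which is the easiest place to recover the exact Guava version.
GUAVA_POM_PROPERTIES = "META-INF/maven/com.google.guava/guava/pom.properties"

# A compiled class that uses Guava types carries their internal names as
# UTF8 constants in its constant pool, so a raw substring scan of the class
# bytes finds Guava *users* even when they live in another package.
GUAVA_REF = re.compile(rb"com/google/common/[A-Za-z0-9_/$]+")


def scan_jar(jar_bytes):
    """Return a report of Guava presence in a jar held in memory."""
    report = {
        "guava_version": None,      # from pom.properties, if present
        "shaded_classes": [],       # classes under a Guava package prefix
        "referencing_classes": {},  # other classes -> Guava types they use
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == GUAVA_POM_PROPERTIES:
                props = zf.read(name).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        report["guava_version"] = line.split("=", 1)[1].strip()
                continue
            if not name.endswith(".class"):
                continue
            if name.startswith(GUAVA_PACKAGE_PREFIXES):
                report["shaded_classes"].append(name)
                continue
            refs = sorted({m.decode("ascii") for m in GUAVA_REF.findall(zf.read(name))})
            if refs:
                report["referencing_classes"][name] = refs
    return report


def scan_jar_file(path):
    """Convenience wrapper for a jar on disk."""
    with open(path, "rb") as fh:
        return scan_jar(fh.read())


def build_sample_jar():
    """CONSTRUCTED sample: a jar shaped like a shaded artifact, with
    placeholder class bytes (a class-file magic number plus padding)."""
    magic = b"\xca\xfe\xba\xbe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(GUAVA_POM_PROPERTIES,
                    "version=14.0.1\ngroupId=com.google.guava\nartifactId=guava\n")
        # Relocated Guava class: visible by package prefix.
        zf.writestr("org/spark_project/guava/base/Preconditions.class", magic + b"\x00" * 16)
        # Project class whose constant pool references an (unrelocated) Guava type.
        zf.writestr("org/apache/spark/network/util/TransportConf.class",
                    magic + b"\x00\x00\x00\x34"
                    + b"\x01\x00\x22com/google/common/base/Preconditions" + b"\x00" * 4)
        # Copied-and-renamed code with no Guava reference: invisible to this scan.
        zf.writestr("org/apache/spark/network/util/LimitedInputStream.class", magic + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in scan_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

Run it against a real artifact with `scan_jar_file("spark-network-common_2.12-3.0.0.jar")`. An empty `shaded_classes` list does not clear the jar: it only means no class sits under the prefixes you listed, so adjust `GUAVA_PACKAGE_PREFIXES` to the POM's actual relocation. Conversely, the copied `LimitedInputStream` in the sample produces no finding at all, which is the reporter's point: code copied out of Guava into the project's own package keeps the vulnerable behaviour without any packaging trace, and only a scanner that matches on code content (or a manual review of the copied file) will see it.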