[
https://issues.apache.org/jira/browse/SPARK-40681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Kyle Purtell updated SPARK-40681:
----------------------------------------
Description:
Spark 3.3 currently ships with GSON 2.8.6 and this should be managed up to
2.8.9 or later.
Versions of GSON prior to 2.8.9 are subject to
[gson#1991|https://github.com/google/gson/pull/1991] , detected and reported by
several flavors of static vulnerability assessment tools, at a fairly high
score because it is a deserialization of untrusted data problem.
This issue is not meant to imply any particular security problem in Spark
itself.
{noformat}
[INFO] org.apache.spark:spark-network-common_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.google.crypto.tink:tink:jar:1.6.1:compile
[INFO] | +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] | \- com.google.code.gson:gson:jar:2.8.6:compile
{noformat}
{noformat}
[INFO] org.apache.spark:spark-hive_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- org.apache.hive:hive-exec:jar:core:2.3.9:compile
[INFO] | +- org.apache.hive:hive-vector-code-gen:jar:2.3.9:compile
[INFO] | +- com.google.code.gson:gson:jar:2.2.4:compile
{noformat}
was:
Spark 3.3 currently ships with GSON 2.8.6 and this should be managed up to
2.8.9 or later.
Versions of GSON prior to 2.8.9 are subject to
[gson#1991|https://github.com/google/gson/pull/1991] , detected and reported by
several flavors of static vulnerability assessment tools, at a fairly high
score because it is a deserialization of untrusted data problem.
This issue is not meant to imply any particular security problem in Spark
itself.
[INFO] org.apache.spark:spark-network-common_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.google.crypto.tink:tink:jar:1.6.1:compile
[INFO] | +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] | \- com.google.code.gson:gson:jar:2.8.6:compile
[INFO] org.apache.spark:spark-hive_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- org.apache.hive:hive-exec:jar:core:2.3.9:compile
[INFO] | +- org.apache.hive:hive-vector-code-gen:jar:2.3.9:compile
[INFO] | +- com.google.code.gson:gson:jar:2.2.4:compile
> Update gson transitive dependency to 2.8.9 or later
> ---------------------------------------------------
>
> Key: SPARK-40681
> URL: https://issues.apache.org/jira/browse/SPARK-40681
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 3.3.0
> Reporter: Andrew Kyle Purtell
> Priority: Major
>
> Spark 3.3 currently ships with GSON 2.8.6 and this should be managed up to
> 2.8.9 or later.
> Versions of GSON prior to 2.8.9 are subject to
> [gson#1991|https://github.com/google/gson/pull/1991] , detected and reported
> by several flavors of static vulnerability assessment tools, at a fairly high
> score because it is a deserialization of untrusted data problem.
> This issue is not meant to imply any particular security problem in Spark
> itself.
> {noformat}
> [INFO] org.apache.spark:spark-network-common_2.12:jar:3.3.2-SNAPSHOT
> [INFO] +- com.google.crypto.tink:tink:jar:1.6.1:compile
> [INFO] | +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
> [INFO] | \- com.google.code.gson:gson:jar:2.8.6:compile
> {noformat}
> {noformat}
> [INFO] org.apache.spark:spark-hive_2.12:jar:3.3.2-SNAPSHOT
> [INFO] +- org.apache.hive:hive-exec:jar:core:2.3.9:compile
> [INFO] | +- org.apache.hive:hive-vector-code-gen:jar:2.3.9:compile
> [INFO] | +- com.google.code.gson:gson:jar:2.2.4:compile
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
