[jira] [Commented] (ATLAS-3930) Atlas server distribution contains 180+ CVEs
[ https://issues.apache.org/jira/browse/ATLAS-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17405115#comment-17405115 ]

Syed Atif Akhtar commented on ATLAS-3930:
-----------------------------------------

Any updates on this? I think it would be good to have a CI job that checks for vulnerabilities, if we don't already have one, and have some sort of tolerance threshold. This is a major issue that stops Atlas from larger enterprise adoption.

> Atlas server distribution contains 180+ CVEs
> --------------------------------------------
>
>                 Key: ATLAS-3930
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3930
>             Project: Atlas
>          Issue Type: Bug
>          Components: atlas-core, atlas-intg, atlas-webui
>    Affects Versions: 2.1.0
>            Reporter: Gaurav Saini
>            Priority: Blocker
>         Attachments: dependency-check-report.csv, dependency-check-report.html
>
>
> We are working on the Apache Atlas code and started deploying from
> *[https://github.com/apache/atlas/tree/release-2.1.0-rc3]*
> Upon scanning using Twistlock, we found *180+* vulnerabilities.
>
> Out of these, Jackson-databind and netty_netty-all are the most occurring ones.
> So, we tried upgrading the versions, but integration tests in atlas-webapp
> started failing saying *"org.eclise.jetty, utils: Multi exception".*
> The same thing is happening while upgrading versions of any other
> dependencies in the atlas module. The application breaks for any other
> dependency which we are trying to upgrade. For example, Hadoop_hdfs uses
> Jackson-databind as a transitive dependency, hence I am unable to update
> the version.
> _PFA of dependency check for the project._
> *I do not see any open issue on the Github channel either.*
> *Have you experienced any such scenario while upgrading earlier?*
> *Is there a way for me to move ahead to remove vulnerabilities in the
> current version?*
>
> *The atlas server distribution should be using the latest version of the
> dependencies having no or fewer CVEs.*

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
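The CI gate suggested in the comment above, as an added example that is not part of this thread or of the Atlas project: a small Python script that reads an OWASP dependency-check CSV report (the format of the attached dependency-check-report.csv) and fails the build according to a tolerance policy. The column names DependencyName, CVE, CVSSv3_BaseScore and CVSSv2_Score are assumed to match the report layout, the thresholds are a hypothetical policy, and the embedded report is constructed sample data with placeholder CVE ids, not a real scan of Atlas.

```python
"""Gate a CI build on an OWASP dependency-check CSV report.

Hypothetical policy (example, not an Atlas project setting): fail when any
finding scores at or above FAIL_SCORE, or when the number of findings at or
above WARN_SCORE exceeds the tolerance, unless the CVE id is on an explicit
allow-list of reviewed and accepted findings.
"""
import csv
import io
import sys

# Column names assumed to match the dependency-check CSV layout; adjust them
# if your report version names them differently.
COL_DEP = "DependencyName"
COL_CVE = "CVE"
COL_V3 = "CVSSv3_BaseScore"
COL_V2 = "CVSSv2_Score"

FAIL_SCORE = 9.0   # a single finding this severe fails the build outright
WARN_SCORE = 7.0   # findings at or above this score count against the tolerance
TOLERANCE = 2      # how many WARN_SCORE..FAIL_SCORE findings are tolerated

# Constructed sample report; CVE ids are placeholders, not real identifiers.
SAMPLE_CSV = """DependencyName,CVE,CVSSv3_BaseScore,CVSSv2_Score
jackson-databind-2.9.9.jar,CVE-0000-0001,9.8,7.5
jackson-databind-2.9.9.jar,CVE-0000-0002,7.5,5.0
netty-all-4.1.20.Final.jar,CVE-0000-0003,7.5,5.0
netty-all-4.1.20.Final.jar,CVE-0000-0004,5.3,4.3
jetty-util-9.3.14.jar,CVE-0000-0005,,6.4
"""


def score_of(row):
    """Prefer the CVSS v3 score; fall back to v2 when v3 is blank or unparsable."""
    for col in (COL_V3, COL_V2):
        value = (row.get(col) or "").strip()
        if value:
            try:
                return float(value)
            except ValueError:
                continue
    return 0.0


def evaluate(csv_text, allow=frozenset(), tolerance=TOLERANCE):
    """Apply the policy to a CSV report and describe the outcome.

    Returns a dict with the counted findings, the failure reasons (empty when
    the policy is satisfied) and a 'passed' flag for the CI job to act on.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = (row.get(COL_CVE) or "").strip()
        if not cve or cve in allow:
            continue  # rows without a CVE, or explicitly accepted CVEs, are skipped
        findings.append((row[COL_DEP], cve, score_of(row)))

    critical = [f for f in findings if f[2] >= FAIL_SCORE]
    high = [f for f in findings if WARN_SCORE <= f[2] < FAIL_SCORE]

    reasons = []
    if critical:
        reasons.append(f"{len(critical)} finding(s) with CVSS >= {FAIL_SCORE}")
    if len(high) > tolerance:
        reasons.append(f"{len(high)} finding(s) with CVSS >= {WARN_SCORE} "
                       f"exceed the tolerance of {tolerance}")
    return {"total": len(findings), "critical": critical, "high": high,
            "reasons": reasons, "passed": not reasons}


def main(argv):
    """Usage: python gate.py [report.csv] [accepted-cve ...]; exits 1 on failure."""
    if len(argv) > 1:
        with open(argv[1], newline="", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    result = evaluate(text, allow=frozenset(argv[2:]))
    for dep, cve, score in sorted(result["critical"] + result["high"],
                                  key=lambda f: -f[2]):
        print(f"{score:4.1f}  {cve:<16} {dep}")
    for reason in result["reasons"]:
        print("FAIL:", reason)
    print("passed" if result["passed"] else "failed",
          f"({result['total']} finding(s) considered)")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the embedded sample and fails on the single 9.8 finding; passing the report path and a list of reviewed CVE ids lets a team accept specific findings deliberately (with the allow-list kept in version control) rather than lowering the threshold for everyone, which keeps the tolerance meaningful as dependencies are upgraded one at a time.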
[jira] [Commented] (ATLAS-3930) Atlas server distribution contains 180+ CVEs

[ https://issues.apache.org/jira/browse/ATLAS-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17237570#comment-17237570 ]

Kevin Risden commented on ATLAS-3930:
-------------------------------------

A lot of this should have been addressed with ATLAS-4000, and there might be a few stragglers fixed by ATLAS-4046 for Jetty specifically.