[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-03 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486803#comment-17486803
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

Please reopen this JIRA after editing this JIRA to be dedicated for 
htrace-core4-4.1.0-incubating.

> security scan issue jackson-databinding HDFS dependency library
> ---
>
> Key: SPARK-38061
> URL: https://issues.apache.org/jira/browse/SPARK-38061
> Project: Spark
>  Issue Type: Bug
>  Components: Kubernetes, Security
>Affects Versions: 3.2.0
>Reporter: Sujit Biswas
>Priority: Major
> Attachments: image-2022-02-03-08-02-29-071.png, 
> scan-security-report-spark-3.2.0-jre-11.csv, 
> scan-security-report-spark-3.2.1-jre-11.csv
>
>
> Hi,
> running into security scan issue with docker image built on 
> spark-3.2.0-bin-hadoop3.2, is there a way to resolve 
>  
> most issues related to https://issues.apache.org/jira/browse/HDFS-15333 
> attaching the CVE report
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
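
Why a scanner can keep flagging jackson-databind under htrace-core4-4.1.0-incubating.jar after Spark's own Jackson jar is upgraded, as an added example (not code from this thread or from Spark): it lists the artifacts bundled inside a jar from their `META-INF/maven/.../pom.properties` entries and compares each version with the "fixed in: 2.9.10" value from the finding quoted in the thread. The sample jar, its `org/example/shaded` relocation prefix and the bundled version 2.4.0 are constructed for illustration, and the check assumes the shading build left the `pom.properties` files in place.

```python
import io
import re
import zipfile

# Maven records each bundled artifact's coordinates at this path inside a jar.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """Turn '2.9.10' into (2, 9, 10) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def embedded_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for artifacts bundled in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = dict(
                line.split("=", 1)
                for line in jar.read(name).decode("utf-8").splitlines()
                if "=" in line and not line.startswith("#")
            )
            found[(match.group(1), match.group(2))] = props.get("version", "").strip()
    return found


def below_fixed(jar_bytes, artifact_id, fixed_in):
    """List bundled copies of artifact_id older than fixed_in (empty version counts as older)."""
    return [
        (group, artifact, version)
        for (group, artifact), version in sorted(embedded_artifacts(jar_bytes).items())
        if artifact == artifact_id and parse_version(version) < parse_version(fixed_in)
    ]


def relocated_classes(jar_bytes, package_suffix):
    """Class files that carry package_suffix under a prefix other than com/ (shaded copies)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [
            name for name in jar.namelist()
            if name.endswith(".class")
            and package_suffix in name
            and not name.startswith("com/" + package_suffix)
        ]


def build_sample_jar():
    """Constructed stand-in for a shaded jar; paths and version are illustrative."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.4.0\n",
        )
        jar.writestr("org/example/shaded/fasterxml/jackson/databind/ObjectMapper.class", b"")
        jar.writestr("org/example/tracing/Tracer.class", b"")
    return buf.getvalue()


SAMPLE_JAR = build_sample_jar()

if __name__ == "__main__":
    print(below_fixed(SAMPLE_JAR, "jackson-databind", "2.9.10"))
    print(relocated_classes(SAMPLE_JAR, "fasterxml/jackson/databind/"))
```

A hit from `below_fixed` together with a non-empty `relocated_classes` result means the finding belongs to the shading jar, so it is tracked and fixed with that jar rather than with the top-level Jackson dependency.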



[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-03 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486802#comment-17486802
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

In addition, we do use Jackson with safe versions. If 
htrace-core4-4.1.0-incubating.jar shades unsafe Jackson, it won't affect Spark. 
So, it's not urgent. I would expect this issue will go away when HDFS fixes, 
and when we upgrade Hadoop.




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-03 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486801#comment-17486801
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

[~sujitbiswas] please file a separate JIRA or edit this JIRA dedicated for 
htrace-core4-4.1.0-incubating.jar.




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-03 Thread Sujit Biswas (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486791#comment-17486791
 ] 

Sujit Biswas commented on SPARK-38061:
--

 

*htrace-core4-4.1.0-incubating.jar* is about jackson-databind, not sure you are 
able to understand the issue, see the results, example below 

 

*CRITICAL,* "Vulnerability found in non-os package type (java) *- 
/opt/spark/jars/htrace-core4-4.1.0-incubating.jar:jackson-databind* (fixed in: 
2.9.10)(GHSA-f3j5-rmmp-3fc5 - 
[https://github.com/advisories/GHSA-f3j5-rmmp-3fc5] 
)","GHSA-f3j5-rmmp-3fc5+htrace-core4-4.1.0-incubating.jar:jackson-databind",package,vulnerabilities,

 




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-03 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486777#comment-17486777
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

[~sujitbiswas] Again, please file a separate JIRA for each dependency because 
some of them cannot simply be backported, and we should track them separately. 
Some dependencies like Log4J need a lot of changes as an example. We can't 
just upgrade them in batch. Or you can use this JIRA as an umbrella JIRA.

Spark 3.3.0 is scheduled in the middle of this year.




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-03 Thread Sujit Biswas (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486741#comment-17486741
 ] 

Sujit Biswas commented on SPARK-38061:
--

Okay let’s take one issue at a time. For the jar jackson-databind, though the 
specific jar is updated in 3.2.x, the real issue is with 
htrace-core4-4.1.0-incubating.jar, which is a shaded

SPARK-35550 , *is NOT a duplicate* of this bug

 

Please note the issue is not resolved in 3.2.1, attaching the scan report for 
the same, it will continue to exist in subsequent release *if the jar 
htrace-core4-4.1.0-incubating.jar is not fixed*

 

Please re-open the bug for tracking purpose




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-03 Thread Sujit Biswas (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486559#comment-17486559
 ] 

Sujit Biswas commented on SPARK-38061:
--

[~hyukjin.kwon] 

how to download Spark 3.3.0?  not seeing it here

[https://archive.apache.org/dist/spark/]

 




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-03 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486344#comment-17486344
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

[~sujitbiswas] some changes are not backported because they are too breaking. 
To avoid CVEs, users should use Spark 3.3.0.
Again, we should triage instead of just listing the dependencies by the report, 
and need to resolve one by one as each has a side effect of dependency 
resolution.




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-02 Thread Sujit Biswas (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486268#comment-17486268
 ] 

Sujit Biswas commented on SPARK-38061:
--

also if some of the issues are resolved, how to get the build that has the fixes




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-02 Thread Sujit Biswas (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486264#comment-17486264
 ] 

Sujit Biswas commented on SPARK-38061:
--

not at all helpful, please refer to valid reason why something like this will 
not affect any spark

stop,CRITICAL,false,"Vulnerability found in non-os package type (java) - 
/opt/spark/jars/log4j-1.2.17.jar (GHSA-2qrg-x229-3v8q - 
[https://github.com/advisories/GHSA-2qrg-x229-3v8q] 
)","GHSA-2qrg-x229-3v8q+log4j-1.2.17.jar",package,vulnerabilities

 

 




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-02 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486254#comment-17486254
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

No, the security report here simply mentions the issues in their own libraries 
themselves. We don't know if they actually affect Spark or not, and we should 
proceed with the upgrade separately for each ticket.




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-02 Thread Sujit Biswas (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486246#comment-17486246
 ] 

Sujit Biswas commented on SPARK-38061:
--

info is there in the attachment, you can do that




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-02 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486236#comment-17486236
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

[~sujitbiswas] Let's separate a ticket for each. We should identify which 
affect Spark, and upgrade deps one by one instead of doing it in batch, 
pulling unrelated dependency upgrades together.




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-02 Thread Sujit Biswas (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486231#comment-17486231
 ] 

Sujit Biswas commented on SPARK-38061:
--

[~hyukjin.kwon] 

note jackson-databind solves only part of the problem, example log4j-1.2.17.jar 
causing critical CVE, there are several other HIGH CVEs, please see the 
attached csv in the bug attachment section




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-02-02 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486202#comment-17486202
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

That's already upgraded at SPARK-35550




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-01-30 Thread Sujit Biswas (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17484525#comment-17484525
 ] 

Sujit Biswas commented on SPARK-38061:
--

do not know what is the best resolution, htrace-core4-4.1.0-incubating.jar and 
log4j-1.2.17.jar are causing critical CVE, there are few HIGH, see the 
attached csv

 

one option may be build htrace-core4-4.1.0-incubating with 
*jackson-databind-2.12.3.jar*




[jira] [Commented] (SPARK-38061) security scan issue jackson-databinding HDFS dependency library

2022-01-29 Thread Hyukjin Kwon (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-38061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17484280#comment-17484280
 ] 

Hyukjin Kwon commented on SPARK-38061:
--

[~sujitbiswas], so do you propose to upgrade Jackson version?
