owasp-dependency-check is flagging flink 1.13 for scala 2.12.7

2021-07-02 Thread Debraj Manna
Hi,

I was running owasp-dependency-check in a Java application based on flink-1.13.0 (Scala 2.12). Scala 2.12.7 was getting flagged for this.

Relevant Dependency for this -

[INFO] +- org.apache.flink:flink-streaming-java_2.12:jar:1.13.0:provided
[INFO] |  +- org.apache.flink:flink-file-sink-common:jar:1.13.0:provided
[INFO] |  +- org.apache.flink:flink-runtime_2.12:jar:1.13.0:compile
[INFO] |  |  +- org.apache.flink:flink-queryable-state-client-java:jar:1.13.0:compile
[INFO] |  |  +- org.apache.flink:flink-hadoop-fs:jar:1.13.0:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
[INFO] |  |  +- org.apache.flink:flink-shaded-netty:jar:4.1.49.Final-13.0:compile
[INFO] |  |  +- org.apache.flink:flink-shaded-jackson:jar:2.12.1-13.0:compile
[INFO] |  |  +- org.apache.flink:flink-shaded-zookeeper-3:jar:3.4.14-13.0:compile
[INFO] |  |  +- org.javassist:javassist:jar:3.24.0-GA:compile
[INFO] |  |  +- org.scala-lang:scala-library:jar:2.12.7:compile

Can anyone suggest whether the Flink app is vulnerable to this or whether it can safely be ignored?

Thanks


Re: owasp-dependency-check is flagging flink 1.13 for scala 2.12.7

2021-07-02 Thread Chesnay Schepler
It's unlikely to be relevant for you since the vulnerability only affects the scaladocs, i.e., documentation.



Re: owasp-dependency-check is flagging flink 1.13 for scala 2.12.7

2021-07-03 Thread Debraj Manna
Thanks for replying.

But I am also observing the following being flagged

flink-hadoop-fs-1.13.1

   - CVE-2016-5001
   - CVE-2017-3161
   - CVE-2017-3162

flink-connector-kafka_2.12-1.13.1

   - CVE-2018-17196






Re: owasp-dependency-check is flagging flink 1.13 for scala 2.12.7

2021-07-03 Thread Chesnay Schepler
The Kafka one is incorrect because the 1.13.1 connector relies on Kafka 
2.4.1.


Whether the hadoop-fs ones are relevant for you depends entirely on 
which Hadoop version you are using, because we expect the user to 
provide Hadoop (and you can use later and more secure versions if you 
wish). IOW, the Hadoop 2.4 dependency in flink-hadoop-fs is just a hint 
to the user that this version _can_ be used.
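A dependency-check suppression file for the Kafka false positive discussed above, added here as an example; it is not from the thread or from the Flink project. It assumes the Maven coordinates org.apache.flink:flink-connector-kafka_2.12 that appear in the scan output and the dependency-check 1.3 suppression schema. The flink-hadoop-fs findings are deliberately left unsuppressed, because the reply says their relevance depends on which Hadoop version the user provides.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: added example, not from the thread.
     The suppression is scoped to one artifact and one CVE, so a future
     connector release that really does pull in an affected Kafka client
     would be flagged again instead of being hidden by a blanket rule. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: flink-connector-kafka_2.12 1.13.1 depends on Kafka 2.4.1,
      which is not in the affected range of CVE-2018-17196
      (per the maintainer's reply in this thread, 2021-07-03).
    ]]></notes>
    <!-- match only this artifact, any version; the CVE element narrows it further -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.flink/flink\-connector\-kafka_2\.12@.*$</packageUrl>
    <cve>CVE-2018-17196</cve>
  </suppress>
  <!-- CVE-2016-5001, CVE-2017-3161 and CVE-2017-3162 on flink-hadoop-fs are
       intentionally NOT suppressed: they are resolved by providing a patched
       Hadoop version, which the scanner then evaluates directly. -->
</suppressions>
```

Point the Maven plugin at this file through its suppressionFiles configuration and keep the notes element filled in; the note is what lets the next reviewer tell a reasoned suppression from a silenced finding.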



Re: owasp-dependency-check is flagging flink 1.13 for scala 2.12.7

2021-07-03 Thread Debraj Manna
Thanks again for replying.

Can you please provide a bit more explanation about the flink-hadoop-fs? It
is coming from flink-streaming. The relevant dependency tree looks like
below. How can I use a different version of hadoop in this case?

+- org.apache.flink:flink-streaming-java_2.12:jar:1.13.1:provided
[INFO] |  +- org.apache.flink:flink-file-sink-common:jar:1.13.1:provided
[INFO] |  +- org.apache.flink:flink-runtime_2.12:jar:1.13.1:compile
[INFO] |  |  +- org.apache.flink:flink-queryable-state-client-java:jar:1.13.1:compile
[INFO] |  |  +- org.apache.flink:flink-hadoop-fs:jar:1.13.1:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
[INFO]
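Added example, not from the thread or from the Flink project: a pom.xml fragment that supplies Hadoop explicitly, which is what the earlier reply means by the user providing Hadoop. The tree above shows flink-hadoop-fs with no Hadoop artifact beneath it, so declaring org.apache.hadoop:hadoop-client at a chosen version is how the job decides which Hadoop release ends up on the classpath and in the scan. The property name hadoop.version and its placeholder value are assumptions; the Flink version 1.13.1 comes from the tree above.

```xml
<!-- pom.xml fragment: added example, not from the thread or the Flink project.
     Placeholders (assumptions): the property hadoop.version and its value
     REPLACE-WITH-PATCHED-HADOOP-VERSION. Set it to the Hadoop release that is
     really deployed on the cluster and that is not affected by the flagged CVEs. -->
<project>
  <properties>
    <flink.version>1.13.1</flink.version>
    <hadoop.version>REPLACE-WITH-PATCHED-HADOOP-VERSION</hadoop.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.apache.flink</groupId>
      <artifactId>flink-streaming-java_2.12</artifactId>
      <version>${flink.version}</version>
      <scope>provided</scope>
    </dependency>

    <!-- flink-hadoop-fs only hints at Hadoop 2.4; the job supplies the real
         Hadoop client, so this is the version that both the runtime
         classpath and dependency-check see. -->
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-client</artifactId>
      <version>${hadoop.version}</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <configuration>
          <!-- fail the build on any unsuppressed finding of CVSS 7 or higher -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- suppression file next to this pom (assumed file name) -->
          <suppressionFiles>
            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

After changing the version, run mvn dependency:tree to confirm that hadoop-client now resolves to the chosen release, then re-run the scan: the hadoop-fs findings are then judged against the Hadoop version the job actually runs with, rather than against the 2.4 hint.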


