Hi Prasanna, in the latest Flink version (1.13.0) I couldn't find these dependencies. Which version of Flink are you looking at? What you could check is whether one of these dependencies is contained in one of Flink's shaded dependencies [1].
[1] https://github.com/apache/flink-shaded

Cheers,
Till

On Tue, May 4, 2021 at 3:00 PM Prasanna kumar <prasannakumarram...@gmail.com> wrote:

> Hi Flinksters,
>
> Our repo, which is a Maven-based Java project (Flink), went through an SCA scan
> using the WhiteSource tool, and the following are the HIGH severity issues reported.
> The target vulnerable jar is not found when we build the dependency tree of
> the project.
>
> Could anyone let us know if Flink uses these anywhere.
>
> +----------------------+------------+
> | Library              | Severity   |
> +======================+============+
> | xercesImpl-2.9.1.jar | HIGH       |
> +----------------------+------------+
> - Artifact ID: xercesImpl
> - Group ID: xerces
> - Library Version: 2.9.1
> - Library Path: /var/lib/jenkins/workspace/branch/latest/?/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
> - Dependency: None
> - Type: MAVEN_ARTIFACT
> - Description: XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the
>   Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14,
>   6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier,
>   Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier,
>   JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other
>   products allows remote attackers to cause a denial of service via vectors related to
>   XML attribute names.
> - Suggested Fix: Upgrade to version xerces:xercesImpl:Xerces-J_2_12_0
>
> +-----------------------+------------+
> | Library               | Severity   |
> +=======================+============+
> | struts-core-1.3.8.jar | HIGH       |
> +-----------------------+------------+
> - Artifact ID: struts-core
> - Group ID: org.apache.struts
> - Library Version: 1.3.8
> - Library Path: /var/lib/jenkins/workspace/branchlatest/?/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar
> - Dependency: None
> - Type: MAVEN_ARTIFACT
> - Description: ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly
>   restrict the Validator configuration, which allows remote attackers to conduct
>   cross-site scripting (XSS) attacks or cause a denial of service via crafted input,
>   a related issue to CVE-2015-0899.
> - Suggested Fix: Replace or update the following file: ActionServlet.java
>
> +----------------------+------------+
> | Library              | Severity   |
> +======================+============+
> | plexus-utils-3.0.jar | HIGH       |
> +----------------------+------------+
> - Artifact ID: plexus-utils
> - Group ID: org.codehaus.plexus
> - Library Version: 3.0
> - Library Path: /var/lib/jenkins/workspace/branchlatest/?/.m2/repository/org/codehaus/plexus/plexus-utils/3.0/plexus-utils-3.0.jar
> - Dependency: None
> - Type: MAVEN_ARTIFACT
> - Description: Security vulnerability found in plexus-utils before 3.0.24. XML injection
>   found in XmlWriterUtil.java.
> - Suggested Fix: Upgrade to version 3.0.24
>
> Thanks,
>
> Prasanna.
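The check Till suggests, as an added example that is not part of the thread and not Flink or flink-shaded code: an SCA tool such as WhiteSource fingerprints jar contents, so a library that never appears in `mvn dependency:tree -Dincludes=xerces:xercesImpl` can still be flagged when its classes or its `META-INF/maven/<groupId>/<artifactId>/pom.properties` were copied into a fat or shaded jar. The script below opens every jar under a directory (a Flink `lib/` folder, a build's `target/`, or the `.m2` repository from the report) and reports which jars carry classes from the three flagged packages, whether those classes were relocated by shading, and the version recorded in `pom.properties` if one survived. The relocation prefix used in the constructed sample jar is invented for the example; it is not a real flink-shaded module.

```python
"""Find jars that embed (possibly relocated) copies of libraries flagged by an SCA scan."""
import io
import re
import zipfile
from pathlib import Path

# Maven coordinates from the WhiteSource report, mapped to each library's
# class-file directory. Shading relocates classes under a new prefix but keeps
# the original package path as a suffix, so entries are matched on "/<package>/"
# anywhere in the name rather than on a fixed prefix.
SUSPECT_PACKAGES = {
    "xerces:xercesImpl": "org/apache/xerces/",
    "org.apache.struts:struts-core": "org/apache/struts/",
    "org.codehaus.plexus:plexus-utils": "org/codehaus/plexus/util/",
}

POM_PROPERTIES_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def scan_jar(jar):
    """Return {coordinate: {"classes": int, "relocated": bool, "pom_version": str|None}}.

    `jar` is a path or a file-like object holding the jar bytes.
    """
    findings = {}
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        for coord, pkg in SUSPECT_PACKAGES.items():
            hits = [n for n in names if n.endswith(".class") and "/" + pkg in "/" + n]
            if hits:
                findings[coord] = {
                    "classes": len(hits),
                    # a hit whose path does not start at the original package was relocated
                    "relocated": any(not n.startswith(pkg) for n in hits),
                    "pom_version": None,
                }
        # pom.properties survives shading unless the build strips it, and it is
        # what lets a scanner name an exact version such as 2.9.1.
        for n in names:
            m = POM_PROPERTIES_RE.match(n)
            if not m:
                continue
            coord = f"{m.group(1)}:{m.group(2)}"
            if coord not in SUSPECT_PACKAGES:
                continue
            version = None
            for line in zf.read(n).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    version = value.strip()
            entry = findings.setdefault(
                coord, {"classes": 0, "relocated": False, "pom_version": None}
            )
            entry["pom_version"] = version
    return findings


def scan_directory(root):
    """Scan every *.jar below `root`; only jars with findings are returned."""
    results = {}
    for path in Path(root).rglob("*.jar"):
        found = scan_jar(path)
        if found:
            results[str(path)] = found
    return results


def build_sample_jar():
    """Constructed sample (not a real artifact): a fat jar that relocated Xerces
    under an invented prefix and kept the library's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/flink/shaded/xerces/org/apache/xerces/impl/XMLScanner.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/flink/shaded/xerces/org/apache/xerces/parsers/SAXParser.class", b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/xerces/xercesImpl/pom.properties",
                    "version=2.9.1\ngroupId=xerces\nartifactId=xercesImpl\n")
        zf.writestr("org/example/Main.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for jar, found in scan_directory(sys.argv[1]).items():
            print(jar, found)
    else:
        print(scan_jar(build_sample_jar()))
```

Run it against the `.m2` path or the Flink `lib/` directory from the report; a hit with `relocated: True` means the class was shaded into another artifact, and a `pom_version` on a jar whose dependency tree shows nothing is usually the metadata the scanner matched on.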