Thanks again for replying. Can you please provide a bit more explanation about the flink-hadoop-fs? It is coming from flink-streaming. The relevant dependency tree looks like below. How can I use a different version of hadoop in this case?
+- org.apache.flink:flink-streaming-java_2.12:jar:1.13.1:provided [INFO] | +- org.apache.flink:flink-file-sink-common:jar:1.13.1:provided [INFO] | +- org.apache.flink:flink-runtime_2.12:jar:1.13.1:compile [INFO] | | +- org.apache.flink:flink-queryable-state-client-java:jar:1.13.1:compile [INFO] | | +- org.apache.flink:flink-hadoop-fs:jar:1.13.1:compile [INFO] | | +- commons-io:commons-io:jar:2.7:compile [INFO] On Sun, Jul 4, 2021 at 1:29 AM Chesnay Schepler <ches...@apache.org> wrote: > The Kafka one is incorrect because the 1.13.1 connector relies on Kafka > 2.4.1. > > Whether the hadoop-fs ones are relevant for you depends entirely on which > Hadoop version you are using, because we expect the user to provide Hadoop > (and you can use later and more secure versions if you wish). IOW, the > Hadoop 2.4 dependency in flink-hadoop-fs is just a hint to the user that > this version _can_ be used. > > On 7/3/2021 8:03 PM, Debraj Manna wrote: > > Thanks for replying. > > But I am also observing the following being flagged > > *flink-hadoop-fs-1.13.1* > > - *CVE-2016-5001 > <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5001>* > - *CVE-2017-3161 > <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3161>* > - *CVE-2017-3162 > <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3162>* > > *flink-connector-kafka_2.12-1.13.1* > > - *CVE-2018-17196 > <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17196>* > > > > > On Fri, Jul 2, 2021 at 7:19 PM Chesnay Schepler <ches...@apache.org> > wrote: > >> Its unlikely to be relevant for you since the vulnerability only affects >> the scaladocs, i.e., documentation. >> >> On 7/2/2021 2:10 PM, Debraj Manna wrote: >> >> Hi, >> >> I was running owasp-dependency-check >> <https://owasp.org/www-project-dependency-check/> in a java application >> based on flink-1.13.0 (scala 2.12). scala 2.12.7 was getting flagged for >> this >> <https://ossindex.sonatype.org/vulnerability/bd61dd10-4348-45cd-a09e-094e9d588715?component-type=maven&component-name=org.scala-lang.scala-library&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.6>. >> >> >> Relevant Dependency for this - >> >> FO] +- org.apache.flink:flink-streaming-java_2.12:jar:1.13.0:provided >> [INFO] | +- org.apache.flink:flink-file-sink-common:jar:1.13.0:provided >> [INFO] | +- org.apache.flink:flink-runtime_2.12:jar:1.13.0:compile >> [INFO] | | +- >> org.apache.flink:flink-queryable-state-client-java:jar:1.13.0:compile >> [INFO] | | +- org.apache.flink:flink-hadoop-fs:jar:1.13.0:compile >> [INFO] | | +- commons-io:commons-io:jar:2.7:compile >> [INFO] | | +- >> org.apache.flink:flink-shaded-netty:jar:4.1.49.Final-13.0:compile >> [INFO] | | +- >> org.apache.flink:flink-shaded-jackson:jar:2.12.1-13.0:compile >> [INFO] | | +- >> org.apache.flink:flink-shaded-zookeeper-3:jar:3.4.14-13.0:compile >> [INFO] | | +- org.javassist:javassist:jar:3.24.0-GA:compile >> [INFO] | | +- org.scala-lang:scala-library:jar:2.12.7:compile >> >> Can anyone suggest if flink app is vulnerable to this or can safely be >> ignored? >> >> Thanks >> >> >> >