Thanks again for replying.

Can you please provide a bit more explanation about flink-hadoop-fs? It
is coming in through flink-streaming. The relevant dependency tree looks like
the one below. How can I use a different version of Hadoop in this case?

+- org.apache.flink:flink-streaming-java_2.12:jar:1.13.1:provided
[INFO] |  +- org.apache.flink:flink-file-sink-common:jar:1.13.1:provided
[INFO] |  +- org.apache.flink:flink-runtime_2.12:jar:1.13.1:compile
[INFO] |  |  +- org.apache.flink:flink-queryable-state-client-java:jar:1.13.1:compile
[INFO] |  |  +- org.apache.flink:flink-hadoop-fs:jar:1.13.1:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
[INFO]
On Sun, Jul 4, 2021 at 1:29 AM Chesnay Schepler <ches...@apache.org> wrote:

> The Kafka one is incorrect because the 1.13.1 connector relies on Kafka
> 2.4.1.
>
> Whether the hadoop-fs ones are relevant for you depends entirely on which
> Hadoop version you are using, because we expect the user to provide Hadoop
> (and you can use later and more secure versions if you wish). IOW, the
> Hadoop 2.4 dependency in flink-hadoop-fs is just a hint to the user that
> this version _can_ be used.
>
> On 7/3/2021 8:03 PM, Debraj Manna wrote:
>
> Thanks for replying.
>
> But I am also observing the following being flagged
>
> flink-hadoop-fs-1.13.1
>
>    - CVE-2016-5001 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5001>
>    - CVE-2017-3161 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3161>
>    - CVE-2017-3162 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3162>
>
> flink-connector-kafka_2.12-1.13.1
>
>    - CVE-2018-17196 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17196>
>
>
> On Fri, Jul 2, 2021 at 7:19 PM Chesnay Schepler <ches...@apache.org>
> wrote:
>
>> It's unlikely to be relevant for you since the vulnerability only affects
>> the scaladocs, i.e., documentation.
>>
>> On 7/2/2021 2:10 PM, Debraj Manna wrote:
>>
>> Hi,
>>
>> I was running owasp-dependency-check <https://owasp.org/www-project-dependency-check/>
>> in a Java application based on flink-1.13.0 (Scala 2.12). Scala 2.12.7 was getting
>> flagged for this
>> <https://ossindex.sonatype.org/vulnerability/bd61dd10-4348-45cd-a09e-094e9d588715?component-type=maven&component-name=org.scala-lang.scala-library&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.6>.
>>
>>
>> Relevant dependency for this:
>>
>> FO] +- org.apache.flink:flink-streaming-java_2.12:jar:1.13.0:provided
>> [INFO] |  +- org.apache.flink:flink-file-sink-common:jar:1.13.0:provided
>> [INFO] |  +- org.apache.flink:flink-runtime_2.12:jar:1.13.0:compile
>> [INFO] |  |  +- org.apache.flink:flink-queryable-state-client-java:jar:1.13.0:compile
>> [INFO] |  |  +- org.apache.flink:flink-hadoop-fs:jar:1.13.0:compile
>> [INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
>> [INFO] |  |  +- org.apache.flink:flink-shaded-netty:jar:4.1.49.Final-13.0:compile
>> [INFO] |  |  +- org.apache.flink:flink-shaded-jackson:jar:2.12.1-13.0:compile
>> [INFO] |  |  +- org.apache.flink:flink-shaded-zookeeper-3:jar:3.4.14-13.0:compile
>> [INFO] |  |  +- org.javassist:javassist:jar:3.24.0-GA:compile
>> [INFO] |  |  +- org.scala-lang:scala-library:jar:2.12.7:compile
>>
>> Can anyone suggest whether the Flink app is vulnerable to this, or whether it
>> can safely be ignored?
>>
>> Thanks
>>
>
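Since Flink expects the application (or the cluster) to provide Hadoop, the practical way to act on the reply above is to pin the Hadoop version yourself in the build rather than accept the 2.4 hint carried by flink-hadoop-fs. The Maven fragment below is an added example, not code from this thread or from the Flink project; the Hadoop version 3.3.1 is an assumed value, and the Flink coordinates are the ones from the dependency tree posted above.

```xml
<!-- Added example (not from the thread): make the Hadoop version explicit
     so dependency:tree and dependency-check see the version you actually run.
     hadoop.version 3.3.1 is an assumption; substitute the version on your cluster. -->
<properties>
  <flink.version>1.13.1</flink.version>
  <hadoop.version>3.3.1</hadoop.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Any transitive org.apache.hadoop coordinate that does get pulled in
         resolves to the managed version instead of an older one. -->
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-common</artifactId>
      <version>${hadoop.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-client</artifactId>
      <version>${hadoop.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.apache.flink</groupId>
    <artifactId>flink-streaming-java_2.12</artifactId>
    <version>${flink.version}</version>
    <scope>provided</scope>
  </dependency>
  <!-- Hadoop is supplied at runtime by the cluster (hence "provided"), but
       declaring it here records the version the application is built against. -->
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-client</artifactId>
    <version>${hadoop.version}</version>
    <scope>provided</scope>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.hadoop` should list only the pinned version, and that is the version the scanner's findings should be judged against.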
