AbsaOSS / hyperdrive

Extensible streaming ingestion pipeline on top of Apache Spark
Apache License 2.0

Potential security vulnerability in the zstd C library. #264

Closed HelenParr closed 2 years ago

HelenParr commented 2 years ago

Hi, @kevinwallimann , @felipemmelo , I'd like to report a vulnerable dependency in za.co.absa.hyperdrive:hyperdrive-release_spark-3_2.12:4.6.0.

Issue Description

I noticed that za.co.absa.hyperdrive:hyperdrive-release_spark-3_2.12:4.6.0 directly depends on org.apache.spark:spark-core_2.12:3.1.2. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.1.2 suffers from the vulnerability exposed by the C library zstd (version 1.4.8): CVE-2021-24032.

Dependency Graph between Java and Shared Libraries


Suggested Vulnerability Patch Versions

org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library zstd to the patch version 1.5.0.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~ Best regards, Helen Parr
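The report above points out that Java build tools only see Maven coordinates, not the C libraries packaged inside a jar. The following script is an added example (not part of this issue or of the hyperdrive project) of how a defender can still flag the problem: it parses constructed `mvn dependency:tree` output and maps the spark-core artifact version to the bundled zstd state given in the report (below 3.2.0: zstd 1.4.8, CVE-2021-24032; 3.2.0 and later: zstd 1.5.0). The sample tree text and the `NATIVE_FIXES` table are assumptions for illustration.

```python
"""Flag dependency-tree entries whose bundled native zstd is known vulnerable.

Build tools cannot report C libraries inside jars, so this check maps the Java
artifact version to what the issue states about its bundled zstd.
"""
import re

# Constructed sample of `mvn dependency:tree` output (not taken from the project).
SAMPLE_TREE = """\
[INFO] za.co.absa.hyperdrive:hyperdrive-release_spark-3_2.12:jar:4.6.0
[INFO] +- org.apache.spark:spark-core_2.12:jar:3.1.2:compile
[INFO] |  +- org.apache.spark:spark-launcher_2.12:jar:3.1.2:compile
[INFO] +- org.apache.spark:spark-sql_2.12:jar:3.1.2:compile
"""

# artifact -> (first version shipping the patched native zstd, advisory note);
# values come from the issue text above.
NATIVE_FIXES = {
    "org.apache.spark:spark-core_2.12": ((3, 2, 0), "CVE-2021-24032 (zstd 1.4.8 -> 1.5.0)"),
}

# groupId:artifactId:jar:version as printed by the Maven dependency plugin
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\d.]+)")


def parse_version(version: str) -> tuple:
    """Turn '3.1.2' into (3, 1, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable(tree_text: str) -> list:
    """Return [(coordinate, version, advisory)] for artifacts below the fixed version."""
    findings = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        group, artifact, version = match.groups()
        key = f"{group}:{artifact}"
        if key in NATIVE_FIXES:
            fixed_version, advisory = NATIVE_FIXES[key]
            if parse_version(version) < fixed_version:
                findings.append((key, version, advisory))
    return findings


if __name__ == "__main__":
    for key, version, advisory in find_vulnerable(SAMPLE_TREE):
        print(f"{key}:{version} ships a vulnerable native library: {advisory}")
```

Run against real `mvn dependency:tree` output, the same function reports any spark-core coordinate older than 3.2.0; extend `NATIVE_FIXES` for other artifacts that bundle native code.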

Zejnilovic commented 2 years ago

Hello @HelenParr, allow me to answer on behalf of my teammates who are already on the Easter holidays.

There is a plan to upgrade to spark 3.2.1 across our tools. For progress in HyperDrive please check the PR #259.