GoogleCloudDataproc / hadoop-connectors

Libraries and tools for interoperability between Hadoop-related open-source software and Google Cloud Platform.
Apache License 2.0

updating jackson-core version #1237

Open ShyamalaGowri opened 2 months ago

ShyamalaGowri commented 2 months ago

The shaded jar https://repo1.maven.org/maven2/com/google/cloud/bigdataoss/gcs-connector/hadoop3-2.2.25/gcs-connector-hadoop3-2.2.25-shaded.jar contains CVE PRISMA-2023-0067 (https://nvd.nist.gov/vuln/detail/CVE-2023-0067). This is because it includes jackson-core (which is required by google-api-client-jackson2):

<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<name>Jackson-core</name>
<version>2.13.4</version>

I have fixed the CVE by excluding the vulnerable version and adding

<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-core</artifactId>
  <version>2.15.0</version>
</dependency>

This PR contains the fix for the issue https://github.com/GoogleCloudDataproc/hadoop-connectors/issues/1221
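As an added check (not part of this PR or of the hadoop-connectors project), the script below inspects a shaded jar and reports which jackson-core version it actually bundles, by reading the META-INF/maven/<groupId>/<artifactId>/pom.properties entries that maven-shade keeps by default. It assumes those entries were not stripped during shading (if they were, it reports "unknown" rather than guessing) and uses the 2.15.0 floor chosen in this PR as the minimum acceptable version. Function names such as check_jackson_core and make_test_jar are this example's own, and the jar it builds when run without an argument is a constructed stand-in, not the real gcs-connector jar.

```python
"""Report the jackson-core version bundled inside a (shaded) jar.

Added example, not code from the PR. It reads the Maven pom.properties
entries the shade plugin keeps under META-INF/maven/<groupId>/<artifactId>/
and flags a bundled jackson-core below a required minimum. If the jar
carries no such entry for jackson-core, the result is 'unknown' rather
than 'ok', since a stripped jar cannot be cleared this way.
"""
import io
import re
import zipfile

POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(v):
    """Turn '2.13.4' into (2, 13, 4); a non-numeric qualifier ends the tuple."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def bundled_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS_RE.match(name)
            if not m:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            # Fall back to the directory names if the file omits the ids.
            gid = props.get("groupId", m.group(1))
            aid = props.get("artifactId", m.group(2))
            if "version" in props:
                found[(gid, aid)] = props["version"]
    return found


def check_jackson_core(jar_bytes, minimum="2.15.0"):
    """Return ('ok' | 'vulnerable' | 'unknown', bundled_version_or_None)."""
    artifacts = bundled_artifacts(jar_bytes)
    version = artifacts.get(("com.fasterxml.jackson.core", "jackson-core"))
    if version is None:
        return "unknown", None
    if parse_version(version) < parse_version(minimum):
        return "vulnerable", version
    return "ok", version


def make_test_jar(jackson_version=None):
    """Constructed sample jar (hypothetical contents): one class entry plus
    pom.properties for a google-api-client-jackson2 stand-in and, optionally,
    for jackson-core at the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Placeholder.class", b"")
        zf.writestr(
            "META-INF/maven/com.google.api-client/google-api-client-jackson2/pom.properties",
            "groupId=com.google.api-client\n"
            "artifactId=google-api-client-jackson2\n"
            "version=0.0.0-constructed\n",
        )
        if jackson_version:
            zf.writestr(
                "META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
                "#Generated by Maven\n"
                "groupId=com.fasterxml.jackson.core\n"
                f"artifactId=jackson-core\nversion={jackson_version}\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = make_test_jar("2.13.4")  # constructed jar mirroring the report above
    status, version = check_jackson_core(data)
    print(f"jackson-core: {status} (bundled version: {version})")
```

Run it as `python check_jar.py gcs-connector-hadoop3-2.2.25-shaded.jar` against a downloaded jar before and after the change to confirm the bundled version moved from 2.13.4 to 2.15.0; an "unknown" result means the shade configuration dropped the Maven metadata, in which case the class files themselves would have to be compared instead.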

google-cla[bot] commented 2 months ago

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

ShyamalaGowri commented 2 months ago

/gcbrun

ShyamalaGowri commented 2 months ago

@arunkumarchacko I am trying to fix the vulnerability issue caused by the jackson-core package. Requesting you to trigger dataproc-hadoop-connectors-presubmit-pr (cloud-dataproc-ci).

ShyamalaGowri commented 2 months ago

@arunkumarchacko @singhravidutt Please take a look at this PR, where I have tried to address the vulnerability issue PRISMA-2023-0067.