Hello,
Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. See below for more details:
Vulnerable Dependency: org.apache.hbase : hbase-client : 0.96.1.1-hadoop2
Call Chain to Buggy Methods:
File src/kundera-hbase/kundera-hbase/src/main/java/com/impetus/client/hbase/admin/HBaseDataHandler.java in your project calls some library methods that can reach the buggy method of CVE-2015-1836. The following are the called library methods and their call chains to the buggy method.
One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(java.lang.String):
org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(java.lang.String)
org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(org.apache.hadoop.hbase.TableName)
...
(12 methods in call chain are hidden)
...
org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor):
org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor)
org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor,byte[][])
...
(12 methods in call chain are hidden)
...
org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(java.lang.String):
org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(java.lang.String)
org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(org.apache.hadoop.hbase.TableName)
...
(12 methods in call chain are hidden)
...
org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(java.lang.String):
org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(java.lang.String)
org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(org.apache.hadoop.hbase.TableName)
...
(12 methods in call chain are hidden)
...
org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(byte[]):
org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(byte[])
org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(org.apache.hadoop.hbase.TableName)
...
(10 methods in call chain are hidden)
...
org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(java.lang.String):
org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(java.lang.String)
org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(org.apache.hadoop.hbase.TableName)
...
(10 methods in call chain are hidden)
...
org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
Update suggestion: version 0.99.0
0.99.0 is a safe version without CVEs. From 0.96.1.1-hadoop2 to 0.99.0, 14 of the APIs (called 45 times in your project) were modified.
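As an added example (not part of this report and not the Kundera project's own build file), here is what the suggested update looks like in a Maven pom.xml. It assumes the project builds with Maven and declares hbase-client directly; the coordinates and the two versions are the ones named in the report above, and the dependencyManagement pin is an extra step this example adds so a transitive dependency cannot resolve hbase-client back to the flagged version.

```xml
<!-- Added example, not the project's own pom.xml. Assumes a Maven build that
     declares hbase-client directly; coordinates and versions are those named
     in the report above. -->

<!-- Before: the version the report flags as reaching the buggy method of
     CVE-2015-1836 (ZKUtil.isSecureZooKeeper) from HBaseDataHandler.java -->
<dependency>
  <groupId>org.apache.hbase</groupId>
  <artifactId>hbase-client</artifactId>
  <version>0.96.1.1-hadoop2</version>
</dependency>

<!-- After: the version the report suggests -->
<dependency>
  <groupId>org.apache.hbase</groupId>
  <artifactId>hbase-client</artifactId>
  <version>0.99.0</version>
</dependency>

<!-- Also pin the version in dependencyManagement. Maven's nearest-wins
     resolution only governs the direct declaration; without this pin another
     module or a transitive dependency could still pull in 0.96.1.1-hadoop2
     and reintroduce the reachable buggy method. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.hbase</groupId>
      <artifactId>hbase-client</artifactId>
      <version>0.99.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After changing the version, `mvn dependency:tree -Dincludes=org.apache.hbase` shows which hbase-client version actually resolved in every module. Because the report counts 14 modified APIs across 45 call sites, expect compilation errors or deprecation warnings in HBaseDataHandler.java on the first build against 0.99.0; those call sites (tableExists, createTable, enableTable, disableTable, isTableEnabled) are exactly the entry points of the call chains listed above, so they need to be rebuilt and tested, not just recompiled.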