Closed engrdean closed 2 years ago
Providing some discussion on the items listed above.
- Apache HttpComponents Client: org.apache.hadoop:hadoop-hdfs:jar:2.7.7:compile
- Apache Thrift: org.apache.cassandra:cassandra-all:jar:2.2.13:compile
- Apache Xerces2J: org.apache.hadoop:hadoop-hdfs:jar:2.7.7:compile
- Apache ZooKeeper: org.apache.spark:spark-core_2.11:jar:2.4.0:compile, org.apache.hbase:hbase-server:jar:2.1.5:compile, org.apache.hadoop:hadoop-common:jar:2.7.7:compile, org.apache.solr:solr-solrj:jar:7.0.0:compile
- Bootstrap (Twitter): org.apache.spark:spark-core_2.11:jar:2.4.0:compile
- DataTables (plugin for jQuery): org.apache.spark:spark-core_2.11:jar:2.4.0:compile
- dom4j: org.reflections:reflections:jar:0.9.9-RC1:compile
- Guava: org.apache.tinkerpop:hadoop-gremlin:jar:3.4.6:compile, org.apache.cassandra:cassandra-all:jar:2.2.13:compile, com.datastax.cassandra:cassandra-driver-core:jar:3.8.0:compile, org.apache.hadoop:hadoop-common:jar:2.7.7:compile, org.apache.hadoop:hadoop-hdfs:jar:2.7.7:compile, org.apache.solr:solr-test-framework:jar:7.7.2:test, io.airlift:airline:jar:0.9:compile
- Hibernate Validator: com.addthis.metrics:reporter-config3:jar:3.0.0:compile via org.apache.cassandra:cassandra-all:jar:2.2.13:compile
- Jackson Databind: org.apache.tinkerpop:spark-gremlin:jar:3.4.6:compile, org.apache.hbase:hbase-server:jar:2.1.5:compile, com.datastax.cassandra:cassandra-driver-core:jar:3.8.0:compile, and software.amazon.awssdk:core:jar:2.0.0-preview-1:compile
- jbcrypt: org.apache.tinkerpop:gremlin-groovy:jar:3.4.6:compile
- Jetty
  - jetty-server: org.eclipse.jetty:jetty-server:jar:9.3.25.v20180904:compile via org.apache.hbase:hbase-server:jar:2.1.5:compile; org.eclipse.jetty:jetty-server:jar:9.3.14.v20161028:test via org.apache.solr:solr-test-framework:jar:7.0.0:test
  - jetty-server.jar
- jQuery: org.apache.hadoop:hadoop-common:jar:2.7.7:compile and org.apache.spark:spark-core_2.11:jar:2.4.0:compile
- Scala: org.scala-lang:scala-compiler
Additional potential concerns were discussed on a janusgraph-users thread:
https://vuln.whitesourcesoftware.com/vulnerability/CVE-2018-17190
https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-10202
https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-9518
https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17571
https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-16869
https://github.com/apache/hadoop/commit/5d1889a66d91608d34ca9411fb6e9161e637e9d3
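Working out which direct dependency drags in each flagged artifact, as the comment above does by hand, is mechanical once you have `mvn dependency:tree` output. The script below is an added example, not code from this issue or from the JanusGraph project: it parses a constructed `mvn dependency:tree` excerpt (the tree in `SAMPLE_TREE` is made up for illustration and does not reproduce JanusGraph's real tree) and reports, for every artifact whose groupId:artifactId is in `FLAGGED` and whose version matches the predicate, the direct dependency that introduces it. The version thresholds in `FLAGGED` are placeholders, not the fixed versions for the CVEs listed in this issue.

```python
"""Map each flagged artifact in `mvn dependency:tree` output to the direct
dependency that pulls it in. Added example; not JanusGraph code."""
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple

# One tree line: optional "[INFO] " prefix, tree-drawing columns ("|  " or
# "   "), an optional "+- " / "\- " connector, then the Maven coordinate
# groupId:artifactId:type[:classifier]:version[:scope], optionally "(optional)".
# Lines that do not fit (plugin banners, "BUILD SUCCESS", and -Dverbose
# "omitted for conflict" entries, which are not on the classpath) are skipped.
LINE_RE = re.compile(
    r"^(?:\[INFO\] )?(?P<tree>(?:[| ] {2})*(?:[+\\]- )?)"
    r"(?P<coord>\S+:\S+)(?: \(optional\))?$"
)
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample output; it does not reproduce JanusGraph's real tree.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ app ---
[INFO] org.example:app:jar:1.0
[INFO] +- org.apache.hbase:hbase-server:jar:2.1.5:compile
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.3.25.v20180904:compile
[INFO] |  |  \\- org.eclipse.jetty:jetty-http:jar:9.3.25.v20180904:compile
[INFO] |  \\- org.apache.zookeeper:zookeeper:jar:3.4.10:compile
[INFO] +- org.apache.hadoop:hadoop-hdfs:jar:2.7.7:compile
[INFO] |  \\- xerces:xercesImpl:jar:2.9.1:compile
[INFO] \\- org.apache.solr:solr-test-framework:jar:7.0.0:test
[INFO]    \\- org.apache.hadoop:hadoop-hdfs:test-jar:tests:2.7.7:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric components only: '9.3.25.v20180904' -> (9, 3, 25, 20180904).
    Enough for 'older than X' checks; it ignores qualifiers such as -RC1,
    so it is not full Maven version ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


# Placeholder thresholds for illustration only. Take the affected ranges for
# each CVE from its advisory, not from here.
FLAGGED: Dict[str, Callable[[str], bool]] = {
    "org.eclipse.jetty:jetty-server": lambda v: version_tuple(v) < (9, 4),
    "org.apache.zookeeper:zookeeper": lambda v: version_tuple(v) < (3, 5),
    "xerces:xercesImpl": lambda v: True,
    "org.apache.hadoop:hadoop-hdfs": lambda v: version_tuple(v) < (2, 8),
}


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs; depth 0 is the project itself."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            # Each tree column is three characters wide.
            nodes.append((len(m.group("tree")) // 3, m.group("coord")))
    return nodes


def split_coord(coord: str) -> Tuple[str, str, Optional[str]]:
    """groupId:artifactId:type[:classifier]:version[:scope] -> (g:a, version, scope)."""
    parts = coord.split(":")
    scope = parts[-1] if parts[-1] in SCOPES else None
    version = parts[-2] if scope else parts[-1]
    return f"{parts[0]}:{parts[1]}", version, scope


def dependency_paths(nodes: List[Tuple[int, str]]) -> Dict[str, List[List[str]]]:
    """Map each coordinate to its path(s) from a direct dependency down to itself."""
    stack: List[str] = []
    paths: Dict[str, List[List[str]]] = {}
    for depth, coord in nodes:
        if depth > len(stack):
            raise ValueError(f"malformed tree at {coord!r}")
        del stack[depth:]  # pop back to this node's parent
        stack.append(coord)
        if depth > 0:  # skip the project root
            paths.setdefault(coord, []).append(stack[1:])
    return paths


def who_pulls_in(tree_text: str, flagged: Dict[str, Callable[[str], bool]]) -> Dict[str, List[str]]:
    """Return {flagged coordinate: [direct dependency introducing it, ...]}."""
    hits: Dict[str, List[str]] = {}
    for coord, coord_paths in dependency_paths(parse_tree(tree_text)).items():
        ga, version, _scope = split_coord(coord)
        predicate = flagged.get(ga)
        if predicate is not None and predicate(version):
            hits[coord] = [p[0] if len(p) > 1 else "(direct dependency)" for p in coord_paths]
    return hits


def report(tree_text: str, flagged: Dict[str, Callable[[str], bool]] = FLAGGED) -> List[str]:
    """Human-readable lines in the 'artifact via direct dependency' form."""
    return [f"{coord} via {', '.join(via)}" for coord, via in sorted(who_pulls_in(tree_text, flagged).items())]


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python find_via.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    print("\n".join(report(text)))
```

Feed it `mvn dependency:tree` output (or the file written with `-DoutputFile=`) on stdin. For a single artifact, `mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-server` prints just the paths to that artifact and answers the same question without any script; the parser above is for batch-checking a whole scanner report against one tree.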
We have tools in place to update dependencies. We are getting automatic security checks from Dependabot and GitHub.
Black Duck, a product by Synopsys that scans for open source security threats, uncovered a few issues with the dependencies for JanusGraph. Just posting the results here to make the community aware for future releases, I know this stuff is like a moving target.
- Apache HttpComponents Client: CVE-2012-5783, CVE-2012-6153, CVE-2014-3577, CVE-2015-5262
- Apache Thrift: CVE-2015-3254, CVE-2016-5397, CVE-2018-11798, CVE-2018-1320
- Apache Xerces2J: CVE-2009-2625, CVE-2012-0881
- Apache ZooKeeper: CVE-2016-5017, CVE-2017-5637, CVE-2018-8012, CVE-2019-0201
- Bootstrap (Twitter): CVE-2018-14040, CVE-2018-14042, CVE-2018-20676, CVE-2018-20677, CVE-2019-8331
- DataTables: CVE-2015-6584
- dom4j (flexible XML framework for Java): CVE-2018-1000632
- Guava (Google Core Libraries for Java): CVE-2018-10237
- Hibernate Validator: CVE-2014-3558
- jackson-databind: CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-5968, CVE-2018-7489
- jbcrypt: CVE-2015-0886
- Jetty (Java based HTTP, Servlet, SPDY, WebSocket Server): CVE-2011-4461, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735
- jQuery: CVE-2015-9251, CVE-2019-11358
- Scala: CVE-2017-15288