Closed justinmclean closed 12 months ago
justinmclean
commented
1 year ago Updating Hapdoop 2 to 2.10.2 changes critical CVEs from 21 to 16. Mock server 5.15.0 to 15 CVEs. Removing annotations removes some CVEs we don't care about.
tasks.cyclonedxBom { setIncludeConfigs(listOf("runtimeClasspath")) }
justinmclean
commented
1 year ago The main issue is Hadoop, which even when upgraded to the last 2.X still has 20+ CVEs see https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/2.10.2 Also Hive 2.X has around 20 CVes https://mvnrepository.com/artifact/org.apache.hive/hive-metastore/2.3.9
Currently, we have the following critical CVE's as reported by Depdancy Track
jackson-databind | 2.6.5 | com.fasterxml.jackson.core | NVD CVE-2017-7525 snakeyaml | 1.31 | org.yaml | NVD CVE-2022-1471 hadoop-common | 2.7.3 | org.apache.hadoop | NVD CVE-2022-25168 java-xmlbuilder | 0.4 | com.jamesmurty.utils | NVD CVE-2014-125087 ivy | 2.4.0 | org.apache.ivy | NVD CVE-2022-37865 netty | 3.6.2.Final | io.netty | NVD CVE-2019-20444 netty | 3.6.2.Final | io.netty | NVD CVE-2019-20445 derby | 10.10.2.0 | org.apache.derby | NVD CVE-2015-1832 netty-all | 4.0.23.Final | io.netty | NVD CVE-2019-20444 netty-all | 4.0.23.Final | io.netty | NVD CVE-2019-20445 jackson-mapper-asl | 1.9.13 | org.codehaus.jackson | NVD CVE-2017-7525 icu4j | 61.1 | com.ibm.icu | NVD CVE-2018-18928 jasper-runtime | 5.5.23 | tomcat | NVD CVE-2016-5018 log4j | 1.2.17 | log4j | NVD CVE-2019-17571 log4j | 1.2.17 | log4j | NVD CVE-2022-23305 groovy-all | 2.4.4 | org.codehaus.groovy | NVD CVE-2016-6814 netty | 3.7.0.Final | io.netty | NVD CVE-2019-20444 netty | 3.7.0.Final | io.netty | NVD CVE-2019-20445 zookeeper | 3.6.3 | org.apache.zookeeper | NVD CVE-2023-44981 commons-text | 1.9 | org.apache.commons | NVD CVE-2022-42889