[X] I searched in the issues and found nothing similar.
Version
The second candidate for v3.0.2 and release 3.1.1.
Minimal reproduce step
Used a container security scanner included with Red Hat Advanced Cluster Security for Kubernetes, Stackrox Scanner.
What did you expect to see?
Vulnerabilities that should have been fixed in 3.0.2 are showing up with the included version of Trino version 368.
What did you see instead?
2 Vulnerabilities that can be fixed
CVE-2021-42550 - Logback-core - currently using version 1.2.3
CVE-2023-3635 - Okio - currently using version 3.14.9
1 of them may be a false positive:
CVE-2023-4586 - Netty - currently using 4.1.100.final
CVE-2023-0833 - Okhttp - currently using version 1.17.2 (Talks about RH AMQ-Streams; may not be relevant to Pulsar)?
Anything else?
Some of this has been mentioned in #18348 previously. Issue should not be tagged as type/bug but as component/security.
Should upgrade Trino from 368 to 430, if possible.
Are you willing to submit a PR?