exasol / spark-connector

A connector for Apache Spark to access Exasol
Apache License 2.0
12 stars 7 forks

Fix vulnerabilities CVE-2024-29131 & CVE-2024-29133 in `org.apache.commons:commons-configuration2:jar:2.8.0:provided` #222

Closed kaklakariada closed 5 months ago

kaklakariada commented 7 months ago
Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project spark-connector-jdbc_2.13: Detected 1 vulnerable components:
Error:    org.apache.commons:commons-configuration2:jar:2.8.0:provided; https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-configuration2@2.8.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2024-29131] CWE-787: Out-of-bounds Write (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-29131?component-type=maven&component-name=org.apache.commons%2Fcommons-configuration2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2024-29133] CWE-787: Out-of-bounds Write (6.3); https://ossindex.sonatype.org/vulnerability/CVE-2024-29133?component-type=maven&component-name=org.apache.commons%2Fcommons-configuration2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:  
Shmuma commented 5 months ago

spark-catalyst of Spark 3.3 depends on codehaus.janino 3.0.16, but spark-connector-common-java brings janino 3.1.12, which breaks compatibility. Need to investigate how it happened.

Shmuma commented 5 months ago

Now we have duplicate classes: mvn org.basepom.maven:duplicate-finder-maven-plugin:2.0.1:check -Pspark3.3

[WARNING] Found duplicate and different classes in [ch.qos.logback:logback-classic:1.2.13, org.apache.logging.log4j:log4j-slf4j-impl:2.17.2]:
[WARNING]   org.slf4j.impl.StaticLoggerBinder
[WARNING]   org.slf4j.impl.StaticMDCBinder
[WARNING]   org.slf4j.impl.StaticMarkerBinder
[WARNING] Found duplicate classes/resources in compile classpath.
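The three findings in this thread (the ossindex-flagged commons-configuration2, the janino 3.0.16 vs 3.1.12 clash with spark-catalyst, and the duplicate SLF4J binding) are all classpath-management problems in the spark3.3 build. The profile below is an added example of how one might pin them and make the build fail if they drift again; it is not code from the exasol/spark-connector pom. Assumptions not taken from the issue: that commons-configuration2 2.10.1 is the release that fixes CVE-2024-29131 and CVE-2024-29133 (per the Apache Commons advisory), that Spark 3.3 ships janino and commons-compiler 3.0.16 (as the comment above states), that logback-classic is the stray second SLF4J binding to ban, and the enforcer plugin version used.

```xml
<!-- Added example, not the project's own pom. Assumptions: commons-configuration2
     2.10.1 is the fixed release, Spark 3.3 ships janino/commons-compiler 3.0.16,
     logback-classic is the unwanted second SLF4J binding. -->
<profile>
  <id>spark3.3</id>
  <dependencyManagement>
    <dependencies>
      <!-- Scope stays 'provided': the Spark distribution supplies this jar at
           run time, so this pin only changes the classpath that ossindex scans
           and the connector is built against, not what runs on the cluster. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-configuration2</artifactId>
        <version>2.10.1</version>
        <scope>provided</scope>
      </dependency>
      <!-- Force the janino line spark-catalyst 3.3 was compiled against;
           janino and commons-compiler must always carry the same version. -->
      <dependency>
        <groupId>org.codehaus.janino</groupId>
        <artifactId>janino</artifactId>
        <version>3.0.16</version>
      </dependency>
      <dependency>
        <groupId>org.codehaus.janino</groupId>
        <artifactId>commons-compiler</artifactId>
        <version>3.0.16</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>enforce-spark33-classpath</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Transitive check is on by default, so a janino >= 3.1
                       pulled in via spark-connector-common-java fails the build. -->
                  <excludes>
                    <exclude>org.codehaus.janino:*:[3.1,)</exclude>
                    <!-- Spark 3.3 logs through log4j-slf4j-impl; a second
                         StaticLoggerBinder from logback must not be present. -->
                    <exclude>ch.qos.logback:logback-classic</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
```

After adding the profile, `mvn -Pspark3.3 verify` runs the enforcer, and the two checks quoted in the thread (`mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit -Pspark3.3` and `mvn org.basepom.maven:duplicate-finder-maven-plugin:2.0.1:check -Pspark3.3`) confirm the classpath is clean. The caveat to keep in mind is the `provided` scope on the flagged artifact: the connector jar does not ship commons-configuration2, so the version that actually runs is whatever the Spark cluster's distribution contains, and silencing the scanner in this build does not patch that cluster.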