Closed raboof closed 2 months ago
Many thanks for the PR. I took a look at the sources for zeppelin-interpreter
https://repo1.maven.org/maven2/org/apache/zeppelin/zeppelin-interpreter/0.11.1/zeppelin-interpreter-0.11.1-sources.jar
And the shell script that's updated in the PR on this advisory does not seem to be present. How would you feel about changing the artifact on this to org.apache.zeppelin:zeppelin? The mailing list seems to be talking about the zeppelin project as a whole rather than a single component.
https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd
I took a look at the sources for zeppelin-interpreter https://repo1.maven.org/maven2/org/apache/zeppelin/zeppelin-interpreter/0.11.1/zeppelin-interpreter-0.11.1-sources.jar And the shell script that's updated in the PR on this advisory does not seem to be present.
Thanks for digging in! While indeed zeppelin-interpreter does not contain interpreter.sh, it does reference it (https://github.com/apache/zeppelin/blob/v0.11.1/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java#L1018). This of course begs the question whether there are other code paths that reference interpreter.sh. While there are, I suspect they were not marked as affected because they're already sufficiently isolated.
How would you feel about changing the artifact on this to org.apache.zeppelin:zeppelin?
While I would be fine with marking 'zeppelin as a whole' affected by this advisory, since this section has "ecosystem": "Maven", I'm not sure if org.apache.zeppelin:zeppelin makes sense: there is only pom metadata at these coordinates (https://repo1.maven.org/maven2/org/apache/zeppelin/zeppelin/0.11.1/), no actual artifact. I would be concerned that scanners that map Maven ecosystem groupId:artifactId coordinates to jar files would produce a false negative because they didn't find a jar with coordinates org.apache.zeppelin:zeppelin (but would pick up zeppelin-interpreter, as that does correspond to a jar artifact).
I don't see an ecosystem in https://ossf.github.io/osv-schema/#affectedpackage-field that could represent 'zeppelin as a whole', unfortunately.
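The false-negative concern raised above can be made concrete with a small matcher. The following is an added example, not code from this PR or from the Zeppelin project: it takes an OSV-shaped `affected[]` entry for the Maven ecosystem, resolves a constructed dependency list against it, and shows that a scanner which only considers artifacts resolving to a jar never matches an advisory indexed on the pom-only `org.apache.zeppelin:zeppelin`, while it does match `org.apache.zeppelin:zeppelin-interpreter`. The advisory record, the dependency list and the `Dependency`/`match_advisory` names are constructed for illustration; only the CVE id, the coordinates and the 0.8.2 <= v < 0.11.1 range come from this thread. Version ordering is a simplified dotted-integer compare, not Maven's full `ComparableVersion` rules (an assumption to keep the example short).

```python
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """One resolved entry of a constructed Maven dependency list."""
    group_id: str
    artifact_id: str
    version: str
    packaging: str  # "jar" or "pom"

    @property
    def coordinates(self) -> str:
        return f"{self.group_id}:{self.artifact_id}"


# Constructed OSV-style record; shape follows the OSV schema, values from the thread
# (Maven ecosystem, zeppelin-interpreter, introduced 0.8.2, fixed 0.11.1).
ADVISORY = {
    "id": "CVE-2024-31866",
    "affected": [{
        "package": {"ecosystem": "Maven",
                    "name": "org.apache.zeppelin:zeppelin-interpreter"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0.8.2"}, {"fixed": "0.11.1"}]}],
    }],
}

# Constructed resolved build: the root pom plus the interpreter jar, both 0.10.1.
AFFECTED_BUILD = [
    Dependency("org.apache.zeppelin", "zeppelin", "0.10.1", "pom"),
    Dependency("org.apache.zeppelin", "zeppelin-interpreter", "0.10.1", "jar"),
]


def parse_version(version: str) -> tuple:
    # Simplified ordering (assumption): dotted integers, non-numeric parts count as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_in_range(version: str, events: list) -> bool:
    """OSV ECOSYSTEM range: affected if version lies in some
    [introduced, fixed) or [introduced, last_affected] window, or after an
    'introduced' with no closing event. 'introduced': '0' means from the start."""
    v = parse_version(version)
    open_since = None
    for event in events:
        if "introduced" in event:
            open_since = event["introduced"]
            continue
        if open_since is None:
            continue
        lo = () if open_since == "0" else parse_version(open_since)
        if "fixed" in event and lo <= v < parse_version(event["fixed"]):
            return True
        if "last_affected" in event and lo <= v <= parse_version(event["last_affected"]):
            return True
        open_since = None
    if open_since is not None:
        lo = () if open_since == "0" else parse_version(open_since)
        return lo <= v
    return False


def match_advisory(advisory: dict, dependencies: list, jars_only: bool = True) -> list:
    """Return 'groupId:artifactId:version' for every dependency the advisory hits.
    jars_only models a scanner that maps coordinates to jar files only, so a
    pom-only artifact can never produce a match."""
    hits = []
    for dep in dependencies:
        if jars_only and dep.packaging != "jar":
            continue
        for affected in advisory["affected"]:
            pkg = affected["package"]
            if pkg["ecosystem"] != "Maven" or pkg["name"] != dep.coordinates:
                continue
            if any(version_in_range(dep.version, r["events"])
                   for r in affected["ranges"] if r["type"] == "ECOSYSTEM"):
                hits.append(f"{dep.coordinates}:{dep.version}")
    return hits


def with_package_name(advisory: dict, name: str) -> dict:
    """Copy of the advisory re-indexed on different Maven coordinates."""
    variant = copy.deepcopy(advisory)
    variant["affected"][0]["package"]["name"] = name
    return variant


if __name__ == "__main__":
    print("indexed on zeppelin-interpreter:", match_advisory(ADVISORY, AFFECTED_BUILD))
    root = with_package_name(ADVISORY, "org.apache.zeppelin:zeppelin")
    print("indexed on root pom, jars only: ", match_advisory(root, AFFECTED_BUILD))
    print("indexed on root pom, any packaging:",
          match_advisory(root, AFFECTED_BUILD, jars_only=False))
```

Run stand-alone, the first and third lines report a hit and the second reports none: indexing on the pom-only root coordinates is only seen by a scanner that also evaluates pom entries, which is the trade-off the comments above weigh.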
Thanks for digging in! While indeed zeppelin-interpreter does not contain interpreter.sh, it does reference it (https://github.com/apache/zeppelin/blob/v0.11.1/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java#L1018).
Oh I see. Interesting. That resolves my concern about indexing this on org.apache.zeppelin:zeppelin-interpreter, and just to flesh out my thinking on org.apache.zeppelin:zeppelin: I was thinking that if alerts were generated on a root artifact (even if it's just a pom) then scanning engines would get this advisory to the correct users, even though it would cause some noise for users who might not use the interpreter artifact. That said, thank you for digging further and let's get this live 👍
Hi @raboof! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
…in-interpreter 0.8.2 < 0.11.1
This information was in the CVE metadata at https://www.cve.org/CVERecord?id=CVE-2024-31866