hazelcast / hazelcast-jet

Distributed Stream and Batch Processing
https://jet-start.sh

Vulnerabilities in jquery used by Jet master #2986

Open olukas opened 3 years ago

olukas commented 3 years ago

Jet uses org.apache.avro:avro-ipc in version 1.9.2, which includes jquery-1.4.2.min.js, which has some vulnerabilities - https://ossindex.sonatype.org/component/pkg:npm/jquery@1.4.2.min (but they cannot be displayed on that page). Maybe they are the following - https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/version_id-235481/Jquery-Jquery-1.4.2.html.

Jet uses org.apache.hadoop:hadoop-yarn-common in version 3.3.0, which includes jquery-3.4.1.min.js, which has some vulnerabilities - https://ossindex.sonatype.org/component/pkg:npm/jquery@3.4.1.min (but they cannot be displayed on that page). Maybe they are the following - https://snyk.io/vuln/npm:jquery@3.4.1.

This issue should probably be discussed with @kwart as our security expert.

kwart commented 3 years ago

1.4.2.min: [screenshot]

3.4.1.min: [screenshot]

kwart commented 3 years ago

Please do the evaluation within the Jet team and check if there is a way to upgrade to a safer version(s).

gierlachg commented 3 years ago

We could update Avro libraries to 1.10.2 (see also #2950). However, from what I see, 1.10.2 contains jquery-1.4.2.min.js as well.

Regarding the second part, version 3.3.0 of Hadoop is the latest, as of today.

frant-hartm commented 3 years ago

I wonder if we should mark these vulnerabilities as false positives - the reason is that libraries like hadoop-yarn-common are used both in the server distribution of Hadoop, where they serve the JavaScript to the user, and in applications connecting to Hadoop, where they are not used.

Alternatively we could exclude the js files from our extension fat jars during shading.
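Deciding between "false positive" and "exclude during shading" starts with knowing exactly which shipped jars carry a jQuery copy and which version each one is, and then re-running that check on the shaded artifacts to confirm the exclusion took. The following script is an added example, not code from the Jet project or from anyone in this thread. It identifies jQuery either from the file name (jquery-1.4.2.min.js) or, when the file has been renamed, from the banner comment jQuery ships at the top of every build. The jar names, resource paths and banner contents it builds are constructed fixtures (not real Avro or Hadoop artifacts), and the 3.5.0 threshold is an assumed policy line, chosen because 3.5.0 is the release that fixed jQuery's 2020 htmlPrefilter XSS advisories.

```python
"""Scan a directory of jars for bundled jQuery copies and report their versions."""
import re
import tempfile
import zipfile
from pathlib import Path

# Version from the file name (jquery-1.4.2.min.js) ...
JQUERY_FILENAME = re.compile(r"jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js$", re.IGNORECASE)
# ... or from the banner comment at the top of every jQuery build
# ("jQuery JavaScript Library v1.4.2" in 1.x, "jQuery v3.4.1" in 3.x).
JQUERY_BANNER = re.compile(rb"jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)")


def parse_version(text):
    """'3.4.1' -> (3, 4, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_bundled_jquery(jar_path):
    """Return [(entry_name, version_tuple)] for every jQuery file inside a jar."""
    hits = []
    with zipfile.ZipFile(jar_path) as jar:
        for entry in jar.namelist():
            if not entry.lower().endswith(".js"):
                continue
            match = JQUERY_FILENAME.search(entry)
            if match is None:
                with jar.open(entry) as fh:
                    match = JQUERY_BANNER.search(fh.read(512))  # banner sits at the top
            if match is not None:
                version = match.group(1)
                if isinstance(version, bytes):
                    version = version.decode("ascii")
                hits.append((entry, parse_version(version)))
    return hits


def scan_jars(jar_dir, minimum=(3, 5, 0)):
    """Map jar name -> [(entry, version, outdated)] for every jar embedding jQuery.

    `minimum` is an assumed policy line: 3.5.0 is the first release with the
    fixes for the 2020 htmlPrefilter XSS advisories. Adjust it to your policy.
    """
    report = {}
    for jar_path in sorted(Path(jar_dir).glob("*.jar")):
        hits = find_bundled_jquery(jar_path)
        if hits:
            report[jar_path.name] = [(entry, ver, ver < minimum) for entry, ver in hits]
    return report


def build_sample_jars(target_dir):
    """Constructed fixtures (not real Avro/Hadoop artifacts): three jars, two of
    which carry a jQuery stub under invented resource paths."""
    target = Path(target_dir)
    samples = {
        "avro-ipc-sample.jar": {
            "static/jquery-1.4.2.min.js": b"/*!\n * jQuery JavaScript Library v1.4.2\n */\n",
        },
        "hadoop-yarn-common-sample.jar": {
            # deliberately renamed so only the banner identifies it
            "webapps/static/jquery/lib.min.js": b"/*! jQuery v3.4.1 | jquery.org/license */\n",
        },
        "plain-library-sample.jar": {
            "com/example/Main.class": b"\xca\xfe\xba\xbe",
        },
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(target / name, "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)
    return target


def demo_report():
    """Build the constructed jars in a scratch directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_jars(build_sample_jars(tmp))


if __name__ == "__main__":
    for jar, hits in demo_report().items():
        for entry, version, outdated in hits:
            flag = "OUTDATED" if outdated else "ok"
            print(f"{jar}: {entry} -> {'.'.join(map(str, version))} [{flag}]")
```

Point `scan_jars` at the distribution's `lib/` directory to get the list of artifacts that actually ship a jQuery copy, and at the shaded extension jars after a build to verify that an exclusion (for the Maven shade plugin, a `<filters>` entry with `**/*.js` under `<excludes>`) removed them. A jar that scans clean after shading is the evidence to attach when closing the scanner finding.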

olukas commented 3 years ago

NOTE: For Jet 4.5, for some reason, OWASP evaluated this vulnerability as a dependency:

but it seems to be the same dependency, just reported in a different way.