Open olukas opened 3 years ago

1.4.2.min:
Jet uses org.apache.avro:avro-ipc in version 1.9.2, which includes jquery-1.4.2.min.js, which has some vulnerabilities - https://ossindex.sonatype.org/component/pkg:npm/jquery@1.4.2.min (but they cannot be displayed on that page). Maybe they are the following - https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/version_id-235481/Jquery-Jquery-1.4.2.html.

3.4.1.min:
Jet uses org.apache.hadoop:hadoop-yarn-common in version 3.3.0, which includes jquery-3.4.1.min.js, which has some vulnerabilities - https://ossindex.sonatype.org/component/pkg:npm/jquery@3.4.1.min (but they cannot be displayed on that page). Maybe they are the following - https://snyk.io/vuln/npm:jquery@3.4.1.

This issue should probably be discussed with @kwart as our security expert. Please do the evaluation within the Jet team and check if there is a way to upgrade to a safer version(s).

We could update Avro libraries to 1.10.2 (see also #2950). However, from what I see, 1.10.2 contains jquery-1.4.2.min.js as well.
Regarding the second part, version 3.3.0 of Hadoop is the latest as of today.
I wonder if we should mark these vulnerabilities as false positives - the reason is that libraries like hadoop-yarn-common are used both in the server distribution of Hadoop, where they serve the JavaScript to the user, and in applications connecting to Hadoop, where they are not used.
Alternatively, we could exclude the js files from our extension fat jars during shading.

NOTE: For Jet 4.5, for some reason OWASP evaluated this vulnerability as a dependency:
hazelcast-jet-files-azure-4.5-jar-with-dependencies.jar: jquery-1.4.2.min.js
hazelcast-jet-files-azure-4.5-jar-with-dependencies.jar: jquery-3.4.1.min.js
but it seems to be the same dependency, just reported in a different way.
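A maven-shade-plugin filter that implements the suggestion above (dropping the bundled jQuery files from the extension fat jars during shading), as an added example that is not taken from the Jet repository's own pom. The execution layout, the jar-with-dependencies classifier and the `**/*.js` glob are assumptions; the exclusion is limited to the two artifacts named in this issue so that JavaScript shipped by other dependencies is left alone.

```xml
<!-- Added example (not Jet's pom): strip the bundled jQuery files from the shaded jar -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <!-- Assumed: the fat jar is attached as *-jar-with-dependencies.jar,
             matching the file names dependency-check reported for Jet 4.5 -->
        <shadedArtifactAttached>true</shadedArtifactAttached>
        <shadedClassifierName>jar-with-dependencies</shadedClassifierName>
        <filters>
          <!-- avro-ipc 1.9.2 (and 1.10.2) carries jquery-1.4.2.min.js;
               a Jet connector only uses the client side and never serves it -->
          <filter>
            <artifact>org.apache.avro:avro-ipc</artifact>
            <excludes>
              <exclude>**/*.js</exclude>
            </excludes>
          </filter>
          <!-- hadoop-yarn-common 3.3.0 carries jquery-3.4.1.min.js for the
               YARN server web UI, which is not used by a client application -->
          <filter>
            <artifact>org.apache.hadoop:hadoop-yarn-common</artifact>
            <excludes>
              <exclude>**/*.js</exclude>
            </excludes>
          </filter>
        </filters>
      </configuration>
    </execution>
  </executions>
</plugin>
```

After rebuilding, `unzip -l target/<artifact>-jar-with-dependencies.jar | grep -i jquery` should list nothing, and dependency-check stops attributing the jQuery findings to the fat jar. The other option raised in the thread, marking the findings as false positives with a dependency-check suppression, leaves the files in the jar and only silences the report, so it needs the "never served" reasoning above recorded in the suppression notes.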