locationtech / rasterframes

Geospatial Raster support for Spark DataFrames
http://rasterframes.io
Apache License 2.0

Could you help upgrade the vulnerable dependency in rasterframes? #583

Open HelenParr opened 2 years ago

HelenParr commented 2 years ago

Hi, @metasim , @vpipkt , I'd like to report a vulnerable dependency in org.locationtech.rasterframes:rasterframes_2.12:0.10.1.

Issue Description

I noticed that org.locationtech.rasterframes:rasterframes_2.12:0.10.1 directly depends on org.apache.spark:spark-core_2.12:3.1.2 in the pom. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.1.2 suffers from the vulnerability which the C library zstd (version 1.4.8) exposed: CVE-2021-24032.

Dependency Graph between Java and Shared Libraries


Suggested Vulnerability Patch Versions

org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library zstd to the patch version 1.5.0.

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~ Best regards, Helen Parr
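The report's core point is that Java build tools see only Maven coordinates and miss native code bundled inside jars. The following added example (not code from rasterframes, Spark or the reporter) shows one defender-side check: open a jar as a zip, read the embedded Maven `pom.properties` to recover the artifact version, list any shared libraries shipped inside it, and flag a bundled zstd below the 1.5.0 patch version the report names. It assumes zstd reaches the JVM through the `com.github.luben:zstd-jni` artifact and that the jar follows the usual `META-INF/maven/<groupId>/<artifactId>/pom.properties` layout; the sample jar is constructed inline so the script runs offline.

```python
"""Scan a jar for bundled native libraries and the Maven version of the artifact
that ships them. Added example; the sample jar below is constructed inline."""
import io
import re
import zipfile

# Version at which the report says zstd was patched (Spark 3.2.0 moved to 1.5.0).
ZSTD_PATCHED = (1, 5, 0)
NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")
# Standard Maven layout for metadata embedded in a built jar.
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(version):
    """Return the leading numeric components of a version string as a tuple:
    '1.4.8' -> (1, 4, 8), '1.5.0-1' -> (1, 5, 0, 1); a non-numeric tail stops parsing."""
    parts = []
    for piece in re.split(r"[.\-_]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def scan_jar(jar_bytes):
    """Return (artifacts, native_entries) for a jar given as bytes.

    artifacts maps 'groupId:artifactId' to the version declared in the jar's
    embedded pom.properties; native_entries lists every shared-library path."""
    artifacts = {}
    native_entries = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPS_RE.match(name)
            if m:
                props = jar.read(name).decode("utf-8", "replace")
                for line in props.splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        artifacts[f"{m.group(1)}:{m.group(2)}"] = value.strip()
            elif name.lower().endswith(NATIVE_SUFFIXES):
                native_entries.append(name)
    return artifacts, native_entries


def zstd_findings(jar_bytes):
    """List bundled zstd-jni artifacts whose version is below the patched release."""
    artifacts, natives = scan_jar(jar_bytes)
    findings = []
    for coord, version in artifacts.items():
        if coord.endswith(":zstd-jni") and parse_version(version) < ZSTD_PATCHED:
            shipped = [n for n in natives if "zstd" in n.lower()]
            findings.append({"artifact": coord, "version": version, "natives": shipped})
    return findings


def build_sample_jar(version):
    """Constructed sample: a minimal zstd-jni-style jar that embeds a stub native
    library and a Maven pom.properties declaring the given version (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/maven/com.github.luben/zstd-jni/pom.properties",
            f"# constructed sample\nversion={version}\n"
            "groupId=com.github.luben\nartifactId=zstd-jni\n",
        )
        jar.writestr(f"linux/amd64/libzstd-jni-{version}.so", b"\x7fELF constructed stub")
        jar.writestr("com/github/luben/zstd/Zstd.class", b"\xca\xfe\xba\xbe stub")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: the 1.4.8 jar is flagged, the 1.5.0-1 jar is clean.
    for v in ("1.4.8", "1.5.0-1"):
        print(v, zstd_findings(build_sample_jar(v)))
```

Pointing `scan_jar` at the jars under a Spark distribution's `jars/` directory gives an inventory of which artifacts carry native code and at what version, which is the information the usual dependency-tree output lacks; the version comparison is deliberately numeric-prefix only, so suffixes such as `-1` do not break the ordering.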

pomadchin commented 2 years ago

Hey @HelenParr thanks for your report 👋 .

We're definitely planning to upgrade the Spark dependency, however Spark 3.1.x and Spark 3.2.1 are not binary and API compatible (apparently 3.2.0 and 3.2.1 are not binary compatible as well, see https://github.com/typelevel/frameless/issues/605), which may also be a problem for some of our / users' downstream projects.

We'd also appreciate any help with the Spark dependency upgrade (that will most likely require the upgrade of the downstream libraries as well to match Spark 3.2.x deps, which is partially addressed by https://github.com/locationtech/rasterframes/pull/582).

However, we definitely plan to bump it up in one of the RF future releases.