molgenis / molgenis-service-armadillo

Armadillo; a DataSHIELD implementation, part of the MOLGENIS suite
https://molgenis.github.io/molgenis-service-armadillo/
GNU Lesser General Public License v3.0
7 stars 10 forks

docker build: datashield/molgenis-armadillo:test has critical CVE #722

Open erikzwart opened 5 months ago

erikzwart commented 5 months ago

The Docker image build here: datashield/molgenis-armadillo:test has a critical CVE identified by Docker Scout: [image]

(Stuart) Traced back the serious complaint to the org.apache.hadoop package hadoop-client via its jar.

In molgenis-service-armadillo/armadillo/build.gradle it appears as:

     implementation 'org.apache.parquet:parquet-hadoop:1.13.1'
     implementation 'org.apache.hadoop:hadoop-client:3.3.6'

https://github.com/molgenis/molgenis-service-armadillo/blob/2fb6825a73d5c1d59024d3a5f71503f7919e8032/armadillo/build.gradle#L56
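Once a scanner such as Docker Scout flags an artifact, the next thing a maintainer needs is the path from a dependency declared in build.gradle down to the flagged jar, because that decides whether an `exclude` on the declaration, a version bump of hadoop-client, or a dependency constraint is the right fix. The script below is an added example and is not code from the Armadillo project: it parses the tree printed by Gradle's `dependencies` task (assumed here to be invoked as `./gradlew :armadillo:dependencies --configuration runtimeClasspath`, the module name being an assumption) and lists every path that reaches a given group:artifact. The sample tree is constructed for this example; only the parquet-hadoop and hadoop-client coordinates come from the build.gradle quoted above, and the `org.example:placeholder-*` artifacts are placeholders standing in for whatever hadoop-client really pulls in, not its actual transitive dependencies.

```python
"""Find which declared Gradle dependency pulls in a flagged artifact.

Parses the indented tree that `gradle dependencies` prints, where each
nesting level is 5 characters wide ("+--- ", "\\--- ", "|    ", "     ").
"""
from typing import List, Tuple

# Constructed sample output (not a real Armadillo dependency tree).
# parquet-hadoop and hadoop-client are the coordinates from build.gradle;
# every org.example:placeholder-* artifact is an invented stand-in.
SAMPLE_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.parquet:parquet-hadoop:1.13.1
|    +--- org.apache.parquet:parquet-column:1.13.1
|    \--- org.apache.parquet:parquet-format-structures:1.13.1
\--- org.apache.hadoop:hadoop-client:3.3.6
     +--- org.apache.hadoop:hadoop-common:3.3.6
     |    +--- org.example:placeholder-util:1.0 -> 1.1
     |    \--- org.example:placeholder-vulnerable-lib:1.0.0
     \--- org.apache.hadoop:hadoop-hdfs-client:3.3.6
          \--- org.example:placeholder-vulnerable-lib:1.0.0 (*)

(*) - Indicates repeated occurrences of a transitive dependency subtree.
"""

LEVEL_WIDTH = 5  # width of one indentation unit in Gradle's tree output


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, group:artifact:resolvedVersion) for every tree node.

    Header lines, blank lines and the "(*)" legend carry no "--- " marker
    and are skipped. A "-> x" suffix means Gradle resolved a different
    version than the one requested; the resolved one is what ships.
    """
    nodes = []
    for line in text.splitlines():
        idx = line.find("--- ")
        if idx < 1 or line[idx - 1] not in "+\\":
            continue
        depth = (idx - 1) // LEVEL_WIDTH
        tokens = line[idx + 4:].split()
        coord = tokens[0]
        if len(tokens) >= 3 and tokens[1] == "->":
            target = tokens[2]
            if target.count(":") == 2:          # full coordinate substituted
                coord = target
            else:                               # only the version changed
                coord = ":".join(coord.split(":")[:2] + [target])
        nodes.append((depth, coord))
    return nodes


def paths_to(text: str, group: str, artifact: str) -> List[List[str]]:
    """Every root-to-node path whose last node is group:artifact."""
    stack: List[str] = []
    paths: List[List[str]] = []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # pop back to this node's parent
        stack.append(coord)
        g, a = coord.split(":")[:2]
        if g == group and a == artifact:
            paths.append(list(stack))
    return paths


def declared_roots(text: str, group: str, artifact: str) -> List[str]:
    """Top-level (declared) dependencies through which group:artifact arrives."""
    return sorted({path[0] for path in paths_to(text, group, artifact)})


if __name__ == "__main__":
    for path in paths_to(SAMPLE_TREE, "org.example", "placeholder-vulnerable-lib"):
        print(" -> ".join(path))
    print("declared roots:",
          declared_roots(SAMPLE_TREE, "org.example", "placeholder-vulnerable-lib"))
```

Run against the real tree with `./gradlew :armadillo:dependencies --configuration runtimeClasspath > deps.txt` and pass the file contents instead of `SAMPLE_TREE`. The `declared_roots` result is the declaration in build.gradle to act on: if the flagged jar is not needed at runtime, an `exclude group: ..., module: ...` on that declaration drops it; if it is needed, a constraint pinning a fixed version is the safer fix, and the tree should be regenerated afterwards to confirm the path is gone.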

marikaris commented 5 months ago

@StuartWheater Do you have a description of the CVE anywhere? I can't find it by just googling it. I would like to read into it to see if it actually affects the way we use it and, if so, see if they're planning on fixing it soon, as we are using the latest version of this library. And whether previous versions of the library have the same issue.

erikzwart commented 5 months ago

CVE-2023-25613

[image]