sadikovi
commented
2 years ago Interesting, thanks for reporting. Would you like to open a PR to update the dependency? Otherwise, I will open soon-ish to fix.
Open HelenParr opened 2 years ago
sadikovi
commented
2 years ago Interesting, thanks for reporting. Would you like to open a PR to update the dependency? Otherwise, I will open soon-ish to fix.
Hi, @sadikovi , I'd like to report a vulnerable dependency in com.github.sadikovi:spark-netflow_2.12:2.1.0.
Issue Description
I noticed that com.github.sadikovi:spark-netflow_2.12:2.1.0 directly depends on org.apache.spark:spark-core_2.12:3.0.1 in the pom. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.0.1 sufferes from the vulnerability which the C library zstd(version:1.4.4) exposed: CVE-2021-24032.
Dependency Graph between Java and Shared Libraries
Suggested Vulnerability Patch Versions
org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library
zstdto the patch version 1.5.0.Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?
Thanks for your help~ Best regards, Helen Parr