sfu-db / connector-x

Fastest library to load data from DB to DataFrames in Rust and Python
https://sfu-db.github.io/connector-x
MIT License

Several critical vulnerabilities in connector-x dependencies #548

Open jplauri opened 11 months ago

jplauri commented 11 months ago

Describe your feature request

It seems that connector-x has several critical and high severity vulnerabilities open, stemming from, e.g., com.fasterxml.jackson.core:jackson-databind, org.yaml:snakeyaml, and others. See below for a full listing of critical vulnerabilities, but note that there are others too.

I think it would be great not only to have these patched but also to update the CI process to scan for vulnerabilities. As it stands, these vulnerabilities completely prevent the use of connector-x in certain organizations.

| Severity | Impacted package | Impacted package version | Type | Fixed versions | Component | Component version | CVE |
|---|---|---|---|---|---|---|---|
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | 2.10.1, 2.6.7.3, 2.7.9.7, 2.8.11.5, 2.9.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | 2.10.1, 2.6.7.3, 2.7.9.7, 2.8.11.5, 2.9.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | 2.10.1, 2.6.7.3, 2.7.9.7, 2.8.11.5, 2.9.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | 2.10.1, 2.6.7.3, 2.7.9.7, 2.8.11.5, 2.9.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | org.yaml:snakeyaml | 1.24 | Maven | 2.0 | connectorx | 0.3.2 | CVE-2022-1471 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | 2.10.1, 2.6.7.3, 2.7.9.7, 2.8.11.5, 2.9.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | 2.10.1, 2.6.7.3, 2.7.9.7, 2.8.11.5, 2.9.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | 2.10.1, 2.6.7.3, 2.7.9.7, 2.8.11.5, 2.9.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | org.yaml:snakeyaml | 1.24 | Maven | 2.0 | connectorx | 0.3.2 | CVE-2022-1471 |
| Critical | org.yaml:snakeyaml | 1.24 | Maven | 2.0 | connectorx | 0.3.2 | CVE-2022-1471 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0.pr1 | Maven | 2.10.1, 2.6.7.3, 2.7.9.7, 2.8.11.5, 2.9.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |
| Critical | com.fasterxml.jackson.core:jackson-databind | 2.10.0 | Maven | 2.10.1 | connectorx | 0.3.2 | CVE-2019-16942 |

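As an added example (not from the issue author or the connector-x project), a small Python triage script over rows constructed from the scanner table above: it collapses the scanner's repeated findings into one entry per impacted package version and, because jackson-databind lists a fixed release for each maintenance line, picks the lowest fixed version on the installed line (2.10.0 to 2.10.1) rather than the lowest fixed version overall, falling back to the next higher fix when the installed line has none (snakeyaml 1.24 to 2.0). The row data and the `.pr1` pre-release handling are assumptions made for the example.

```python
import re

# Rows constructed from the scanner table in the issue above, including one
# of the scanner's repeated findings, as (package, installed, fixed, cve).
JACKSON_FIXED = ["2.10.1", "2.6.7.3", "2.7.9.7", "2.8.11.5", "2.9.10.1"]
SCANNER_ROWS = [
    ("com.fasterxml.jackson.core:jackson-databind", "2.10.0", JACKSON_FIXED, "CVE-2019-16942"),
    ("com.fasterxml.jackson.core:jackson-databind", "2.10.0.pr1", JACKSON_FIXED, "CVE-2019-16942"),
    ("com.fasterxml.jackson.core:jackson-databind", "2.10.0", JACKSON_FIXED, "CVE-2019-16942"),
    ("org.yaml:snakeyaml", "1.24", ["2.0"], "CVE-2022-1471"),
]

def version_key(version):
    """Sort key for Maven-style versions: the numeric components, plus a flag
    that ranks a pre-release suffix such as '.pr1' below the bare release
    (so 2.10.0.pr1 < 2.10.0 < 2.10.1). Assumed suffix handling, not Maven's."""
    nums, prerelease = [], 0
    for part in version.split("."):
        if re.fullmatch(r"\d+", part):
            nums.append(int(part))
        else:  # 'pr1', 'rc2', ...: treat the rest as a pre-release marker
            prerelease = -1
            break
    return (tuple(nums), prerelease)

def upgrade_target(installed, fixed_versions):
    """Lowest fixed version on the same major.minor line as `installed`
    (2.10.0 -> 2.10.1 rather than 2.6.7.3); if that line has no fix, the
    lowest fixed version above `installed` (1.24 -> 2.0). None if no fix."""
    installed_key = version_key(installed)
    line = installed_key[0][:2]
    newer = [f for f in fixed_versions if version_key(f) > installed_key]
    same_line = [f for f in newer if version_key(f)[0][:2] == line]
    pool = same_line or newer
    return min(pool, key=version_key) if pool else None

def triage(rows):
    """Collapse duplicate findings into one entry per (package, installed
    version), listing its CVEs and the recommended upgrade target."""
    plan = {}
    for pkg, installed, fixed, cve in rows:
        entry = plan.setdefault((pkg, installed), {"cves": set(), "upgrade_to": None})
        entry["cves"].add(cve)
        entry["upgrade_to"] = upgrade_target(installed, fixed)
    return plan

if __name__ == "__main__":
    for (pkg, installed), entry in sorted(triage(SCANNER_ROWS).items()):
        print(f"{pkg} {installed}: {sorted(entry['cves'])} -> upgrade to {entry['upgrade_to']}")
```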
DeflateAwning commented 11 months ago

Is the solution just to bump the dependencies to later versions?

jplauri commented 11 months ago

I don't know. If it is, there should be automation to bump them in the future too.