Open HelenParr opened 2 years ago
Hi @HelenParr,
Thank you for reporting this issue.
Technically the spark dependencies of the spark-utils library are "light", as they are marked as provided. As such, the library's user is asked to provide binary compatible Spark libraries' versions in the dependencies of the downstream project.
Actions needed for spark-utils:
- 2.12:3.2.0
- .zstd dependency fix.

Thank you for your help. Cheers, Oliver Tupran
Hi, @tupol , I'd like to report a vulnerable dependency in org.tupol:spark-utils-io_2.12:0.6.2.
Issue Description
I noticed that org.tupol:spark-utils-io_2.12:0.6.2 directly depends on org.apache.spark:spark-core_2.12:3.0.1 in the pom. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.0.1 suffers from the vulnerability which the C library zstd (version 1.4.3) exposed: CVE-2021-24032.
Dependency Graph between Java and Shared Libraries
Suggested Vulnerability Patch Versions
org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library zstd to the patch version 1.5.0. Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?
Thanks for your help~ Best regards, Helen Parr
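As an added example (not code from the spark-utils project or from either commenter), a small pom audit that applies the two points raised in this thread: a Spark dependency below 3.2.0 is flagged, and one marked `provided` is reported as something the downstream project has to verify in its own build rather than a jar this library ships. The sample pom and the `MIN_SPARK` threshold are constructed from the coordinates quoted above.

```python
import xml.etree.ElementTree as ET
# Spark release the report names as the first one shipping the patched zstd.
MIN_SPARK = (3, 2, 0)

def local(tag):  # strip the XML namespace so poms with or without xmlns both work
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name, default=""):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return default

def parse_version(ver):
    """'3.0.1' -> (3, 0, 1); non-digit characters inside a component are dropped."""
    out = []
    for part in ver.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)

def audit_spark_deps(pom_xml):
    """Return (artifactId, version, scope, status) per org.apache.spark dependency.
    Older-than-MIN_SPARK entries marked provided are not bundled by this library:
    the downstream project's own Spark version decides which zstd gets loaded."""
    findings = []
    for dep in ET.fromstring(pom_xml).iter():
        if local(dep.tag) != "dependency" or child_text(dep, "groupId") != "org.apache.spark":
            continue
        aid = child_text(dep, "artifactId")
        ver = child_text(dep, "version")
        scope = child_text(dep, "scope", "compile")
        if parse_version(ver) >= MIN_SPARK:
            status = "ok"
        elif scope == "provided":
            status = "provided-check-downstream"
        else:
            status = "vulnerable"
        findings.append((aid, ver, scope, status))
    return findings
# Constructed sample pom mirroring the coordinates in the report above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.spark</groupId>
      <artifactId>spark-core_2.12</artifactId>
      <version>3.0.1</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>"""
```

Run `audit_spark_deps(SAMPLE_POM)` against a downstream project's pom as well: there the same entry without `provided` scope (or with a Spark version below 3.2.0) is the one that actually pulls the old zstd native library onto the classpath.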