Details
- Bug
- Status: Open
- Critical
- Resolution: Unresolved
- 3.0.0, 2.2.0
- None
- Redhat UBI (Universal Base Image) 8.5
- Important
Description
Atlas 2.2.0 and 3.0.0-SNAPSHOT when built from source both have a large number of jar packages that suffer from known exploits / vulnerabilities. I've performed an Anchore and a Twistlock scan of the compiled Atlas application from the released 2.2.0 codebase and 3.0.0-SNAPSHOT git master.
Here are the lists of the High and Critical vulnerabilities discovered:
ATLAS 2.2.0
https://repo1.dso.mil/dsop/opensource/apache/atlas/-/jobs/8351429
ATLAS 3.0.0-SNAPSHOT (git-master 2021.1201)
https://repo1.dso.mil/dsop/opensource/apache/atlas/-/jobs/8401537
This effort was attempting to put together a public docker image of Atlas compiled from source. The build process source code is hosted here: https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile
Thoughts:
- an updated pom.xml that has newer (vulnerability-free) versions of the package chain may remediate these findings in a future build
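One way to check a build's output for the kind of lingering or outdated jars the report describes, as an added example that is not from this issue or from the Atlas project: it reads the Maven coordinates embedded in each jar, flags artifacts shipped in more than one version, and flags copies below a version floor (the floors would come from the updated pom.xml suggested above). The `org.example` artifacts and versions in the sample are constructed placeholders.

```python
import io
import re
import zipfile
from collections import defaultdict
from pathlib import Path

POM_PROPERTIES = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")

def read_coordinates(jar_bytes):
    """Return (groupId, artifactId, version) from the pom.properties Maven embeds in a jar, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not POM_PROPERTIES.match(name):
                continue
            lines = zf.read(name).decode("utf-8", "replace").splitlines()
            props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
            if {"groupId", "artifactId", "version"} <= set(props):
                return props["groupId"], props["artifactId"], props["version"]
    return None

def version_key(version):
    """Sort key: numeric components compare as integers, everything else as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))

def audit(jars, minimums):
    """Return (duplicates, outdated): artifacts present in several versions, and artifacts with a
    copy below the floor in `minimums` ('groupId:artifactId' -> lowest version accepted)."""
    found = defaultdict(set)
    for coords in filter(None, map(read_coordinates, jars)):
        found[f"{coords[0]}:{coords[1]}"].add(coords[2])
    duplicates = {k: sorted(v, key=version_key) for k, v in found.items() if len(v) > 1}
    outdated = {k: sorted(low, key=version_key) for k, floor in minimums.items()
                if (low := [v for v in found.get(k, ()) if version_key(v) < version_key(floor)])}
    return duplicates, outdated

def audit_dir(lib_dir, minimums):
    """Audit every *.jar below a build output directory, such as the distribution's lib/."""
    return audit([p.read_bytes() for p in Path(lib_dir).rglob("*.jar")], minimums)

def make_jar(group, artifact, version):  # constructed test data: a jar holding only pom.properties
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()

# Constructed sample: an old copy of lib-a is still shipped beside the upgraded one.
SAMPLE_JARS = [make_jar("org.example", "lib-a", "1.2.3"), make_jar("org.example", "lib-a", "2.0.0"),
               make_jar("org.example", "lib-b", "4.1.0")]
SAMPLE_MINIMUMS = {"org.example:lib-a": "2.0.0", "org.example:lib-b": "4.0.0"}
```

Jars built outside Maven carry no pom.properties and are skipped, so an inventory from a scanner such as the ones named above is still needed for those.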