Atlas / ATLAS-4497

Large number of CVEs (vulnerabilities) when building 2.2.0 and 3.0.0-SNAPSHOT from source


Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0, 2.2.0
    • Fix Version/s: None
    • Component/s: atlas-core
    • Environment: Redhat UBI (Universal Base Image) 8.5
    • Flags: Important

    Description

      Atlas 2.2.0 and 3.0.0-SNAPSHOT, when built from source, both have a large number of jar packages that suffer from known exploits / vulnerabilities. I've performed an Anchore and a Twistlock scan of the compiled Atlas application from the released 2.2.0 codebase and 3.0.0-SNAPSHOT git master.

      Here are the lists of the High and Critical vulnerabilities discovered:

      ATLAS 2.2.0: https://repo1.dso.mil/dsop/opensource/apache/atlas/-/jobs/8351429

      ATLAS 3.0.0-SNAPSHOT (git-master 2021.1201): https://repo1.dso.mil/dsop/opensource/apache/atlas/-/jobs/8401537

      This effort was attempting to put together a public docker image of Atlas compiled from source. The build process source code is hosted here: https://github.com/589290/docker-apache-atlas-ubi8/blob/main/Dockerfile

      Thoughts:

      • an updated pom.xml that has newer (vulnerability-free) versions of the package chain may remediate these findings in a future build
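One check worth keeping beside the scanner reports when trying the pom.xml idea above: the script below is an added example (not from this ticket or the Atlas project) that inventories the jars in a built distribution and flags artifacts shipped at more than one version, a common reason an old CVE keeps showing up after a dependency bump. The jar file names are constructed for the demo, and the root path passed to `list_jars` is an assumption.

```python
import re
from collections import defaultdict
from pathlib import Path

# Matches "artifact-1.2.3.jar", "artifact-1.2.3-SNAPSHOT.jar", "kafka_2.12-2.8.1.jar":
# the artifact is everything before the first "-<digit>", the version is the rest.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

# Constructed sample: the kind of jar listing a built distribution's lib/ dir yields.
SAMPLE_JARS = [
    "jackson-databind-2.9.9.jar", "jackson-databind-2.11.3.jar",
    "log4j-1.2.17.jar", "netty-3.10.5.Final.jar", "guava-25.1-jre.jar",
    "atlas-common-2.2.0.jar", "kafka_2.12-2.8.1.jar", "noversion.jar",
]


def parse_jar_name(filename):
    """Split a jar file name into (artifact, version); None if no version is embedded."""
    m = JAR_RE.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Sort key that orders numeric segments numerically (2.9.9 < 2.11.3), text after."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def inventory(jar_names):
    """Map each artifact to the versions found, oldest first."""
    versions = defaultdict(set)
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed:
            versions[parsed[0]].add(parsed[1])
    return {a: sorted(v, key=version_key) for a, v in versions.items()}


def find_multiversion_artifacts(inv):
    """Artifacts present at more than one version: the older copy is usually what the scanner flags."""
    return {a: v for a, v in inv.items() if len(v) > 1}


def list_jars(root):
    """Collect jar names under a built distribution directory (assumed path, e.g. distro/target)."""
    return [p.name for p in Path(root).rglob("*.jar")]


if __name__ == "__main__":
    for artifact, versions in find_multiversion_artifacts(inventory(SAMPLE_JARS)).items():
        print(f"{artifact}: shipped at {', '.join(versions)}")
```

Run the inventory before and after changing pom.xml and diff the two outputs to confirm the old versions actually left the distribution rather than being shaded in beside the new ones.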

          People

            Assignee: Unassigned
            Reporter: Greg (589290)