beam-vendor-grpc-1_43_2 shades vulnerable Netty version

Details

    Description

      The beam-vendor-grpc-1_43_2 dependency (that is pulled transitively by the beam-runners-flink-1.13) shades a vulnerable Netty version, i.e. 4.1.63.Final: https://mvnrepository.com/artifact/io.netty/netty-all/4.1.63.Final

      In turn, our Beam pipeline builds are marked as vulnerable and we're having issues promoting them to higher environments.

      Because Netty is shaded, we can't simply override the version in the build tool.
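One way to confirm which Netty version a shaded jar actually bundles, since the build tool's dependency tree will not show it. This is an added example, not code from the Beam project or the reporter. It assumes the vendored jar still carries Netty's Maven `pom.properties` or `io.netty.versions.properties` metadata, so an empty result proves nothing; the sample jar and the "4.2.0" threshold are constructed.

```python
import io
import zipfile
from itertools import takewhile

def _props(text):
    """Parse simple key=value lines of a Java .properties file."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}

def bundled_netty_versions(jar):
    """Return {artifactId: version} for io.netty metadata found inside a jar."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/io.netty/") and name.endswith("/pom.properties"):
                p = _props(zf.read(name).decode("utf-8", "replace"))
                if p.get("groupId") == "io.netty" and p.get("artifactId") and p.get("version"):
                    found[p["artifactId"]] = p["version"]
            elif name.endswith("io.netty.versions.properties"):
                for key, value in _props(zf.read(name).decode("utf-8", "replace")).items():
                    if key.endswith(".version"):
                        found.setdefault(key[: -len(".version")], value)
    return found

def numeric(version):
    """'4.1.63.Final' -> (4, 1, 63); stops at the first non-numeric part."""
    return tuple(int(p) for p in takewhile(str.isdigit, version.split(".")))

def below_minimum(versions, minimum):
    """Artifacts older than `minimum`, which the caller takes from its own advisory."""
    return {a: v for a, v in versions.items() if numeric(v) < numeric(minimum)}

def sample_jar():
    """Constructed in-memory jar: one relocated class plus leftover Netty metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("vendor/relocated/io/netty/buffer/ByteBuf.class", b"")
        zf.writestr("META-INF/maven/io.netty/netty-buffer/pom.properties",
                    "groupId=io.netty\nartifactId=netty-buffer\nversion=4.1.63.Final\n")
        zf.writestr("META-INF/io.netty.versions.properties",
                    "netty-codec.version=4.1.63.Final\nnetty-codec.shortCommitHash=0000000\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    versions = bundled_netty_versions(sample_jar())
    print(versions, below_minimum(versions, "4.2.0"))  # "4.2.0" is a constructed threshold
```

`bundled_netty_versions` also accepts a filesystem path, so it can be pointed at the vendored jar in a local Maven or Gradle cache.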

            People

              Assignee: Unassigned
              Reporter: Arkadiusz Gasinski (jigga)
              Votes: 2
              Watchers: 6

                Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 0h
                  Time Spent: 1h 50m