BEAM-9428: CVEs in the dependencies of hive-exec for HiveIO


Details

    • Type: Bug
    • Status: Open
    • Priority: P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: io-java-hcatalog
    • Labels: None
    • Flags: Important

      Description

      Hello, your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I suggest a library update. See details below:

      • Vulnerable Dependency: org.apache.hive : hive-exec : 2.1.0
      • Call Chain to Buggy Methods:
        • Some files in your project call the library method org.apache.hadoop.hive.ql.Driver.run(java.lang.String), which can reach the buggy method of CVE-2017-12625.
          • Files in your project: sdks/java/io/hcatalog/src/main/java/org/apache/beam/sdk/io/hcatalog/test/EmbeddedMetastoreService.java
          • One of the possible call chains:
            org.apache.hadoop.hive.ql.Driver.run(java.lang.String)
            org.apache.hadoop.hive.ql.Driver.run(java.lang.String,boolean)
            org.apache.hadoop.hive.ql.Driver.runInternal(java.lang.String,boolean)
            org.apache.hadoop.hive.ql.Driver.compileInternal(java.lang.String)
            org.apache.hadoop.hive.ql.Driver.compile(java.lang.String)
            org.apache.hadoop.hive.ql.Driver.compile(java.lang.String,boolean)
            org.apache.hadoop.hive.ql.parse.ParseDriver.parse(java.lang.String,org.apache.hadoop.hive.ql.Context) [buggy method]
      • Update suggestion: version 3.1.2. 3.1.2 is a safe version without CVEs. From 2.1.0 to 3.1.2, 2 of the APIs (called 2 times in your project) were removed, and 3 APIs (called 3 times in your project) were modified.

      Attachments

      1. apache-beam_CVE-report.md (2 kB, attached by XuCongying)

      People

      • Assignee: Unassigned
      • Reporter: XuCY (XuCongying)
      • Votes: 0
      • Watchers: 4
