Details
- Type: Bug
- Status: Open
- Priority: P3
- Resolution: Unresolved
- Important
Description
Hello, your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I suggest a library update. See details below:
- Vulnerable Dependency: org.apache.hive : hive-exec : 2.1.0
- Call Chain to Buggy Methods:
  - Some files in your project call the library method org.apache.hadoop.hive.ql.Driver.run(java.lang.String), which can reach the buggy method of CVE-2017-12625.
  - Files in your project: sdks/java/io/hcatalog/src/main/java/org/apache/beam/sdk/io/hcatalog/test/EmbeddedMetastoreService.java
  - One of the possible call chains:
    org.apache.hadoop.hive.ql.Driver.run(java.lang.String)
    org.apache.hadoop.hive.ql.Driver.run(java.lang.String,boolean)
    org.apache.hadoop.hive.ql.Driver.runInternal(java.lang.String,boolean)
    org.apache.hadoop.hive.ql.Driver.compileInternal(java.lang.String)
    org.apache.hadoop.hive.ql.Driver.compile(java.lang.String)
    org.apache.hadoop.hive.ql.Driver.compile(java.lang.String,boolean)
    org.apache.hadoop.hive.ql.parse.ParseDriver.parse(java.lang.String,org.apache.hadoop.hive.ql.Context) [buggy method]
- Update suggestion: version 3.1.2. 3.1.2 is a safe version without CVEs. From 2.1.0 to 3.1.2, 2 of the APIs (called 2 times in your project) were removed, and 3 APIs (called 3 times in your project) were modified.
Attachments
Issue Links
- relates to BEAM-9351 Upgrade Hive/HCatalog to version 2.3.8 (Open)