Uploaded image for project: 'Calcite'
  1. Calcite
  2. CALCITE-3314

CVSS dependency-check-maven fails for calcite-pig, calcite-piglet, calcite-spark

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • None
    • 1.21.0
    • None

    Description

      Calcite build fails if the CVSS dependency check is active since there are serious vulnerabilties in calcite-pig, calcite-piglet, calcite-spark.

      Running mvn install -Ppedantic -fn gives the following errors:

      ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-pig: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
[ERROR] 
[ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-piglet: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
[ERROR] 
[ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] jackson-core-asl-1.8.8.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
[ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
[ERROR] jackson-xc-1.8.3.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
[ERROR] hadoop-auth-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
[ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
[ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
[ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525, CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719, CVE-2018-14721, CVE-2018-14720

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-spark: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
[ERROR] 
[ERROR] spark-core_2.10-2.2.0.jar: CVE-2018-17190
[ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
[ERROR] hadoop-mapreduce-client-core-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
[ERROR] bcprov-jdk15on-1.51.jar: CVE-2018-1000613
[ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
[ERROR] unused-1.0.0.jar: CVE-2018-17190
[ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525, CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719, CVE-2018-14721, CVE-2018-14720
[ERROR] spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml: CVE-2017-7658, CVE-2017-7657

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #1427

          Activity

            People

              zabetak Stamatis Zampetakis
              zabetak Stamatis Zampetakis
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 50m
                  50m