Calcite / CALCITE-3314

CVSS dependency-check-maven fails for calcite-pig, calcite-piglet, calcite-spark

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.21.0
    • Component/s: None

      Description

      Calcite build fails if the CVSS dependency check is active since there are serious vulnerabilities in calcite-pig, calcite-piglet, calcite-spark.

      Running mvn install -Ppedantic -fn gives the following errors:

      [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-pig: 
      [ERROR] 
      [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
      [ERROR] 
      [ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
      [ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
      
      [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-piglet: 
      [ERROR] 
      [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
      [ERROR] 
      [ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
      [ERROR] jackson-core-asl-1.8.8.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
      [ERROR] groovy-all-1.8.6.jar: CVE-2015-3253, CVE-2016-6814
      [ERROR] jackson-xc-1.8.3.jar: CVE-2017-17485, CVE-2017-7525, CVE-2017-15095
      [ERROR] hadoop-auth-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
      [ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
      [ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
      [ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525, CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719, CVE-2018-14721, CVE-2018-14720
      
      [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-spark: 
      [ERROR] 
      [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
      [ERROR] 
      [ERROR] spark-core_2.10-2.2.0.jar: CVE-2018-17190
      [ERROR] api-util-1.0.0-M20.jar: CVE-2018-1337
      [ERROR] hadoop-mapreduce-client-core-2.7.5.jar: CVE-2018-8029, CVE-2018-11766, CVE-2018-8009
      [ERROR] bcprov-jdk15on-1.51.jar: CVE-2018-1000613
      [ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
      [ERROR] unused-1.0.0.jar: CVE-2018-17190
      [ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-17485, CVE-2018-5968, CVE-2017-15095, CVE-2019-14379, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2017-7525, CVE-2018-11307, CVE-2018-14718, CVE-2018-7489, CVE-2018-14719, CVE-2018-14721, CVE-2018-14720
      [ERROR] spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml: CVE-2017-7658, CVE-2017-7657
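
Added example (not part of the original issue or of the Calcite build): a Python script that groups dependency-check findings like those above by flagged jar, records which modules each one breaks, and notes when the hit is on a library bundled inside another jar. The names `parse_findings` and `triage` are hypothetical, and the sample input is built from lines of the log above with the CVE lists shortened.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the log in this issue, CVE lists shortened.
SAMPLE_LOG = """\
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-pig:
[ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-piglet:
[ERROR] jetty-6.1.26.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
[ERROR] htrace-core-3.1.0-incubating.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml: CVE-2017-7525, CVE-2018-7489
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.1:check (default) on project calcite-spark:
[ERROR] zookeeper-3.4.6.jar: CVE-2016-5017
[ERROR] spark-core_2.10-2.2.0.jar: CVE-2018-17190
[ERROR] spark-core_2.10-2.2.0.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml: CVE-2017-7658, CVE-2017-7657
"""

PROJECT_RE = re.compile(r"dependency-check-maven:\S+:check \(\S+\) on project (\S+?):?$")
FINDING_RE = re.compile(r"^\[ERROR\]\s+(\S+?):\s+(CVE-\d{4}-\d+(?:,\s*CVE-\d{4}-\d+)*)$")

def parse_findings(log):
    """Map each flagged jar to the CVEs, modules and bundled artifacts reported for it."""
    findings = defaultdict(lambda: {"cves": set(), "modules": set(), "bundled": set()})
    module = None
    for raw in log.splitlines():
        line = raw.strip()
        m = PROJECT_RE.search(line)
        if m:
            module = m.group(1)          # findings that follow belong to this module
            continue
        m = FINDING_RE.match(line)
        if not (m and module):
            continue
        # "outer.jar/META-INF/maven/<group>/<artifact>/pom.xml" is a hit on a
        # pom.xml found inside outer.jar, i.e. a library bundled in that jar.
        jar, _, inner = m.group(1).partition("/")
        parts = inner.split("/")
        entry = findings[jar]
        entry["cves"].update(re.findall(r"CVE-\d{4}-\d+", m.group(2)))
        entry["modules"].add(module)
        if len(parts) == 5 and parts[:2] == ["META-INF", "maven"]:
            entry["bundled"].add(f"{parts[2]}:{parts[3]}")
    return dict(findings)

def triage(findings):
    """Jars ordered by number of modules they fail, then by CVE count, then name."""
    return sorted(findings, key=lambda j: (-len(findings[j]["modules"]), -len(findings[j]["cves"]), j))
```

Jars that appear with a bundled artifact cannot be fixed by excluding a transitive dependency; the containing jar itself has to be upgraded, replaced or explicitly suppressed after review.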
      
      

              People

              • Assignee:
                zabetak Stamatis Zampetakis
                Reporter:
                zabetak Stamatis Zampetakis

                  Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 0h
                  Time Spent: 50m