Uploaded image for project: 'Pig'
  1. Pig
  2. PIG-5345

Use of numerous known vulnerable libraries

Add voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None

    Description

      I ran a commercial known vulnerable library analysis tool on PIG and it flagged numerous direct and transitive dependencies as having known vulnerabilities.

      I'd be happy to share the list offline if anyone is interested in the list/willing to work on upgrading them. If interested, contact me at: dave.wichers@owasp.org.

      If it is not doing so already, the project might also want to start using OWASP Dependency Check or https://ossindex.net/ to automate this type of analysis so its easier for the project to try to keep up to date as new CVEs in libraries are uncovered.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            Wichers Dave Wichers

            Dates

              Created:
              Updated:

              Slack

                Issue deployment