Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 3.0.0
Fix Version/s: None
Component/s: None
Description
Please fix the following CVE related to Guava 14.0.1:
| cve | severity | cvss |
| CVE-2018-10237 | medium | 5.9 |
Our security team is trying to block us from using Spark because of this issue.
One thing that's very weird is I see from this [pom file|https://github.com/apache/spark/blob/v3.0.0/common/network-common/pom.xml] that you reference Guava, but it's not clear what version.
But if I look on [maven|https://mvnrepository.com/artifact/org.apache.spark/spark-network-common_2.12/3.0.0], the Guava reference is not showing up.
Is this reference somehow being shaded into the network-common jar? It's not clear to me.
Also, I've noticed code like [this file|https://github.com/apache/spark/blob/v3.0.0/common/network-common/src/main/java/org/apache/spark/network/util/LimitedInputStream.java], which is a copy-paste of some Guava source code.
The CVE scanner we use, Twistlock/Palo Alto Networks Prisma Cloud Compute Edition, is very thorough and will find CVEs in copy-pasted code and shaded jars.
Please fix this CVE so we can use Spark.
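The reporter's question (is Guava shaded into the network-common jar, and which version?) can be answered by inspecting the jar itself rather than the Maven metadata. The following is an added example, not part of this ticket and not Spark's own code: it opens a jar, looks for the two classes whose deserialization path Guava 24.1.1 fixed for CVE-2018-10237 (AtomicDoubleArray and CompoundOrdering) by simple class name so that relocated copies under any package prefix are found, and reads the bundled Guava version from the pom.properties that maven-shade-plugin normally leaves in place. The relocation prefix `org/example/shaded/guava`, the helper names `scan_jar`/`build_jar`, and the jar contents are constructed for the demo; whether a given Spark build retains Guava's pom.properties is an assumption, not a fact about Spark.

```python
import io
import re
import zipfile

# Classes whose Java deserialization path was fixed in Guava 24.1.1 for
# CVE-2018-10237. Matching on the simple class name catches relocated (shaded)
# copies, whose package prefix is no longer com/google/common/.
CVE_2018_10237_CLASSES = ("AtomicDoubleArray.class", "CompoundOrdering.class")
FIXED_VERSION = (24, 1, 1)

# maven-shade-plugin keeps this file unless the build filters it out
# (assumption: a given Spark build may or may not retain it).
GUAVA_POM_PROPS = "META-INF/maven/com.google.guava/guava/pom.properties"


def parse_version(text):
    """Turn '14.0.1' or '27.0-jre' into a comparable tuple of leading integers."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(n) if n is not None else 0 for n in m.groups())


def scan_jar(jar_bytes):
    """Look for Guava traces in a jar: the vulnerable classes (relocated or not)
    and the bundled Guava version, then decide whether CVE-2018-10237 still applies."""
    result = {"version": None, "vulnerable_classes": [], "relocated": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.endswith(CVE_2018_10237_CLASSES):
                result["vulnerable_classes"].append(name)
                if not name.startswith("com/google/common/"):
                    result["relocated"] = True
        if GUAVA_POM_PROPS in names:
            for line in zf.read(GUAVA_POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    result["version"] = line.split("=", 1)[1].strip()
    if not result["vulnerable_classes"]:
        result["affected"] = False
    else:
        parsed = parse_version(result["version"] or "")
        # No usable version metadata: treat as affected, as a scanner would.
        result["affected"] = parsed is None or parsed < FIXED_VERSION
    return result


def build_jar(entries):
    """Build an in-memory jar (a zip) from {path: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a jar that relocated Guava 14.0.1 under a private package
# (hypothetical relocation prefix; not taken from Spark's actual build).
SHADED_OLD_GUAVA = build_jar({
    "org/example/shaded/guava/util/concurrent/AtomicDoubleArray.class": b"\xca\xfe\xba\xbe",
    "org/example/shaded/guava/collect/CompoundOrdering.class": b"\xca\xfe\xba\xbe",
    GUAVA_POM_PROPS: b"groupId=com.google.guava\nartifactId=guava\nversion=14.0.1\n",
})

# Constructed sample: same layout, but Guava at the fixed version.
SHADED_FIXED_GUAVA = build_jar({
    "org/example/shaded/guava/util/concurrent/AtomicDoubleArray.class": b"\xca\xfe\xba\xbe",
    GUAVA_POM_PROPS: b"version=24.1.1-jre\n",
})

if __name__ == "__main__":
    for label, jar in (("old", SHADED_OLD_GUAVA), ("fixed", SHADED_FIXED_GUAVA)):
        print(label, scan_jar(jar))
```

Two caveats a reviewer of a scanner finding would raise: a copied source file such as LimitedInputStream carries no Guava class name or version metadata, so a check like this will not see it and scanners that flag it do so by code fingerprint; and CVE-2018-10237 is a deserialization issue in those two classes, so it is only reachable where untrusted Java-serialized data is fed to them.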
Issue Links
duplicates:
- SPARK-23897 Guava version (Open)
is related to:
- HIVE-23980 Shade guava from existing Hive versions (Resolved)
- HIVE-23998 Upgrade Guava to 27 for Hive 2.3 (Patch Available)