
Please fix CVE related to Guava 14.0.1


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: Spark Core
    • Labels: None

    Description

      Please fix the following CVE related to Guava 14.0.1:

      ||cve||severity||cvss||
      |CVE-2018-10237|medium|5.9|

      Our security team is trying to block us from using Spark because of this issue.

      One thing that's very weird is I see from this [pom file|https://github.com/apache/spark/blob/v3.0.0/common/network-common/pom.xml] you reference Guava, but it's not clear what version.

      But if I look on [maven|https://mvnrepository.com/artifact/org.apache.spark/spark-network-common_2.12/3.0.0], the Guava reference is not showing up.

      Is this reference somehow being shaded into the network-common jar? It's not clear to me.

      Also, I've noticed code like [this file|https://github.com/apache/spark/blob/v3.0.0/common/network-common/src/main/java/org/apache/spark/network/util/LimitedInputStream.java], which is a copy-paste of some Guava source code.

      The CVE scanner we use, Twistlock/Palo Alto Networks Prisma Cloud Compute Edition, is very thorough and will find CVEs in copy-pasted code and shaded jars.

      Please fix this CVE so we can use Spark.
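One way to check the shading question from the scanner's side, as an added example that is not part of this issue or of Spark's build: the function below walks a jar's entries looking for Guava class prefixes (the upstream `com/google/common/` package and, as an assumption, the relocated prefix `org/sparkproject/guava/` that Spark's shade step is taken to use) and reads the Guava version from any embedded Maven `pom.properties`, which is what a version-based scanner keys on. The sample jar is constructed inside the block and is not a real Spark artifact.

```python
import io
import re
import zipfile
from collections import Counter

# Class-path prefixes that indicate Guava bytecode inside a jar. The first is
# Guava's own package; the second is the relocated prefix assumed for Spark's
# shade plugin configuration (assumption, adjust to the build you inspect).
GUAVA_PREFIXES = ("com/google/common/", "org/sparkproject/guava/")
# Maven embeds this file in a jar that bundles Guava unless the shade step strips it.
POM_PROPS = re.compile(r"^META-INF/maven/com\.google\.guava/guava/pom\.properties$")


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report which Guava prefixes appear in the jar, how many classes each
    carries, and the Guava version recorded in pom.properties (None if absent).
    A jar with relocated classes but no pom.properties is exactly the case a
    version-only scanner misses and a class-signature scanner still flags."""
    counts = Counter()
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                for prefix in GUAVA_PREFIXES:
                    if name.startswith(prefix):
                        counts[prefix] += 1
            elif POM_PROPS.match(name):
                for line in zf.read(name).decode("utf-8").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    return {"guava_classes": dict(counts), "guava_version": version}


def build_sample_jar() -> bytes:
    """Constructed sample jar: one relocated Guava class, one Spark class that is
    not Guava, and a pom.properties naming Guava 14.0.1 (the version in the issue)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/sparkproject/guava/io/ByteStreams.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/spark/network/util/LimitedInputStream.class", b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                    "groupId=com.google.guava\nartifactId=guava\nversion=14.0.1\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_jar(build_sample_jar()))
```

Run it against a real jar by passing `open(path, "rb").read()` to `inspect_jar`; a non-empty `guava_classes` with no `guava_version` means the classes are present but the Maven metadata a version scanner relies on is gone.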

    People

      Assignee: Unassigned
      Reporter: Rodney Aaron Stainback (AceHack)
