
flume-trunk's Issues

Dependency org.apache.commons:commons-compress, leading to CVE problem

Hi, in flume-trunk/flume-ng-channels/flume-jdbc-channel, there is a dependency org.apache.commons:commons-compress:1.4.1 that calls the risk method.

CVE-2018-11771

The affected version range of this CVE is [,1.18-RC1).

After further analysis, in this project, the main API called is <org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int readStored(byte[],int,int)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 7

<org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int readStored(byte[],int,int)>
at <org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int read(byte[],int,int)> (org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.java:[321]) in /.m2/repository/org/apache/commons/commons-compress/1.4.1/commons-compress-1.4.1.jar
at <org.apache.commons.compress.archivers.ArchiveInputStream: int read()> (org.apache.commons.compress.archivers.ArchiveInputStream.java:[81]) in /.m2/repository/org/apache/commons/commons-compress/1.4.1/commons-compress-1.4.1.jar
at <org.apache.avro.io.DirectBinaryDecoder: long readLong()> (org.apache.avro.io.DirectBinaryDecoder.java:[123]) in 
at <org.apache.avro.file.DataFileReader12: java.lang.Object next(java.lang.Object)> (org.apache.avro.file.DataFileReader12.java:[162, 165]) in 
at <org.apache.avro.file.DataFileReader12: java.lang.Object next()> (org.apache.avro.file.DataFileReader12.java:[145]) in 
at <org.apache.flume.channel.jdbc.impl.PersistableEvent$Builder: org.apache.flume.channel.jdbc.impl.PersistableEvent build()> (org.apache.flume.channel.jdbc.impl.PersistableEvent$Builder.java:[323]) in /detect/unzip/flume-trunk/flume-ng-channels/flume-jdbc-channel/target/classes

Dependency tree--

[INFO] org.apache.flume.flume-ng-channels:flume-jdbc-channel:jar:1.10.0-SNAPSHOT
[INFO] +- org.apache.flume:flume-ng-sdk:jar:1.10.0-SNAPSHOT:compile
[INFO] |  +- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |  |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |  +- com.thoughtworks.paranamer:paranamer:jar:2.3:compile
[INFO] |  |  +- org.xerial.snappy:snappy-java:jar:1.1.8.4:compile
[INFO] |  |  \- org.apache.commons:commons-compress:jar:1.4.1:compile
[INFO] |  |     \- org.tukaani:xz:jar:1.0:compile
[INFO] |  +- org.apache.avro:avro-ipc:jar:1.7.7:compile
[INFO] |  |  +- org.mortbay.jetty:jetty:jar:6.1.26:compile
[INFO] |  |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile
[INFO] |  |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |  |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  +- io.netty:netty:jar:3.10.6.Final:compile
[INFO] |  \- org.apache.thrift:libthrift:jar:0.14.1:compile
[INFO] |     +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] |     |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] |     +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.46:compile
[INFO] |     |  \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.46:compile
[INFO] |     \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] +- org.apache.flume:flume-ng-configuration:jar:1.10.0-SNAPSHOT:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  +- com.google.guava:guava:jar:11.0.2:compile
[INFO] |  |  \- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  \- org.apache.flume:flume-ng-config-filter-api:jar:1.10.0-SNAPSHOT:compile
[INFO] +- org.apache.flume:flume-ng-core:jar:1.10.0-SNAPSHOT:compile
[INFO] |  +- org.apache.flume:flume-ng-auth:jar:1.10.0-SNAPSHOT:compile
[INFO] |  +- commons-io:commons-io:jar:2.1:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.8:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.5:compile
[INFO] |  +- joda-time:joda-time:jar:2.9.9:compile
[INFO] |  +- org.eclipse.jetty:jetty-servlet:jar:9.4.38.v20210224:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-security:jar:9.4.38.v20210224:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.38.v20210224:compile
[INFO] |  +- org.eclipse.jetty:jetty-util:jar:9.4.38.v20210224:compile
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.38.v20210224:compile
[INFO] |  |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-http:jar:9.4.38.v20210224:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-io:jar:9.4.38.v20210224:compile
[INFO] |  +- org.eclipse.jetty:jetty-jmx:jar:9.4.38.v20210224:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.2.2:compile
[INFO] |  \- org.apache.mina:mina-core:jar:2.0.4:compile
[INFO] +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] |  \- commons-pool:commons-pool:jar:1.5.4:compile
[INFO] +- org.apache.derby:derby:jar:10.14.1.0:compile

Suggested solutions:

Update dependency version

Thank you very much.
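The dependency tree above is Maven output, and commons-compress 1.4.1 arrives transitively through flume-ng-sdk -> avro 1.7.7, so "update dependency version" means overriding the transitive version rather than editing a direct dependency. The following is an added example of how that override is usually done in a Maven build; it is not code from the Flume project or from the issue author. It assumes the fragment goes into the parent pom of the multi-module build (so every module resolves the same version), that any release at or above 1.18 is outside the reported range [,1.18-RC1), and that 1.21 and the property name commons-compress.version are arbitrary choices:

```xml
<!-- Added example, not the Flume project's own pom.
     Assumptions: parent pom of the multi-module build, version 1.21 and the
     property name are arbitrary picks; any version >= 1.18 is outside the
     range reported in the issue ([,1.18-RC1)). -->
<properties>
  <commons-compress.version>1.21</commons-compress.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- dependencyManagement wins over the version declared by avro 1.7.7,
         so the transitive pull through flume-ng-sdk -> avro resolves to
         the pinned version in flume-jdbc-channel and every other module. -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>${commons-compress.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Two checks belong with the bump. First, confirm the override actually took effect in the module the issue names, for example with `mvn -pl flume-ng-channels/flume-jdbc-channel dependency:tree -Dincludes=org.apache.commons:commons-compress`, which should list a single commons-compress entry at the pinned version (the tree in the issue shows 1.4.1 under avro); Maven's nearest-wins resolution can otherwise leave a different version in another module. Second, avro 1.7.7 was built against commons-compress 1.4.1, so run the module's tests after the change to catch any API drift. Note also that the invocation path above reaches ArchiveInputStream.read() from Avro's DirectBinaryDecoder.readLong() through a plain InputStream call, which a static call-graph tool resolves to every InputStream subtype it sees; whether a ZipArchiveInputStream is ever the stream handed to the JDBC channel at runtime is worth confirming before ranking the finding.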
