Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix vulnerabilities CVE-2024-29131 & CVE-2024-29133 in org.apache.commons:commons-configuration2:jar:2.8.0:provided #222

Closed
kaklakariada opened this issue Mar 26, 2024 · 2 comments · Fixed by #224
Assignees
Labels
security Security related change

Comments

@kaklakariada
Copy link
Collaborator

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project spark-connector-jdbc_2.13: Detected 1 vulnerable components:
Error:    org.apache.commons:commons-configuration2:jar:2.8.0:provided; https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-configuration2@2.8.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2024-29131] CWE-787: Out-of-bounds Write (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-29131?component-type=maven&component-name=org.apache.commons%2Fcommons-configuration2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2024-29133] CWE-787: Out-of-bounds Write (6.3); https://ossindex.sonatype.org/vulnerability/CVE-2024-29133?component-type=maven&component-name=org.apache.commons%2Fcommons-configuration2&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:  
@kaklakariada kaklakariada added the security Security related change label Mar 26, 2024
@Shmuma Shmuma self-assigned this Apr 8, 2024
@Shmuma Shmuma mentioned this issue May 10, 2024
@Shmuma
Copy link
Collaborator

Shmuma commented May 13, 2024

spark-catalyst of spark 3.3 depends on codehaus.janino 3.0.16
but spark-connector-common-java brings janino 3.1.12 which breaks compatibility
Need to investigate how it happened

@Shmuma
Copy link
Collaborator

Shmuma commented May 13, 2024

now we have duplicate classes: mvn org.basepom.maven:duplicate-finder-maven-plugin:2.0.1:check -Pspark3.3

[WARNING] Found duplicate and different classes in [ch.qos.logback:logback-classic:1.2.13, org.apache.logging.log4j:log4j-slf4j-impl:2.17.2]:
[WARNING]   org.slf4j.impl.StaticLoggerBinder
[WARNING]   org.slf4j.impl.StaticMDCBinder
[WARNING]   org.slf4j.impl.StaticMarkerBinder
[WARNING] Found duplicate classes/resources in compile classpath.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security Security related change
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants