
security: add dependency overrides for vulnerable transitive deps

- Add commons-beanutils 1.11.0 (fixes CVE in 1.9.4)
- Add protobuf-java 3.25.5 (compatible with Spark/Hadoop ecosystem)
- Add nimbus-jose-jwt 9.37.2 (minimum secure version)
- Add snappy-java 1.1.10.4 (fixes compression vulnerabilities)
- Add dnsjava 3.6.0 (fixes DNS security issues)

All dependencies are pulled transitively from Hadoop/Spark:
- commons-beanutils: hadoop-common
- protobuf-java: hadoop-common
- nimbus-jose-jwt: hadoop-auth
- snappy-java: spark-core
- dnsjava: hadoop-common

Verified with mvn dependency:tree that overrides are applied correctly.
pull/7526/head
chrislu 4 weeks ago
parent
commit
e2e89b52b7
1 file changed: test/java/spark/pom.xml (33 additions)

@ -136,6 +136,11 @@
<artifactId>commons-io</artifactId>
<version>2.15.1</version>
</dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.11.0</version>
</dependency>
<!-- Guava - Fix CVEs -->
<dependency>
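Review bot: the new commons-beanutils entry in this hunk is the only override without the explanatory comment its neighbours carry (the `<!-- Guava - Fix CVEs -->` line directly below it); add a matching `<!-- Commons BeanUtils - Fix CVEs -->` above the `<dependency>` so the reason for the pin lives in the POM and not only in the commit message. It would also help to state in the PR whether this block sits under `<dependencies>` or `<dependencyManagement>`: as a plain `<dependency>` with an explicit `<version>` it becomes a direct dependency of the test module, which does win Maven's nearest-wins resolution against the 1.9.4 pulled in via hadoop-common, but it also keeps the artifact on the classpath even if a later Hadoop upgrade stops needing it, whereas a `<dependencyManagement>` entry only constrains the version when something still depends on it.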
@ -151,6 +156,34 @@
<version>2.2</version>
</dependency>
<!-- Protobuf - Fix CVEs -->
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
<version>3.25.5</version>
</dependency>
<!-- Nimbus JOSE JWT - Fix CVEs -->
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>9.37.2</version>
</dependency>
<!-- Snappy Java - Fix CVEs -->
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.4</version>
</dependency>
<!-- DNS Java - Fix CVEs -->
<dependency>
<groupId>dnsjava</groupId>
<artifactId>dnsjava</artifactId>
<version>3.6.0</version>
</dependency>
<!-- Jetty - Pin version for transitive dependencies from Spark/Hadoop -->
<dependency>
<groupId>org.eclipse.jetty</groupId>
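Review bot: `mvn dependency:tree`, the verification cited in the commit message, only shows which version Maven resolves, not that Spark and Hadoop still run against it; the protobuf-java 3.25.5 and snappy-java 1.1.10.4 pins in this hunk replace libraries that spark-core and hadoop-common load at runtime, so a binary-incompatible override would pass resolution and fail only when the Spark tests in this module execute. Please record a run of that test suite in the PR alongside the dependency:tree output. Separately, each `<!-- ... - Fix CVEs -->` comment should name the advisory it addresses (the commit message gives none either), so a future maintainer can tell when a pin has been superseded upstream and can be dropped.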
