There is a vulnerability in Apache Commons Compress 1.15,upgrade recommended

[QiAnXinCodeSafe]

bookkeeper/pom.xml

Line 122 in 00622bc

<commons-compress.version>1.15</commons-compress.version>

CVE-2019-12402 CVE-2018-11771 CVE-2018-1324
Recommended upgrade version：
1.19

[fpj]

Thanks for reporting this issue. I would encourage reading the security guidelines of Apache before reporting such issues:

http://apache.org/security/

In particular, the discussion of vulnerabilities is encouraged to be private.

[Ghatage]

@fpj FWIW I think this is a bot account which reports vulnerabilities for Pulsar. I've seen and fixed a few of those in Pulsar.
However now I guess it's also looking at Bookkeeper.

I've opened a PR with the suggested changes but I think it'll take a few passes to get everything ready.

@sijie perhaps its worthwhile to look at the way this tool reports problems especially for Pulsar given its larger user base.

[sijie]

@Ghatage yeah. noted. we are thinking about integrating security scanning tools into release processes.