Skip to content

Add CVEs for Hadoop3#12336

Merged
abhishekagarwal87 merged 2 commits intoapache:masterfrom
AmatyaAvadhanula:feature-add_CVEs_hadoop3
Jun 22, 2022
Merged

Add CVEs for Hadoop3#12336
abhishekagarwal87 merged 2 commits intoapache:masterfrom
AmatyaAvadhanula:feature-add_CVEs_hadoop3

Conversation

@AmatyaAvadhanula
Copy link
Contributor

@AmatyaAvadhanula AmatyaAvadhanula commented Mar 16, 2022
edited
Loading

Description

Add necessary CVEs for hadoop3

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

cryptoe
cryptoe reviewed Mar 16, 2022
View reviewed changes
owasp-dependency-check-suppressions.xml Outdated
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@.*$</packageUrl>
<cve>CVE-2018-11765</cve>
<cve>CVE-2020-9492</cve>
<cve>CVE-2021-31684</cve>
Copy link
Contributor

@cryptoe cryptoe Mar 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldnt this go in hadoop 3.3.1 section ?

Copy link
Contributor Author

@AmatyaAvadhanula AmatyaAvadhanula Mar 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, just noticed this as well

Copy link
Contributor Author

@AmatyaAvadhanula AmatyaAvadhanula Mar 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

cryptoe
cryptoe approved these changes Mar 16, 2022
View reviewed changes
Copy link
Contributor

@cryptoe cryptoe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

abhishekagarwal87
abhishekagarwal87 reviewed Mar 16, 2022
View reviewed changes
owasp-dependency-check-suppressions.xml
<notes><![CDATA[
file name: hadoop-*-3.3.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop\-.*@.*$</packageUrl>
Copy link
Contributor

@abhishekagarwal87 abhishekagarwal87 Mar 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this line removed?

Copy link
Contributor Author

@AmatyaAvadhanula AmatyaAvadhanula Mar 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the CVE was in a different package

@abhishekagarwal87 abhishekagarwal87 merged commit 6bcb778 into apache:master Jun 22, 2022
@abhishekagarwal87 abhishekagarwal87 added this to the 24.0.0 milestone Aug 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abhishekagarwal87 abhishekagarwal87 abhishekagarwal87 approved these changes

@cryptoe cryptoe cryptoe approved these changes

Assignees

No one assigned

Labels

Area - Dependencies Security

Projects

None yet

Milestone

24.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@AmatyaAvadhanula @abhishekagarwal87 @cryptoe @clintropolis