Dependency vulnerabilities #1518
Maven reports 2 vulnerabilities for this application (Delta Core).
Both have upgraded to newer versions without these vulnerabilities: Scala Library » 2.13.10 and JUnit » 4.13.2.
So I was wondering if there was a way to get these dependencies upgraded to remove the 2 vulnerabilities.
With best regards
Maccce

Comments

Hi @Maccce - would you be willing to make a PR to fix this?

Hi @scottsand-db, yeah sure, I'll spend some time on this during the Christmas break.
With best regards
Maccce

Hi, I have done some changes locally but can't push them to the repository. I get `fatal: unable to access 'https://github.com/delta-io/delta.git/': The requested URL returned error: 403`. @scottsand-db Could I get write permissions so I can create a PR?

@Maccce You should clone with ssh, not https.

Hi! Are there any plans to address these vulnerabilities soon? I've seen this PR #1539 that addresses the problem, but it's still in draft.

@mblanco-denodo, @scottsand-db, @allisonport-db, please look at #2828 for the fix.

Referenced commits

#### Which Delta project/connector is this regarding?
- [X] Spark
- [X] Standalone
- [X] Flink
- [X] Kernel
- [ ] Other (fill in here)

## Description
We haven't updated some dependencies for a while, exposing us to security risks. This PR updates:
- Scala 2.12 to 2.12.18 (the same used by Spark 3.5 branch)
- Scala 2.13 to 2.13.13 (the same in Spark master branch). [CVE-2022-36944](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36944)
- Update SBT to 1.9.9. [CVE-2023-46122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46122)
- Update JUnit. Fix #1518 - [CVE-2020-15250](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250)
- Update plugins: sbt-mima-plugin and sbt-scoverage

## How was this patch tested?
CI

## Does this PR introduce _any_ user-facing changes?
No

Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>

…ies (#3007)

Delta 3.2 cherry-pick of master commit 8eb3bb3 authored by @felipepessoto

## Description
We haven't updated some dependencies for a while, exposing us to security risks. This PR updates:
- Scala 2.12 to 2.12.18 (the same used by Spark 3.5 branch)
- Scala 2.13 to 2.13.13 (the same in Spark master branch). [https://github.com/advisories/GHSA-8qv5-68g4-248j](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36944)
- Update SBT to 1.9.9. [https://github.com/advisories/GHSA-h9mw-grgx-2fhf](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46122)
- Update JUnit. Fix #1518 - [https://github.com/advisories/GHSA-269g-pwp5-87pp](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250)
- Update plugins: sbt-mima-plugin and sbt-scoverage

Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
Co-authored-by: Felipe Pessoto <fepessot@microsoft.com>
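As an added example (not code from the Delta project or from anyone in this thread), the following Python script checks a build against the versions the thread settled on: Scala 2.13.13, Scala 2.12.18 and sbt 1.9.9 from the fix PR, and JUnit 4.13.2 from the issue. It reads the text output of `mvn dependency:tree` (coordinates of the form `groupId:artifactId:packaging[:classifier]:version[:scope]`) and the `sbt.version` line of `project/build.properties`, since the sbt launcher is not a Maven dependency and never shows up in the tree. The sample tree and build.properties below are constructed for the demo; the artifacts and versions in them are made up. The thresholds are the versions the project adopted, taken from the thread, not the affected ranges from the CVE records, so a hit means "not yet at the version the fix moved to".

```python
"""Flag build dependencies still below the versions adopted in the thread above.

Added example, not Delta project code. Reads `mvn dependency:tree` text output
plus sbt's project/build.properties (the sbt launcher is not a Maven dependency).
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Targets taken from the thread: the fix PR moved Scala 2.13 to 2.13.13, Scala
# 2.12 to 2.12.18 and sbt to 1.9.9; the issue names JUnit 4.13.2 as the release
# Maven no longer flags. Key: (groupId, artifactId, major.minor line the target
# applies to, or None for any version).
TARGETS: Dict[Tuple[str, str, Optional[str]], Version] = {
    ("org.scala-lang", "scala-library", "2.13"): (2, 13, 13),  # CVE-2022-36944
    ("org.scala-lang", "scala-library", "2.12"): (2, 12, 18),  # parity with Spark 3.5
    ("junit", "junit", None): (4, 13, 2),                       # CVE-2020-15250
}
SBT_TARGET: Version = (1, 9, 9)                                 # CVE-2023-46122
MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_version(text: str) -> Version:
    """'2.13.10' -> (2, 13, 10); a trailing qualifier such as -SNAPSHOT is dropped.
    Int tuples compare numerically: (2, 13, 9) < (2, 13, 13), whereas the plain
    strings compare the other way round ('2.13.9' > '2.13.13')."""
    nums: List[int] = []
    for part in re.split(r"[.\-]", text.strip()):
        if not part.isdigit():
            break
        nums.append(int(part))
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(nums)


def fmt(version: Version) -> str:
    return ".".join(str(n) for n in version)


def parse_tree_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for a dependency:tree line, or None
    when the line carries no Maven coordinate (plugin banners, tree glyphs)."""
    for token in line.split():
        if token.count(":") < 3:
            continue
        parts = token.split(":")
        rest = parts[3:]                      # after groupId:artifactId:packaging
        if rest and rest[-1] in MAVEN_SCOPES:
            rest = rest[:-1]                  # drop the scope
        return parts[0], parts[1], rest[-1]   # a classifier, if any, precedes the version
    return None


def find_outdated(tree_text: str) -> List[Tuple[str, str, str]]:
    """(artifact, resolved version, required version) for every resolved
    dependency that is below its target."""
    findings: List[Tuple[str, str, str]] = []
    for line in tree_text.splitlines():
        coord = parse_tree_line(line)
        if coord is None:
            continue
        group, artifact, version = coord
        for (g, a, line_prefix), target in TARGETS.items():
            if (g, a) != (group, artifact):
                continue
            if line_prefix is not None and not version.startswith(line_prefix + "."):
                continue
            if parse_version(version) < target:
                findings.append((f"{group}:{artifact}", version, fmt(target)))
    return findings


def check_sbt_version(build_properties: str) -> Optional[Tuple[str, str]]:
    """(found, required) when project/build.properties pins sbt below the target,
    None when it is at or above it. Raises if the file has no sbt.version."""
    m = re.search(r"^\s*sbt\.version\s*=\s*(\S+)", build_properties, re.MULTILINE)
    if m is None:
        raise ValueError("no sbt.version in build.properties")
    found = m.group(1)
    return (found, fmt(SBT_TARGET)) if parse_version(found) < SBT_TARGET else None


# Constructed sample input; the artifacts and versions are made up for the demo.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ example-app ---
[INFO] com.example:example-app:jar:1.0.0
[INFO] +- io.delta:delta-core_2.13:jar:2.1.0:compile
[INFO] |  \\- org.scala-lang:scala-library:jar:2.13.5:compile
[INFO] +- org.apache.spark:spark-sql_2.13:jar:3.3.1:provided
[INFO] \\- junit:junit:jar:4.12:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""
SAMPLE_BUILD_PROPERTIES = "sbt.version=1.6.2\n"

if __name__ == "__main__":
    for artifact, found, required in find_outdated(SAMPLE_TREE):
        print(f"{artifact} {found} is below {required}")
    sbt = check_sbt_version(SAMPLE_BUILD_PROPERTIES)
    if sbt is not None:
        print(f"sbt {sbt[0]} is below {sbt[1]}")
```

On the sample input the check reports `scala-library 2.13.5` and `junit 4.12` from the tree and `sbt 1.6.2` from build.properties. The numeric tuple comparison is the part worth keeping: a string comparison would treat 2.13.9 as newer than 2.13.13 and silently pass the exact upgrade this thread is about. Only `org.scala-lang:scala-library` is matched, so `scala-reflect` and the `_2.13`-suffixed Spark and Delta artifacts are left alone; extend `TARGETS` if you want them covered.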