
Dependency vulnerabilities #1518

Closed
Maccce opened this issue Dec 11, 2022 · 6 comments · Fixed by #2828 or #3007 · May be fixed by #1539

Comments

@Maccce

Maccce commented Dec 11, 2022

Maven reports 2 vulnerabilities for this application, Delta Core.

Both have been upgraded to newer versions without these vulnerabilities: Scala Library » 2.13.10 and JUnit » 4.13.2.

So I was wondering if there was a way to get these dependencies upgraded to remove the 2 vulnerabilities.

With best regards

Maccce

@scottsand-db
Collaborator

Hi @Maccce - would you be willing to make a PR to fix this?

@Maccce
Author

Maccce commented Dec 22, 2022

Hi @scottsand-db,

Yeah sure I'll spend some time on this during the Christmas break

With best regards

Maccce

@Maccce
Author

Maccce commented Dec 26, 2022

Hi, I have done some changes locally but can't push them to the repository. I get: fatal: unable to access 'https://github.com/delta-io/delta.git/': The requested URL returned error: 403. @scottsand-db Could I get write permissions so I can create a PR?
With best regards
Maccce

@scottsand-db
Collaborator

@Maccce You should clone with SSH, not HTTPS.

@mblanco-denodo

Hi! Are there any plans to address these vulnerabilities soon? I've seen PR #1539, which addresses the problem, but it's still in draft.

@felipepessoto
Contributor

@mblanco-denodo, @scottsand-db, @allisonport-db, please look at #2828 for fix

scottsand-db pushed a commit that referenced this issue May 1, 2024
#### Which Delta project/connector is this regarding?
- [X] Spark
- [X] Standalone
- [X] Flink
- [X] Kernel
- [ ] Other (fill in here)

## Description
We haven't updated some dependencies for a while, exposing us to
security risks.

This PR updates:
- Scala 2.12 to 2.12.18 (the same used by Spark 3.5 branch)
- Scala 2.13 to 2.13.13 (the same in Spark master branch).
[CVE-2022-36944](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36944)
- Update SBT to 1.9.9.
[CVE-2023-46122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46122)
- Update JUnit. Fix #1518 -
[CVE-2020-15250](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250)
- Update plugins: sbt-mima-plugin and sbt-scoverage

## How was this patch tested?
CI

## Does this PR introduce _any_ user-facing changes?
No

---------

Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
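The report that opened this issue ("Maven reports 2 vulnerabilities") and the fix above can be turned into a repeatable check. The following is an added example, not code from this issue or from the Delta project: it parses the resolved-dependency lines that `mvn dependency:list` prints, compares each artifact against a minimum version, and reads the sbt pin from project/build.properties. The minimum versions are the ones the PR above moves to and are used as floors ("at least what the project settled on"), not as exact advisory boundaries. The sample Maven output, the build.properties content and the artifact coordinates other than scala-library and junit are constructed for illustration.

```python
"""Audit resolved JVM dependencies against minimum versions.

Added example, not code from the issue or the Delta project. Minimum versions
are the ones the fix PR moves to; the sample inputs below are constructed.
"""
import re

# (group:artifact, version prefix the rule applies to, minimum version, note)
# Minimums are the versions named in PR #2828 on this page and are floors,
# not exact advisory boundaries.
RULES = [
    ("org.scala-lang:scala-library", "2.12.", "2.12.18", "Scala 2.12 line (Spark 3.5)"),
    ("org.scala-lang:scala-library", "2.13.", "2.13.13", "CVE-2022-36944"),
    ("junit:junit", "", "4.13.2", "CVE-2020-15250"),
]
SBT_MINIMUM = "1.9.9"  # CVE-2023-46122; sbt is pinned in project/build.properties

_SEP = re.compile(r"[.\-+_]")


def _tokens(version):
    # Numeric parts compare as integers; textual parts (beta, rc, SNAPSHOT)
    # get tag 0 so they sort below any number.
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in _SEP.split(version) if t]


def compare_versions(a, b):
    """Return -1, 0 or 1. Missing trailing parts count as 0, so
    4.13-beta-1 < 4.13 == 4.13.0 < 4.13.1."""
    ta, tb = _tokens(a), _tokens(b)
    width = max(len(ta), len(tb))
    ta += [(1, 0)] * (width - len(ta))
    tb += [(1, 0)] * (width - len(tb))
    return (ta > tb) - (ta < tb)


def parse_maven_dependency_list(text):
    """Parse `mvn dependency:list` output into (group:artifact, version) pairs.

    Resolved lines look like
        [INFO]    group:artifact:type[:classifier]:version:scope
    Everything else (plugin banners, blank lines) is ignored.
    """
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        if not line or " " in line:
            continue
        parts = line.split(":")
        if len(parts) not in (5, 6):
            continue
        deps.append((f"{parts[0]}:{parts[1]}", parts[-2]))
    return deps


def audit(deps, rules=RULES):
    """Return (group:artifact, found, minimum, note) for every dependency
    that sits below the minimum of a matching rule."""
    findings = []
    for ga, version in deps:
        for rule_ga, prefix, minimum, note in rules:
            if (ga == rule_ga and version.startswith(prefix)
                    and compare_versions(version, minimum) < 0):
                findings.append((ga, version, minimum, note))
    return findings


def check_sbt_version(build_properties, minimum=SBT_MINIMUM):
    """Read sbt.version from project/build.properties; return (version, ok)."""
    match = re.search(r"^\s*sbt\.version\s*=\s*(\S+)", build_properties, re.M)
    if not match:
        return (None, False)
    version = match.group(1)
    return (version, compare_versions(version, minimum) >= 0)


# Constructed sample output, shaped like `mvn dependency:list` for a project
# that still resolves pre-fix versions of the artifacts discussed in the issue.
SAMPLE_MAVEN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.6.0:list (default-cli) @ example-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.scala-lang:scala-library:jar:2.13.8:compile
[INFO]    org.scala-lang.modules:scala-xml_2.13:jar:2.1.0:compile
[INFO]    junit:junit:jar:4.12:test
[INFO]    org.hamcrest:hamcrest-core:jar:1.3:test
"""
SAMPLE_BUILD_PROPERTIES = "sbt.version=1.9.2\n"  # constructed


if __name__ == "__main__":
    for ga, found, minimum, note in audit(parse_maven_dependency_list(SAMPLE_MAVEN_OUTPUT)):
        print(f"{ga} {found} < {minimum}  ({note})")
    sbt_version, ok = check_sbt_version(SAMPLE_BUILD_PROPERTIES)
    print(f"sbt {sbt_version}: {'ok' if ok else 'below ' + SBT_MINIMUM}")
```

The sbt version never appears in a Maven dependency listing because sbt is the build tool rather than a library of the artifact, which is why the pin in project/build.properties is read separately; the scala-library rules are keyed on the 2.12/2.13 prefix so a 2.12 artifact is not flagged against the 2.13 floor.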
scottsand-db pushed a commit to scottsand-db/delta that referenced this issue May 1, 2024

scottsand-db pushed a commit to scottsand-db/delta that referenced this issue May 1, 2024
scottsand-db added a commit that referenced this issue May 1, 2024
…ies (#3007)

Delta 3.2 cherry-pick of master commit
8eb3bb3 authored by @felipepessoto

#### Which Delta project/connector is this regarding?
- [X] Spark
- [X] Standalone
- [X] Flink
- [X] Kernel
- [ ] Other (fill in here)

## Description
We haven't updated some dependencies for a while, exposing us to
security risks.

This PR updates:
- Scala 2.12 to 2.12.18 (the same used by Spark 3.5 branch)
- Scala 2.13 to 2.13.13 (the same in Spark master branch).

[GHSA-8qv5-68g4-248j](https://github.com/advisories/GHSA-8qv5-68g4-248j) / [CVE-2022-36944](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36944)
- Update SBT to 1.9.9.

[GHSA-h9mw-grgx-2fhf](https://github.com/advisories/GHSA-h9mw-grgx-2fhf) / [CVE-2023-46122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46122)
- Update JUnit. Fix #1518 -

[GHSA-269g-pwp5-87pp](https://github.com/advisories/GHSA-269g-pwp5-87pp) / [CVE-2020-15250](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250)
- Update plugins: sbt-mima-plugin and sbt-scoverage

## How was this patch tested?
CI

## Does this PR introduce _any_ user-facing changes?
No

Signed-off-by: Felipe Pessoto <fepessot@microsoft.com>
Co-authored-by: Felipe Pessoto <fepessot@microsoft.com>
4 participants