[Snyk] Fix for 37 vulnerabilities #16

Status: Open · wants to merge 1 commit into base: master

Conversation

snyk-bot

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • data/input/raw/data/2018/TRECIS2018/Baselines/NotebookTest/ASP/target/classes/META-INF/maven/org.trecis/ASP/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Snyk ID | Upgrade | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|---|
| high | 624/1000 (Has a fix available, CVSS 8.2) | XML External Entity (XXE) Injection | SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 811/1000 (Proof of Concept exploit, Has a fix available, CVSS 9.8) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | Proof of Concept |
| high | 811/1000 (Proof of Concept exploit, Has a fix available, CVSS 9.8) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | Proof of Concept |
| high | 704/1000 (Has a fix available, CVSS 9.8) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 704/1000 (Has a fix available, CVSS 9.8) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 876/1000 (Mature exploit, Has a fix available, CVSS 9.8) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | Mature |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 704/1000 (Has a fix available, CVSS 9.8) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 704/1000 (Has a fix available, CVSS 9.8) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 811/1000 (Proof of Concept exploit, Has a fix available, CVSS 9.8) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | Proof of Concept |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 630/1000 (Has a fix available, CVSS 8.1) | Deserialization of Untrusted Data | SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| medium | 489/1000 (Has a fix available, CVSS 5.5) | Information Disclosure | SNYK-JAVA-COMGOOGLEGUAVA-1015415 | | No | No Known Exploit |
| medium | 509/1000 (Has a fix available, CVSS 5.9) | Deserialization of Untrusted Data | SNYK-JAVA-COMGOOGLEGUAVA-32236 | | No | No Known Exploit |
| high | 654/1000 (Has a fix available, CVSS 8.8) | Integer Overflow | SNYK-JAVA-COMGOOGLEPROTOBUF-173761 | | Yes | No Known Exploit |
| high | 589/1000 (Has a fix available, CVSS 7.5) | Information Exposure | SNYK-JAVA-IONETTY-30430 | | No | No Known Exploit |
| medium | 550/1000 (Has a fix available, CVSS 6.5) | HTTP Request Smuggling | SNYK-JAVA-IONETTY-473214 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 600/1000 (Has a fix available, CVSS 7.5) | HTTP Request Smuggling | SNYK-JAVA-IONETTY-559515 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 600/1000 (Has a fix available, CVSS 7.5) | HTTP Request Smuggling | SNYK-JAVA-IONETTY-559516 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| medium | 484/1000 (Has a fix available, CVSS 5.4) | Cross-site Scripting (XSS) | SNYK-JAVA-ORGAPACHESPARK-1298181 | org.apache.spark:spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| medium | 449/1000 (Has a fix available, CVSS 4.7) | Privilege Escalation | SNYK-JAVA-ORGAPACHESPARK-31695 | org.apache.spark:spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 704/1000 (Has a fix available, CVSS 9.8) | Remote Code Execution (RCE) | SNYK-JAVA-ORGAPACHESPARK-573164 | org.apache.spark:spark-core_2.11, spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| medium | 434/1000 (Has a fix available, CVSS 4.4) | Information Exposure | SNYK-JAVA-ORGAPACHESPARK-574943 | org.apache.spark:spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| high | 589/1000 (Has a fix available, CVSS 7.5) | Information Exposure | SNYK-JAVA-ORGAPACHESPARK-72494 | org.apache.spark:spark-mllib_2.11, spark-sql_2.11, spark-streaming_2.11: 2.2.0 -> 2.4.6 | No | No Known Exploit |
| medium | 536/1000 (Proof of Concept exploit, Has a fix available, CVSS 4.3) | Access Control Bypass | SNYK-JAVA-ORGAPACHEZOOKEEPER-174781 | | No | Proof of Concept |
| medium | 414/1000 (Has a fix available, CVSS 4) | Insufficiently Protected Credentials | SNYK-JAVA-ORGAPACHEZOOKEEPER-31035 | | No | No Known Exploit |
| high | 589/1000 (Has a fix available, CVSS 7.5) | Denial of Service (DoS) | SNYK-JAVA-ORGAPACHEZOOKEEPER-31428 | | No | No Known Exploit |
| high | 589/1000 (Has a fix available, CVSS 7.5) | Authentication Bypass | SNYK-JAVA-ORGAPACHEZOOKEEPER-32301 | | No | No Known Exploit |
| high | 589/1000 (Has a fix available, CVSS 7.5) | XML Entity Expansion | SNYK-JAVA-ORGGLASSFISHJERSEYMEDIA-595972 | | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade com.google.guava:guava@16.0.1 to com.google.guava:guava@30.0-android; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/apache/curator/apache-curator/2.6.0/apache-curator-2.6.0.pom
    • Could not upgrade com.google.protobuf:protobuf-java@2.5.0 to com.google.protobuf:protobuf-java@3.4.0; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/apache/hadoop/hadoop-project/2.6.5/hadoop-project-2.6.5.pom
    • Could not upgrade io.netty:netty@3.6.2.Final to io.netty:netty@3.9.8.Final; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/apache/hadoop/hadoop-project/2.6.5/hadoop-project-2.6.5.pom
    • Could not upgrade org.apache.zookeeper:zookeeper@3.4.6 to org.apache.zookeeper:zookeeper@3.4.14; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/apache/curator/apache-curator/2.6.0/apache-curator-2.6.0.pom
    • Could not upgrade org.glassfish.jersey.core:jersey-server@2.22.2 to org.glassfish.jersey.core:jersey-server@2.31; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/apache/spark/spark-core_2.11/2.2.0/spark-core_2.11-2.2.0.pom

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic
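
Two things in the PR body above deserve a reviewer's attention before merging. First, the only file it changes, `target/classes/META-INF/maven/org.trecis/ASP/pom.xml`, is the copy of the module pom that Maven writes into the build output at package time, so a change there does not alter what the next build resolves; the upgrade has to land in the module's source `pom.xml`. Second, the five upgrades Snyk reports as "managed externally" get their versions from upstream poms (hadoop-project 2.6.5, apache-curator 2.6.0, spark-core_2.11 2.2.0), so only a `<dependencyManagement>` entry in the project's own pom can override them, and the way to confirm the result is to look at what Maven actually resolves rather than at the pom text. The script below is an added example, not Snyk's or the project's code: it parses the text printed by `mvn dependency:tree` and flags any artifact still below the fixed versions named in this PR. The sample tree is constructed for the example, and the version ordering is a simplification of Maven's ComparableVersion that is sufficient for the versions listed here.

```python
"""Flag artifacts in `mvn dependency:tree` output that are still below the
versions this Snyk PR names as fixed.  Added example, not Snyk's or the
project's code."""
import re
import sys
from pathlib import Path

# Floor versions taken from the PR body: the Spark upgrade it applies and the
# five upgrades it reports it could not apply.
FIXED_VERSIONS = {
    "org.apache.spark:spark-core_2.11": "2.4.6",
    "org.apache.spark:spark-mllib_2.11": "2.4.6",
    "org.apache.spark:spark-sql_2.11": "2.4.6",
    "org.apache.spark:spark-streaming_2.11": "2.4.6",
    "com.google.guava:guava": "30.0-android",
    "com.google.protobuf:protobuf-java": "3.4.0",
    "io.netty:netty": "3.9.8.Final",
    "org.apache.zookeeper:zookeeper": "3.4.14",
    "org.glassfish.jersey.core:jersey-server": "2.31",
}

# One resolved node of the tree: optional "[INFO]" log prefix, the ASCII tree
# drawing, then groupId:artifactId:type[:classifier]:version:scope.
_NODE = re.compile(
    r"^(?:\[INFO\]\s*)?[|\s+\\-]*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)


def version_key(version):
    """Sort key for a simplified Maven version ordering.

    Numeric segments compare as integers and other segments as lower-cased
    text, so 3.9.8.Final > 3.6.2.Final, 2.31 > 2.22.2 and 30.0-android >
    16.0.1; trailing zero segments are dropped so 2.4 == 2.4.0.  Qualifier
    ordering (alpha < beta < release) is NOT modelled, so treat results for
    pre-release versions with care.
    """
    key = [(0, int(p)) if p.isdigit() else (1, p.lower())
           for p in re.split(r"[.\-]", version)]
    while key and key[-1] == (0, 0):
        key.pop()
    return key


def find_outdated(tree_text, floors=FIXED_VERSIONS):
    """Return {groupId:artifactId: (resolved, required)} for every node of the
    tree whose resolved version is below its floor.  Lines that are not
    resolved nodes (the root module, 'omitted for conflict' notes) are skipped.
    """
    outdated = {}
    for line in tree_text.splitlines():
        node = _NODE.match(line)
        if node is None:
            continue
        coordinate = f"{node['group']}:{node['artifact']}"
        required = floors.get(coordinate)
        if required is None:
            continue
        resolved = node["version"]
        if version_key(resolved) < version_key(required):
            outdated[coordinate] = (resolved, required)
    return outdated


def report(outdated):
    """Render the findings one per line, sorted by coordinate."""
    return [f"{coord}: resolved {resolved}, need >= {required}"
            for coord, (resolved, required) in sorted(outdated.items())]


# Constructed sample of `mvn dependency:tree` output for this example: the
# versions mirror the ones the PR body reports, the tree shape is illustrative.
SAMPLE_TREE = r"""
[INFO] org.trecis:ASP:jar:1.0
[INFO] +- org.apache.spark:spark-core_2.11:jar:2.2.0:compile
[INFO] |  +- org.apache.curator:curator-recipes:jar:2.6.0:compile
[INFO] |  |  +- org.apache.zookeeper:zookeeper:jar:3.4.6:compile
[INFO] |  |  \- com.google.guava:guava:jar:16.0.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-client:jar:2.6.5:compile
[INFO] |  |  +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  |  \- io.netty:netty:jar:3.6.2.Final:compile
[INFO] |  \- org.glassfish.jersey.core:jersey-server:jar:2.22.2:compile
[INFO] +- org.apache.spark:spark-sql_2.11:jar:2.4.6:compile
[INFO] \- junit:junit:jar:4.12:test
"""


if __name__ == "__main__":
    # Usage: mvn dependency:tree -DoutputFile=tree.txt && python check_tree.py tree.txt
    # Without an argument the constructed sample above is checked instead.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_TREE
    findings = find_outdated(text)
    print("\n".join(report(findings)) or "all listed artifacts at or above the fixed version")
    sys.exit(1 if findings else 0)
```

Run it after the upgrade has been applied to the source pom and any `<dependencyManagement>` overrides for the externally managed artifacts have been added; a non-zero exit means at least one of the coordinates in the PR's tables is still resolving below the version Snyk names as fixed, which is the case the edited `target/` copy of the pom cannot change.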

…arget/classes/META-INF/maven/org.trecis/ASP/pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-173761
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-30430
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-473214
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-559515
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-559516
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESPARK-1298181
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESPARK-31695
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESPARK-573164
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESPARK-574943
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESPARK-72494
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEZOOKEEPER-174781
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEZOOKEEPER-31035
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEZOOKEEPER-31428
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEZOOKEEPER-32301
- https://snyk.io/vuln/SNYK-JAVA-ORGGLASSFISHJERSEYMEDIA-595972