Dependencies causes CVEs in your execution path

[CleWang]

Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which makes your project at risk. I have suggested some version updates. Details are listed below:

• Vulnerable Dependency: org.apache.hadoop : hadoop-common : 2.6.3

• Call Chain to Buggy Methods:

  • Some files in your project call the library method org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration), which can reach the buggy method of CVE-2017-15713.

    • Files in your project:
      src/main/java/org/dataalgorithms/chap29/combinesmallfilesbyhadoop/CustomRecordReader.java, src/main/java/org/dataalgorithms/chap24/mapreduce/FastaRecordReader.java, src/main/java/org/dataalgorithms/chap24/mapreduce/FastaInputFormat.java
    • One of the possible call chain:

    org.apache.hadoop.fs.Path.getFileSystem(org.apache.hadoop.conf.Configuration)
    org.apache.hadoop.fs.FileSystem.get(java.net.URI,org.apache.hadoop.conf.Configuration)
    org.apache.hadoop.fs.FileSystem.getDefaultUri(org.apache.hadoop.conf.Configuration)
    org.apache.hadoop.conf.Configuration.get(java.lang.String,java.lang.String)
    org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
    

  • Some files in your project call the library method org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int), which can reach the buggy method of CVE-2017-15713.

    • Files in your project:
      src/main/java/org/dataalgorithms/chap05/mapreduce/RelativeFrequencyMapper.java(The rest of the 21 files is hidden)
    • One of the possible call chain:

    org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int)
    org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
    org.apache.hadoop.conf.Configuration.get(java.lang.String)
    org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
    

  • Some files in your project call the library method org.apache.hadoop.io.IOUtils.copyBytes(java.io.InputStream,java.io.OutputStream,org.apache.hadoop.conf.Configuration,boolean), which can reach the buggy method of CVE-2017-15713.

    • Files in your project:
      src/main/java/org/dataalgorithms/chap29/combinesmallfilesbybuckets/BucketThread.java
    • One of the possible call chain:

    org.apache.hadoop.io.IOUtils.copyBytes(java.io.InputStream,java.io.OutputStream,org.apache.hadoop.conf.Configuration,boolean)
    org.apache.hadoop.conf.Configuration.getInt(java.lang.String,int)
    org.apache.hadoop.conf.Configuration.getTrimmed(java.lang.String)
    org.apache.hadoop.conf.Configuration.get(java.lang.String)
    org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
    

  • Some files in your project call the library method org.apache.hadoop.io.SequenceFile.createWriter(org.apache.hadoop.fs.FileSystem,org.apache.hadoop.conf.Configuration,org.apache.hadoop.fs.Path,java.lang.Class,java.lang.Class), which can reach the buggy method of CVE-2017-15713.

    • Files in your project:
      src/main/java/org/dataalgorithms/util/SequenceFileWriterDemo.java, src/main/java/org/dataalgorithms/chap03/mapreduce/SequenceFileWriterForTopN.java
    • One of the possible call chain:

    org.apache.hadoop.io.SequenceFile.createWriter(org.apache.hadoop.fs.FileSystem,org.apache.hadoop.conf.Configuration,org.apache.hadoop.fs.Path,java.lang.Class,java.lang.Class)
    org.apache.hadoop.io.SequenceFile.createWriter(org.apache.hadoop.conf.Configuration,org.apache.hadoop.io.SequenceFile$Writer$Option[])
    org.apache.hadoop.io.SequenceFile.getDefaultCompressionType(org.apache.hadoop.conf.Configuration)
    org.apache.hadoop.conf.Configuration.get(java.lang.String)
    org.apache.hadoop.conf.Configuration.substituteVars(java.lang.String) [buggy method]
    

• Update suggestion: version 3.2.1
  3.2.1 is a safe version without CVEs. From 2.6.3 to 3.2.1, 17 of the APIs (called by 84 times in your project) were modified.