RumbleDB/rumble

Dependency org.yaml:snakeyaml, leading to CVE problem

CVEDetect opened this issue · 0 comments

Hi, in /, there is a dependency org.yaml:snakeyaml:1.27 that calls the risk method.

CVE-2022-25857

The affected version range of this CVE is [0,1.31).

After further analysis, in this project the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 5

CVE Bug Invocation Path:
org.rumbledb.types.BuiltinTypesCatalogue: typeExists(org.rumbledb.context.Name)Z /download/apache-maven-3.6.3/repository_mount/org/apache/spark/spark-catalyst_2.12/3.2.2/spark-catalyst_2.12-3.2.2.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.github.rumbledb:rumbledb:jar:1.20.0
[INFO] +- org.apache.spark:spark-core_2.12:jar:3.2.2:provided
[INFO] |  +- org.apache.avro:avro:jar:1.10.2:provided
[INFO] |  |  \- org.apache.commons:commons-compress:jar:1.20:provided
[INFO] |  +- org.apache.avro:avro-mapred:jar:1.10.2:provided
[INFO] |  |  \- org.apache.avro:avro-ipc:jar:1.10.2:provided
[INFO] |  +- com.twitter:chill_2.12:jar:0.10.0:provided
[INFO] |  |  \- com.esotericsoftware:kryo-shaded:jar:4.0.2:provided
[INFO] |  +- com.twitter:chill-java:jar:0.10.0:provided
[INFO] |  +- org.apache.xbean:xbean-asm9-shaded:jar:4.20:provided
[INFO] |  +- org.apache.hadoop:hadoop-client-api:jar:3.3.1:provided
[INFO] |  +- org.apache.hadoop:hadoop-client-runtime:jar:3.3.1:provided
[INFO] |  |  \- org.apache.htrace:htrace-core4:jar:4.1.0-incubating:provided
[INFO] |  +- org.apache.spark:spark-launcher_2.12:jar:3.2.2:provided
[INFO] |  +- org.apache.spark:spark-kvstore_2.12:jar:3.2.2:provided
[INFO] |  |  +- org.fusesource.leveldbjni:leveldbjni-all:jar:1.8:provided
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.3:compile
[INFO] |  +- org.apache.spark:spark-network-common_2.12:jar:3.2.2:provided
[INFO] |  |  \- com.google.crypto.tink:tink:jar:1.6.0:provided
[INFO] |  |     \- com.google.code.gson:gson:jar:2.8.6:provided
[INFO] |  +- org.apache.spark:spark-network-shuffle_2.12:jar:3.2.2:provided
[INFO] |  +- org.apache.spark:spark-unsafe_2.12:jar:3.2.2:provided
[INFO] |  +- javax.activation:activation:jar:1.1.1:provided
[INFO] |  +- org.apache.curator:curator-recipes:jar:2.13.0:provided
[INFO] |  |  \- org.apache.curator:curator-framework:jar:2.13.0:provided
[INFO] |  |     \- org.apache.curator:curator-client:jar:2.13.0:provided
[INFO] |  |        \- com.google.guava:guava:jar:16.0.1:provided
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.2:provided
[INFO] |  |  +- commons-lang:commons-lang:jar:2.6:provided
[INFO] |  |  +- org.apache.zookeeper:zookeeper-jute:jar:3.6.2:provided
[INFO] |  |  \- org.apache.yetus:audience-annotations:jar:0.5.0:provided
[INFO] |  +- jakarta.servlet:jakarta.servlet-api:jar:4.0.3:provided
[INFO] |  +- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.4.1:provided
[INFO] |  +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.0:provided
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.30:provided
[INFO] |  +- org.slf4j:jul-to-slf4j:jar:1.7.30:provided
[INFO] |  +- org.slf4j:jcl-over-slf4j:jar:1.7.30:provided
[INFO] |  +- log4j:log4j:jar:1.2.17:provided
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.30:provided
[INFO] |  +- com.ning:compress-lzf:jar:1.0.3:provided
[INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.8.4:provided
[INFO] |  +- org.lz4:lz4-java:jar:1.7.1:provided
[INFO] |  +- com.github.luben:zstd-jni:jar:1.5.0-4:provided
[INFO] |  +- org.roaringbitmap:RoaringBitmap:jar:0.9.0:provided
[INFO] |  |  \- org.roaringbitmap:shims:jar:0.9.0:provided
[INFO] |  +- commons-net:commons-net:jar:3.1:provided
[INFO] |  +- org.scala-lang.modules:scala-xml_2.12:jar:1.2.0:provided
[INFO] |  +- org.scala-lang:scala-library:jar:2.12.15:compile
[INFO] |  +- org.scala-lang:scala-reflect:jar:2.12.15:provided
[INFO] |  +- org.json4s:json4s-jackson_2.12:jar:3.7.0-M11:provided
[INFO] |  |  \- org.json4s:json4s-core_2.12:jar:3.7.0-M11:provided
[INFO] |  |     +- org.json4s:json4s-ast_2.12:jar:3.7.0-M11:provided
[INFO] |  |     \- org.json4s:json4s-scalap_2.12:jar:3.7.0-M11:provided
[INFO] |  +- org.glassfish.jersey.core:jersey-client:jar:2.34:provided
[INFO] |  |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:provided
[INFO] |  |  \- org.glassfish.hk2.external:jakarta.inject:jar:2.6.1:provided
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.34:provided
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:provided
[INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.3:provided
[INFO] |  +- org.glassfish.jersey.core:jersey-server:jar:2.34:provided
[INFO] |  |  \- jakarta.validation:jakarta.validation-api:jar:2.0.2:provided
[INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet:jar:2.34:provided
[INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet-core:jar:2.34:provided
[INFO] |  +- org.glassfish.jersey.inject:jersey-hk2:jar:2.34:provided
[INFO] |  |  +- org.glassfish.hk2:hk2-locator:jar:2.6.1:provided
[INFO] |  |  |  +- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.6.1:provided
[INFO] |  |  |  +- org.glassfish.hk2:hk2-api:jar:2.6.1:provided
[INFO] |  |  |  \- org.glassfish.hk2:hk2-utils:jar:2.6.1:provided
[INFO] |  |  \- org.javassist:javassist:jar:3.25.0-GA:provided
[INFO] |  +- io.netty:netty-all:jar:4.1.68.Final:provided
[INFO] |  +- com.clearspring.analytics:stream:jar:2.9.6:provided
[INFO] |  +- io.dropwizard.metrics:metrics-core:jar:4.2.0:provided
[INFO] |  +- io.dropwizard.metrics:metrics-jvm:jar:4.2.0:provided
[INFO] |  +- io.dropwizard.metrics:metrics-json:jar:4.2.0:provided
[INFO] |  +- io.dropwizard.metrics:metrics-graphite:jar:4.2.0:provided
[INFO] |  +- io.dropwizard.metrics:metrics-jmx:jar:4.2.0:provided
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
[INFO] |  +- com.fasterxml.jackson.module:jackson-module-scala_2.12:jar:2.12.3:provided
[INFO] |  |  \- com.thoughtworks.paranamer:paranamer:jar:2.8:provided
[INFO] |  +- org.apache.ivy:ivy:jar:2.5.0:provided
[INFO] |  +- oro:oro:jar:2.0.8:provided
[INFO] |  +- net.razorvine:pyrolite:jar:4.30:provided
[INFO] |  +- net.sf.py4j:py4j:jar:0.10.9.5:provided
[INFO] |  +- org.apache.spark:spark-tags_2.12:jar:3.2.2:compile
[INFO] |  +- org.apache.commons:commons-crypto:jar:1.1.0:provided
[INFO] |  \- org.spark-project.spark:unused:jar:1.0.0:compile
[INFO] +- org.apache.spark:spark-sql_2.12:jar:3.2.2:provided
[INFO] |  +- org.rocksdb:rocksdbjni:jar:6.20.3:provided
[INFO] |  +- com.univocity:univocity-parsers:jar:2.9.1:provided
[INFO] |  +- org.apache.spark:spark-sketch_2.12:jar:3.2.2:provided
[INFO] |  +- org.apache.spark:spark-catalyst_2.12:jar:3.2.2:provided
[INFO] |  |  +- org.codehaus.janino:janino:jar:3.0.16:provided
[INFO] |  |  +- org.codehaus.janino:commons-compiler:jar:3.0.16:provided
[INFO] |  |  +- javax.xml.bind:jaxb-api:jar:2.2.11:provided
[INFO] |  |  +- org.apache.arrow:arrow-vector:jar:2.0.0:provided
[INFO] |  |  |  +- org.apache.arrow:arrow-format:jar:2.0.0:provided
[INFO] |  |  |  +- org.apache.arrow:arrow-memory-core:jar:2.0.0:provided
[INFO] |  |  |  \- com.google.flatbuffers:flatbuffers-java:jar:1.9.0:provided
[INFO] |  |  \- org.apache.arrow:arrow-memory-netty:jar:2.0.0:provided
[INFO] |  +- org.apache.orc:orc-core:jar:1.6.14:provided
[INFO] |  |  +- org.apache.orc:orc-shims:jar:1.6.14:provided
[INFO] |  |  +- com.google.protobuf:protobuf-java:jar:2.5.0:provided
[INFO] |  |  +- io.airlift:aircompressor:jar:0.21:provided
[INFO] |  |  +- org.jetbrains:annotations:jar:17.0.0:provided
[INFO] |  |  \- org.threeten:threeten-extra:jar:1.5.0:provided
[INFO] |  +- org.apache.orc:orc-mapreduce:jar:1.6.14:provided
[INFO] |  +- org.apache.hive:hive-storage-api:jar:2.7.2:provided
[INFO] |  +- org.apache.parquet:parquet-column:jar:1.12.2:provided
[INFO] |  |  +- org.apache.parquet:parquet-common:jar:1.12.2:provided
[INFO] |  |  \- org.apache.parquet:parquet-encoding:jar:1.12.2:provided
[INFO] |  \- org.apache.parquet:parquet-hadoop:jar:1.12.2:provided
[INFO] |     +- org.apache.parquet:parquet-format-structures:jar:1.12.2:provided
[INFO] |     \- org.apache.parquet:parquet-jackson:jar:1.12.2:provided
[INFO] +- org.apache.spark:spark-mllib_2.12:jar:3.2.2:provided
[INFO] |  +- org.scala-lang.modules:scala-parser-combinators_2.12:jar:1.1.2:provided
[INFO] |  +- org.apache.spark:spark-streaming_2.12:jar:3.2.2:provided
[INFO] |  +- org.apache.spark:spark-graphx_2.12:jar:3.2.2:provided
[INFO] |  |  \- net.sourceforge.f2j:arpack_combined_all:jar:0.1:provided
[INFO] |  +- org.apache.spark:spark-mllib-local_2.12:jar:3.2.2:provided
[INFO] |  +- org.scalanlp:breeze_2.12:jar:1.2:provided
[INFO] |  |  +- org.scalanlp:breeze-macros_2.12:jar:1.2:provided
[INFO] |  |  +- com.github.fommil.netlib:core:jar:1.1.2:provided
[INFO] |  |  +- net.sf.opencsv:opencsv:jar:2.3:provided
[INFO] |  |  +- com.github.wendykierp:JTransforms:jar:3.1:provided
[INFO] |  |  |  \- pl.edu.icm:JLargeArrays:jar:1.5:provided
[INFO] |  |  +- com.chuusai:shapeless_2.12:jar:2.3.3:provided
[INFO] |  |  |  \- org.typelevel:macro-compat_2.12:jar:1.1.1:provided
[INFO] |  |  +- org.typelevel:spire_2.12:jar:0.17.0:provided
[INFO] |  |  |  +- org.typelevel:spire-macros_2.12:jar:0.17.0:provided
[INFO] |  |  |  +- org.typelevel:spire-platform_2.12:jar:0.17.0:provided
[INFO] |  |  |  +- org.typelevel:spire-util_2.12:jar:0.17.0:provided
[INFO] |  |  |  \- org.typelevel:algebra_2.12:jar:2.0.1:provided
[INFO] |  |  |     \- org.typelevel:cats-kernel_2.12:jar:2.1.1:provided
[INFO] |  |  \- org.scala-lang.modules:scala-collection-compat_2.12:jar:2.1.1:provided
[INFO] |  +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.2:provided
[INFO] |  |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:provided
[INFO] |  |  \- com.sun.istack:istack-commons-runtime:jar:3.0.8:provided
[INFO] |  +- dev.ludovic.netlib:blas:jar:2.2.1:provided
[INFO] |  +- dev.ludovic.netlib:lapack:jar:2.2.1:provided
[INFO] |  \- dev.ludovic.netlib:arpack:jar:2.2.1:provided
[INFO] +- org.apache.hadoop:hadoop-aws:jar:3.3.1:provided
[INFO] |  +- com.amazonaws:aws-java-sdk-bundle:jar:1.11.901:provided
[INFO] |  \- org.wildfly.openssl:wildfly-openssl:jar:1.0.7.Final:provided
[INFO] +- org.apache.spark:spark-avro_2.12:jar:3.2.2:compile
[INFO] |  \- org.tukaani:xz:jar:1.8:compile
[INFO] +- org.antlr:antlr4-runtime:jar:4.8:compile
[INFO] +- org.jline:jline:jar:3.11.0:compile
[INFO] +- com.esotericsoftware:kryo:jar:4.0.2:compile
[INFO] |  +- com.esotericsoftware:reflectasm:jar:1.11.3:compile
[INFO] |  |  \- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] |  +- com.esotericsoftware:minlog:jar:1.3.0:compile
[INFO] |  \- org.objenesis:objenesis:jar:2.5.1:compile
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.apache.commons:commons-text:jar:1.6:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.9:compile
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.jgrapht:jgrapht-core:jar:1.4.0:compile
[INFO] |  \- org.jheaps:jheaps:jar:0.11:compile
[INFO] +- joda-time:joda-time:jar:2.10.6:compile
[INFO] \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.3:compile
[INFO]    +- org.yaml:snakeyaml:jar:1.27:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.12.3:compile

Suggested solutions:

Update dependency version

Thank you very much.