Fix vulnerabilities in transitive dependencies
morazow commented
Situation
There are several ZIP and TAR reading vulnerabilities in the commons-compress
dependency.
Error: Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit (default-cli) on project parquet-io-java: Detected 1 vulnerable components:
Error: org.apache.commons:commons-compress:jar:1.19:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-compress@1.19?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * [CVE-2021-36090] When reading a specially crafted ZIP archive, Compress can be made to allocate l... (7.5); https://ossindex.sonatype.org/vulnerability/68232267-bb25-4b04-8dec-caf7c11c7293?component-type=maven&component-name=org.apache.commons.commons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * [CVE-2021-35517] When reading a specially crafted TAR archive, Compress can be made to allocate l... (7.5); https://ossindex.sonatype.org/vulnerability/69b8043a-3002-48fa-9762-8f6040d83de1?component-type=maven&component-name=org.apache.commons.commons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * [CVE-2021-35515] When reading a specially crafted 7Z archive, the construction of the list of cod... (7.5); https://ossindex.sonatype.org/vulnerability/7a6a9dd2-67de-4e2a-b406-7aa4a4ce29cc?component-type=maven&component-name=org.apache.commons.commons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error: * [CVE-2021-35516] When reading a specially crafted 7Z archive, Compress can be made to allocate la... (7.5); https://ossindex.sonatype.org/vulnerability/8ea14e38-e6cc-48d9-bfe4-ec89f93596e7?component-type=maven&component-name=org.apache.commons.commons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Error:
Acceptance Criteria
- Excluded older version of dependency
- Added updated version
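The two acceptance criteria correspond to a standard Maven pattern: exclude commons-compress from whichever artifact pulls it in transitively, then declare the patched release directly. The pom fragment below is an added example, not the parquet-io-java pom; the artifact coordinates that drag in commons-compress and the patched commons-compress version are placeholders to be filled in from `mvn dependency:tree` and the ossindex report.

```xml
<!-- Constructed example, not the project's own pom.
     PLACEHOLDER_* values are assumptions: find the real parent artifact with
       mvn dependency:tree -Dincludes=org.apache.commons:commons-compress
     and take the patched commons-compress version from the advisory links
     listed in the ossindex audit output above. -->
<dependencies>
  <!-- Step 1: exclude the vulnerable transitive commons-compress 1.19 -->
  <dependency>
    <groupId>PLACEHOLDER_GROUP</groupId>
    <artifactId>PLACEHOLDER_ARTIFACT_PULLING_COMMONS_COMPRESS</artifactId>
    <version>PLACEHOLDER_VERSION</version>
    <exclusions>
      <exclusion>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Step 2: add the updated version as a direct dependency so the build
       resolves exactly one, patched, commons-compress -->
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-compress</artifactId>
    <version>PLACEHOLDER_PATCHED_COMMONS_COMPRESS_VERSION</version>
  </dependency>
</dependencies>
```

After the change, re-run `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` to confirm that 1.19 no longer appears anywhere in the tree, and re-run `mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:3.1.0:audit` to confirm the four CVEs above are no longer reported.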