Dependencies cause CVEs in your execution path
CleWang opened this issue
Hello,
Your project uses some dependencies with CVEs. I found that the buggy methods of these CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. See below for more details:
Vulnerable Dependency: org.apache.hbase : hbase-client : 0.96.1.1-hadoop2

Call Chain to Buggy Methods:
File src/kundera-hbase/kundera-hbase/src/main/java/com/impetus/client/hbase/admin/HBaseDataHandler.java in your project calls some library methods which can reach the buggy method of CVE-2015-1836. The following are the called library methods and their call chains to the buggy method.
- One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(java.lang.String):
  org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(java.lang.String) -> org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(org.apache.hadoop.hbase.TableName) -> ... (12 methods in call chain are hidden) ... -> org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
- One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor):
  org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor) -> org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor,byte[][]) -> ... (12 methods in call chain are hidden) ... -> org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
- One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(java.lang.String):
  org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(java.lang.String) -> org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(org.apache.hadoop.hbase.TableName) -> ... (12 methods in call chain are hidden) ... -> org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
- One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(java.lang.String):
  org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(java.lang.String) -> org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(org.apache.hadoop.hbase.TableName) -> ... (12 methods in call chain are hidden) ... -> org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
- One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(byte[]):
  org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(byte[]) -> org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(org.apache.hadoop.hbase.TableName) -> ... (10 methods in call chain are hidden) ... -> org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
- One of the possible call chains of library method org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(java.lang.String):
  org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(java.lang.String) -> org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(org.apache.hadoop.hbase.TableName) -> ... (10 methods in call chain are hidden) ... -> org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
Update suggestion: version 0.99.0
0.99.0 is a safe version without CVEs. From 0.96.1.1-hadoop2 to 0.99.0, 14 of the APIs (called 45 times in your project) were modified.
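The kind of analysis behind this report is a reachability check over a call graph: starting from the project's own methods, walk caller-to-callee edges and see whether any path ends at the method the CVE fix touched. The following script is an added example (not code from the issue author, the Kundera project, or HBase) that performs that check with a breadth-first search. The call graph is constructed and heavily simplified: the method names echo the ones quoted above, but the edges, the `HBaseDataHandler.*` method names and the intermediate classes are assumptions made for illustration, not the real hbase-client 0.96.1.1 call graph.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional

# Constructed, simplified call graph: caller -> list of callees.
# Names mirror the issue; the edges are an illustration only (assumption),
# not the real HBase 0.96.1.1 call graph.
CALL_GRAPH: Dict[str, List[str]] = {
    # Hypothetical project methods (assumed names, not Kundera's real ones)
    "HBaseDataHandler.createTableIfNotExists": [
        "HBaseAdmin.tableExists(String)",
        "HBaseAdmin.createTable(HTableDescriptor)",
    ],
    "HBaseDataHandler.enableTable": ["HBaseAdmin.enableTable(String)"],
    "HBaseDataHandler.readData": ["HTable.get(Get)"],
    # Library methods (intermediate classes are assumed for the example)
    "HBaseAdmin.tableExists(String)": ["HBaseAdmin.tableExists(TableName)"],
    "HBaseAdmin.tableExists(TableName)": ["MetaReader.tableExists"],
    "MetaReader.tableExists": ["ZKUtil.isSecureZooKeeper(Configuration)"],
    "HBaseAdmin.createTable(HTableDescriptor)": [
        "HBaseAdmin.createTable(HTableDescriptor,byte[][])"
    ],
    "HBaseAdmin.createTable(HTableDescriptor,byte[][])": [
        "ZKTableReadOnly.isEnabledTable"
    ],
    "HBaseAdmin.enableTable(String)": ["HBaseAdmin.enableTable(TableName)"],
    "HBaseAdmin.enableTable(TableName)": ["ZKTableReadOnly.isEnabledTable"],
    "ZKTableReadOnly.isEnabledTable": ["ZKUtil.isSecureZooKeeper(Configuration)"],
    "HTable.get(Get)": ["RpcClient.call"],
    "RpcClient.call": [],
    "ZKUtil.isSecureZooKeeper(Configuration)": [],
}

# The method the CVE-2015-1836 fix touched, as named in the issue.
BUGGY_METHOD = "ZKUtil.isSecureZooKeeper(Configuration)"


def shortest_call_chain(graph: Dict[str, List[str]], start: str,
                        target: str) -> Optional[List[str]]:
    """BFS from `start`; return the shortest caller->callee chain that ends
    at `target`, or None when `target` is unreachable from `start`."""
    if start == target:
        return [start]
    parent: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee in parent:          # already visited; graphs may have cycles
                continue
            parent[callee] = node
            if callee == target:
                # Rebuild the path by walking parents back to `start`.
                chain = [callee]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            queue.append(callee)
    return None


def reachable_buggy_calls(graph: Dict[str, List[str]],
                          project_methods: Iterable[str],
                          buggy_method: str) -> Dict[str, List[str]]:
    """Map each project method that can reach `buggy_method` to the
    shortest chain proving it. Methods that cannot reach it are omitted."""
    hits: Dict[str, List[str]] = {}
    for method in project_methods:
        chain = shortest_call_chain(graph, method, buggy_method)
        if chain is not None:
            hits[method] = chain
    return hits


def format_chain(chain: List[str]) -> str:
    """Render a chain in the style used by the report above."""
    return " -> ".join(chain) + " [buggy method]"


if __name__ == "__main__":
    project = [m for m in CALL_GRAPH if m.startswith("HBaseDataHandler.")]
    for method, chain in reachable_buggy_calls(CALL_GRAPH, project, BUGGY_METHOD).items():
        print(f"{method}:\n  {format_chain(chain)}")
```

Two caveats apply to any such result. A static call graph over-approximates: edges through dynamic dispatch or reflection can produce chains that never execute, so a listed chain shows exposure to the vulnerable code, not that the vulnerable condition is actually triggered on that path. Conversely, a method missing from the graph (for example one only reached via a framework callback) gives a false "unreachable", so the absence of a chain is weaker evidence than the presence of one.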