Could you help upgrade the vulnerble dependency in rasterframes? #583
Labels
enhancement
New feature or request
Comments
|
Hey @HelenParr thanks for your report 👋 . We're definitely planning to upgrade Spark dependency, however Spark 3.1.x and Spark 3.2.1 are not binary and API compatible (apparently 3.2.0 and 3.2.1 are not binary compatible as well, see typelevel/frameless#605), which may also be a problem for some of our / users downstream projects. We'd also appreciate any help with the Spark dependency upgrade (that will most likely require the upgrade of the downstream libraries as well to match Spark 3.2.x deps, which is partially addressed by #582). However, we definitely plan to bump it up in one of the RF future releases. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, @metasim , @vpipkt , I'd like to report a vulnerable dependency in org.locationtech.rasterframes:rasterframes_2.12:0.10.1.
Issue Description
I noticed that org.locationtech.rasterframes:rasterframes_2.12:0.10.1 directly depends on org.apache.spark:spark-core_2.12:3.1.2 in the pom. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.1.2 sufferes from the vulnerability which the C library zstd(version:1.4.8) exposed: CVE-2021-24032.
Dependency Graph between Java and Shared Libraries
Suggested Vulnerability Patch Versions
org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library
zstdto the patch version 1.5.0.Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?
Thanks for your help~
Best regards,
Helen Parr
The text was updated successfully, but these errors were encountered: