MLH-96 : (fix) solve all the vulnerabilities reported for metastore #4118

Open
wants to merge 17 commits into
base: master

sumandas0 commented Feb 5, 2025

https://atlanhq.atlassian.net/wiki/x/OYARJw

Type of change

  • Vulnerability fix (fixes vulnerabilities)
  • New feature (adds functionality)

Related issues

Fix vulnerabilities identified in the metastore packages to be remediated

Dependency upgrades

  • org.keycloak:keycloak-core 15.1.0 -> 26.1.0 [solves 60% of vulnerabilities]
  • org.yaml:snakeyaml 1.33 -> 2.0
  • com.google.guava:guava 29.0-jre -> 32.0.1-jre
  • org.eclipse.jetty:jetty-webapp 9.4.31.v20200723 -> 9.4.33.v20201020 [All Jetty components got upgraded to this version]
  • com.nimbusds:nimbus-jose-jwt 9.8.1 -> 9.37.2

Dependency removal

Removed these from the module and deleted all the file content of:

  • Docs module [Contributed to 3 critical vulnerabilities]
  • AtlasDashboardV3 - this is the new version of the Atlas UI, which no one uses anyway but which has npm vulnerabilities

Removed these unnecessary addons along with it

  • addons/hive-bridge-shim
  • addons/hive-bridge
  • addons/falcon-bridge-shim
  • addons/falcon-bridge
  • addons/sqoop-bridge-shim
  • addons/sqoop-bridge
  • addons/hbase-bridge-shim
  • addons/hbase-bridge
  • addons/hbase-testing-util
  • addons/kafka-bridge
  • addons/hdfs-model
  • addons/impala-hook-api
  • addons/impala-bridge-shim
  • addons/impala-bridge

Unable to upgrade

  • org.apache.hadoop:hadoop-common 3.3.6 -> 3.4.0 [Low severity and we don't use most of its functionality]
