add apache tez package #29167

Merged
mritunjaysharma394 merged 10 commits into wolfi-dev:main from kranurag7:kr/add-tez
Sep 27, 2024

@kranurag7 kranurag7 commented Sep 23, 2024

Member

Fixes:

Related:

Pre-review Checklist

For new package PRs only

  • This PR is marked as fixing a pre-existing package request bug
    • Alternatively, the PR is marked as related to a pre-existing package request bug, such as a dependency
  • REQUIRED - The package is available under an OSI-approved or FSF-approved license
  • REQUIRED - The version of the package is still receiving security updates
  • This PR links to the upstream project's support policy (e.g. endoflife.date)

@kranurag7 kranurag7 assigned kranurag7 and unassigned kranurag7 Sep 24, 2024
@maxgio92 maxgio92 self-assigned this Sep 25, 2024
Comment thread tez.yaml Outdated
Comment thread tez/patches.yaml
@maxgio92 maxgio92 force-pushed the kr/add-tez branch 3 times, most recently from 27926c7 to 8cffbd1 Compare September 25, 2024 18:13
Comment thread tez.yaml
kranurag7 and others added 8 commits September 26, 2024 13:30
Signed-off-by: kranurag7 <81210977+kranurag7@users.noreply.github.com>
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
@maxgio92 maxgio92 marked this pull request as ready for review September 26, 2024 11:31
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>
Signed-off-by: Massimiliano Giovagnoli <massimiliano.giovagnoli@chainguard.dev>

@mritunjaysharma394 mritunjaysharma394 left a comment

Contributor

@maxgio92 to later update advisories as the CVEs come from shaded jars

@mritunjaysharma394 mritunjaysharma394 merged commit b1111a9 into wolfi-dev:main Sep 27, 2024
@maxgio92

Member

Note: the remaining filed vulnerabilities are from transitive and shaded dependencies. Details below.

Findings with related match in the dependency tree
├── 📄 /usr/share/java/tez-0.10.4/lib/bcprov-jdk15on-1.70.jar
│       📦 bcprov-jdk15on 1.70 (java-archive)
│           Medium CVE-2024-29857 GHSA-8xfc-gm6g-vgpv fixed in 1.78
│           Medium CVE-2023-33201 GHSA-hr8g-6v94-x4m9
│           Medium CVE-2024-30172 GHSA-m44j-cfrm-g8qc fixed in 1.78
│           Medium CVE-2024-30171 GHSA-v435-xc8x-wvr9 fixed in 1.78

[INFO] +- org.apache.hadoop:hadoop-yarn-server-web-proxy:jar:3.3.6:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.68:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/avro-1.9.2.jar
│       📦 avro 1.9.2 (java-archive)
│           High CVE-2023-39410 GHSA-rhrv-645h-fjfh fixed in 1.11.3

[INFO] \- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- org.apache.avro:avro:jar:1.7.7:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/commons-compress-1.24.0.jar
│       📦 commons-compress 1.24.0 (java-archive)
│           Medium CVE-2024-26308 GHSA-4265-ccf5-phj5 fixed in 1.26.0
│           High CVE-2024-25710 GHSA-4g9r-vxhx-9pgx fixed in 1.26.0

[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- org.apache.commons:commons-compress:jar:1.21:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/commons-configuration2-2.8.0.jar
│       📦 commons-configuration2 2.8.0 (java-archive)
│           Medium CVE-2024-29133 GHSA-9w38-p64v-xpmv fixed in 2.10.1
│           Medium CVE-2024-29131 GHSA-xjp4-hw94-mvp5 fixed in 2.10.1

[INFO] \- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- org.apache.commons:commons-configuration2:jar:2.8.0:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/dnsjava-3.4.0.jar
│       📦 dnsjava 3.4.0 (java-archive)
│           High CVE-2024-25638 GHSA-cfxw-4h78-h7fw fixed in 3.6.0

[INFO] \- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- dnsjava:dnsjava:jar:2.1.7:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/hadoop-shaded-protobuf_3_21-1.2.0.jar
│       📦 protobuf-java 3.21.12 (java-archive)
│           High CVE-2024-7254 GHSA-735f-pc8j-v9w8 fixed in 3.25.5

This is a Hadoop-shaded dependency.

[INFO] org.apache.tez:hadoop-shim:jar:0.10.4
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.apache.hadoop:hadoop-yarn-api:jar:3.3.6:compile
[INFO] |  +- org.apache.hadoop.thirdparty:hadoop-shaded-guava:jar:1.1.1:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.2.11:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.25.5:compile
[INFO] |  +- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7:jar:1.1.1:compile

[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO] |  +- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7:jar:1.1.1:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/jackson-mapper-asl-1.9.2.jar
│       📦 jackson-mapper-asl 1.9.2 (java-archive)
│           Critical CVE-2019-10202 GHSA-c27h-mcmw-48hv
│           High CVE-2019-10172 GHSA-r6j9-8759-g62w

[INFO] +- com.sun.jersey:jersey-json:jar:1.19:compile
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.2.3-1:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.2:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.2:compile

[INFO]    +- org.apache.avro:avro:jar:1.7.7:compile
[INFO]    |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/logback-classic-1.2.10.jar
│       📦 logback-classic 1.2.10 (java-archive)
│           High CVE-2023-6378 GHSA-vmq6-5m68-f53m fixed in 1.2.13

Not found in the dependency tree.

├── 📄 /usr/share/java/tez-0.10.4/lib/logback-core-1.2.10.jar
│       📦 logback-core 1.2.10 (java-archive)
│           High CVE-2023-6378 GHSA-vmq6-5m68-f53m fixed in 1.2.13

Not found in the dependency tree.

├── 📄 /usr/share/java/tez-0.10.4/lib/netty-codec-http-4.1.100.Final.jar
│       📦 netty-codec-http 4.1.100.Final (java-archive)
│           Medium CVE-2024-29025 GHSA-5jpm-x58v-624v fixed in 4.1.108.Final

[INFO] +- org.apache.hadoop:hadoop-hdfs:test-jar:tests:3.3.6:test
[INFO] |  +- io.netty:netty-all:jar:4.1.100.Final:compile
[INFO] |  |  +- io.netty:netty-codec-http:jar:4.1.100.Final:compile

[INFO] org.apache.tez:tez-runtime-library:jar:0.10.4
[INFO] +- io.netty:netty-all:jar:4.1.100.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.100.Final:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/nimbus-jose-jwt-9.31.jar
│       📦 nimbus-jose-jwt 9.31 (java-archive)
│           Medium CVE-2023-52428 GHSA-gvpg-vgmx-xg6w fixed in 9.37.2

[INFO]    +- org.apache.hadoop:hadoop-auth:jar:3.3.6:compile
[INFO]    |  +- com.nimbusds:nimbus-jose-jwt:jar:9.8.1:compile

├── 📄 /usr/share/java/tez-0.10.4/lib/protobuf-java-3.24.4.jar
│       📦 protobuf-java 3.24.4 (java-archive)
│           High CVE-2024-7254 GHSA-735f-pc8j-v9w8 fixed in 3.25.5

Fixed in this PR.

└── 📄 /usr/share/java/tez-0.10.4/lib/zookeeper-3.8.3.jar
        📦 zookeeper 3.8.3 (java-archive)
            Medium CVE-2024-23944 GHSA-r978-9m6m-6gm6 fixed in 3.8.4

[INFO] +- org.apache.hadoop:hadoop-auth:jar:3.3.6:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile

[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
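
An added example, not part of the comment above or of the wolfi-dev repository: one way to script the cross-check the comment does by hand, matching each scanned jar against `mvn dependency:tree` output to see which parent pulls it in and whether the shipped version matches. The sample input is assembled from lines in the comment, and the function names and status labels are this example's own.

```python
import re

# Sample input assembled from lines in the comment above; nesting everything
# under one root is this example's assumption, as are all function names.
SCAN = """zookeeper 3.8.3 (java-archive)
commons-configuration2 2.8.0 (java-archive)
logback-core 1.2.10 (java-archive)"""
TREE = r"""[INFO] org.apache.tez:hadoop-shim:jar:0.10.4
[INFO] +- org.apache.hadoop:hadoop-auth:jar:3.3.6:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
[INFO] \- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    +- org.apache.commons:commons-configuration2:jar:2.8.0:compile
[INFO]    \- org.apache.zookeeper:zookeeper:jar:3.6.3:compile"""

# "[INFO] ", then 3-character indent units, then an optional branch marker
LINE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?(\S+)$")

def parse_tree(text):
    """Yield (parent_chain, artifact, version) for every node in the tree."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        indent, marker, coord = m.groups()
        depth = len(indent) // 3 + (1 if marker else 0)
        parts = coord.split(":")
        # Root is group:artifact:type:version; children carry a trailing scope.
        version = parts[-2] if marker else parts[-1]
        del stack[depth:]          # drop siblings and deeper nodes
        yield list(stack), parts[1], version
        stack.append(coord)

def triage(scan_text, tree_text):
    """Map artifact -> (status, shipped_version, [(tree_version, parent)])."""
    declared = {}
    for chain, artifact, version in parse_tree(tree_text):
        parent = chain[-1].split(":")[1] if chain else None
        declared.setdefault(artifact, []).append((version, parent))
    report = {}
    for name, shipped in re.findall(r"(\S+) (\S+) \(java-archive\)", scan_text):
        hits = declared.get(name, [])
        if not hits:
            status = "not-in-tree"            # needs manual tracing
        elif all(v == shipped for v, _ in hits):
            status = "in-tree-same-version"
        else:
            status = "in-tree-version-differs"
        report[name] = (status, shipped, hits)
    return report
```
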

@kranurag7 kranurag7 deleted the kr/add-tez branch January 14, 2025 05:44
C0DE-X pushed a commit to C0DE-X/os that referenced this pull request Mar 2, 2026
Co-authored-by: staging-update-bot <staging-update-bot@chainguard.dev>

Export:  8b15923