The known vulnerability in the shared library zstd which spark-state-tools depends on. #38
Description
Hi, @HeartSaVioR , @redsk , I'd like to report a vulnerable dependency in net.heartsavior.spark:spark-state-tools_2.12:0.5.0-spark-3.0.
Issue Description
I noticed that net.heartsavior.spark:spark-state-tools_2.12:0.5.0-spark-3.0 directly depends on org.apache.spark:spark-core_2.12:3.0.0 in the pom. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.0.0 sufferes from the vulnerability which the C library zstd(version:1.4.4) exposed: CVE-2021-24032.
Dependency Graph between Java and Shared Libraries
Suggested Vulnerability Patch Versions
org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library zstd to the patch version 1.5.0.
Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?
Thanks for your help~
Best regards,
Helen Parr