@derrickaw (Collaborator) commented May 6, 2025

Fixes CVE-2025-30065

./gradlew :sdks:java:io:expansion-service:dependencies --configuration runtimeClasspath | grep parquet-avro
[image: screenshot of the command's output, attached to the original comment]


@derrickaw derrickaw marked this pull request as ready for review May 6, 2025 17:40
github-actions bot (Contributor) commented May 7, 2025

Assigning reviewers. If you would like to opt out of this review, comment assign to next reviewer:

R: @ahmedabu98 for label java.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

github-actions bot (Contributor) commented

Reminder, please take a look at this pr: @ahmedabu98

github-actions bot (Contributor) commented

Assigning new set of reviewers because PR has gone too long without review. If you would like to opt out of this review, comment assign to next reviewer:

R: @robertwb for label java.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

resolutionStrategy.force 'org.apache.kafka:kafka-clients:3.9.0'

// Pin org.apache.parquet:parquet-avro to a non-vulnerable version compatible.
resolutionStrategy.force 'org.apache.parquet:parquet-avro:1.15.1'
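Review bot: the comment above the `parquet-avro` force line is incomplete ("a non-vulnerable version compatible" does not say compatible with what) and records neither why the pin exists nor when it can be dropped; suggest `// Pin org.apache.parquet:parquet-avro to 1.15.1 for CVE-2025-30065; remove once the dependency that pulls in the older version is upgraded.` Since `resolutionStrategy.force` silently overrides whatever the transitive graph requests, the `./gradlew :sdks:java:io:expansion-service:dependencies --configuration runtimeClasspath | grep parquet-avro` check from the description is the only signal that the pin is still needed, and the comment should point at it.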
Contributor

Do you know which dependenc(y|ies) currently cause parquet-avro to be installed? I'm in favor of the change, but it would be good for us to know this so that we can respond once the dependency is fixed. Once we figure out that dependency FOO is causing the lower version of parquet-avro to be installed, we should add a couple comments:

  1. A comment here mentioning that this can be removed once that dependency is upgraded and ./gradlew :sdks:java:io:expansion-service:dependencies --configuration runtimeClasspath | grep parquet-avro shows no entries
  2. A comment next to dependency FOO mentioning that this should be removed once that is upgraded to a version with a higher parquet-avro dependency.

Both should link to a tracking issue with context (e.g. like b287985 does)
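One way to answer the question of which direct dependency brings parquet-avro in, as an added example that is not part of this PR or of the Beam code base: a small Python script that parses the text tree printed by the `./gradlew ... :dependencies --configuration runtimeClasspath` command from the description and reports every path that resolves parquet-avro below the pinned 1.15.1. The sample tree and the coordinates org.example:foo-connector and org.example:bar-io are constructed for illustration.

```python
import re

TARGET = "org.apache.parquet:parquet-avro"
PINNED = (1, 15, 1)  # version this PR forces; anything resolved below it is suspect

# Constructed sample of `gradle dependencies` text output (not real Beam output).
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.kafka:kafka-clients:3.9.0
+--- org.example:foo-connector:2.1.0
|    +--- org.apache.parquet:parquet-avro:1.13.1 -> 1.14.0
|    \\--- org.slf4j:slf4j-api:1.7.36
\\--- org.example:bar-io:0.9.0
     \\--- org.apache.parquet:parquet-avro:1.14.0 (*)
"""
# Tree prefix (|, +, \, -, spaces), then the group:artifact:version token.
LINE_RE = re.compile(r"^([|+\\\- ]*)(\S+)")

def parse_version(v):
    """'1.15.1' -> (1, 15, 1); non-numeric parts such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.split(r"[.\-]", v) if p.isdigit())

def find_paths(tree_text, target=TARGET):
    """Return (path, declared, resolved) per occurrence of target; path runs from
    the direct dependency down to the target itself."""
    stack, results = [], []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(1) or ":" not in m.group(2):
            continue  # header and blank lines are not tree nodes
        prefix, coord = m.group(1), m.group(2)
        depth = len(prefix) // 5  # Gradle indents each level by 5 characters
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, coord))
        group_artifact, _, declared = coord.rpartition(":")
        if group_artifact != target:
            continue
        rest = line[m.end():].strip()  # e.g. "-> 1.14.0 (*)" after conflict resolution
        resolved = rest[2:].split()[0] if rest.startswith("->") else declared
        results.append(([c for _, c in stack], declared, resolved))
    return results

def vulnerable_paths(tree_text, pinned=PINNED):
    """Occurrences resolved below the pinned version, with the direct dependency
    (first path element) that brings each one in."""
    return [(path[0], path, resolved)
            for path, _, resolved in find_paths(tree_text)
            if parse_version(resolved) < pinned]
```

Run it on the real report by reading the command's output into `find_paths`; an empty `vulnerable_paths` result after the upstream dependency is upgraded is the condition under which the force line can be removed.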

Collaborator Author

Thanks. It's covered now by another PR - #35037

@derrickaw derrickaw closed this May 23, 2025
@derrickaw derrickaw deleted the fixAvroVulnerability branch May 23, 2025 19:19