Potential security vulnerability in the C library.
Hi @ghislainfourny, @CanBerker, I'd like to report a vulnerable dependency in com.github.rumbledb:spark-rumble.
Issue Description
I noticed that com.github.rumbledb:spark-rumble directly depends on org.apache.spark:spark-core_2.12:3.1.2 in the master branch. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.1.2 suffers from the vulnerability which the C library zstd (version: 1.4.8) exposed: CVE-2021-24032
Dependency Graph between Java and Shared Libraries

Suggested Vulnerability Patch Versions
org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library zstd to the patch version 1.5.0.
Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?
Thanks for your help~ Best regards, Helen Parr
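Added example (not part of the original post, and not RumbleDB or Spark code): one way to inventory the native libraries that ship inside a JAR, which is the blind spot the report describes for Java build tools. The sample JAR and the names `find_native_libs`, `build_sample_jar` and `libexamplecodec` are constructed for illustration.

```python
import io
import zipfile

# File suffixes that indicate a bundled native (non-JVM) library.
NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")


def find_native_libs(jar_bytes, prefix=""):
    """Return sorted paths of native libraries in a JAR, descending into nested JARs."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            base = lower.rsplit("/", 1)[-1]
            # Match plain suffixes and versioned ELF names such as libfoo.so.1
            if lower.endswith(NATIVE_SUFFIXES) or ".so." in base:
                found.append(prefix + name)
            elif lower.endswith((".jar", ".war")):
                # Fat/uber JARs embed dependency JARs; scan those too.
                try:
                    found += find_native_libs(jar.read(info), prefix + name + "!/")
                except zipfile.BadZipFile:
                    pass  # not a readable archive; nothing to inventory
    return sorted(found)


def build_sample_jar():
    """Constructed sample: an application JAR embedding a dependency JAR with a native library."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("com/example/Codec.class", b"\xca\xfe\xba\xbe")
        z.writestr("linux/amd64/libexamplecodec.so", b"\x7fELF placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("lib/example-codec-1.0.jar", inner.getvalue())
        z.writestr("native/examplecodec.dll", b"MZ placeholder")
    return outer.getvalue()


if __name__ == "__main__":
    for path in find_native_libs(build_sample_jar()):
        print(path)
```

Each path it returns is a binary whose upstream version has to be tracked separately from the Maven coordinates of the JAR that carries it.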
Dear Helen,
Thank you for reporting this issue.
We support all Spark minor versions: 3.0, 3.1 and 3.2.
If Spark 3.1.2 had an issue, I assume the Spark team took care of it in an update for this same minor version, as Spark 3.1 is available for download and officially supported.
Do you know if the vulnerability is solved in Spark 3.1.3? If so, we will simply do this minor increment.
Thank you and kind regards, Ghislain