
CVEs in the execution path imported by dependencies

Open CleWang opened this issue 4 years ago • 0 comments

Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. See below for more details:

  • Vulnerable Dependency: org.apache.zookeeper : zookeeper : 3.4.6

  • Call Chain to Buggy Methods:

    • Some files in your project call the library method org.apache.zookeeper.server.quorum.QuorumPeer.start(), which can reach the buggy method of CVE-2018-8012.

      • Files in your project: d2-int-test/src/test/java/com/linkedin/d2/quorum/ZKPeer.java
      • One of the possible call chains:
        org.apache.zookeeper.server.quorum.QuorumPeer.start()
        org.apache.zookeeper.server.quorum.QuorumPeer.startLeaderElection()
        org.apache.zookeeper.server.quorum.QuorumPeer.createElectionAlgorithm(int)
        org.apache.zookeeper.server.quorum.AuthFastLeaderElection.<init>(org.apache.zookeeper.server.quorum.QuorumPeer)
        org.apache.zookeeper.server.quorum.AuthFastLeaderElection.starter(org.apache.zookeeper.server.quorum.QuorumPeer)
        org.apache.zookeeper.server.quorum.QuorumPeer.getVotingView() [buggy method]

  • Update suggestion: version 3.4.14. 3.4.14 is a safe version without CVEs. From 3.4.6 to 3.4.14, 11 of the APIs (called 30 times in your project) were modified.

CleWang · Mar 01 '20 15:03
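To show how a reachability finding like the one above can be reproduced and re-checked, here is an added Python example that is not part of the issue or of the rest.li project: it encodes the reported call chain as a small caller-to-callee graph and searches it from the project's call site for the buggy method. The graph, the CVE-to-method mapping and the call-site table are constructed from this issue alone, not extracted from ZooKeeper's real code.

```python
from collections import deque

# Package prefix and class names shared by every method in the reported chain.
Q = "org.apache.zookeeper.server.quorum."
PEER, AUTH = Q + "QuorumPeer", Q + "AuthFastLeaderElection"

# Caller -> callees, constructed from the call chain listed in this issue.
CALL_GRAPH = {
    PEER + ".start()": [PEER + ".startLeaderElection()"],
    PEER + ".startLeaderElection()": [PEER + ".createElectionAlgorithm(int)"],
    PEER + ".createElectionAlgorithm(int)": [AUTH + ".<init>(" + PEER + ")"],
    AUTH + ".<init>(" + PEER + ")": [AUTH + ".starter(" + PEER + ")"],
    AUTH + ".starter(" + PEER + ")": [PEER + ".getVotingView()"],
}
# Buggy method per CVE and the project file calling into the library, as named in the issue.
BUGGY_METHODS = {"CVE-2018-8012": {PEER + ".getVotingView()"}}
PROJECT_CALL_SITES = {
    "d2-int-test/src/test/java/com/linkedin/d2/quorum/ZKPeer.java": [PEER + ".start()"],
}

def find_chain(graph, entry, targets):
    """BFS from a library entry point; return the shortest caller->callee
    chain that ends in a buggy method, or None when none is reachable."""
    parent, queue = {entry: None}, deque([entry])
    while queue:
        node = queue.popleft()
        if node in targets:  # rebuild the path by walking parents back to entry
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for callee in graph.get(node, ()):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None

def reachable_cves(graph, call_sites, buggy_methods):
    """Map each CVE to the (project file, chain) pairs whose chain reaches it."""
    findings = {}
    for cve, targets in buggy_methods.items():
        for path, entries in call_sites.items():
            for entry in entries:
                chain = find_chain(graph, entry, targets)
                if chain:
                    findings.setdefault(cve, []).append((path, chain))
    return findings
```

Running `reachable_cves(CALL_GRAPH, PROJECT_CALL_SITES, BUGGY_METHODS)` returns the six-method chain from `QuorumPeer.start()` to `QuorumPeer.getVotingView()` for ZKPeer.java; after an upgrade, re-running it against a call graph of the new version is the check that the path is actually gone.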