
Could you help upgrade the vulnerable dependency in rasterframes?

Open HelenParr opened this issue 2 years ago • 1 comment

Hi, @metasim , @vpipkt , I'd like to report a vulnerable dependency in org.locationtech.rasterframes:rasterframes_2.12:0.10.1.

Issue Description

I noticed that org.locationtech.rasterframes:rasterframes_2.12:0.10.1 directly depends on org.apache.spark:spark-core_2.12:3.1.2 in the pom. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.1.2 suffers from the vulnerability exposed by the C library zstd (version 1.4.8): CVE-2021-24032.

Dependency Graph between Java and Shared Libraries

[image: dependency graph between the Java artifacts and the bundled shared library, not reproduced here]

Suggested Vulnerability Patch Versions

org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library zstd to the patch version 1.5.0.

Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~ Best regards, Helen Parr

HelenParr avatar Apr 14 '22 14:04 HelenParr
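The report's central point is that a Java build tool sees only Maven coordinates, not the C library shipped inside a JNI jar. The script below is an added example (not code from the issue or from the rasterframes project) showing one way a defender can close that gap: open each jar as a zip, list bundled native objects (`.so`, `.dll`, `.dylib`, `.jnilib`), read the artifact version from `META-INF/maven/**/pom.properties`, and compare it against a minimum patched version. The policy table, the `build_sample_jar` helper and the sample jar contents are constructed for this example; the table assumes that the JNI artifact's version encodes the bundled zstd version, which is an assumption about the packaging rather than something the issue states. The 1.4.8 / 1.5.0 boundary comes from the issue text.

```python
"""Enumerate native (C) libraries bundled inside Java jars and flag artifact
versions below a minimum patched version. Added example, not project code."""
import io
import re
import zipfile
from pathlib import Path

NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")

# Assumed policy table (constructed for this example, not from the issue):
# substring of the artifactId -> minimum version considered patched.
# The zstd entry encodes the issue's statement that zstd 1.4.8 is affected
# and 1.5.0 is patched; it assumes the JNI artifact version tracks the C
# library version.
MIN_SAFE_VERSION = {"zstd": (1, 5, 0)}


def parse_version(text):
    """'1.4.8-4' -> (1, 4, 8): keep only the first three numeric components."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts[:3])


def read_pom_properties(zf):
    """Return (artifactId, version) from META-INF/maven/**/pom.properties, if present."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            return props.get("artifactId"), props.get("version")
    return None, None


def audit_jar(jar_bytes):
    """Report native libraries bundled in one jar and whether its version is below policy."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        natives = [n for n in zf.namelist() if n.lower().endswith(NATIVE_SUFFIXES)]
        artifact, version = read_pom_properties(zf)
    finding = None
    if natives and artifact and version:
        for key, floor in MIN_SAFE_VERSION.items():
            if key in artifact.lower() and parse_version(version) < floor:
                floor_str = ".".join(str(n) for n in floor)
                finding = (f"{artifact} {version} bundles native code "
                           f"below patched version {floor_str}")
    return {"artifact": artifact, "version": version,
            "natives": natives, "finding": finding}


def audit_directory(root):
    """Audit every jar under root (e.g. a local Maven repository or a Spark jars/ dir)."""
    return {str(p): audit_jar(p.read_bytes()) for p in Path(root).rglob("*.jar")}


def build_sample_jar(artifact, version, native_name):
    """Constructed sample jar resembling a JNI binding: pom.properties plus a fake .so.
    The native entry is a placeholder byte string, not a real shared object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/maven/example/{artifact}/pom.properties",
                    f"artifactId={artifact}\nversion={version}\n")
        zf.writestr(native_name, b"\x7fELF-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed versions straddling the boundary the issue describes.
    for ver in ("1.4.8-4", "1.5.0-2"):
        report = audit_jar(build_sample_jar("zstd-jni", ver, "linux/amd64/libzstd-jni.so"))
        print(ver, report["natives"], report["finding"])
```

Pointing `audit_directory` at the `jars/` directory of a Spark distribution, or at a local Maven repository, gives an inventory of which artifacts carry native code at all, which is the list worth cross-checking against C-library advisories that the Java dependency scanners will not surface.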

Hey @HelenParr thanks for your report 👋 .

We're definitely planning to upgrade the Spark dependency; however, Spark 3.1.x and Spark 3.2.1 are not binary and API compatible (apparently 3.2.0 and 3.2.1 are not binary compatible either, see https://github.com/typelevel/frameless/issues/605), which may also be a problem for some of our / our users' downstream projects.

We'd also appreciate any help with the Spark dependency upgrade (that will most likely require the upgrade of the downstream libraries as well to match Spark 3.2.x deps, which is partially addressed by https://github.com/locationtech/rasterframes/pull/582).

However, we definitely plan to bump it up in one of the RF future releases.

pomadchin avatar Apr 14 '22 14:04 pomadchin