
Could you help upgrade the vulnerable dependency in spark-netflow?

Open · HelenParr opened this issue 2 years ago · 1 comment

Hi, @sadikovi , I'd like to report a vulnerable dependency in com.github.sadikovi:spark-netflow_2.12:2.1.0.

Issue Description

I noticed that com.github.sadikovi:spark-netflow_2.12:2.1.0 directly depends on org.apache.spark:spark-core_2.12:3.0.1 in the pom. However, as shown in the following dependency graph, org.apache.spark:spark-core_2.12:3.0.1 suffers from the vulnerability exposed by the C library zstd (version 1.4.4): CVE-2021-24032.

Dependency Graph between Java and Shared Libraries


Suggested Vulnerability Patch Versions

org.apache.spark:spark-core_2.12:3.2.0 (>=3.2.0) has upgraded this vulnerable C library zstd to the patch version 1.5.0.

Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects. Could you please upgrade this vulnerable dependency?

Thanks for your help~ Best regards, Helen Parr

HelenParr avatar Apr 15 '22 13:04 HelenParr
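Because Maven itself will not flag the native zstd bundled inside spark-core, a downstream project can at least check its own declared spark-core version against the minimum patched release named in this issue (3.2.0). The script below is an added example, not code from spark-netflow or its author: it parses a pom.xml (including `${property}` version references, which are common in Spark projects), and reports any spark-core dependency below 3.2.0. The two pom fragments are constructed samples, not the real spark-netflow pom.

```python
"""Flag spark-core dependencies in a pom.xml that predate the release
bundling the patched zstd (spark-core >= 3.2.0 per the issue above).
Added example; not part of spark-netflow."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# From the issue: spark-core 3.2.0 and later ship zstd 1.5.0, which fixes CVE-2021-24032.
MIN_PATCHED = "3.2.0"
GROUP = "org.apache.spark"
ARTIFACT_PREFIX = "spark-core_"  # matches spark-core_2.12, spark-core_2.13, ...

# Constructed sample poms (hypothetical; the real spark-netflow pom is not reproduced).
POM_VULNERABLE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spark.version>3.0.1</spark.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.spark</groupId>
      <artifactId>spark-core_2.12</artifactId>
      <version>${spark.version}</version>
    </dependency>
  </dependencies>
</project>"""
POM_PATCHED = POM_VULNERABLE.replace("3.0.1", "3.2.0")


def parse_version(text):
    """'3.2.0' -> (3, 2, 0); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def resolve(value, props):
    """Expand ${name} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_stale_spark_core(pom_text):
    """Return [(groupId:artifactId, version)] for spark-core entries below MIN_PATCHED.

    A dependency with no resolvable version (e.g. managed elsewhere) is reported
    as '<unresolved>' so it is not silently treated as safe.
    """
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    stale = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        version = resolve(raw, props)
        if group != GROUP or not artifact.startswith(ARTIFACT_PREFIX):
            continue
        # Unresolved or still-templated versions parse to () and are flagged.
        if parse_version(version) < parse_version(MIN_PATCHED):
            stale.append((f"{group}:{artifact}", version or "<unresolved>"))
    return stale


if __name__ == "__main__":
    for label, pom in (("vulnerable", POM_VULNERABLE), ("patched", POM_PATCHED)):
        print(label, find_stale_spark_core(pom))
```

Run it against a real pom by reading the file into `find_stale_spark_core`; an empty list means every declared spark-core artifact is at or above 3.2.0. This only covers versions declared in that pom, so a parent pom or `dependencyManagement` section still needs to be checked separately.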

Interesting, thanks for reporting. Would you like to open a PR to update the dependency? Otherwise, I will open one soon-ish to fix it.

sadikovi avatar Apr 16 '22 03:04 sadikovi