Dependencies causes CVEs in your execution path

[CleWang]

Hello,
Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which makes your project at risk. I have suggested some version updates. See below for more details:

• Vulnerable Dependency: org.apache.hbase : hbase-client : 0.96.1.1-hadoop2

• Call Chain to Buggy Methods:

  • File src/kundera-hbase/kundera-hbase/src/main/java/com/impetus/client/hbase/admin/HBaseDataHandler.java in your project call some library methods, which can reach the buggy method of CVE-2015-1836. The following is the called library methods and their call chains to buggy method.

    • One of the possible call chain of library method org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(java.lang.String):

    org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(java.lang.String)
    org.apache.hadoop.hbase.client.HBaseAdmin.enableTable(org.apache.hadoop.hbase.TableName)
    ...
    (12 methods in call chain are hidden)
    ...
    org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
    

    • One of the possible call chain of library method org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor):

    org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor)
    org.apache.hadoop.hbase.client.HBaseAdmin.createTable(org.apache.hadoop.hbase.HTableDescriptor,byte[][])
    ...
    (12 methods in call chain are hidden)
    ...  org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
    

    • One of the possible call chain of library method org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(java.lang.String):

    org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(java.lang.String)
    org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(org.apache.hadoop.hbase.TableName)
    ...
    (12 methods in call chain are hidden)
    ...
    org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
    

    • One of the possible call chain of library method org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(java.lang.String):

    org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(java.lang.String)
    org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(org.apache.hadoop.hbase.TableName)
    ...
    (12 methods in call chain are hidden)
    ...
    org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
    

    • One of the possible call chain of library method org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(byte[]):

    org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(byte[])
    org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(org.apache.hadoop.hbase.TableName)
    ...
    (10 methods in call chain are hidden)
    ...
    org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
    

    • One of the possible call chain of library method org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(java.lang.String):

    org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(java.lang.String)
    org.apache.hadoop.hbase.client.HBaseAdmin.tableExists(org.apache.hadoop.hbase.TableName)
    ...
    (10 methods in call chain are hidden)
    ...
    org.apache.hadoop.hbase.zookeeper.ZKUtil.isSecureZooKeeper(org.apache.hadoop.conf.Configuration) [buggy method]
    

• Update suggestion: version 0.99.0
  0.99.0 is a safe version without CVEs. From 0.96.1.1-hadoop2 to 0.99.0, 14 of the APIs (called by 45 times in your project) were modified.