iancao / caoyx-rpc Goto Github PK
View Code? Open in Web Editor NEW基于Java语言开发的开源RPC服务框架,提供高性能,高可用的远程调用能力。
License: Apache License 2.0
基于Java语言开发的开源RPC服务框架,提供高性能,高可用的远程调用能力。
License: Apache License 2.0
增加如下四种rpc benchmark的对比
caoyxRpc / dubbo / grpc / thrift
Hi, @IanCao , I'd like to report a vulnerability issue in com.github.iancao:caoyx-rpc-core:1.0.0.
I noticed that com.github.iancao:caoyx-rpc-core:1.0.0 directly depends on org.lz4:lz4-java:1.6.0. As shown in the following dependency graph. However, org.lz4:lz4-java:1.6.0 sufferes from the vulnerability which the C library lz4(version:1.9.1) exposed, containing the following CVE: CVE-2019-17543.
Furthermore, the vulnerable methods in the vulnerable shared libraries can be actually invoked by Java code. For instance, the following LZ4-JNI interfaces(Java code): LZ4JNIFastDecompressor::decompress()
, LZ4JNISafeDecompressor::decompress()
, LZ4JNICompressor::compress()
can reach the vulnerable method(C code) LZ4_write32()
reported by CVE-2019-17543.
call chain----
LZ4JNISafeDecompressor::decompress() -> LZ4_decompress_safe() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNIFastDecompressor::decompress() -> LZ4_decompress_fast() -> LZ4_decompress_generic() -> LZ4_write32()
LZ4JNICompressor::compress() -> LZ4_compress_limitedOutput() -> LZ4_compress_default -> LZ4_compress_fast -> LZ4_compress_fast_extState() -> LZ4_compress_generic() -> LZ4_write32()
org.lz4:lz4-java:1.7.0 (>=1.7.0) has upgraded this vulnerable C library to the patch version.
Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade this vulnerable dependency?
Thanks for your help~
Best regards,
Helen Parr
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.