Closed (opened by tomasAlabes, closed 2 years ago)
Update after 2.1.0.Final: resteasy vulnerabilities are still there, coming with org.keycloak:keycloak-admin-client:jar:14.0.0:compile. See dependency tree generated using
./mvnw -Pprod dependency:tree -DskipTests -pl serdes/avro-serde -Pkafkasql -Dscope=runtime
[INFO] ----------< io.apicurio:apicurio-registry-serdes-avro-serde >-----------
[INFO] Building apicurio-registry-serdes-avro-serde 2.1.0.Final
[INFO] --------------------------------[ jar ]---------------------------------
[WARNING] The POM for com.github.java-json-tools:jackson-coreutils:jar:2.0-SNAPSHOT is missing, no dependency information available
[INFO]
[INFO] --- maven-dependency-plugin:3.2.0:tree (default-cli) @ apicurio-registry-serdes-avro-serde ---
[INFO] io.apicurio:apicurio-registry-serdes-avro-serde:jar:2.1.0.Final
[INFO] +- io.apicurio:apicurio-registry-serde-common:jar:2.1.0.Final:compile
[INFO] | +- io.apicurio:apicurio-registry-client:jar:2.1.0.Final:compile
[INFO] | | \- io.apicurio:apicurio-registry-common:jar:2.1.0.Final:compile
[INFO] | | +- org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.1_spec:jar:2.0.1.Final:compile
[INFO] | | \- io.apicurio:apicurio-common-rest-client-auth:jar:0.0.5.Final:compile
[INFO] | | +- io.apicurio:apicurio-common-rest-client-util:jar:0.0.5.Final:compile
[INFO] | | +- io.apicurio:apicurio-common-rest-client-jdk:jar:0.0.5.Final:compile
[INFO] | | \- org.keycloak:keycloak-admin-client:jar:14.0.0:compile
[INFO] | | +- org.keycloak:keycloak-core:jar:12.0.4:compile
[INFO] | | +- org.keycloak:keycloak-common:jar:14.0.0:compile
[INFO] | | +- org.jboss.resteasy:resteasy-client:jar:4.5.9.Final:compile
[INFO] | | | +- org.jboss.resteasy:resteasy-client-api:jar:4.5.9.Final:compile
[INFO] | | | +- org.jboss.resteasy:resteasy-core-spi:jar:4.5.9.Final:compile
[INFO] | | | | +- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] | | | | +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] | | | | \- com.sun.activation:jakarta.activation:jar:1.2.1:compile
[INFO] | | | +- org.jboss.resteasy:resteasy-core:jar:4.5.9.Final:compile
[INFO] | | | | +- com.ibm.async:asyncutil:jar:0.1.0:compile
[INFO] | | | | \- io.smallrye.config:smallrye-config:jar:1.11.1:compile
[INFO] | | | | +- io.smallrye.common:smallrye-common-annotation:jar:1.5.0:compile
[INFO] | | | | +- io.smallrye.common:smallrye-common-expression:jar:1.5.0:compile
[INFO] | | | | | \- io.smallrye.common:smallrye-common-function:jar:1.5.0:compile
[INFO] | | | | +- io.smallrye.common:smallrye-common-constraint:jar:1.5.0:compile
[INFO] | | | | +- io.smallrye.common:smallrye-common-classloader:jar:1.5.0:compile
[INFO] | | | | \- io.smallrye.config:smallrye-config-common:jar:1.11.1:compile
[INFO] | | | +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] | | | +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | | | | +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
[INFO] | | | | \- commons-logging:commons-logging:jar:1.2:compile
[INFO] | | | +- commons-codec:commons-codec:jar:1.15:compile
[INFO] | | | \- commons-io:commons-io:jar:2.8.0:compile
[INFO] | | +- org.jboss.resteasy:resteasy-multipart-provider:jar:4.5.9.Final:compile
[INFO] | | | +- com.sun.mail:jakarta.mail:jar:1.6.4:compile
[INFO] | | | +- org.apache.james:apache-mime4j-dom:jar:0.8.3:compile
[INFO] | | | | \- org.apache.james:apache-mime4j-core:jar:0.8.3:compile
[INFO] | | | +- org.apache.james:apache-mime4j-storage:jar:0.8.3:compile
[INFO] | | | \- org.eclipse.microprofile.config:microprofile-config-api:jar:1.4:compile
[INFO] | | +- org.jboss.resteasy:resteasy-jackson2-provider:jar:4.5.9.Final:compile
[INFO] | | | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.12.1:compile
[INFO] | | | | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.12.1:compile
[INFO] | | | | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.1:compile
[INFO] | | | | \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] | | | \- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] | | | +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] | | | | \- com.github.java-json-tools:btf:jar:1.3:compile
[INFO] | | | \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO] | | | +- com.github.java-json-tools.jackson-coreutils:jackson-coreutils:jar:2.0:compile
[INFO] | | | \- com.github.java-json-tools.jackson-coreutils:jackson-coreutils-equivalence:jar:2.0:compile
[INFO] | | | \- com.google.guava:guava:jar:30.1-jre:runtime
[INFO] | | | +- com.google.guava:failureaccess:jar:1.0.1:runtime
[INFO] | | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:runtime
[INFO] | | | +- org.checkerframework:checker-qual:jar:2.5.2:runtime
[INFO] | | | +- com.google.errorprone:error_prone_annotations:jar:2.2.0:runtime
[INFO] | | | \- com.google.j2objc:j2objc-annotations:jar:1.3:runtime
[INFO] | | \- org.jboss.resteasy:resteasy-jaxb-provider:jar:4.5.9.Final:compile
[INFO] | | +- org.jboss.spec.javax.xml.bind:jboss-jaxb-api_2.3_spec:jar:2.0.0.Final:compile
[INFO] | | \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.3-b02:compile
[INFO] | | +- org.glassfish.jaxb:txw2:jar:2.3.3-b02:compile
[INFO] | | \- com.sun.istack:istack-commons-runtime:jar:3.0.10:compile
[INFO] | \- org.apache.kafka:kafka-clients:jar:2.7.0:compile
[INFO] | +- com.github.luben:zstd-jni:jar:1.4.5-6:compile
[INFO] | +- org.lz4:lz4-java:jar:1.7.1:compile
[INFO] | \- org.xerial.snappy:snappy-java:jar:1.1.7.7:compile
[INFO] \- org.apache.avro:avro:jar:1.10.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.12.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.1:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.1:compile
[INFO] +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.30:compile
@tomasAlabes we should be able to close this with 2.2.1.Final
Closing after verifying in 2.1.1.Final. Thanks!
Apicurio v2.1.0.RC1 (and before) is using resteasy libraries with version 4.5.9.Final, which have some vulnerabilities reported:
https://www.cvedetails.com/vulnerability-list/vendor_id-25/product_id-23627/Redhat-Resteasy.html
https://www.cvedetails.com/cve/CVE-2021-20293/
https://www.cvedetails.com/cve/CVE-2021-20289/
The dependency has to be upgraded to 4.6.0.Final. If quarkus gets updated to 2.x.x both #1807 and this will get updated to the non-vulnerable versions. Tried with quarkus 2.0.3.Final (2.2.1.Final is the latest). Dependencies taken from apicurio-registry-storage 2.1.0.RC1 with
mvn -Pprod dependency:list -DskipTests
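As an added example (not Apicurio, Keycloak or RESTEasy project code): a small Python script that reads the text output of `mvn dependency:tree`, reports every artifact under a groupId prefix whose version is below a chosen floor together with the chain of parents that pulls it in, and renders the `<dependencyManagement>` pin Maven would need to override that transitive version. The sample tree embedded in it is a constructed, trimmed copy of the tree posted above, re-indented the way Maven prints it (the page's copy has its spaces collapsed); the groupId prefix `org.jboss.resteasy` and the floor `4.6.0.Final` are the values from this issue, and the version comparison is a deliberately simplified numeric-prefix comparison rather than Maven's full ordering rules.

```python
"""Flag transitive artifacts below a minimum version in `mvn dependency:tree` output.

Added example for this issue, not Apicurio, Keycloak or RESTEasy code. It assumes
the default text output of maven-dependency-plugin's `tree` goal: each nesting
level is indented by exactly three characters ('|  ' or '   ') and each node
reads groupId:artifactId:type[:classifier]:version[:scope].
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a trimmed copy of the tree posted in this issue, re-indented
# the way Maven actually prints it (the page's copy has its spaces collapsed).
SAMPLE_TREE = r"""[INFO] io.apicurio:apicurio-registry-serdes-avro-serde:jar:2.1.0.Final
[INFO] +- io.apicurio:apicurio-registry-serde-common:jar:2.1.0.Final:compile
[INFO] |  +- io.apicurio:apicurio-registry-client:jar:2.1.0.Final:compile
[INFO] |  |  \- io.apicurio:apicurio-registry-common:jar:2.1.0.Final:compile
[INFO] |  |     \- io.apicurio:apicurio-common-rest-client-auth:jar:0.0.5.Final:compile
[INFO] |  |        \- org.keycloak:keycloak-admin-client:jar:14.0.0:compile
[INFO] |  |           +- org.jboss.resteasy:resteasy-client:jar:4.5.9.Final:compile
[INFO] |  |           |  \- org.jboss.resteasy:resteasy-core:jar:4.5.9.Final:compile
[INFO] |  |           \- org.jboss.resteasy:resteasy-multipart-provider:jar:4.5.9.Final:compile
[INFO] |  \- org.apache.kafka:kafka-clients:jar:2.7.0:compile
[INFO] \- org.apache.avro:avro:jar:1.10.2:compile
"""

# Root module line: a bare coordinate with no tree marker in front of it.
ROOT_RE = re.compile(r"^\[INFO\] ([^\s:]+(?::[^\s:]+){3,})\s*$")
# Child line: N three-character indent units, then '+- ' or '\- ', then the coordinate.
NODE_RE = re.compile(r"^\[INFO\] ((?:\|  |   )*)([+\\])- (\S+)(?: \(.*\))?\s*$")
SCOPES = {"compile", "runtime", "provided", "test", "system", "import"}


class Finding(NamedTuple):
    coordinate: str        # groupId:artifactId:version
    version: str
    path: Tuple[str, ...]  # ancestors from the root module down to the direct parent


def parse_coordinate(text: str) -> Tuple[str, str, str]:
    """Return (groupId, artifactId, version); the root module carries no scope."""
    parts = text.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a Maven coordinate: {text}")
    version = parts[-2] if parts[-1] in SCOPES else parts[-1]
    return parts[0], parts[1], version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version, e.g. '4.5.9.Final' -> (4, 5, 9).

    Assumption: enough to order the RESTEasy release trains compared in this
    issue; it is not Maven's ComparableVersion and ignores qualifiers entirely.
    """
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def find_below(tree_text: str, group_prefix: str, min_version: str) -> List[Finding]:
    """Every node whose groupId starts with group_prefix and whose version sorts
    below min_version, each with the ancestor chain that pulls it in."""
    floor = version_key(min_version)
    stack: List[str] = []  # ancestors of the node currently being read
    findings: List[Finding] = []
    for line in tree_text.splitlines():
        m_root, m_node = ROOT_RE.match(line), NODE_RE.match(line)
        if m_root:
            depth, coord_text = 0, m_root.group(1)
        elif m_node:
            depth, coord_text = len(m_node.group(1)) // 3 + 1, m_node.group(3)
        else:
            continue  # build banners, warnings, blank [INFO] lines
        group, artifact, version = parse_coordinate(coord_text)
        coord = f"{group}:{artifact}:{version}"
        del stack[depth:]  # unwind to this node's parent
        if group.startswith(group_prefix) and version_key(version) < floor:
            findings.append(Finding(coord, version, tuple(stack)))
        stack.append(coord)
    return findings


def dependency_management(findings: List[Finding], pin_to: str) -> str:
    """Render a <dependencyManagement> block pinning each flagged groupId:artifactId
    to pin_to, which makes Maven use that version for the transitive dependency
    regardless of what the intermediate artifact (here keycloak-admin-client) declares."""
    pinned: List[str] = []
    for f in findings:
        group, artifact, _ = f.coordinate.split(":")
        if f"{group}:{artifact}" not in pinned:
            pinned.append(f"{group}:{artifact}")
    entries = []
    for ga in pinned:
        group, artifact = ga.split(":")
        entries.append(
            "    <dependency>\n"
            f"      <groupId>{group}</groupId>\n"
            f"      <artifactId>{artifact}</artifactId>\n"
            f"      <version>{pin_to}</version>\n"
            "    </dependency>\n"
        )
    return ("<dependencyManagement>\n  <dependencies>\n" + "".join(entries)
            + "  </dependencies>\n</dependencyManagement>")


if __name__ == "__main__":
    hits = find_below(SAMPLE_TREE, "org.jboss.resteasy", "4.6.0.Final")
    for hit in hits:
        print(f"{hit.coordinate} is below 4.6.0.Final, via: " + " -> ".join(hit.path))
    print(dependency_management(hits, "4.6.0.Final"))
```

Run it against the real `./mvnw ... dependency:tree` output (the copy pasted in this thread has lost its indentation, so feed it the saved build log, not the page text). A `<dependencyManagement>` pin is a stopgap: it overrides the version keycloak-admin-client 14.0.0 was built against, so the client still has to be exercised at runtime after pinning, and the clean fix remains the Quarkus/Keycloak upgrade the thread points to.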