Apicurio / apicurio-registry

An API/Schema registry - stores APIs and Schemas.
https://www.apicur.io/registry/
Apache License 2.0

Security scan issues #2477

Closed ohadpinch closed 9 months ago

ohadpinch commented 2 years ago


These security issues were found while scanning 2.2.3.Final:

| Vulnerability | Description | Recommendation |
| --- | --- | --- |
| rhel:8 zlib CVE-2018-25032 | https://nvd.nist.gov/vuln/detail/CVE-2018-25032 | 0:1.2.11-18.el8_5 |
| github:java httpclient GHSA-7r82-7xv7-xcpj | https://nvd.nist.gov/vuln/detail/CVE-2020-13956 | 4.5.13 |
| github:java jackson-databind GHSA-57j2-w4cx-62h2 | https://nvd.nist.gov/vuln/detail/CVE-2020-36518 | 2.12.6.1 |
| github:java commons-io GHSA-gwrp-pvrq-jmwv | https://nvd.nist.gov/vuln/detail/CVE-2021-29425 | 2.7 |
| github:java jsoup GHSA-m72m-mhq2-9p6c | https://nvd.nist.gov/vuln/detail/CVE-2021-37714 | 1.14.2 |
| github:java netty-codec-http GHSA-wx5j-54mm-rqqq | https://nvd.nist.gov/vuln/detail/CVE-2021-43797 | 4.1.71.Final |
| rhel:8 java-11-openjdk CVE-2022-21426 | https://nvd.nist.gov/vuln/detail/CVE-2022-21426 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21426 | https://nvd.nist.gov/vuln/detail/CVE-2022-21426 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21426 | https://nvd.nist.gov/vuln/detail/CVE-2022-21426 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21434 | https://nvd.nist.gov/vuln/detail/CVE-2022-21434 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk CVE-2022-21434 | https://nvd.nist.gov/vuln/detail/CVE-2022-21434 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21434 | https://nvd.nist.gov/vuln/detail/CVE-2022-21434 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk CVE-2022-21443 | https://nvd.nist.gov/vuln/detail/CVE-2022-21443 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21443 | https://nvd.nist.gov/vuln/detail/CVE-2022-21443 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21443 | https://nvd.nist.gov/vuln/detail/CVE-2022-21443 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk CVE-2022-21476 | https://nvd.nist.gov/vuln/detail/CVE-2022-21476 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21476 | https://nvd.nist.gov/vuln/detail/CVE-2022-21476 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21476 | https://nvd.nist.gov/vuln/detail/CVE-2022-21476 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk CVE-2022-21496 | https://nvd.nist.gov/vuln/detail/CVE-2022-21496 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-devel CVE-2022-21496 | https://nvd.nist.gov/vuln/detail/CVE-2022-21496 | 1:11.0.15.0.9-2.el8_5 |
| rhel:8 java-11-openjdk-headless CVE-2022-21496 | https://nvd.nist.gov/vuln/detail/CVE-2022-21496 | 1:11.0.15.0.9-2.el8_5 |

EricWittmann commented 2 years ago

I suspect most of these will be fixed by upgrading Quarkus, which we should be doing shortly. CC @carlesarnal

tomasAlabes commented 2 years ago

What about this one? Found on: 2.2.3.Final. Couldn't find any reference in the release notes for the newer ones.

Issue Description: HIGH Vulnerability found in non-os package type (java) - /deployments/lib/com.ibm.async.asyncutil-0.1.0.jar:asyncutil (cvss_v3_base_score=7.8)(CVE-2021-43138 - https://nvd.nist.gov/vuln/detail/CVE-2021-43138)
Package path: /deployments/lib/com.ibm.async.asyncutil-0.1.0.jar:asyncutil
Severity: HIGH
CVSS_V3_Base_Score: 7.8
Advisory_Name: CVE-2021-43138
Advisory_Link: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Type: vulnerabilities(package)

tomasAlabes commented 2 years ago

@EricWittmann @carlesarnal any update on these findings?

EricWittmann commented 2 years ago

We are in the process of integrating security scanning into our normal process. @andreaTP thoughts?

andreaTP commented 2 years ago

I see two kind of issues reported here:

Before the next release we can:

EricWittmann commented 2 years ago

I agree with one caveat - when we productize registry we'll need to align to a RHBoQ (Red Hat Build of Quarkus). So we need to make sure we align upstream to the right version.

tomasAlabes commented 2 years ago

For 2.2.5.Final our systems pick up this vulnerability:

Issue Description: HIGH Vulnerability found in non-os package type (java) - /deployments/lib/io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.21.0.jar (cvss_v3_base_score=8.8)(CVE-2018-15529 - https://nvd.nist.gov/vuln/detail/CVE-2018-15529)
Package path: /deployments/lib/io.smallrye.reactive.smallrye-mutiny-vertx-web-2.21.0.jar
Severity: HIGH
CVSS_V3_Base_Score: 8.8
Advisory_Name: CVE-2018-15529
Advisory_Link: https://nvd.nist.gov/vuln/detail/CVE-2018-15529

andreaTP commented 2 years ago

@tomasAlabes can you share which code-scanning tool are you using?

tomasAlabes commented 2 years ago

Sorry, I was completely sure I answered this. This vulnerability in particular was found by Anchore. But we use several scanning tools.

tomasAlabes commented 2 years ago

It was found by Anchore (I don't have more info than that).


tomasAlabes commented 1 year ago

Found security issues in 2.3.1.Final:

ANCHORE:CVE-2022-42004+com.fasterxml.jackson.core.jackson-databind-2.13.3.jar

ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-runtime-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.mutiny-1.4.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-core-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-client-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-web-common-2.21.0.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-bridge-common-2.21.0.jar

ANCHORE:GHSA-h4h5-3hr4-j3g2+com.google.protobuf.protobuf-java-3.21.6.jar
ANCHORE:GHSA-rgv9-q543-rqg4+com.fasterxml.jackson.core.jackson-databind-2.13.3.jar

@andreaTP, is there a plan to tackle these?

EricWittmann commented 1 year ago

We released 2.4.0.Final recently (the container images failed to build but we are correcting that soon). These security issues should be addressed in that version. Most of them are inherited from Quarkus, which we have upgraded in the latest version.

tomasAlabes commented 1 year ago

Still seeing vulnerabilities in 2.4.1.Final:

ANCHORE: GHSA-9895-g6x5-xwcp - io.quarkus.quarkus-vertx-http-2.14.0.Final.jar:quarkus-vertx-http
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-core-2.27.0.jar
ANCHORE: GHSA-mjmj-j48q-9wg2 - org.yaml.snakeyaml-1.33.jar:snakeyaml
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-bridge-common-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-web-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-uri-template-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-web-client-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.mutiny-1.7.0.jar:mutiny
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-runtime-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.mutiny-1.7.0.jar:mutiny
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-uri-template-2.27.0.jar
ANCHORE: GHSA-fx2c-96vj-985v - io.netty.netty-codec-haproxy-4.1.82.Final.jar:netty-codec-haproxy
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-runtime-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-core-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-web-common-2.27.0.jar
ANCHORE: CVE-2022-3734 - io.smallrye.reactive.smallrye-mutiny-vertx-uri-template-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-web-client-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-web-common-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-web-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-bridge-common-2.27.0.jar
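The lists in this thread are raw scanner lines, and most of the volume is one advisory repeated across every jar of the same Mutiny/Vert.x release. A small triage script makes that visible before anyone opens an upgrade PR. The following is an added example, not code from the thread or from the apicurio-registry project: it parses the two ANCHORE line shapes that appear above (`ANCHORE:<advisory>+<jar>` and `ANCHORE: <advisory> - <jar>[:<package>]`), splits the jar name into artifact and version, and groups hits by advisory. The sample input is a constructed subset copied from the shapes reported in this issue; the line-shape regexes are my assumption about the scanner's output, not a documented Anchore format.

```python
"""Triage helper for Anchore-style finding lines as pasted in this thread (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines reported above, plus one non-finding header line.
SAMPLE_FINDINGS = """\
Still seeing vulnerabilities in 2.4.1.Final:
ANCHORE:CVE-2022-42004+com.fasterxml.jackson.core.jackson-databind-2.13.3.jar
ANCHORE:CVE-2018-15529+io.smallrye.reactive.smallrye-mutiny-vertx-runtime-2.21.0.jar
ANCHORE:GHSA-h4h5-3hr4-j3g2+com.google.protobuf.protobuf-java-3.21.6.jar
ANCHORE: GHSA-9895-g6x5-xwcp - io.quarkus.quarkus-vertx-http-2.14.0.Final.jar:quarkus-vertx-http
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-auth-common-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.smallrye-mutiny-vertx-core-2.27.0.jar
ANCHORE: CVE-2022-37832 - io.smallrye.reactive.smallrye-mutiny-vertx-core-2.27.0.jar
ANCHORE: CVE-2018-15529 - io.smallrye.reactive.mutiny-1.7.0.jar:mutiny
ANCHORE: GHSA-mjmj-j48q-9wg2 - org.yaml.snakeyaml-1.33.jar:snakeyaml
"""

# Assumed line shape (both variants seen in this issue): advisory id, '+' or '-', jar, optional ':package'.
FINDING_RE = re.compile(
    r"^ANCHORE:\s*"
    r"(?P<advisory>CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})"
    r"\s*[+-]\s*"
    r"(?P<jar>\S+?\.jar)"
    r"(?::(?P<package>\S+))?\s*$"
)

# Jar file name as laid out under /deployments/lib: <groupId>.<artifactId>-<version>.jar.
# The version is taken to start at the first '-' that is followed by a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d\S*)\.jar$")


def parse_finding(line):
    """Return a dict with advisory, jar, artifact, version, package; None if the line is not a finding."""
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    jar = m.group("jar")
    j = JAR_RE.match(jar)
    artifact, version = (j.group("artifact"), j.group("version")) if j else (jar, None)
    return {
        "advisory": m.group("advisory"),
        "jar": jar,
        "artifact": artifact,
        "version": version,
        "package": m.group("package"),
    }


def parse_report(text):
    """Parse every finding line of a pasted report; non-matching lines are skipped."""
    return [f for f in (parse_finding(line) for line in text.splitlines()) if f]


def group_by_advisory(findings):
    """Map advisory id -> sorted, de-duplicated list of (artifact, version) it was raised against."""
    groups = defaultdict(set)
    for f in findings:
        groups[f["advisory"]].add((f["artifact"], f["version"]))
    return {adv: sorted(pairs) for adv, pairs in groups.items()}


def upstream_versions(findings, advisory):
    """Distinct versions of the jars hit by one advisory; a single value means one bump covers every hit."""
    return sorted({f["version"] for f in findings if f["advisory"] == advisory and f["version"]})


def triage(text):
    """One row per advisory: (advisory, number of distinct jars hit, affected versions), most hits first."""
    findings = parse_report(text)
    groups = group_by_advisory(findings)
    rows = [(adv, len(pairs), upstream_versions(findings, adv)) for adv, pairs in groups.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for adv, hits, versions in triage(SAMPLE_FINDINGS):
        print(f"{adv:<22} {hits:>2} jar(s)  versions={','.join(versions)}")
```

Run against the sample, the script collapses nine scanner lines into six advisories and shows that the four CVE-2018-15529 hits span three Mutiny versions (1.7.0, 2.21.0, 2.27.0), which is the question a maintainer actually needs answered: which single upstream bump closes the most rows. It deliberately does not judge whether a version is fixed; for that, compare the version column against the scanner's own Recommendation column (as in the first table in this issue) or the advisory's fixed-in range.
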
tomasAlabes commented 1 year ago

Hi @EricWittmann, this is the number 1 reason why we're planning to drop Apicurio. Security should be a priority. I hope at least these vulnerabilities will be fixed soon. Thank you.

EricWittmann commented 1 year ago

I was working on this today actually. We struggle with this because we inherit a lot of our CVEs from Quarkus and our Docker base image. I've upgraded Quarkus to a newer patch version, which has resolved some of the CVEs. We can't always easily upgrade to the latest Quarkus minor release due to productization processes at Red Hat.

We'll keep working on getting better at this. Your criticism is fair.

carlesarnal commented 9 months ago

We're doing a much better job on this now, as can be seen in our security scanning both on GH and on Quay. Also, thanks to the introduction of LTS versions in Quarkus, we're in a much better position for the future as well. Closing this as a result.