Azure / azure-event-hubs-java

☁️ Java client library for Azure Event Hubs
https://azure.microsoft.com/services/event-hubs
MIT License

Vulnerability in dependency adapter-rxjava-2.4.0 #460

Closed chestert1 closed 5 years ago

chestert1 commented 5 years ago

Actual Behavior

  1. When running the Maven dependency check using the command mvn org.owasp:dependency-check-maven:check, I am getting a vulnerability because of adapter-rxjava-2.4.0, which contains a vulnerable dependency, Square Retrofit (CVE-2018-1000850).

Expected Behavior

  1. Adapter-rxjava should be version 2.5 and above and no vulnerabilities should be present.

Versions

Is this a known issue at all and is there a fix for it on the way?

JamesBirdsall commented 5 years ago

1) Does Maven give any indication of the dependency chain? That doesn't look like anything we should be depending on.

2) This repo is deprecated and the code is here for historical purposes only. Check https://github.com/Azure/azure-event-hubs-java/releases/tag/3.0.2 for links to our current code. Do you get the same issue there?

chestert1 commented 5 years ago

[INFO] |  +- com.microsoft.azure:azure-eventhubs:jar:3.0.1:compile
[INFO] |  |  +- org.apache.qpid:proton-j:jar:0.31.0:compile
[INFO] |  |  +- com.microsoft.azure:qpid-proton-j-extensions:jar:1.2.0:compile
[INFO] |  |  \- com.microsoft.azure:azure-client-authentication:jar:1.6.12:compile
[INFO] |  |     +- com.microsoft.azure:azure-client-runtime:jar:1.6.12:compile
[INFO] |  |     |  \- com.microsoft.rest:client-runtime:jar:1.6.12:compile
[INFO] |  |     |     +- com.squareup.retrofit2:retrofit:jar:2.5.0:compile
[INFO] |  |     |     +- com.squareup.okhttp3:okhttp:jar:3.12.2:compile
[INFO] |  |     |     |  \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] |  |     |     +- com.squareup.okhttp3:logging-interceptor:jar:3.12.2:compile
[INFO] |  |     |     +- com.squareup.okhttp3:okhttp-urlconnection:jar:3.12.2:compile
[INFO] |  |     |     +- com.squareup.retrofit2:converter-jackson:jar:2.5.0:compile
[INFO] |  |     |     +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.9.10:compile
[INFO] |  |     |     |  \- joda-time:joda-time:jar:2.10.4:compile
[INFO] |  |     |     \- com.squareup.retrofit2:adapter-rxjava:jar:2.4.0:compile

We will update to 3.0.2

chestert1 commented 5 years ago

@JamesBirdsall - this still shows up as a vulnerability even after updating to v3.0.2. See the dependency tree below:

[INFO] |  +- com.microsoft.azure:azure-eventhubs:jar:3.0.2:compile
[INFO] |  |  +- org.apache.qpid:proton-j:jar:0.31.0:compile
[INFO] |  |  +- com.microsoft.azure:qpid-proton-j-extensions:jar:1.2.0:compile
[INFO] |  |  \- com.microsoft.azure:azure-client-authentication:jar:1.6.12:compile
[INFO] |  |     +- com.microsoft.azure:azure-client-runtime:jar:1.6.12:compile
[INFO] |  |     |  \- com.microsoft.rest:client-runtime:jar:1.6.12:compile
[INFO] |  |     |     +- com.squareup.retrofit2:retrofit:jar:2.5.0:compile
[INFO] |  |     |     +- com.squareup.okhttp3:okhttp:jar:3.12.2:compile
[INFO] |  |     |     |  \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] |  |     |     +- com.squareup.okhttp3:logging-interceptor:jar:3.12.2:compile
[INFO] |  |     |     +- com.squareup.okhttp3:okhttp-urlconnection:jar:3.12.2:compile
[INFO] |  |     |     +- com.squareup.retrofit2:converter-jackson:jar:2.5.0:compile
[INFO] |  |     |     +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.9.10:compile
[INFO] |  |     |     |  \- joda-time:joda-time:jar:2.10.4:compile
[INFO] |  |     |     \- com.squareup.retrofit2:adapter-rxjava:jar:2.4.0:compile
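
The question raised earlier in this thread, whether Maven shows the chain that pulls in the flagged artifact, can be answered mechanically from the dependency tree above. The following script is an added example, not code from this issue, the Azure SDK, or OWASP dependency-check: it parses `mvn dependency:tree` output, tracks each artifact's ancestors from the tree's indentation, and reports every artifact whose version is below a minimum you supply, together with the chain from the top-level dependency down to it. The sample tree is the excerpt posted in this issue (versions unchanged); the `MINIMUMS` table is an assumption that encodes the expectation stated in the issue, namely that the retrofit2 artifacts should be at or above 2.5.0.

```python
import re

# Constructed sample: the dependency-tree excerpt posted in this issue,
# trimmed to the branch of interest. Raw string so the "\-" markers survive.
SAMPLE_TREE = r"""
[INFO] |  +- com.microsoft.azure:azure-eventhubs:jar:3.0.2:compile
[INFO] |  |  +- org.apache.qpid:proton-j:jar:0.31.0:compile
[INFO] |  |  +- com.microsoft.azure:qpid-proton-j-extensions:jar:1.2.0:compile
[INFO] |  |  \- com.microsoft.azure:azure-client-authentication:jar:1.6.12:compile
[INFO] |  |     +- com.microsoft.azure:azure-client-runtime:jar:1.6.12:compile
[INFO] |  |     |  \- com.microsoft.rest:client-runtime:jar:1.6.12:compile
[INFO] |  |     |     +- com.squareup.retrofit2:retrofit:jar:2.5.0:compile
[INFO] |  |     |     +- com.squareup.okhttp3:okhttp:jar:3.12.2:compile
[INFO] |  |     |     |  \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] |  |     |     +- com.squareup.retrofit2:converter-jackson:jar:2.5.0:compile
[INFO] |  |     |     \- com.squareup.retrofit2:adapter-rxjava:jar:2.4.0:compile
"""

# Assumed policy (not from the issue text verbatim): the issue expects the
# retrofit2 artifacts to be 2.5 or newer, so anything older is reported.
MINIMUMS = {
    "com.squareup.retrofit2:retrofit": "2.5.0",
    "com.squareup.retrofit2:adapter-rxjava": "2.5.0",
    "com.squareup.retrofit2:converter-jackson": "2.5.0",
}

# Maven draws the tree in 3-character columns: "|  ", "   ", "+- ", "\- ".
# The depth of a node is the number of columns before its coordinate.
TREE_LINE = re.compile(r"^((?:\|  |   )*)(\+- |\\- )?(\S+)\s*$")


def version_key(version):
    """Numeric tuple for comparing dotted versions; non-numeric suffixes are ignored."""
    key = []
    for segment in version.split("."):
        digits = re.match(r"\d+", segment)
        key.append(int(digits.group()) if digits else 0)
    while len(key) < 4:          # so "2.5" compares equal to "2.5.0"
        key.append(0)
    return tuple(key)


def parse_tree(text):
    """Yield (depth, group, artifact, version) for every artifact line in the tree."""
    nodes = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        match = TREE_LINE.match(line)
        if not match:
            continue                      # plugin banners, blank lines, etc.
        prefix, marker, coordinate = match.groups()
        parts = coordinate.split(":")     # group:artifact:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue
        version = parts[3] if len(parts) == 4 else parts[-2]
        depth = len(prefix) // 3 + (1 if marker else 0)
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def find_violations(text, minimums):
    """Return artifacts below their minimum version, each with its dependency chain."""
    by_depth = {}                         # depth -> "group:artifact:version" of the open branch
    violations = []
    for depth, group, artifact, version in parse_tree(text):
        for deeper in [d for d in by_depth if d >= depth]:
            del by_depth[deeper]          # a shallower node closes deeper branches
        label = f"{group}:{artifact}:{version}"
        by_depth[depth] = label
        required = minimums.get(f"{group}:{artifact}")
        if required and version_key(version) < version_key(required):
            chain = [by_depth[d] for d in sorted(by_depth) if d < depth] + [label]
            violations.append({"coordinate": label, "required": required, "chain": chain})
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_TREE, MINIMUMS):
        print(f"{v['coordinate']} is below {v['required']}; pulled in via:")
        print("  " + " -> ".join(v["chain"]))
```

Run against the excerpt, it reports adapter-rxjava 2.4.0 with the chain azure-eventhubs, azure-client-authentication, azure-client-runtime, client-runtime, adapter-rxjava, which is the path the maintainer later identifies. The same script works on a full `mvn dependency:tree` run over your own build, since it skips lines that are not artifact entries. Until a release of the library pulls in a newer azure-client-authentication, the usual consumer-side mitigation is a dependencyManagement entry in the consuming pom.xml that pins the flagged artifact to a version at or above 2.5.0; compatibility of the pinned version with the rest of the chain is yours to verify.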

JamesBirdsall commented 5 years ago

Thanks for the additional information! I have finally tracked this down, and jumping to a newer version of azure-client-authentication should fix the problem. I will get that in for the next release.

chestert1 commented 5 years ago

Thanks. Will look out for next release. Will close this issue so long.