Closed bhaghyaxmedia closed 2 years ago
post-svejk
commented
3 years ago I got this error too, when I was experimenting with upgrading versions of Oxalis's transitive dependencies (due to vulnerabilities in old libraries). The workaround was to stick to Oxalis's versions.
aaron-kumar
commented
3 years ago @post-svejk : can you provide list of libraries with vulnerabilities? We would like to upgrade them.
post-svejk
commented
3 years ago Sure: You can start with running maven-enforcer-plugin with Sonatype's BanVulnerable:
[WARNING] Rule 1: org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies failed with message:
Detected 3 vulnerable components:
com.google.guava:guava:jar:29.0-jre:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/guava@29.0-jre?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
* [CVE-2020-8908] A temp directory creation vulnerability exists in all versions of Guava, allowin... (3.3); https://ossindex.sonatype.org/vulnerability/8e973be2-4220-410d-a4cb-2de7a755bdbe?component-type=maven&component-name=com.google.guava.guava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
org.hibernate.validator:hibernate-validator:jar:6.2.0.Final:compile; https://ossindex.sonatype.org/component/pkg:maven/org.hibernate.validator/hibernate-validator@6.2.0.Final?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
* [CVE-2020-10693] A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the messag... (5.3); https://ossindex.sonatype.org/vulnerability/6360908f-637a-4214-a2e9-fd57263d84c9?component-type=maven&component-name=org.hibernate.validator.hibernate-validator&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
org.apache.cxf:cxf-core:jar:3.3.6:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.cxf/cxf-core@3.3.6?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
* [CVE-2021-22696] CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT tok... (7.5); https://ossindex.sonatype.org/vulnerability/58181fef-c312-4ff6-ad7e-57d34563e086?component-type=maven&component-name=org.apache.cxf.cxf-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
* [CVE-2021-30468] A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacke... (7.5); https://ossindex.sonatype.org/vulnerability/ac300245-a8d6-4627-a952-1b8a759020f9?component-type=maven&component-name=org.apache.cxf.cxf-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
* [CVE-2020-13954] By default, Apache CXF creates a /services page containing a listing of the avai... (6.1); https://ossindex.sonatype.org/vulnerability/4f0443dd-abe9-4e0f-a760-a56b0d86da1c?component-type=maven&component-name=org.apache.cxf.cxf-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[WARNING] Rule 6: org.apache.maven.plugins.enforcer.BannedDependencies failed with message:
Found Banned Dependency: javax.xml.stream:stax-api:jar:1.0-2
Use 'mvn dependency:tree' to locate the source of the banned dependencies.But there is way more. azure/container-scan (in our Github Actions pipeline) on the Docker image of a server process launching oxalis-inbound (almost identical to the official image on DockerHub) gave more than 20 errors, most of them related to Java libraries. We haven't enabled Dependabot yet on this repo, so that will probably also find some.
Problems discovered by azure/container-scan:
aaron-kumar
commented
3 years ago Thanks, we will start fixing them in upcoming version. We also have some list available from static code scanner and there are some vulnerability already reported by GitHub dependabot. Whatever you shared is matching that...
aaron-kumar
commented
2 years ago We already started working on security vulnerability fix as reported by GitHub dependabot, GitHub CodeQL code scanning and other SAST reported vulnerabilities. Some of vulnerability fix require Java upgrade. This will run as separate project soon. This is in response of @post-svejk your comment. Regarding @bhaghyaxmedia issue, can you let us know whether you are still facing this issue? For now, we are converting this topic to discussion. But if you can provide additional information to reproduce this problem then we can change this discussion back to issue (based on findings)
Unable to detect mode. when i try to deploy the app in apache tomcat
12:57:29.436 [http-nio-8080-exec-53] INFO n.d.o.c.security.CertificateModule - Certificate subject: C=SG, O=My Organization Name, OU=PEPPOL TEST AP, CN=PSG000*** 12:57:29.436 [http-nio-8080-exec-53] INFO n.d.o.c.security.CertificateModule - Certificate issuer: CN=PEPPOL ACCESS POINT TEST CA - G2, OU=FOR TEST ONLY, O=OpenPEPPOL AISBL, C=BE 12:57:29.888 [http-nio-8080-exec-53] ERROR n.d.o.c.guice.GuiceModuleLoader - Unable to detect mode. no.difi.oxalis.api.lang.OxalisLoadingException: Unable to detect mode. at no.difi.oxalis.commons.mode.ModeProvider.get(ModeProvider.java:74) at no.difi.oxalis.commons.mode.ModeProvider.get(ModeProvider.java:46) at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:85) at com.google.inject.internal.BoundProviderFactory.provision(BoundProviderFactory.java:77) at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:59) at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61) at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168) at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211) at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182) at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:109) at com.google.inject.Guice.createInjector(Guice.java:87) at com.google.inject.Guice.createInjector(Guice.java:69) at no.difi.oxalis.commons.guice.GuiceModuleLoader.initiate(GuiceModuleLoader.java:66) at no.difi.oxalis.inbound.OxalisGuiceContextListener.(OxalisGuiceContextListener.java:45)
at no.difi.oxalis.dist.war.WarServletContextListener.(WarServletContextListener.java:11)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:151)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4640)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5177)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.manager.ManagerServlet.start(ManagerServlet.java:1421)
at org.apache.catalina.manager.HTMLManagerServlet.start(HTMLManagerServlet.java:704)
at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:223)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:211)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:667)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
root@ubuntu-s-1vcpu-1gb-blr1-01:/# javac -version javac 1.8.0_272 root@ubuntu-s-1vcpu-1gb-blr1-01:/# mvn -version Apache Maven 3.6.0 Maven home: /usr/share/maven Java version: 1.8.0_272, vendor: Private Build, runtime: /usr/lib/jvm/java-8-openjdk-amd64/jre Default locale: en, platform encoding: UTF-8 OS name: "linux", version: "4.15.0-122-generic", arch: "amd64", family: "unix" root@ubuntu-s-1vcpu-1gb-blr1-01:/#
My oxalis.conf oxalis.keystore {
Relative to OXALIS_HOME
} oxalis.path.plugin = home/oxalis/oxalis
Signals to Oxalis that we should look for plugin
oxalis.persister.receipt = plugin
Where to store inbound files
oxalis.path.inbound = /var/peppol/IN