search

SAP-samples / cloud-espm-cloud-native

Enterprise Sales and Procurement Model (ESPM) Cloud Native is a project that showcases how an application can be made resilient by implementing resilience design patterns. This application is developed using Spring Boot framework and can be deployed locally as well as on SAP BTP, Cloud Foundry environment.
Apache License 2.0
39 stars 41 forks source link

Dependency org.yaml:snakeyaml, leading to CVE problem #46

Open CVEDetect opened 1 year ago

CVEDetect commented 1 year ago

Hi, In /worker,there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 6

CVE Bug Invocation Path : 
com.sap.refapps.espm.exception.EmsResponseErrorHandler: handleError(org.springframework.http.client.ClientHttpResponse)V /download/apache-maven-3.6.3/repository_mount/org/springframework/data/spring-data-jpa/2.7.6/spring-data-jpa-2.7.6.jar
org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport$AccessTokenErrorHandler: handleError(org.springframework.http.client.ClientHttpResponse)V /download/apache-maven-3.6.3/repository_mount/org/springframework/spring-web/5.3.24/spring-web-5.3.24.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/apache/qpid/qpid-jms-client/0.54.0/qpid-jms-client-0.54.0.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/apache/qpid/qpid-jms-client/0.54.0/qpid-jms-client-0.54.0.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/apache/qpid/qpid-jms-client/0.54.0/qpid-jms-client-0.54.0.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.sap.refapps.espm:worker:jar:1.3.2
[INFO] +- com.sap.refapps.espm:commons:jar:1.3.2:compile
[INFO] |  +- com.sap.cloud.db.jdbc:ngdbc:jar:2.12.7:compile
[INFO] |  +- io.pivotal.cfenv:java-cfenv-boot:jar:2.2.4.RELEASE:compile
[INFO] |  |  \- io.pivotal.cfenv:java-cfenv-jdbc:jar:2.2.4.RELEASE:compile
[INFO] |  |     \- io.pivotal.cfenv:java-cfenv:jar:2.2.4.RELEASE:compile
[INFO] |  +- org.eclipse.persistence:org.eclipse.persistence.jpa:jar:2.7.11:compile
[INFO] |  |  +- org.eclipse.persistence:jakarta.persistence:jar:2.2.3:compile
[INFO] |  |  +- org.eclipse.persistence:org.eclipse.persistence.asm:jar:9.3.0:compile
[INFO] |  |  +- org.eclipse.persistence:org.eclipse.persistence.antlr:jar:2.7.11:compile
[INFO] |  |  +- org.eclipse.persistence:org.eclipse.persistence.jpa.jpql:jar:2.7.11:compile
[INFO] |  |  \- org.eclipse.persistence:org.eclipse.persistence.core:jar:2.7.11:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.7.7:compile
[INFO] |     +- org.springframework.boot:spring-boot-starter-aop:jar:2.7.7:compile
[INFO] |     |  \- org.aspectj:aspectjweaver:jar:1.9.7:compile
[INFO] |     +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.7.7:compile
[INFO] |     |  +- com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO] |     |  \- org.springframework:spring-jdbc:jar:5.3.24:compile
[INFO] |     +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
[INFO] |     +- jakarta.persistence:jakarta.persistence-api:jar:2.2.3:compile
[INFO] |     +- org.springframework.data:spring-data-jpa:jar:2.7.6:compile
[INFO] |     |  +- org.springframework.data:spring-data-commons:jar:2.7.6:compile
[INFO] |     |  \- org.springframework:spring-orm:jar:5.3.24:compile
[INFO] |     \- org.springframework:spring-aspects:jar:5.3.24:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.7.7:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.7.7:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.7:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.7:compile
[INFO] |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.1:compile
[INFO] |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.24:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.24:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.7.7:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.7.7:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.7:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.4.8:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO] |  |        \- org.ow2.asm:asm:jar:9.1:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO] |  +- org.assertj:assertj-core:jar:3.22.0:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] |  +- org.mockito:mockito-core:jar:4.5.1:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.20:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.20:test
[INFO] |  |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.1:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-test:jar:5.3.24:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.9.0:test
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.13.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
[INFO] |  +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] |  \- com.fasterxml.woodstox:woodstox-core:jar:6.3.1:compile
[INFO] +- com.sap.cloud.servicesdk.xbem:emjapi-connector-sap-cp:jar:2.0.7:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-cloudfoundry-connector:jar:2.0.7.RELEASE:compile
[INFO] |  |  \- org.springframework.cloud:spring-cloud-connectors-core:jar:2.0.7.RELEASE:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- com.sap.cloud.servicesdk.xbem:emjapi-core:jar:2.0.7:compile
[INFO] |  \- javax.jms:javax.jms-api:jar:2.0.1:compile
[INFO] +- com.sap.cloud.servicesdk.xbem:emjapi-extension-sap-cp-jms:jar:2.0.7:compile
[INFO] |  \- org.apache.qpid:qpid-jms-client:jar:0.54.0:compile
[INFO] |     +- org.apache.geronimo.specs:geronimo-jms_2.0_spec:jar:1.0-alpha-2:compile
[INFO] |     +- org.apache.qpid:proton-j:jar:0.33.6:compile
[INFO] |     +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.86.Final:compile
[INFO] |     |  +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] |     |  \- io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:compile
[INFO] |     +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.86.Final:compile
[INFO] |     |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:compile
[INFO] |     \- io.netty:netty-codec-http:jar:4.1.86.Final:compile
[INFO] +- org.springframework.amqp:spring-amqp:jar:2.4.8:compile
[INFO] |  \- org.springframework.retry:spring-retry:jar:1.3.1:compile
[INFO] |     \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] +- org.springframework.amqp:spring-rabbit:jar:2.4.8:compile
[INFO] |  +- com.rabbitmq:amqp-client:jar:5.14.2:compile
[INFO] |  +- org.springframework:spring-context:jar:5.3.24:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:5.3.24:compile
[INFO] |  |  \- org.springframework:spring-expression:jar:5.3.24:compile
[INFO] |  +- org.springframework:spring-messaging:jar:5.3.24:compile
[INFO] |  \- org.springframework:spring-tx:jar:5.3.24:compile
[INFO] +- org.postgresql:postgresql:jar:42.2.19:compile
[INFO] |  \- org.checkerframework:checker-qual:jar:3.5.0:runtime
[INFO] +- io.netty:netty-handler:jar:4.1.77.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] |  +- io.netty:netty-resolver:jar:4.1.86.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.86.Final:compile
[INFO] |  \- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] +- org.springframework.security.oauth:spring-security-oauth2:jar:2.5.0.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.24:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:5.3.24:compile
[INFO] |  |  \- org.springframework:spring-web:jar:5.3.24:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.7.6:compile
[INFO] |  |  \- org.springframework.security:spring-security-crypto:jar:5.7.6:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:5.7.6:compile
[INFO] |  +- org.springframework.security:spring-security-web:jar:5.7.6:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO] +- com.h2database:h2:jar:2.1.214:test
[INFO] +- org.apache.qpid:qpid-broker-core:jar:9.0.0:test
[INFO] |  \- com.google.guava:guava:jar:31.1-jre:test
[INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:test
[INFO] |     \- com.google.j2objc:j2objc-annotations:jar:1.3:test
[INFO] +- org.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol:jar:9.0.0:test
[INFO] \- org.apache.qpid:qpid-broker-plugins-memory-store:jar:9.0.0:test

Suggested solutions:

Update dependency version