SAP / cloud-sdk

The SAP Cloud SDK documentation and support repository.
https://sap.github.io/cloud-sdk/
Apache License 2.0

BlackDuck reports critical vulnerability due to usage of json-sanitizer 1.2.0 in version 2 SDK #101

Closed sabineheider closed 3 years ago

sabineheider commented 3 years ago

Issue Description

A BlackDuck scan reports a critical vulnerability in

    <dependency>
        <groupId>com.sap.cloud.s4hana.cloudplatform</groupId>
        <artifactId>scp-cf</artifactId>
        <version>2.28.0</version>
    </dependency>

due to the usage of json-sanitizer 1.2.0.

This is from the maven dependency tree:

com.sap.bdpt.xs:margin-assurance-java-findings_service:war:2.60.7
 +- com.sap.cloud.s4hana.cloudplatform:scp-cf:jar:2.28.0:compile
 |  +- com.sap.cloud.s4hana.cloudplatform:auditlog-scp-cf:jar:2.28.0:compile
 |  |  +- com.sap.cloud.s4hana.cloudplatform:core:jar:2.28.0:compile
 |  |  +- com.sap.cloud.s4hana.cloudplatform:auditlog:jar:2.28.0:compile
 |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.26:runtime
 |  +- com.sap.cloud.s4hana.cloudplatform:caching:jar:2.28.0:compile
 |  |  +- com.sap.cloud.s4hana.cloudplatform:security:jar:2.28.0:compile
 |  |  \- com.sap.cloud.s4hana.cloudplatform:tenant:jar:2.28.0:compile
 |  +- com.sap.cloud.s4hana.cloudplatform:core-scp-cf:jar:2.28.0:compile
 |  |  +- com.mikesamuel:json-sanitizer:jar:1.2.0:compile
 |  |  \- com.auth0:java-jwt:jar:3.4.0:compile

BlackDuck suggests upgrading json-sanitizer to 1.2.2.

Could you please provide a fixed version of the SDK?

Thanks and best regards, Sabine
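A small triage helper for the dependency tree pasted above, added here as an example (it is not code from the SAP Cloud SDK project or from the issue's participants): it parses `mvn dependency:tree` text output, locates a flagged groupId:artifactId, reports which direct dependency pulls it in, and compares the resolved version with the version the scanner recommends. The sample tree is the one from the issue; the function names are mine, and the version ordering is a simplified x.y.z comparison, not Maven's full qualifier-aware ordering.

```python
"""Locate a scanner-flagged artifact in `mvn dependency:tree` output.

Added example, not SAP Cloud SDK code. It answers the two questions a
triage needs: which direct dependency drags the artifact in, and is the
resolved version below the recommended fix version.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the tree as pasted in the issue (Maven's own layout).
SAMPLE_TREE = """\
com.sap.bdpt.xs:margin-assurance-java-findings_service:war:2.60.7
 +- com.sap.cloud.s4hana.cloudplatform:scp-cf:jar:2.28.0:compile
 |  +- com.sap.cloud.s4hana.cloudplatform:auditlog-scp-cf:jar:2.28.0:compile
 |  |  +- com.sap.cloud.s4hana.cloudplatform:core:jar:2.28.0:compile
 |  |  +- com.sap.cloud.s4hana.cloudplatform:auditlog:jar:2.28.0:compile
 |  |  \\- org.slf4j:jcl-over-slf4j:jar:1.7.26:runtime
 |  +- com.sap.cloud.s4hana.cloudplatform:caching:jar:2.28.0:compile
 |  |  +- com.sap.cloud.s4hana.cloudplatform:security:jar:2.28.0:compile
 |  |  \\- com.sap.cloud.s4hana.cloudplatform:tenant:jar:2.28.0:compile
 |  +- com.sap.cloud.s4hana.cloudplatform:core-scp-cf:jar:2.28.0:compile
 |  |  +- com.mikesamuel:json-sanitizer:jar:1.2.0:compile
 |  |  \\- com.auth0:java-jwt:jar:3.4.0:compile
"""


@dataclass
class Hit:
    coordinate: str            # the node as Maven printed it (g:a:type:version:scope)
    version: str               # resolved version of the flagged artifact
    path: List[str]            # artifactIds from the root module down to the hit
    via: Optional[str]         # the direct (depth-1) dependency that pulls it in
    outdated: bool             # True if version < recommended fix version


# Optional "[INFO] " prefix, then the tree-drawing characters, then the coordinate.
# Each nesting level adds three characters ("+- ", "|  ", "\- ", "   ").
_LINE = re.compile(r"^(?:\[INFO\]\s*)?(?P<prefix>[ |+\\-]*)(?P<coord>\S+)$")


def parse_tree(text: str):
    """Yield (depth, coordinate) for every node; Maven chatter lines are skipped."""
    for raw in text.splitlines():
        m = _LINE.match(raw.rstrip())
        if not m or ":" not in m.group("coord"):
            continue
        yield len(m.group("prefix")) // 3, m.group("coord")


def split_coordinate(coord: str):
    """Return (groupId, artifactId, version) from g:a:type[:classifier]:version[:scope]."""
    parts = coord.split(":")
    # The root module line has 4 fields and no scope; children carry a scope last.
    version = parts[-1] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version


def version_key(v: str):
    """Numeric-aware ordering for plain x.y.z releases (assumption: no qualifier logic)."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def find_artifact(tree_text: str, group_id: str, artifact_id: str, fixed_version: str) -> List[Hit]:
    """Return every occurrence of group_id:artifact_id with its path and fix status."""
    hits: List[Hit] = []
    stack: List[str] = []  # artifactIds of the ancestors, indexed by depth
    for depth, coord in parse_tree(tree_text):
        g, a, v = split_coordinate(coord)
        stack = stack[:depth] + [a]
        if (g, a) == (group_id, artifact_id):
            hits.append(Hit(coordinate=coord, version=v, path=list(stack),
                            via=stack[1] if len(stack) > 1 else None,
                            outdated=version_key(v) < version_key(fixed_version)))
    return hits


def report(hits: List[Hit], fixed_version: str) -> List[str]:
    """One human-readable line per hit, suitable for a ticket or a CI log."""
    return [
        f"{h.coordinate}: {'UPGRADE NEEDED' if h.outdated else 'ok'} "
        f"(recommended {fixed_version}); pulled in via {h.via}: {' -> '.join(h.path)}"
        for h in hits
    ]


if __name__ == "__main__":
    for line in report(find_artifact(SAMPLE_TREE, "com.mikesamuel", "json-sanitizer", "1.2.2"), "1.2.2"):
        print(line)
```

Run against the pasted tree it shows that json-sanitizer 1.2.0 arrives only through scp-cf (via core-scp-cf), which is why the consuming project cannot fix it by changing its own direct dependencies. A `dependencyManagement` pin to 1.2.2 in the consumer's pom would override the transitive version, but nothing in this thread establishes that the v2 SDK works with it; the maintainers' answer is migration to v3.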

artemkovalyov commented 3 years ago

Hi Sabine,

Thanks for approaching us about this. Version 2 of SAP Cloud SDK for Java is long deprecated. We do not develop it anymore and do not provide updates. Migrating to version 3 of the SDK is the only way forward. Luckily it shouldn't be too complicated, check out this tutorial and our documentation for the details on moving to SDK v3.

I hope it helps. Let us know if we can further assist you with migration.

sabineheider commented 3 years ago

Hi Artem, this is very unfortunate since the product where we use SDK V2 is also an old one that isn't developed any further. Seems there is no way but to migrate now. I'll close this issue. If we encounter any problems during migration, I'll open another one instead. Thanks and best regards, Sabine

artemkovalyov commented 3 years ago

Hi Sabine,

Thanks for understanding. It's exactly because of security and compatibility with the latest SAP Cloud Platform features that we decided to discontinue V2. Supporting it in shape would be a huge effort. Migration should be relatively easy. We're staying available to help you with migration.