Address Software Dependencies are Affected by Known Vulnerabilities

[vidi42]

Problem Description

The target application uses dependencies that are affected by known vulnerabilities. Applications that use dependencies which are affected by known vulnerabilities offer an additional attack surface. Known vulnerabilities could provide a generic path to compromise the application in different ways, such as extracting sensitive information, manipulating internal application states, or even compromising the underlying operating system. Depending on the vulnerability and the affected software component, they might be publicly available proof-of-concept exploits. Such vulnerabilities are very likely to be exploited, especially on services that are exposed to the Internet where the exploitation could be automated.

The following list of dependencies with known vulnerabilities has been identified:

• jackson-databind:2.0.1 used by com.auth0-java-jwt-2.2.1.jar affected by 35 CVEs
• com.fasterxml.jackson.core-jackson-databind-2.9.8.jar affected by 33 CVEs
• com.google.guava-guava-19.0.jar affected by CVE-2018-10237
• commons-beanutils-commons-beanutils-1.9.2.jar affected by CVE-2019-10086
• commons-beanutils.jar affected by CVE-2019-10086
• org.geotools-gt-shapefile-21.4.jar affected by CVE-2018-18749
• snakeyaml.jar affected by CVE-2017-18640
• vaadin-sass-compiler.jar affected by CVE-2011-0509 and CVE-2019-10799

These libraries were extracted from the release version 1.48.2 of sormas-ui, sormas-ear and sormas-rest. The current OWASP Dependency Checks also show quite a lot possible vulnarabilities (about 90) in used dependencies (java libraries).

Proposed Change

1. Check which findings might be solved by a newer library version. Some might already be cleaned by #3449.
2. Assess which findings are not a vulnarability in our setup (effectifly a false positive).
3. Document which findings will not be addressed in a simple version update due to more complex changes or risks.

System Details

• SORMAS version: 1.48.2

Additional information

Check this after #3449 and #3584 are done because some version updates there will resolve findings.

[JonasCir]

uh not good. I think we should enable GitHub's automatic dependabot alerts for this (and all other) repositories, if possible

[JonasCir]

GitHub sends Dependabot alerts when we detect vulnerabilities affecting your repository.

@fhauptmann and @MartinWahnschaffeSymeda any comments?

---

Edit: GitHub seems to offer more security features, even static security analysis which might prevent things like #3578

[MateStrysewske]

@JonasCir Dependabot should already be enabled

[JonasCir]

Hm, then I propose to investigate why this was not caught . The CVEs are published in GitHub Advisory DB and some of them are rated as severe.

[StefanKock]

For Dependency Check false positives can be suppressed:

• How suppressions need to be defined as XML file: https://jeremylong.github.io/DependencyCheck/general/suppression.html
• Use --suppression as command line argument to supress false positives: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

[StefanKock]

Current findings not (all) fixed by #3584:

• gradle-wrapper.jar (2.10) CVE-2019-16370 -> upgrade gradle tooling from 5.4.1 to 6.x -> #3765
• keycloak-adapter-core.jar, org.keycloak-keycloak-core-11.0.3.jar : CVE-2020-10776, CVE-2020-14366, CVE-2020-14389: fixed in version 12, but not available yet (and addresses also the Keycloak server).
• org.jboss.resteasy-resteasy-jaxrs-3.9.1.Final.jar : CVE-2020-1695 Maybe update to 3.14.0.Final? Belongs to keycloak dependencies.
• org.jboss.resteasy-resteasy-jaxrs-3.9.1.Final.jar : CVE-2020-25633 Not fixed until now? Belongs to keycloak dependencies.

False positives:

• gradle-wrapper.jar : CVE-2019-11065: We are using newer gradle version 5.4.1
• io.openapitools.jackson.dataformat-jackson-dataformat-hal-1.0.4.jar : CVE-2018-18749 addresses data-tools (not Java) which does not seem to be used by jackson-dataformat-hal
• keycloak : CVE-2020-1728 is fixed with version 10, we use 11.0.3
• vaadin-sass-compiler.jar CVE-2011-0509 : We are using a newer version than 6.4.9
• vaadin-sass-compiler.jar CVE-2019-10799 : False positive documented in Dependency Check 6.0.3

Not exploitable:

• gradle-wrapper.jar : CVE-2019-15052 not exploitable because we use Gradle as build tool to get public available dependencies without any credentials. Upgrade from 5.4.1 to 5.6.x might also be an option.
• guava-19.0.jar (in sormas-app) : CVE-2018-10237 not exploitable because it addresses possible DoS attacks against servers.
• logback-core-1.1.7.jar : not relevant at the moment because we do not use SocketServer to receive logs
• maven-ant-tasks-2.1.4-SNAPSHOT_PATCHED.jar (shaded: org.codehaus.plexus:plexus-utils:1.5.15) : not part of the release and is not relied on by the code

[HolgerReiseVSys]

maven-ant-tasks is used for automating some common tasks during development. It is not part of the release and is not relied on by the code, tests or the CI pipeline.

According to https://maven.apache.org/ant-tasks/ it has been superseded by Maven Artifact Resolver Ant Tasks.

[StefanKock]

Evaluation of findings in the comment above, to be discussed with @MartinWahnschaffeSymeda

[StefanKock]

Open findings will be addressed in new tickets (especially Keycloak 12 is not available yet): #3765, #3766

[StefanKock]

Documented all not relevant findings (https://github.com/hzi-braunschweig/SORMAS-Project/issues/3580#issuecomment-740562116) in check-suppressions.xml to exclude them in Dependency-Check on Jenkins, successfully tested.

[StefanKock]

I needed to add this argument for Dependency-Check in Jenkins, I forgot that on monday: --suppression ${WORKSPACE}/sormas-base/dependencies/check-suppressions.xml