apache / incubator-hugegraph-commons

(Archived) Please visit the "apache/hugegraph" repo instead: https://github.com/apache/hugegraph/tree/master/hugegraph-commons
Apache License 2.0

[Bug] Dependency junit:junit, leading to CVE problem #109

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Bug Type (issue type)

No response

Before submit

Environment (environment details)

Expected & Actual behavior (expected vs. actual behaviour)

Hi, in /incubator-hugegraph-commons, there is a dependency junit:junit:4.12 that calls the risk method.

CVE-2020-15250

The affected version range of this CVE is [4.7,4.13.1).

After further analysis, in this project the main API called is `org.junit.rules.TemporaryFolder: createTemporaryFolderIn(java.io.File)Ljava.io.File;`

Risk method repair link: GitHub

CVE Bug Invocation Path (Path Length: 7):

```
org.apache.hugegraph.rest.AbstractRestClient: request(java.util.concurrent.Callable)Ljakarta.ws.rs.core.Response; /.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.3/osgi-resource-locator-1.0.3.jar
org.junit.internal.runners.statements.FailOnTimeout$CallableStatement: call()Ljava.lang.Object; /.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.3/osgi-resource-locator-1.0.3.jar
org.junit.internal.runners.statements.FailOnTimeout$CallableStatement: call()Ljava.lang.Throwable; /.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.3/osgi-resource-locator-1.0.3.jar
org.junit.rules.ExternalResource$1: evaluate()V /.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.3/osgi-resource-locator-1.0.3.jar
org.junit.rules.TemporaryFolder: before()V /.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.3/osgi-resource-locator-1.0.3.jar
org.junit.rules.TemporaryFolder: create()V /.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.3/osgi-resource-locator-1.0.3.jar
org.junit.rules.TemporaryFolder: createTemporaryFolderIn(java.io.File)Ljava.io.File;
```

Dependency tree:

```
[INFO] org.apache.hugegraph:hugegraph-common:jar:1.0.0
[INFO] +- junit:junit:jar:4.12:compile
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- org.mockito:mockito-core:jar:4.1.0:test
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.12.1:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.1:test
[INFO] |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.glassfish:javax.json:jar:1.0:compile
[INFO] +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] +- org.apache.commons:commons-configuration2:jar:2.3:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- commons-io:commons-io:jar:2.7:compile
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- commons-codec:commons-codec:jar:1.11:compile
[INFO] +- com.google.guava:guava:jar:25.1-jre:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:2.0.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- com.google.code.findbugs:jsr305:jar:3.0.1:compile
[INFO] +- joda-time:joda-time:jar:2.10.8:compile
[INFO] +- org.javassist:javassist:jar:3.28.0-GA:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.12.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.1:compile
[INFO] +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.1:compile
[INFO] |  \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.12.1:compile
[INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.12.1:compile
[INFO] +- org.glassfish.jersey.core:jersey-client:jar:3.0.3:compile
[INFO] |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.0.0:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:3.0.3:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:2.0.0:compile
[INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.3:compile
[INFO] |  \- jakarta.inject:jakarta.inject-api:jar:2.0.0:compile
[INFO] +- org.glassfish.jersey.media:jersey-media-json-jackson:jar:3.0.3:compile
[INFO] |  +- org.glassfish.jersey.ext:jersey-entity-filtering:jar:3.0.3:compile
[INFO] |  \- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |     \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] +- org.glassfish.jersey.connectors:jersey-apache-connector:jar:3.0.3:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |     \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] +- org.glassfish.jersey.inject:jersey-hk2:jar:3.0.3:compile
[INFO] |  \- org.glassfish.hk2:hk2-locator:jar:3.0.1:compile
[INFO] |     +- org.glassfish.hk2.external:aopalliance-repackaged:jar:3.0.1:compile
[INFO] |     +- org.glassfish.hk2:hk2-api:jar:3.0.1:compile
[INFO] |     \- org.glassfish.hk2:hk2-utils:jar:3.0.1:compile
[INFO] +- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.0-RC2:compile
[INFO] \- com.sun.xml.bind:jaxb-impl:jar:3.0.2:runtime
[INFO]    \- com.sun.xml.bind:jaxb-core:jar:3.0.2:runtime
[INFO]       \- com.sun.activation:jakarta.activation:jar:2.0.1:runtime
```

Suggested solutions:

Update dependency version

Thank you very much.

Vertex/Edge example (vertex / edge data example)

No response

Schema [VertexLabel, EdgeLabel, IndexLabel] (metadata structure)

No response
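The report above gives two things a reviewer can verify mechanically: the affected range `[4.7,4.13.1)` and a `mvn dependency:tree` dump. The following script is an added example (not part of the issue or of the hugegraph project) that parses tree output, resolves each `groupId:artifactId:type[:classifier]:version:scope` coordinate, and flags any artifact whose version falls inside a Maven-style version range. It also records the scope, because the tree shows `junit:junit` at `compile` scope rather than `test`, which puts a test framework on the runtime classpath. The sample tree embedded below is an abridged copy of the one in the issue; version comparison is a simplification that handles numeric dotted versions only (qualifiers such as `-GA` are stripped), not the full Maven ordering rules.

```python
"""Check a `mvn dependency:tree` dump against a CVE's affected version range.

Added example; assumptions: numeric dotted versions only, single-interval ranges
of the form "[lo,hi)" / "(lo,hi]" with either bound optionally empty.
"""
import re
from typing import Dict, List, Optional, Tuple

# Affected range exactly as stated in the issue for CVE-2020-15250.
JUNIT_AFFECTED_RANGE = "[4.7,4.13.1)"

# Abridged copy of the dependency tree posted in the issue (sample input).
SAMPLE_TREE = """\
[INFO] org.apache.hugegraph:hugegraph-common:jar:1.0.0
[INFO] +- junit:junit:jar:4.12:compile
[INFO] |  \\- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- org.mockito:mockito-core:jar:4.1.0:test
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] +- org.javassist:javassist:jar:3.28.0-GA:compile
"""

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '4.13.1' or '3.28.0-GA' into a comparable tuple; trailing zeros are
    dropped so that '4.7' and '4.7.0' compare equal (simplified, not Maven's full rules)."""
    core = re.split(r"[-_+]", text, maxsplit=1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_range(spec: str) -> Tuple[Optional[Version], bool, Optional[Version], bool]:
    """Parse a Maven range like '[4.7,4.13.1)' into (low, low_inclusive, high, high_inclusive)."""
    m = re.fullmatch(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])", spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {spec}")
    lo_b, lo, hi, hi_b = m.groups()
    return (
        parse_version(lo) if lo else None, lo_b == "[",
        parse_version(hi) if hi else None, hi_b == "]",
    )


def version_in_range(version: str, spec: str) -> bool:
    """True if `version` lies inside the range `spec`, honouring open/closed bounds."""
    v = parse_version(version)
    lo, lo_incl, hi, hi_incl = parse_range(spec)
    if lo is not None and (v < lo or (v == lo and not lo_incl)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_incl)):
        return False
    return True


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Extract (groupId:artifactId, version, scope) from each `[INFO]` tree line.
    The root module line has no scope and is tagged 'root'."""
    deps = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        parts = line.split()[-1].split(":")  # last token is the coordinate
        if len(parts) == 5:            # g:a:type:version:scope
            g, a, _t, v, s = parts
        elif len(parts) == 6:          # g:a:type:classifier:version:scope
            g, a, _t, _c, v, s = parts
        elif len(parts) == 4:          # g:a:type:version  (the module itself)
            g, a, _t, v = parts
            s = "root"
        else:
            continue
        deps.append((f"{g}:{a}", v, s))
    return deps


def find_vulnerable(text: str, artifact: str = "junit:junit",
                    affected: str = JUNIT_AFFECTED_RANGE) -> List[Dict[str, object]]:
    """Report every occurrence of `artifact` whose version is inside `affected`."""
    findings = []
    for ga, version, scope in parse_tree(text):
        if ga == artifact and version_in_range(version, affected):
            findings.append({
                "artifact": ga, "version": version, "scope": scope,
                # A test framework leaking into compile scope ships with the product.
                "leaks_to_runtime": scope in ("compile", "runtime"),
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE):
        print(f"{f['artifact']}:{f['version']} ({f['scope']}) is inside "
              f"{JUNIT_AFFECTED_RANGE}; runtime leak: {f['leaks_to_runtime']}")
```

Run against the real tree with `mvn dependency:tree > tree.txt` and feed the file contents to `find_vulnerable`; a clean result for `junit:junit` after bumping the version, plus a `test`-scoped entry, is what the suggested fix should produce.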

imbajin commented 1 year ago

Thanks for the report, would you like to submit a PR to fix it?

Update: I submitted a PR for it, and also addressed other CVE reports in dependencies.