apache / incubator-seata

:fire: Seata is an easy-to-use, high-performance, open source distributed transaction solution.
https://seata.apache.org/
Apache License 2.0

The latest image [seataio/seata-server:latest] is flagged with a large number of security vulnerabilities; how should this be handled? #5528

Open smallwolf99 opened 1 year ago

smallwolf99 commented 1 year ago

Ⅰ. Issue Description

The seataio/seata-server:latest image from Docker Hub is flagged with a large number of security vulnerabilities: https://hub.docker.com/r/seataio/seata-server/tags

Ⅱ. Describe what happened

The seataio/seata-server:latest image has 292 vulnerabilities. [screenshot]

Ⅲ. Describe what you expected to happen

After deploying seata from the image, the pre-release security test detected 292 security vulnerabilities involving component dependencies, and we don't dare to upgrade the components inside the image ourselves.

Ⅳ. How to reproduce it (as minimally and precisely as possible)

  1. Download the image
  2. Run a security scan with trivy

funky-eyes commented 1 year ago

The version you have is old. Could you provide the latest list of security vulnerabilities? For example, fastjson has already been upgraded to 1.2.83 in latest. https://github.com/seata/seata/blob/2.x/dependencies/pom.xml

smallwolf99 commented 1 year ago

Oh, I'm using the latest image seataio/seata-server:latest from Docker Hub. By "latest", do you mean building it from source yourself?

smallwolf99 commented 1 year ago

I checked the dependency versions in this pom.xml, and some of them are still not secure versions, as follows:

1.4.19 ----- suggested fixed version: 1.4.20
1.4.2 ----- suggested fixed version: 2.0.4

> The version you have is old. Could you provide the latest list of security vulnerabilities? For example, fastjson has already been upgraded to 1.2.83 in latest. https://github.com/seata/seata/blob/2.x/dependencies/pom.xml

funky-eyes commented 1 year ago

> Oh, I'm using the latest image seataio/seata-server:latest from Docker Hub. By "latest", do you mean building it from source yourself?

latest is rebuilt daily. Did you pull an earlier latest? Try updating it and check again.

smallwolf99 commented 1 year ago

[screenshot] I ran docker pull seataio/seata-server:latest directly, and after scanning, fastjson is still 1.2.73.

The Dockerfile also uses latest:

FROM seataio/seata-server:latest

funky-eyes commented 1 year ago

Use docker exec to get into the container and check which version is actually in seata-server's lib directory.

smallwolf99 commented 1 year ago

[screenshot] Inside the container it is 1.2.73.

smallwolf99 commented 1 year ago

I downloaded the 2.x source and analyzed it; it shows 1.2.83. Is the image perhaps not built from the 2.x source? [screenshot]

slievrly commented 1 year ago

HikariCP-4.0.3.jar animal-sniffer-annotations-1.18.jar annotations-4.1.1.4.jar ant-1.10.12.jar ant-launcher-1.10.12.jar antlr-2.7.7.jar antlr-runtime-3.4.jar aopalliance-1.0.jar apollo-client-2.0.1.jar apollo-core-2.0.1.jar archaius-core-0.7.6.jar audience-annotations-0.5.0.jar bolt-1.4.6.jar byte-buddy-1.10.22.jar checker-qual-3.5.0.jar commons-codec-1.15.jar commons-compiler-3.1.7.jar commons-compress-1.19.jar commons-configuration-1.10.jar commons-dbcp2-2.8.0.jar commons-io-2.7.jar commons-jxpath-1.3.jar commons-lang-2.6.jar commons-logging-1.2.jar commons-math-2.2.jar commons-pool-1.6.jar commons-pool2-2.9.0.jar compactmap-2.0.jar config-1.2.1.jar consul-api-1.4.2.jar dexx-collections-0.2.jar druid-1.2.6.jar error_prone_annotations-2.3.4.jar eureka-client-1.10.17.jar failsafe-2.3.3.jar failureaccess-1.0.1.jar fastjson-1.2.83.jar fst-2.57.jar grpc-api-1.27.1.jar grpc-context-1.27.1.jar grpc-core-1.27.1.jar grpc-grpclb-1.27.1.jar grpc-netty-1.27.1.jar grpc-protobuf-1.27.1.jar grpc-protobuf-lite-1.27.1.jar grpc-stub-1.27.1.jar gson-2.8.9.jar guava-30.1-jre.jar guice-5.0.1.jar h2-1.4.200.jar hessian-3.3.6.jar hessian-4.0.63.jar httpasyncclient-4.1.5.jar httpclient-4.5.13.jar httpcore-4.4.15.jar httpcore-nio-4.4.15.jar j2objc-annotations-1.3.jar jackson-annotations-2.12.6.jar jackson-core-2.12.6.jar jackson-databind-2.12.6.1.jar jackson-datatype-jdk8-2.12.6.jar jackson-datatype-jsr310-2.12.6.jar jackson-module-parameter-names-2.12.6.jar jakarta.annotation-api-1.3.5.jar janino-3.1.7.jar javassist-3.21.0-GA.jar javax.inject-1.jar javax.servlet-api-4.0.1.jar jcommander-1.72.jar jdbc jedis-3.6.3.jar jersey-apache-client4-1.19.1.jar jersey-client-1.19.1.jar jersey-core-1.19.1.jar jetcd-common-0.5.0.jar jetcd-core-0.5.0.jar jetcd-resolver-0.5.0.jar jettison-1.4.0.jar jjwt-api-0.10.5.jar jjwt-impl-0.10.5.jar jjwt-jackson-0.10.5.jar joda-time-2.3.jar jsr305-3.0.2.jar jsr311-api-1.1.1.jar jul-to-slf4j-1.7.36.jar kafka-clients-2.7.2.jar kryo-5.4.0.jar 
kryo-serializers-0.45.jar listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar logback-classic-1.2.11.jar logback-core-1.2.11.jar logback-kafka-appender-0.2.0-RC2.jar logstash-logback-encoder-6.5.jar lz4-java-1.7.1.jar minlog-1.3.1.jar mxparser-1.2.2.jar mysql-connector-java-8.0.28.jar nacos-api-1.4.2.jar nacos-client-1.4.2.jar nacos-common-1.4.2.jar netflix-eventbus-0.3.0.jar netflix-infix-0.3.0.jar netty-all-4.1.76.Final.jar netty-buffer-4.1.76.Final.jar netty-codec-4.1.76.Final.jar netty-codec-dns-4.1.76.Final.jar netty-codec-haproxy-4.1.76.Final.jar netty-codec-http-4.1.76.Final.jar netty-codec-http2-4.1.76.Final.jar netty-codec-memcache-4.1.76.Final.jar netty-codec-mqtt-4.1.76.Final.jar netty-codec-redis-4.1.76.Final.jar netty-codec-smtp-4.1.76.Final.jar netty-codec-socks-4.1.76.Final.jar netty-codec-stomp-4.1.76.Final.jar netty-codec-xml-4.1.76.Final.jar netty-common-4.1.76.Final.jar netty-handler-4.1.76.Final.jar netty-handler-proxy-4.1.76.Final.jar netty-resolver-4.1.76.Final.jar netty-resolver-dns-4.1.76.Final.jar netty-resolver-dns-classes-macos-4.1.76.Final.jar netty-resolver-dns-native-macos-4.1.76.Final-osx-aarch_64.jar netty-resolver-dns-native-macos-4.1.76.Final-osx-x86_64.jar netty-transport-4.1.76.Final.jar netty-transport-classes-epoll-4.1.76.Final.jar netty-transport-classes-kqueue-4.1.76.Final.jar netty-transport-native-epoll-4.1.76.Final-linux-aarch_64.jar netty-transport-native-epoll-4.1.76.Final-linux-x86_64.jar netty-transport-native-epoll-4.1.76.Final.jar netty-transport-native-kqueue-4.1.76.Final-osx-aarch_64.jar netty-transport-native-kqueue-4.1.76.Final-osx-x86_64.jar netty-transport-native-unix-common-4.1.76.Final.jar netty-transport-rxtx-4.1.76.Final.jar netty-transport-sctp-4.1.76.Final.jar netty-transport-udt-4.1.76.Final.jar objenesis-3.2.jar perfmark-api-0.19.0.jar postgresql-42.2.25.jar proto-google-common-protos-1.17.0.jar protobuf-java-3.16.3.jar protobuf-java-util-3.11.0.jar reflectasm-1.11.9.jar 
registry-client-all-5.2.0.jar seata-common-2.0.0-SNAPSHOT.jar seata-compressor-7z-2.0.0-SNAPSHOT.jar seata-compressor-all-2.0.0-SNAPSHOT.jar seata-compressor-bzip2-2.0.0-SNAPSHOT.jar seata-compressor-deflater-2.0.0-SNAPSHOT.jar seata-compressor-gzip-2.0.0-SNAPSHOT.jar seata-compressor-lz4-2.0.0-SNAPSHOT.jar seata-compressor-zip-2.0.0-SNAPSHOT.jar seata-compressor-zstd-2.0.0-SNAPSHOT.jar seata-config-all-2.0.0-SNAPSHOT.jar seata-config-apollo-2.0.0-SNAPSHOT.jar seata-config-consul-2.0.0-SNAPSHOT.jar seata-config-core-2.0.0-SNAPSHOT.jar seata-config-etcd3-2.0.0-SNAPSHOT.jar seata-config-nacos-2.0.0-SNAPSHOT.jar seata-config-spring-cloud-2.0.0-SNAPSHOT.jar seata-config-zk-2.0.0-SNAPSHOT.jar seata-console-2.0.0-SNAPSHOT.jar seata-core-2.0.0-SNAPSHOT.jar seata-discovery-all-2.0.0-SNAPSHOT.jar seata-discovery-consul-2.0.0-SNAPSHOT.jar seata-discovery-core-2.0.0-SNAPSHOT.jar seata-discovery-custom-2.0.0-SNAPSHOT.jar seata-discovery-etcd3-2.0.0-SNAPSHOT.jar seata-discovery-eureka-2.0.0-SNAPSHOT.jar seata-discovery-nacos-2.0.0-SNAPSHOT.jar seata-discovery-redis-2.0.0-SNAPSHOT.jar seata-discovery-sofa-2.0.0-SNAPSHOT.jar seata-discovery-zk-2.0.0-SNAPSHOT.jar seata-metrics-all-2.0.0-SNAPSHOT.jar seata-metrics-api-2.0.0-SNAPSHOT.jar seata-metrics-core-2.0.0-SNAPSHOT.jar seata-metrics-exporter-prometheus-2.0.0-SNAPSHOT.jar seata-metrics-registry-compact-2.0.0-SNAPSHOT.jar seata-serializer-all-2.0.0-SNAPSHOT.jar seata-serializer-fst-2.0.0-SNAPSHOT.jar seata-serializer-hessian-2.0.0-SNAPSHOT.jar seata-serializer-kryo-2.0.0-SNAPSHOT.jar seata-serializer-protobuf-2.0.0-SNAPSHOT.jar seata-serializer-seata-2.0.0-SNAPSHOT.jar seata-spring-autoconfigure-core-2.0.0-SNAPSHOT.jar seata-spring-autoconfigure-server-2.0.0-SNAPSHOT.jar servo-core-0.12.21.jar simpleclient-0.10.0.jar simpleclient_common-0.10.0.jar simpleclient_httpserver-0.10.0.jar slf4j-api-1.7.36.jar snakeyaml-1.28.jar snappy-java-1.1.7.7.jar sofa-common-tools-1.0.12.jar spring-aop-5.3.20.jar spring-beans-5.3.20.jar 
spring-boot-2.5.13.jar spring-boot-autoconfigure-2.5.13.jar spring-boot-starter-2.5.13.jar spring-boot-starter-json-2.5.13.jar spring-boot-starter-logging-2.5.13.jar spring-boot-starter-security-2.5.13.jar spring-boot-starter-tomcat-2.5.13.jar spring-boot-starter-web-2.5.13.jar spring-context-5.3.20.jar spring-core-5.3.20.jar spring-expression-5.3.20.jar spring-jcl-5.3.20.jar spring-security-config-5.5.6.jar spring-security-core-5.5.6.jar spring-security-crypto-5.5.6.jar spring-security-web-5.5.6.jar spring-web-5.3.20.jar spring-webmvc-5.3.20.jar stringtemplate-3.2.1.jar tomcat-embed-core-9.0.62.jar tomcat-embed-el-9.0.62.jar tomcat-embed-websocket-9.0.62.jar tools.jar xmlpull-1.1.3.1.jar xstream-1.4.19.jar xz-1.8.jar zkclient-0.11.jar zookeeper-3.5.9.jar zookeeper-jute-3.5.9.jar zstd-jni-1.5.0-4.jar

funky-eyes commented 1 year ago

Try switching your image source to the official Docker registry instead of a third-party mirror?

slievrly commented 1 year ago

docker pull seataio/seata-server:latest
docker run --name=seata-server -d seataio/seata-server:latest
docker exec -it xxxxxx bash
cd /seata-server/libs

smallwolf99 commented 1 year ago

PS C:\Users\cmk> docker pull seataio/seata-server:latest
latest: Pulling from seataio/seata-server
17c160265e75: Pull complete
cc4fe40d0e61: Pull complete
85dab43aebcc: Pull complete
e3872b431af5: Pull complete
4d2926eee1c3: Pull complete
d113829f9f8b: Pull complete
0dfbe37372aa: Pull complete
7163fcad11e7: Pull complete
6d0a0ed47847: Pull complete
Digest: sha256:5bc553024f88054d6750cbcb9ccc2f7ecc4dd7ca6663f3269bd1713f5e40c32e
Status: Downloaded newer image for seataio/seata-server:latest
docker.io/seataio/seata-server:latest

PS C:\Users\cmk> docker run --name=seata-server -d seataio/seata-server:latest
0d9119ced78f0ddcd317acf81e1f277bbec4b45363578e6326ebf613ddd81f6a
PS C:\Users\cmk> docker ps
CONTAINER ID   IMAGE                         COMMAND                  CREATED          STATUS                 PORTS                                                          NAMES
0d9119ced78f   seataio/seata-server:latest   "java -Djava.securit…"   10 seconds ago   Up 7 seconds           8091/tcp                                                       seata-server
93f51516270d   gitlab/gitlab-ee:latest       "/assets/wrapper"        2 months ago     Up 3 days (healthy)    0.0.0.0:22->22/tcp, 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   gitlab
PS C:\Users\cmk> docker exec -it 0d911 bash
root@0d9119ced78f:/seata-server# cd /seata-server/libs
root@0d9119ced78f:/seata-server/libs# ls -lh
total 78M
-rw-r--r-- 1 root root 153K Jan 1 1970 HikariCP-3.4.5.jar
-rw-r--r-- 1 root root 3.4K Jan 1 1970 animal-sniffer-annotations-1.17.jar
-rw-r--r-- 1 root root 2.2M Jan 1 1970 ant-1.10.6.jar
-rw-r--r-- 1 root root 19K Jan 1 1970 ant-launcher-1.10.6.jar
-rw-r--r-- 1 root root 435K Jan 1 1970 antlr-2.7.7.jar
-rw-r--r-- 1 root root 161K Jan 1 1970 antlr-runtime-3.4.jar
-rw-r--r-- 1 root root 4.4K Jan 1 1970 aopalliance-1.0.jar
-rw-r--r-- 1 root root 171K Jan 1 1970 apollo-client-1.6.0.jar
-rw-r--r-- 1 root root 80K Jan 1 1970 apollo-core-1.6.0.jar
-rw-r--r-- 1 root root 137K Jan 1 1970 archaius-core-0.7.6.jar
-rw-r--r-- 1 root root 53K Jan 1 1970 asm-5.0.4.jar
-rw-r--r-- 1 root root 20K Jan 1 1970 audience-annotations-0.5.0.jar
-rw-r--r-- 1 root root 230K Jan 1 1970 bolt-1.4.6.jar
-rw-r--r-- 1 root root 277K Jan 1 1970 cglib-3.1.jar
-rw-r--r-- 1 root root 210K Jan 1 1970 checker-qual-3.5.0.jar
-rw-r--r-- 1 root root 340K Jan 1 1970 commons-codec-1.14.jar
-rw-r--r-- 1 root root 601K Jan 1 1970 commons-compress-1.19.jar
-rw-r--r-- 1 root root 355K Jan 1 1970 commons-configuration-1.10.jar
-rw-r--r-- 1 root root 204K Jan 1 1970 commons-dbcp2-2.7.0.jar
-rw-r--r-- 1 root root 270K Jan 1 1970 commons-io-2.7.jar
-rw-r--r-- 1 root root 293K Jan 1 1970 commons-jxpath-1.3.jar
-rw-r--r-- 1 root root 278K Jan 1 1970 commons-lang-2.6.jar
-rw-r--r-- 1 root root 60K Jan 1 1970 commons-logging-1.1.1.jar
-rw-r--r-- 1 root root 966K Jan 1 1970 commons-math-2.2.jar
-rw-r--r-- 1 root root 109K Jan 1 1970 commons-pool-1.6.jar
-rw-r--r-- 1 root root 130K Jan 1 1970 commons-pool2-2.8.1.jar
-rw-r--r-- 1 root root 24K Jan 1 1970 compactmap-2.0.jar
-rw-r--r-- 1 root root 215K Jan 1 1970 config-1.2.1.jar
-rw-r--r-- 1 root root 157K Jan 1 1970 consul-api-1.4.2.jar
-rw-r--r-- 1 root root 162K Jan 1 1970 dexx-collections-0.2.jar
-rw-r--r-- 1 root root 3.5M Jan 1 1970 druid-1.2.6.jar
-rw-r--r-- 1 root root 14K Jan 1 1970 error_prone_annotations-2.2.0.jar
-rw-r--r-- 1 root root 435K Jan 1 1970 eureka-client-1.10.16.jar
-rw-r--r-- 1 root root 4.6K Jan 1 1970 failureaccess-1.0.1.jar
-rw-r--r-- 1 root root 639K Jan 1 1970 fastjson-1.2.73.jar
-rw-r--r-- 1 root root 388K Jan 1 1970 fst-2.57.jar
-rw-r--r-- 1 root root 28K Jan 1 1970 grpc-context-1.17.1.jar
-rw-r--r-- 1 root root 730K Jan 1 1970 grpc-core-1.17.1.jar
-rw-r--r-- 1 root root 144K Jan 1 1970 grpc-grpclb-1.17.1.jar
-rw-r--r-- 1 root root 208K Jan 1 1970 grpc-netty-1.17.1.jar
-rw-r--r-- 1 root root 4.9K Jan 1 1970 grpc-protobuf-1.17.1.jar
-rw-r--r-- 1 root root 7.5K Jan 1 1970 grpc-protobuf-lite-1.17.1.ja

I followed your steps, so this should be the latest image. Why does it still not work? Very strange.
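As an added example (not code from the thread or the Seata project), the following Python checker parses an `ls -lh` listing like the one above and reports every jar below a minimum version, plus artifacts shipped in more than one version. The only floor taken from the thread is fastjson 1.2.83; the sample listing is constructed from values seen in this thread, and the hessian entries are illustrative.

```python
import re
from typing import Dict, List, Tuple

# "<artifact>-<version>.jar": the artifact is everything before the first "-<digit>",
# so names such as commons-dbcp2-2.7.0.jar split into ("commons-dbcp2", "2.7.0").
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/\s]*)\.jar$")

def parse_listing(text: str) -> Dict[str, List[str]]:
    """Collect {artifact: [versions]} from ls -l style lines; non-jar and truncated lines are skipped."""
    found: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        m = JAR_RE.match(fields[-1]) if fields else None
        if m:
            found.setdefault(m["artifact"], []).append(m["version"])
    return found

def version_key(v: str) -> Tuple:
    """Numeric-aware ordering: 1.2.83 > 1.2.9, and 4.1.76.Final > 4.1.76."""
    parts = re.split(r"[.\-]", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def below_floor(found: Dict[str, List[str]], floors: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(artifact, installed, minimum) for each installed version older than its floor."""
    return [(a, v, floors[a]) for a in floors for v in found.get(a, [])
            if version_key(v) < version_key(floors[a])]

def duplicates(found: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Artifacts present in several versions: classpath order decides which one loads."""
    return {a: sorted(vs, key=version_key) for a, vs in found.items() if len(vs) > 1}

# Constructed sample listing (values taken from this thread; hessian sizes are illustrative).
SAMPLE_LISTING = """\
total 78M
-rw-r--r-- 1 root root 639K Jan 1 1970 fastjson-1.2.73.jar
-rw-r--r-- 1 root root 204K Jan 1 1970 commons-dbcp2-2.7.0.jar
-rw-r--r-- 1 root root 3.5M Jan 1 1970 druid-1.2.6.jar
-rw-r--r-- 1 root root 100K Jan 1 1970 hessian-3.3.6.jar
-rw-r--r-- 1 root root 100K Jan 1 1970 hessian-4.0.63.jar
-rw-r--r-- 1 root root 7.5K Jan 1 1970 grpc-protobuf-lite-1.17.1.ja
"""
FLOORS = {"fastjson": "1.2.83"}  # from the thread; extend from your scanner's advisories

if __name__ == "__main__":
    jars = parse_listing(SAMPLE_LISTING)
    for artifact, installed, minimum in below_floor(jars, FLOORS):
        print(f"OUTDATED {artifact}-{installed} (minimum {minimum})")
    for artifact, versions in duplicates(jars).items():
        print(f"DUPLICATE {artifact}: {', '.join(versions)}")
```

Pipe the real `ls -lh /seata-server/libs` output into `parse_listing` to compare a pulled image against the versions in the 2.x pom.xml before trusting the `latest` tag.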

smallwolf99 commented 1 year ago

PS C:\Users\cmk> docker images
REPOSITORY             TAG      IMAGE ID       CREATED         SIZE
mongo                  6.0.1    d34d21a9eb5b   7 months ago    693MB
seataio/seata-server   latest   3d094d47f5eb   15 months ago   349MB
gitlab/gitlab-ee       latest   7217de545a48   15 months ago   2.55GB

There are no other images either; I deliberately deleted it every time and downloaded it again.

funky-eyes commented 1 year ago

Change your registry mirror; the mirror probably hasn't synced the update.

smallwolf99 commented 1 year ago

I changed the source to hub.docker.com and can now pull the latest image, but the latest image still has quite a few vulnerabilities and fails our security review. Are there any plans to update the base image and dependencies soon? [screenshot]

smallwolf99 commented 1 year ago

Guys, is there a discussion group or instant-messaging channel? It would make communicating and reporting issues easier.

funky-eyes commented 1 year ago

If convenient, please post all the vulnerable dependencies in the current latest image, and the community will look at how to fix them.

smallwolf99 commented 1 year ago

[screenshot]

smallwolf99 commented 1 year ago

[screenshot]

smallwolf99 commented 1 year ago

[screenshot]

smallwolf99 commented 1 year ago

[screenshot]

smallwolf99 commented 1 year ago

[screenshot]

smallwolf99 commented 1 year ago

[screenshot]

smallwolf99 commented 1 year ago

I can't export the list, so screenshots are all I can post.

funky-eyes commented 1 year ago

Actually, there's no need to worry too much about this. The community always fixes a batch of known security vulnerabilities before each release. These vulnerabilities come from third-party libraries that Seata depends on, and seata-server is intended for communication inside the service network; as long as it isn't exposed to the public internet, the chance of these vulnerabilities being exploited is very low.

smallwolf99 commented 1 year ago

OK, looking forward to the next version. Also, will 1.6.1 be updated later as well, or only 2.x?

slievrly commented 1 year ago

@smallwolf99 We hope that you can participate in fixing the vulnerabilities and welcome you to submit a PR.

smallwolf99 commented 1 year ago

> I checked the dependency versions in this pom.xml, and some of them are still not secure versions, as follows:
>
> 1.4.19 ----- suggested fixed version: 1.4.20
> 1.4.2 ----- suggested fixed version: 2.0.4
>
> > The version you have is old. Could you provide the latest list of security vulnerabilities? For example, fastjson has already been upgraded to 1.2.83 in latest. https://github.com/seata/seata/blob/2.x/dependencies/pom.xml

Is seata 2.x a stable release? We see that the release page still shows v1.6.1. Is 2.x backward compatible? Can the earlier v1.6.1 image be replaced with 2.x?

smallwolf99 commented 1 year ago

> @smallwolf99 We hope that you can participate in fixing the vulnerabilities and welcome you to submit a PR.

Thanks for the invitation, but I'm on projects