Closed rasa-app closed 1 year ago
Not sure what’s going on. Snyk isn’t reporting any vulnerabilities: https://security.snyk.io/package/maven/commons-collections:commons-collections/3.2.2
@lprimak Perhaps https://advisory.checkmarx.net/advisory/vulnerability/Cx78f40514-81ff/ (guess IDEA is using checkmarx under the covers)
I don't think Shiro is vulnerable to this anyway, and I am not sure what Shiro can do, since beanutils depends on Collections 3 and 3.2.2 is the latest version available.
We can try to exclude the v3 and add the v4 of commons-collection but I'm not sure about the backward compatibility
@fpapon package names are different in collections4 so that would not work.
@lprimak ok, so bad idea :)
I even checked commons-beanutils2 to see if it uses commons-collections4, but it doesn't. You may want to open an issue for commons-beanutils2 for them to use commons-collections4.
Since this is not a vulnerability that is exposed by Shiro, and there is nothing actionable that can be done, I am going to close this issue. Please feel free to reopen if you have any further actionable suggestions.
@rasa-app
FWIW, if your application does not make use of commons-collections, which is likely if you do not parse environment variables in shiro.ini into lists, then you can just exclude it like this:
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-config-ogdl</artifactId>
    <version>${dependency.shiro.version}</version>
    <exclusions>
        <exclusion>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
        </exclusion>
    </exclusions>
</dependency>
HTH
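Exclusions like the one above only help if the artifact really disappears from the resolved tree; another path (a second Shiro module, or a direct dependency of the application itself) can still pull commons-collections back in. The script below is an added example, not code from the thread or from the Shiro project: it checks `mvn dependency:tree` output for a given `groupId:artifactId` and shows which path resolves it. The two tree listings are constructed sample output (coordinates and versions are illustrative), so it runs offline; against a real build you would feed it the output of `mvn dependency:tree -Dincludes=commons-collections:commons-collections`.

```shell
#!/bin/sh
# Added example (not from the Shiro project or this issue thread).
# Verifies that a Maven exclusion actually removed an artifact from the
# resolved dependency tree. Real usage against a project:
#   mvn dependency:tree -Dincludes=commons-collections:commons-collections
# Below, two CONSTRUCTED dependency:tree outputs stand in for that command
# so the check runs offline; versions and coordinates are illustrative.

# Constructed: tree as it might look BEFORE the exclusion is applied.
TREE_BEFORE='[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.shiro:shiro-core:jar:1.11.0:compile
[INFO] |  +- org.apache.shiro:shiro-lang:jar:1.11.0:compile
[INFO] |  \- org.apache.shiro:shiro-config-ogdl:jar:1.11.0:compile
[INFO] |     \- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |        \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.36:compile'

# Constructed: same tree AFTER the <exclusion> from the comment above.
TREE_AFTER='[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.shiro:shiro-core:jar:1.11.0:compile
[INFO] |  +- org.apache.shiro:shiro-lang:jar:1.11.0:compile
[INFO] |  \- org.apache.shiro:shiro-config-ogdl:jar:1.11.0:compile
[INFO] |     \- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.36:compile'

# artifact_lines TREE GROUP:ARTIFACT
# Print every tree line that resolves the artifact, whatever version or scope.
# The leading space keeps "foo-commons-collections:..." from matching.
artifact_lines() {
  printf '%s\n' "$1" | grep -F -- " $2:jar:" || true
}

# count_artifact TREE GROUP:ARTIFACT
# Number of times the artifact appears in the tree (0 when absent).
count_artifact() {
  artifact_lines "$1" "$2" | grep -c . || true
}

# check_excluded TREE GROUP:ARTIFACT
# Exit 0 when the artifact is gone; exit 1 and print the paths that still
# pull it in otherwise, so the remaining <exclusion> targets are visible.
check_excluded() {
  found=$(artifact_lines "$1" "$2")
  if [ -n "$found" ]; then
    printf 'STILL PRESENT: %s\n%s\n' "$2" "$found"
    return 1
  fi
  printf 'OK: %s is not in the resolved dependency tree\n' "$2"
  return 0
}

ARTIFACT=commons-collections:commons-collections
echo "--- before exclusion ---"
check_excluded "$TREE_BEFORE" "$ARTIFACT" || :
echo "--- after exclusion ---"
check_excluded "$TREE_AFTER" "$ARTIFACT" || :
```

This only proves the jar is no longer on the compile classpath. As the comment notes, the exclusion is safe only if nothing in the application (including Shiro's own shiro.ini parsing into lists) touches commons-collections at runtime; otherwise the exclusion trades a scanner finding for a `NoClassDefFoundError` in production, so exercise the configuration load in an integration test after applying it.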
IntelliJ complains about vulnerable dependency in shiro-core version 1.11.0: