Closed SnehansuBhuyan closed 2 years ago
@SnehansuBhuyan - The plugin itself doesn't use those versions of log4j. It could be possible that one or a few of the plugin's dependencies have that as a dependency. However, I am not seeing it at my end. Can you please run the following commands pointing to the Maven repo:
CONFIG_VERSION=1.5.3
mvn -f $HOME/.m2/repository/com/apigee/edge/config/apigee-config-maven-plugin/$CONFIG_VERSION/apigee-config-maven-plugin-$CONFIG_VERSION.pom dependency:list | grep log4j
CONFIG_VERSION=2.4.0
mvn -f $HOME/.m2/repository/com/apigee/edge/config/apigee-config-maven-plugin/$CONFIG_VERSION/apigee-config-maven-plugin-$CONFIG_VERSION.pom dependency:list | grep log4j
If you find log4j-1.x in the response from the above commands, then please run these to see which dependency is using that jar:
CONFIG_VERSION=1.5.3
mvn -f $HOME/.m2/repository/com/apigee/edge/config/apigee-config-maven-plugin/$CONFIG_VERSION/apigee-config-maven-plugin-$CONFIG_VERSION.pom dependency:tree
CONFIG_VERSION=2.4.0
mvn -f $HOME/.m2/repository/com/apigee/edge/config/apigee-config-maven-plugin/$CONFIG_VERSION/apigee-config-maven-plugin-$CONFIG_VERSION.pom dependency:tree
Hi @ssvaidyanathan,
Sorry for the late response here. Please check the output of the commands for both plugin versions, 1.5.3 & 2.4.0. I do not see log4j-1.x, so is there any way we can also check the transitive dependencies this plugin is using?
Smitas-MacBook-Pro:apigee-config-maven-plugin-apigee-config-maven-plugin-1.5.3 smitarani$ CONFIG_VERSION=1.5.3
Smitas-MacBook-Pro:apigee-config-maven-plugin-apigee-config-maven-plugin-1.5.3 smitarani$ mvn -f $HOME/.m2/repository/com/apigee/edge/config/apigee-config-maven-plugin/$CONFIG_VERSION/apigee-config-maven-plugin-$CONFIG_VERSION.pom dependency:list | grep log4j
[INFO] org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
Smitas-MacBook-Pro:apigee-config-maven-plugin-apigee-config-maven-plugin-2.4.0 smitarani$ CONFIG_VERSION=2.4.0
Smitas-MacBook-Pro:apigee-config-maven-plugin-apigee-config-maven-plugin-2.4.0 smitarani$ mvn -f $HOME/.m2/repository/com/apigee/edge/config/apigee-config-maven-plugin/$CONFIG_VERSION/apigee-config-maven-plugin-$CONFIG_VERSION.pom dependency:list | grep log4j
[INFO] org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
It should show them too. Try running the same commands with the older versions of Apigee. You will see them show up.
For example:
CONFIG_VERSION=1.4.6
mvn -f $HOME/.m2/repository/com/apigee/edge/config/apigee-config-maven-plugin/$CONFIG_VERSION/apigee-config-maven-plugin-$CONFIG_VERSION.pom dependency:list | grep log4j
[INFO] log4j:log4j:jar:1.2.17:compile
[INFO] org.slf4j:slf4j-log4j12:jar:1.6.6:compile
Can you find more info from Sonatype and see which jar is causing the vulnerability?
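The two comments above amount to a manual procedure: dump the plugin's resolved dependencies and eyeball the output for log4j 1.x. The script below is an added example, not code from this thread or from the apigee-config-maven-plugin project. It reads `dependency:list` or `dependency:tree` output on stdin, picks out every Maven coordinate on each line, and flags the log4j:log4j 1.x jar, the slf4j-log4j12 binding that pulls it in, and any log4j-core older than a minimum version. The 2.17.1 threshold is an assumption taken from the clean output quoted in the thread, the `scan_log4j`/`count_flags` names are mine, and both sample inputs are constructed (modelled on the 1.4.6 and 1.5.3/2.4.0 output quoted above; the log4j-core 2.14.1 entry is made up to exercise the version check).

```shell
#!/bin/sh
# Added example, not code from the thread or from the Apigee plugin project.
# Reads the output of `mvn ... dependency:list` or `dependency:tree` (stdin or
# file arguments) and prints one FLAG line per log4j artifact that needs a
# look: any log4j:log4j 1.x jar, the slf4j-log4j12 binding that drags it in,
# and log4j-core older than an assumed minimum version.

# Assumption: 2.17.1 is the version the thread treats as clean, so anything
# older is flagged. Set this to whatever your Sonatype IQ policy requires.
MIN_LOG4J2="${MIN_LOG4J2:-2.17.1}"

scan_log4j() {
    awk -v min="$MIN_LOG4J2" '
    # Numeric, part-by-part version compare; qualifiers such as "-rc1" are
    # ignored because "9-rc1" + 0 == 9 in awk. Returns -1, 0 or 1.
    function vcmp(a, b,    pa, pb, na, nb, n, i, x, y) {
        na = split(a, pa, "[.]"); nb = split(b, pb, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = pa[i] + 0; y = pb[i] + 0
            if (x != y) return (x > y) ? 1 : -1
        }
        return 0
    }
    {
        # Every whitespace-separated field that looks like a Maven coordinate
        # (groupId:artifactId:type[:classifier]:version[:scope]) is examined,
        # so the "|  \-" tree-drawing prefixes of dependency:tree do not matter.
        for (i = 1; i <= NF; i++) {
            n = split($i, c, ":")
            if (n < 4) continue
            g = c[1]; a = c[2]; v = c[n]
            if (v ~ /^(compile|provided|runtime|test|system|import)$/) v = c[n-1]
            if (g == "log4j" && a == "log4j") {
                printf "FLAG %s:%s:%s log4j 1.x line (end of life)\n", g, a, v
            } else if (g == "org.slf4j" && a == "slf4j-log4j12") {
                printf "FLAG %s:%s:%s binds SLF4J to log4j 1.x\n", g, a, v
            } else if (g == "org.apache.logging.log4j" && a == "log4j-core" && vcmp(v, min) < 0) {
                printf "FLAG %s:%s:%s log4j-core below %s\n", g, a, v, min
            }
        }
    }' "$@"
}

# Number of FLAG lines for the input on stdin (grep -c prints 0 but exits 1
# when nothing matches, hence the || true).
count_flags() {
    scan_log4j | grep -c '^FLAG' || true
}

# Constructed sample, modelled on the dependency:tree lines quoted in the
# thread for plugin 1.4.6. The log4j-core 2.14.1 entry is made up to exercise
# the version check; the thread does not report it.
SAMPLE_OLD=$(cat <<'EOF'
[INFO] com.apigee.edge.config:apigee-config-maven-plugin:maven-plugin:1.4.6
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.6.6:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.6.6:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
EOF
)

# Constructed sample modelled on the clean 1.5.3 / 2.4.0 output in the thread.
SAMPLE_CLEAN=$(cat <<'EOF'
[INFO] org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
EOF
)

case "${1:-}" in
    --demo)   # scan the two constructed samples
        printf '%s\n' "$SAMPLE_OLD" | scan_log4j
        printf '%s\n' "$SAMPLE_CLEAN" | scan_log4j ;;
    --scan)   # e.g. mvn -f <plugin pom> dependency:tree | sh scan_log4j.sh --scan
        scan_log4j ;;
esac
```

Run it with `--demo` to see the three FLAG lines for the old sample and nothing for the clean one, or pipe the thread's `mvn -f ... dependency:tree` command into `--scan`. One caveat worth keeping in mind: `dependency:list` and `dependency:tree` only cover the project's own dependency graph, not the dependencies of the build plugins it runs. If the flagged jar is being pulled in by a plugin such as maven-compiler-plugin, `mvn dependency:resolve-plugins` prints those plugin dependencies, and its output can be piped through the same scanner.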
Yes, I was able to run list/tree for all the dependencies, and I do not see log4j with the 1.x version, which is great. I will also try now with the older versions. And the next step is to get the CVEs from the Sonatype team to debug this further. Thanks @ssvaidyanathan for the quick response.
I was able to resolve the issue. The issue was with the Maven compiler plugin, which has a dependency on log4j, and I was using an old version where log4j has some vulnerabilities. As part of the debugging, I updated the Maven compiler plugin to use the latest version, and the issue got fixed. Thank you again.
Similar to https://github.com/apigee/apigee-deploy-maven-plugin/issues/196#issuecomment-1248652454, there was a vulnerability
Fixed in v2.4.1. Should be available in a few hours.
Hi @ssvaidyanathan, hope you are doing well! We are working to automate the proxy deployment using a CI/CD pipeline. Currently our pipeline is using the Maven plugins below to do the Apigee config and proxy deployment for both SaaS and X. But the plugin is throwing errors because the Maven plugin appears in Sonatype IQ with identified Critical or High vulnerability or vulnerabilities associated with the requested artifact, log4j/log4j/1.2.12/log4j-1.2.12.jar. We tried a few options to fix the plugin vulnerabilities but it is not working.
This is a big blocker for us now, as we are not able to proceed with automated deployment, and we need your help and guidance to fix the issue.
Here are the GitHub location and the Maven plugin versions used in our CI/CD:
Apigee plugin GitHub location: https://github.com/apigee/apigee-config-maven-plugin/
Currently using the latest version of the plugins for Apigee SaaS:
Maven deploy plugin: 1.3.3
Maven config plugin: 1.5.3
Currently using the latest version of the plugins for Apigee X:
Maven deploy plugin: 2.3.1
Maven config plugin: 2.4.0
Thanks, Snehansu.