apigee / apigee-deploy-maven-plugin

Apache License 2.0

Security vulnerability error for Apigee Deploy Maven Plugin #196

Closed SnehansuBhuyan closed 1 year ago

SnehansuBhuyan commented 1 year ago

Hi @ssvaidyanathan ,

Hope you are doing well !!
Hope you are doing well!!
We are working to automate the proxy deployment using a CI/CD pipeline. Currently our pipeline is using the below Maven plugins to do the Apigee config and proxy deployment for both SaaS and X. But the plugin is throwing errors because the Maven plugin appears in Sonatype IQ as having identified Critical or High vulnerability or vulnerabilities associated with this requested artifact, log4j/log4j/1.2.12/log4j-1.2.12.jar. We tried a few options to fix the plugin vulnerabilities but it's not working. This is a big blocker for us now as we are not able to proceed with automated deployment, and we need your help and guidance to fix the issue.

Here are the GitHub and Maven plugin versions used in our CI/CD:

Currently using the latest version of the plugins for Apigee SaaS:
Maven deploy plugin: 1.3.3
Maven config plugin: 1.5.3

Currently using the latest version of the plugins for Apigee X:
Maven deploy plugin: 2.3.1
Maven config plugin: 2.4.0

ssvaidyanathan commented 1 year ago

@SnehansuBhuyan - The plugin itself doesn't use those versions of log4j. It could be possible that one or a few of the plugin's dependencies have that as a dependency. However, I am not seeing it at my end. Can you please run the following commands pointing to the Maven repo:

DEPLOY_VERSION=1.3.3
mvn -f $HOME/.m2/repository/io/apigee/build-tools/enterprise4g/apigee-edge-maven-plugin/$DEPLOY_VERSION/apigee-edge-maven-plugin-$DEPLOY_VERSION.pom dependency:list | grep log4j

DEPLOY_VERSION=2.3.1
mvn -f $HOME/.m2/repository/io/apigee/build-tools/enterprise4g/apigee-edge-maven-plugin/$DEPLOY_VERSION/apigee-edge-maven-plugin-$DEPLOY_VERSION.pom dependency:list | grep log4j

If you find log4j-1.x in the response from the above commands, then please run these to see which dependency is using that jar:

DEPLOY_VERSION=1.3.3
mvn -f $HOME/.m2/repository/io/apigee/build-tools/enterprise4g/apigee-edge-maven-plugin/$DEPLOY_VERSION/apigee-edge-maven-plugin-$DEPLOY_VERSION.pom dependency:tree 

DEPLOY_VERSION=2.3.1
mvn -f $HOME/.m2/repository/io/apigee/build-tools/enterprise4g/apigee-edge-maven-plugin/$DEPLOY_VERSION/apigee-edge-maven-plugin-$DEPLOY_VERSION.pom dependency:tree
ssvaidyanathan commented 1 year ago

@smita0502 - can we close this too as you were able to fix it (https://github.com/apigee/apigee-config-maven-plugin/issues/160#issuecomment-1244522486)

smita0502 commented 1 year ago

Yes please, we can close this too as there is no vulnerability in this plugin.

smita0502 commented 1 year ago

Hi @ssvaidyanathan, I am reopening this case as we are seeing some vulnerabilities in transitive dependencies of this plugin.

Smitas-MBP:apigee-deploy-maven-plugin-apigee-edge-maven-plugin-2.3.1 smitarani$ mvn -f $HOME/.m2/repository/io/apigee/build-tools/enterprise4g/apigee-edge-maven-plugin/$DEPLOY_VERSION/apigee-edge-maven-plugin-$DEPLOY_VERSION.pom dependency:list | grep commons
[INFO] commons-io:commons-io:jar:1.2:compile
[INFO] commons-logging:commons-logging:jar:1.1.1:provided
[INFO] commons-fileupload:commons-fileupload:jar:1.1.1:compile
[INFO] org.apache.ws.commons.axiom:axiom-api:jar:1.2.5:compile
[INFO] commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO] org.apache.ws.commons.axiom:axiom-dom:jar:1.2.5:compile
[INFO] org.apache.ws.commons.axiom:axiom-impl:jar:1.2.5:compile
[INFO] commons-codec:commons-codec:jar:1.10:compile
[INFO] org.apache.ws.commons.schema:XmlSchema:jar:1.3.2:compile
[INFO] org.apache.commons:commons-lang3:jar:3.1:compile

commons-fileupload:commons-fileupload:jar:1.1.1:compile has a couple of vulnerabilities, which can be verified here: https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload/1.1.1. It is not getting passed by our Nexus IQ server. I do see it has a newer version, 1.4, which doesn't have any security vulnerability.

Would you be able to help us to update this?
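One way to automate the check ssvaidyanathan describes above (run dependency:tree and find which dependency brings in a flagged jar) together with smita0502's commons-fileupload finding, as an added example that is not part of this thread or of the plugin's own code: a Python script that parses `mvn dependency:tree` output and reports the ancestor chain of every artifact below a version threshold. The sample tree, the `example.org` parent artifacts and the `POLICY` thresholds are constructed for the example.

```python
import re

# Constructed policy for this example: "group:artifact" -> lowest acceptable
# version (None = every version flagged). Thresholds are assumptions taken from
# the thread (fileupload fixed in 1.4; log4j 1.x, wstx-asl quarantined by IQ).
POLICY = {
    "commons-fileupload:commons-fileupload": "1.4",
    "log4j:log4j": "2.0",
    "org.codehaus.woodstox:wstx-asl": None,
}
TREE_GLYPHS = {"+- ", "\\- ", "|  ", "   "}  # 3-char nesting glyphs of dependency:tree

# Constructed sample tree: leaf jars are from the thread; the example.org parents
# are placeholders for whichever plugin dependency really pulls them in.
SAMPLE_TREE = """\
[INFO] io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:maven-plugin:2.3.1
[INFO] +- example.org:constructed-parent-a:jar:1.0:compile
[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.1.1:compile
[INFO] |  |  \\- commons-io:commons-io:jar:1.2:compile
[INFO] |  \\- org.codehaus.woodstox:wstx-asl:jar:3.2.1:compile
[INFO] +- example.org:constructed-parent-b:jar:1.0:compile
[INFO] |  \\- log4j:log4j:jar:1.2.12:compile
[INFO] \\- commons-codec:commons-codec:jar:1.10:compile
"""

def version_key(version):
    """Numeric tuple for a dotted version; non-numeric segments count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))

def parse_tree(text):
    """Yield (depth, coordinate) for each line of dependency:tree output."""
    for line in text.splitlines():
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        depth = 0
        while body[:3] in TREE_GLYPHS:
            body, depth = body[3:], depth + 1
        if ":" in body:
            yield depth, body.strip()

def find_flagged(text):
    """Return [(coordinate, [root, ..., direct parent])] for each policy hit."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]                 # keep only this node's ancestors
        parts = coord.split(":")          # group:artifact:type[:classifier]:version[:scope]
        floor = POLICY.get(":".join(parts[:2]), "absent")
        version = parts[4] if len(parts) == 6 else parts[3]
        if floor is None or (floor != "absent" and version_key(version) < version_key(floor)):
            hits.append((coord, list(stack)))
        stack.append(coord)
    return hits
```

Feed the text of `mvn -f <plugin pom> dependency:tree` to `find_flagged`; the last element of each hit's chain is the direct parent whose dependency needs an exclusion or upgrade.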

smita0502 commented 1 year ago

The above issue is with DEPLOY_VERSION=2.3.1

ssvaidyanathan commented 1 year ago

Fixed in v2.3.2. Should be available in a few hours.

smita0502 commented 1 year ago

Thank you so much @ssvaidyanathan

smita0502 commented 1 year ago

Hi @ssvaidyanathan

I have tried testing v2.3.2 and am seeing some more vulnerabilities. Adding the actual output of the build:

[DEBUG] Writing tracking file /builds/fts-apimanagement/new-gitlab-runner-testing-apigeex-proxy/.m2/repository/javax/xml/bind/jaxb-api/2.0/jaxb-api-2.0.jar.lastUpdated
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:20 min
[INFO] Finished at: 2022-09-16T18:40:56Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:2.3.2:configure (configure-bundle) on project apigeex-proxy-nexus-prod-testing: Execution configure-bundle of goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:2.3.2:configure failed: Plugin io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:2.3.2 or one of its dependencies could not be resolved: The following artifacts could not be resolved: org.codehaus.woodstox:wstx-asl:jar:3.2.1, org.apache.ws.commons.axiom:axiom-impl:jar:1.2.5, org.apache.ws.commons.axiom:axiom-dom:jar:1.2.5, javax.mail:mail:jar:1.4, commons-io:commons-io:jar:1.2, org.apache.axis2:axis2-metadata:jar:1.3, org.apache.axis2:axis2-jws-api:jar:1.3, org.apache.ant:ant:jar:1.7.0, org.apache.ant:ant-launcher:jar:1.7.0, org.apache.axis2:axis2-jaxws-api:jar:1.3, org.apache.axis2:axis2-saaj-api:jar:1.3, org.apache.geronimo.specs:geronimo-javamail_1.4_spec:jar:1.0-M1, org.apache.geronimo.specs:geronimo-activation_1.1_spec:jar:1.0-M1, org.apache.axis2:axis2-saaj:jar:1.3, com.sun.xml.bind:jaxb-impl:jar:2.0.5, javax.xml.bind:jsr173_api:jar:1.0, com.sun.xml.bind:jaxb-xjc:jar:2.0.5, javax.xml.bind:jaxb-api:jar:2.0, com.fasterxml.jackson.core:jackson-databind:jar:2.8.4, com.google.auth:google-auth-library-oauth2-http:jar:0.18.0, com.google.auto.value:auto-value-annotations:jar:1.6.6, com.google.auth:google-auth-library-credentials:jar:0.18.0: Could not transfer artifact org.codehaus.woodstox:wstx-asl:jar:3.2.1 from/to maven-central (https://nexus.onefiserv.net/repository/Maven_Central/): authorization failed for https://nexus.onefiserv.net/repository/Maven_Central/org/codehaus/woodstox/wstx-asl/3.2.1/wstx-asl-3.2.1.jar, status: 403
-------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> https://lifecycle.1dc.com/ui/links/repositories/quarantinedComponent/MWU4ZGY3NmQwY2I1NGE1YWFlMjY3ZTg0NWM1OGVhZjg <<<------ -> [Help 1]

It seems that one of the dependencies, org.apache.axis2:axis2-metadata:jar:1.3, has a newer version, v1.8.2 (https://mvnrepository.com/artifact/org.apache.axis2/axis2-metadata), without any security vulnerabilities. I am checking every transitive dependency as well and will be posting here in follow-up comments.

ssvaidyanathan commented 1 year ago

Please check your security report and share that. Having to fix one after the other is not going to be feasible. I fixed it as it was marked as Critical. If there are other "High" ones, I can look into them later.

smita0502 commented 1 year ago

IQ Server - Quarantined Component Report.pdf
Can you please check if you can access the attachment for the security report.

smita0502 commented 1 year ago

IQ Server - Vulnerability Lookup.pdf

ssvaidyanathan commented 1 year ago

Is that the only vulnerability that needs to be fixed?

smita0502 commented 1 year ago

Smitas-MacBook-Pro:apigee-deploy-maven-plugin-apigee-edge-maven-plugin-2.3.2 smitarani$ mvn -f $HOME/.m2/repository/io/apigee/build-tools/enterprise4g/apigee-edge-maven-plugin/$DEPLOY_VERSION/apigee-edge-maven-plugin-$DEPLOY_VERSION.pom dependency:list | grep wstx
[INFO] org.codehaus.woodstox:wstx-asl:jar:3.2.1:compile

smita0502 commented 1 year ago

I am seeing only this so far during the build and in Sonatype, but I can't say for sure that it would be the only vulnerability because I don't know if it runs in sequence.