Closed mrjonstrong closed 1 year ago
@mrjonstrong thanks for your report!
your log contains com.fasterxml.jackson.core:jackson-databind:2.13.0.
it seems this package has a problematic dependency:
2022-04-19T14:49:14.207+0100 DEBUG Resolving com.fasterxml.jackson.core:jackson-databind:2.13.0...
...
{
"VulnerabilityID": "CVE-2020-36518",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"InstalledVersion": "2.13.0",
"FixedVersion": "2.12.6.1, 2.13.2.1",
...
Hi, I have a similar behaviour.
After looping through all my dependencies, I found out that ehcache-2.10.9.2.jar is the culprit. It embeds third party libraries and Trivy seems to be pulling the data from rest-management-private-classpath/META-INF/maven/**/pom.xml files.
If feasible, #1912 might show the "full embedded path" of the dependency? E.g. in the JSON file, something like "PkgPath": "foo/bar/xxx.jar/baz/.../yyy.jar"
would allow us to filter it with OPA.
Update on ehcache: version 3.x already has a patch for the next version: https://github.com/ehcache/ehcache3/pull/3006
People have asked for ehcache 2.x but not sure if this will be backported -> https://groups.google.com/g/ehcache-users/c/oU3gcjkVBts
$ trivy --version
Version: 0.25.0
Vulnerability DB:
Version: 2
UpdatedAt: 2022-04-19 12:11:46.793914247 +0000 UTC
NextUpdate: 2022-04-19 18:11:46.793913847 +0000 UTC
DownloadedAt: 2022-04-19 14:45:33.796876269 +0000 UTC
$ trivy --debug rootfs ehcache-2.10.9.2.jar
ehcache-2.10.9.2.jar
2022-04-19T18:52:17.797+0200 DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-19T18:52:17.797+0200 DEBUG cache dir: /home/ctrung/.cache/trivy
2022-04-19T18:52:17.797+0200 DEBUG DB update was skipped because the local DB is the latest
2022-04-19T18:52:17.797+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-04-19 12:11:46.793914247 +0000 UTC, NextUpdate: 2022-04-19 18:11:46.793913847 +0000 UTC, DownloadedAt: 2022-04-19 14:45:33.796876269 +0000 UTC
2022-04-19T18:52:17.797+0200 DEBUG Vulnerability type: [os library]
2022-04-19T18:52:17.797+0200 DEBUG Parsing Java artifacts... {"file": "ehcache-2.10.9.2.jar"}
2022-04-19T18:52:17.803+0200 DEBUG Parsing Java artifacts... {"file": "net/sf/ehcache/pool/sizeof/sizeof-agent.jar"}
2022-04-19T18:52:18.168+0200 DEBUG No such POM in the central repositories {"file": "sizeof-agent.jar"}
2022-04-19T18:52:18.170+0200 DEBUG OS is not detected and vulnerabilities in OS packages are not detected.
2022-04-19T18:52:18.170+0200 DEBUG Detected OS: unknown
2022-04-19T18:52:18.170+0200 INFO Number of language-specific files: 1
2022-04-19T18:52:18.170+0200 INFO Detecting jar vulnerabilities...
2022-04-19T18:52:18.170+0200 DEBUG Detecting library vulnerabilities, type: jar, path:
Java (jar)
==========
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 2.11.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service via a large depth of nested objects -->avd.aquasec.com/nvd/cve-2020-36518 |
| org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 | 9.4.40.v20210413, 10.0.3, 11.0.3 | jetty: SessionListener can prevent a session from being invalidated breaking logout -->avd.aquasec.com/nvd/cve-2021-34428 |
| org.glassfish.jersey.core:jersey-common | CVE-2021-28168 | MEDIUM | 2.31 | 2.34, 3.0.2 | jersey: Local information disclosure via system temporary directory -->avd.aquasec.com/nvd/cve-2021-28168 |
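The comment above traces the unexpected jackson-databind 2.11.1 finding to a third-party jar bundled inside ehcache-2.10.9.2.jar, which the scanner reads through nested META-INF/maven pom metadata. The script below is an added example, not part of this thread or of Trivy, that does the same triage offline: it walks a jar recursively, descends into every embedded .jar, and collects the Maven coordinates each level declares in META-INF/maven/<groupId>/<artifactId>/pom.properties, so a practitioner can see which copy of an artifact a finding actually came from. The sample jar, the "vendored-lib.jar" name and the 2.11.1/2.13.2 versions it carries are constructed for the demonstration.

```python
"""Locate embedded (nested) jars and the Maven coordinates they carry.

Added example, not Trivy project code. The sample jar is built in memory so
the script runs offline; its contents are constructed, not taken from ehcache.
"""
import io
import re
import zipfile

# pom.properties written by Maven into every packaged artifact
POM_PROPERTIES_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def parse_pom_properties(text):
    """Return (groupId, artifactId, version) from pom.properties content."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props.get("groupId"), props.get("artifactId"), props.get("version")


def find_embedded_artifacts(jar_bytes, jar_path):
    """Recursively walk a jar (given as bytes) and return a list of
    (path, groupId, artifactId, version). `path` is the nesting chain,
    e.g. 'app.jar!/lib/inner.jar', so the origin of every coordinate is
    visible; entries ending in .jar are opened and walked the same way."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_PROPERTIES_RE.match(name):
                content = zf.read(name).decode("utf-8", "replace")
                group, artifact, version = parse_pom_properties(content)
                found.append((jar_path, group, artifact, version))
            elif name.endswith(".jar"):
                nested = zf.read(name)
                found.extend(find_embedded_artifacts(nested, jar_path + "!/" + name))
    return found


def build_sample_jar():
    """Constructed sample: an application jar that declares jackson-databind
    2.13.2 itself but bundles a third-party jar carrying an older
    jackson-databind 2.11.1 pom.properties (constructed values)."""
    def make_jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()

    inner = make_jar({
        "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties":
            "#Generated by Maven\nversion=2.11.1\n"
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n",
    })
    return make_jar({
        "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties":
            "version=2.13.2\ngroupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-databind\n",
        # hypothetical nested jar name; the directory name mirrors the thread
        "rest-management-private-classpath/vendored-lib.jar": inner,
    })


def report(jar_bytes, jar_path):
    """Group discovered coordinates by artifact: {'group:artifact': [(version, path), ...]}
    so duplicate artifacts at different versions stand out."""
    by_artifact = {}
    for path, group, artifact, version in find_embedded_artifacts(jar_bytes, jar_path):
        by_artifact.setdefault(f"{group}:{artifact}", []).append((version, path))
    return by_artifact


if __name__ == "__main__":
    for coord, hits in sorted(report(build_sample_jar(), "app.jar").items()):
        print(coord)
        for version, path in hits:
            print(f"  {version:10} {path}")
```

To run it against a real file, replace the call to build_sample_jar() with the bytes of the jar under investigation (open(path, "rb").read()); the path column then tells you whether a flagged version sits in the top-level artifact or in something it repackages, which is the information the "PkgPath" suggestion above asks the scanner to expose.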
Thanks @afdesk but I think I didn't explain it well.
trivy is misidentifying it as a different version, as you pointed out the installed version trivy thinks is com.fasterxml.jackson.core:jackson-databind:2.13.0
But as per maven tree I'm using com.fasterxml.jackson.core:jackson-databind:2.13.2
[INFO] | \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
If it helps I can share the pom.xml it is scanning, but here is a bit
<jackson.version>2.13.2</jackson.version>
<jackson-bom.version>${jackson.version}</jackson-bom.version>
Thanks @ctrung
I'm not sure if it is the same thing or not, your example was a rootfs scan instead of mine being a filesystem scan and reading the pom.xml. When building I thought maven would pick only one version of jackson-databind and pick the one declared in the properties.
I tried the same scan with version 0.23.0 of trivy and got the expected result of it only picking up com.fasterxml.jackson.core:jackson-databind:2.13.2 so I wondered what might have changed in between versions.
I noticed https://github.com/aquasecurity/trivy/pull/1959 but thought that might have helped.
@afdesk @knqyf263 I'm having the same issue. Looks like trivy is not resolving the right dependency version. It might be related to #1728 as it might be picking the wrong version of the dependency?
If it helps here is the pom
'
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<groupId>your.group.id</groupId>
<artifactId>your-artifact-id</artifactId>
<version>your-version</version>
<packaging>jar</packaging>
<name>hello-world</name>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.6</version>
<relativePath/>
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>11</java.version>
<maven.compiler.plugin.version>2.3.2</maven.compiler.plugin.version>
<maven.resources.plugin.version>2.6</maven.resources.plugin.version>
<maven.dependency.plugin.version>2.8</maven.dependency.plugin.version>
<maven.deploy.plugin.version>2.7</maven.deploy.plugin.version>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
<maven.release.plugin.version>2.5.3</maven.release.plugin.version>
<maven.test.skip>false</maven.test.skip>
<jackson.version>2.13.2</jackson.version>
<jackson-bom.version>${jackson.version}</jackson-bom.version>
<jacoco.version>0.8.6</jacoco.version>
<env.BUILD_NUMBER>0</env.BUILD_NUMBER>
<argLine/>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>2021.0.0</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-autoconfigure</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-bootstrap</artifactId>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.11.0</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.22</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<version>2.6.5</version>
<scope>test</scope>
</dependency>
</dependencies>
'
This issue is stale because it has been labeled with inactivity.
In favor of #3986
Checklist
- Run with -f json that shows data sources and make sure that the security advisory is correct.
Description
org.fasterxml.jackson.core:jackson-annotations org.fasterxml.jackson.core:jackson-core org.fasterxml.jackson.core:jackson-databind are identified by trivy as version 2.13.0 (having come from org.springframework.cloud/spring-cloud-starter-config@3.1.0). However, on the pom.xml in properties jackson version is given as 2.13.2 and maven tree (output below) shows them correctly as 2.13.2.
JSON Output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
Maven tree with correct versions showing
[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.6.6:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.2:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.2:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.2:compile
[INFO] | +- org.springframework.cloud:spring-cloud-config-client:jar:3.1.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
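The reporter's evidence throughout this issue is a disagreement between two sources of truth: the InstalledVersion in Trivy's JSON output (2.13.0) and the version Maven actually resolved in mvn dependency:tree (2.13.2). The script below is an added example, not part of this thread or of Trivy, that automates that comparison: it parses a Trivy JSON report and a dependency:tree listing and lists every finding whose installed version does not match what Maven resolved, which is the set of findings worth a manual check before they are accepted or suppressed. The JSON document and the tree text are constructed samples shaped after the snippets in the thread; the JSON uses the Results/Vulnerabilities layout and the PkgName, InstalledVersion, FixedVersion and VulnerabilityID fields that appear in the thread's own excerpt.

```python
"""Cross-check Trivy's reported package versions against Maven's resolved tree.

Added example, not Trivy project code. TRIVY_JSON and MAVEN_TREE are constructed
samples modelled on the excerpts in this issue.
"""
import json
import re

# One artifact line of `mvn dependency:tree`, e.g.
# [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
TREE_LINE_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r":(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

MAVEN_TREE = """\
[INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.6.6:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.2:compile
[INFO] |  \\- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.2:compile
[INFO] +- org.springframework.cloud:spring-cloud-config-client:jar:3.1.0:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
"""

# Constructed report: one finding whose InstalledVersion disagrees with the tree.
TRIVY_JSON = json.dumps({
    "Results": [{
        "Target": "pom.xml",
        "Class": "lang-pkgs",
        "Type": "pom",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2020-36518",
            "PkgName": "com.fasterxml.jackson.core:jackson-databind",
            "InstalledVersion": "2.13.0",
            "FixedVersion": "2.12.6.1, 2.13.2.1",
            "Severity": "HIGH",
        }],
    }],
})


def parse_maven_tree(text):
    """Return {'group:artifact': version} for every artifact line in the tree."""
    resolved = {}
    for line in text.splitlines():
        m = TREE_LINE_RE.search(line)
        if m:
            resolved[f"{m['group']}:{m['artifact']}"] = m["version"]
    return resolved


def trivy_findings(report_json):
    """Yield (pkg_name, installed_version, vuln_id) from a Trivy JSON report."""
    report = json.loads(report_json)
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln["PkgName"], vuln["InstalledVersion"], vuln["VulnerabilityID"]


def find_mismatches(report_json, tree_text):
    """Return findings whose InstalledVersion differs from Maven's resolution.

    Each mismatch is a dict with pkg, vuln, trivy_version and maven_version.
    Packages absent from the tree are not reported here: they may come from
    an embedded jar the tree cannot see, which is a separate investigation."""
    resolved = parse_maven_tree(tree_text)
    mismatches = []
    for pkg, installed, vuln_id in trivy_findings(report_json):
        maven_version = resolved.get(pkg)
        if maven_version is not None and maven_version != installed:
            mismatches.append({
                "pkg": pkg,
                "vuln": vuln_id,
                "trivy_version": installed,
                "maven_version": maven_version,
            })
    return mismatches


if __name__ == "__main__":
    for m in find_mismatches(TRIVY_JSON, MAVEN_TREE):
        print(f"{m['vuln']}: {m['pkg']} trivy={m['trivy_version']} maven={m['maven_version']}")
```

In a pipeline the two inputs would come from trivy fs -f json -o report.json and mvn dependency:tree > tree.txt; a non-empty mismatch list is a signal to look at how the scanner resolved the version (parent POM, BOM import or property interpolation) rather than to accept or waive the finding as reported.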