search

ballcat-projects / ballcat

😸一个快速开发脚手架,快速搭建企业级后台管理系统,并提供多种便捷starter进行功能扩展。主要功能包括前后台用户分离,菜单权限,数据权限,定时任务,访问日志,操作日志,异常日志,统一异常处理,XSS过滤,SQL防注入,国际化 等多种功能
http://docs.ballcat.org
Apache License 2.0
1.53k stars 297 forks source link

Dependency org.yaml:snakeyaml, leading to CVE problem #241

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Hi, In /ballcat-spring-boot-starter-redis,there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
com.hccake.ballcat.autoconfigure.redis.AddMessageEventListenerToContainer: addMessageListener()V .m2/repository/io/netty/netty-transport/4.1.89.Final/netty-transport-4.1.89.Final.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; .m2/repository/io/netty/netty-transport/4.1.89.Final/netty-transport-4.1.89.Final.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; .m2/repository/io/netty/netty-transport/4.1.89.Final/netty-transport-4.1.89.Final.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; .m2/repository/io/netty/netty-transport/4.1.89.Final/netty-transport-4.1.89.Final.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.hccake:ballcat-spring-boot-starter-redis:jar:1.1.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.5:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.5:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.5:compile
[INFO] +- com.hccake:ballcat-common-redis:jar:1.1.0-SNAPSHOT:compile
[INFO] |  +- com.hccake:ballcat-common-core:jar:1.1.0-SNAPSHOT:compile
[INFO] |  |  +- cn.hutool:hutool-core:jar:5.8.11:compile
[INFO] |  |  +- cn.hutool:hutool-crypto:jar:5.8.11:compile
[INFO] |  |  +- cn.hutool:hutool-http:jar:5.8.11:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.5:compile
[INFO] |  |  +- com.hccake:ballcat-common-model:jar:1.1.0-SNAPSHOT:compile
[INFO] |  |  |  +- com.baomidou:mybatis-plus-annotation:jar:3.5.3.1:compile
[INFO] |  |  |  +- com.hccake:ballcat-common-i18n:jar:1.1.0-SNAPSHOT:compile
[INFO] |  |  |  |  \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  |  |  +- io.swagger.core.v3:swagger-annotations:jar:2.2.7:compile
[INFO] |  |  |  +- org.hibernate.validator:hibernate-validator:jar:6.2.5.Final:compile
[INFO] |  |  |  |  +- org.jboss.logging:jboss-logging:jar:3.4.3.Final:compile
[INFO] |  |  |  |  \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  |  |  \- org.springdoc:springdoc-openapi-common:jar:1.6.14:compile
[INFO] |  |  |     \- io.swagger.core.v3:swagger-core:jar:2.2.7:compile
[INFO] |  |  |        +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  |  |        +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.5:compile
[INFO] |  |  |        \- io.swagger.core.v3:swagger-models:jar:2.2.7:compile
[INFO] |  |  +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] |  |  +- org.springframework:spring-context:jar:5.3.25:compile
[INFO] |  |  \- org.springframework:spring-web:jar:5.3.25:compile
[INFO] |  +- com.hccake:ballcat-common-util:jar:1.1.0-SNAPSHOT:compile
[INFO] |  |  \- org.jsoup:jsoup:jar:1.15.3:compile
[INFO] |  +- org.aspectj:aspectjweaver:jar:1.9.7:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.7.9:compile
[INFO] |  \- org.springframework.data:spring-data-redis:jar:2.7.8:compile
[INFO] |     +- org.springframework.data:spring-data-keyvalue:jar:2.7.8:compile
[INFO] |     |  \- org.springframework.data:spring-data-commons:jar:2.7.8:compile
[INFO] |     +- org.springframework:spring-tx:jar:5.3.25:compile
[INFO] |     +- org.springframework:spring-oxm:jar:5.3.25:compile
[INFO] |     \- org.springframework:spring-context-support:jar:5.3.25:compile
[INFO] +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.9:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.7.9:compile
[INFO] +- org.springframework.boot:spring-boot-starter-aop:jar:2.7.9:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.9:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.9:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  \- org.springframework:spring-aop:jar:5.3.25:compile
[INFO] |     \- org.springframework:spring-beans:jar:5.3.25:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-redis:jar:2.7.9:compile
[INFO] |  \- io.lettuce:lettuce-core:jar:6.1.10.RELEASE:compile
[INFO] |     +- io.netty:netty-common:jar:4.1.89.Final:compile
[INFO] |     +- io.netty:netty-handler:jar:4.1.89.Final:compile
[INFO] |     |  +- io.netty:netty-resolver:jar:4.1.89.Final:compile
[INFO] |     |  +- io.netty:netty-buffer:jar:4.1.89.Final:compile
[INFO] |     |  +- io.netty:netty-transport-native-unix-common:jar:4.1.89.Final:compile
[INFO] |     |  \- io.netty:netty-codec:jar:4.1.89.Final:compile
[INFO] |     +- io.netty:netty-transport:jar:4.1.89.Final:compile
[INFO] |     \- io.projectreactor:reactor-core:jar:3.4.27:compile
[INFO] |        \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO] +- org.mapstruct:mapstruct:jar:1.5.3.Final:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.24:provided
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.7.9:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.7.9:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.9:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.4.8:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO] |  |        \- org.ow2.asm:asm:jar:9.1:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] |  +- org.assertj:assertj-core:jar:3.22.0:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] |  +- org.mockito:mockito-core:jar:4.5.1:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.23:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.23:test
[INFO] |  |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.1:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:5.3.25:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.25:compile
[INFO] |  +- org.springframework:spring-test:jar:5.3.25:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.9.1:test
[INFO] \- org.springframework.security:spring-security-test:jar:5.7.7:test
[INFO]    +- org.springframework.security:spring-security-core:jar:5.7.7:test
[INFO]    |  +- org.springframework.security:spring-security-crypto:jar:5.7.7:test
[INFO]    |  \- org.springframework:spring-expression:jar:5.3.25:compile
[INFO]    \- org.springframework.security:spring-security-web:jar:5.7.7:test

Suggested solutions:

Update dependency version

Hccake commented 1 year ago

org.yaml:snakeyaml follows spring-boot-dependency version management, regardless of the specified version in ballcat.

Also see https://github.com/spring-projects/spring-boot/issues/33457.