search

blazegraph / database

Blazegraph High Performance Graph Database
GNU General Public License v2.0
898 stars 173 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #209

Closed CVEDetect closed 3 years ago

CVEDetect commented 3 years ago

Hi, In database/bigdata-gas,there is a dependency org.apache.httpcomponents:httpclient:4.4 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpHost getHttpHost(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[134]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.DecompressingHttpClient: java.lang.Object execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.DecompressingHttpClient.java:[191]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <org.apache.http.impl.client.HttpRequestTaskCallable: java.lang.Object call()> (org.apache.http.impl.client.HttpRequestTaskCallable.java:[89]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4/httpclient-4.4.jar
at <com.bigdata.rdf.graph.impl.GASContext: java.lang.Object reduceOverFrontier(com.bigdata.rdf.graph.IStaticFrontier,com.bigdata.rdf.graph.IReducer)> (com.bigdata.rdf.graph.impl.GASContext.java:[549]) in /detect/unzip/database-BLAZEGRAPH_2_1_6_RC/bigdata-gas/target/classes

Dependency tree--

[INFO] com.blazegraph:bigdata-gas:jar:2.1.6-SNAPSHOT
[INFO] +- com.blazegraph:bigdata-util:jar:2.1.6-SNAPSHOT:compile
[INFO] |  +- com.blazegraph:bigdata-ganglia:jar:2.1.6-SNAPSHOT:compile
[INFO] |  +- com.blazegraph:bigdata-common-util:jar:2.1.6-SNAPSHOT:compile
[INFO] |  |  \- com.blazegraph:system-utils:jar:2.1.6-SNAPSHOT:compile
[INFO] |  +- com.blazegraph:bigdata-statics:jar:2.1.6-SNAPSHOT:compile
[INFO] |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] |  +- com.blazegraph:blazegraph-colt:jar:2.1.6-SNAPSHOT:compile
[INFO] |  +- org.openrdf.sesame:sesame-util:jar:2.8.11:compile
[INFO] |  |  \- com.google.guava:guava:jar:18.0:compile
[INFO] |  +- com.blazegraph:dsi-utils:jar:2.1.6-SNAPSHOT:compile
[INFO] |  |  +- it.unimi.dsi:fastutil:jar:6.5.16:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.1:compile
[INFO] |  |  +- commons-configuration:commons-configuration:jar:1.6:compile
[INFO] |  |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |  |  |  +- commons-lang:commons-lang:jar:2.4:compile
[INFO] |  |  |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  |  |  +- commons-digester:commons-digester:jar:1.8:compile
[INFO] |  |  |  |  \- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |  |  |  \- commons-beanutils:commons-beanutils-core:jar:1.8.0:compile
[INFO] |  |  \- com.martiansoftware:jsap:jar:2.1:compile
[INFO] |  +- com.blazegraph:lgpl-utils:jar:2.1.6-SNAPSHOT:compile
[INFO] |  +- com.github.stephenc.high-scale-lib:high-scale-lib:jar:1.1.2:compile
[INFO] |  +- net.jini:jini-ext:jar:2.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.6.7:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.7:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.6.7:compile
[INFO] +- org.openrdf.sesame:sesame-runtime:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-model:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-repository-api:jar:2.8.11:compile
[INFO] |  |  \- org.openrdf.sesame:sesame-query:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-repository-manager:jar:2.8.11:compile
[INFO] |  |  \- org.openrdf.sesame:sesame-repository-event:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-repository-http:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-repository-sparql:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-repository-contextaware:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-repository-sail:jar:2.8.11:compile
[INFO] |  |  \- org.openrdf.sesame:sesame-queryalgebra-model:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-http-client:jar:2.8.11:compile
[INFO] |  |  +- org.apache.httpcomponents:httpclient:jar:4.4:compile
[INFO] |  |  |  \- org.apache.httpcomponents:httpcore:jar:4.4:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.10:runtime
[INFO] |  +- org.openrdf.sesame:sesame-sail-api:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-sail-federation:jar:2.8.11:compile
[INFO] |  |  \- org.openrdf.sesame:sesame-queryalgebra-evaluation:jar:2.8.11:compile
[INFO] |  |     \- org.mapdb:mapdb:jar:1.0.7:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.10:compile
[INFO] |  +- org.openrdf.sesame:sesame-queryparser-api:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-queryparser-serql:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-queryparser-sparql:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-queryresultio-api:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-queryresultio-binary:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-queryresultio-sparqljson:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-queryresultio-sparqlxml:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-queryresultio-text:jar:2.8.11:runtime
[INFO] |  |  \- com.opencsv:opencsv:jar:3.2:runtime
[INFO] |  |     \- org.apache.commons:commons-lang3:jar:3.3.2:runtime
[INFO] |  +- org.openrdf.sesame:sesame-repository-dataset:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-http-protocol:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-rio-api:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-rio-datatypes:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-languages:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-binary:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-jsonld:jar:2.8.11:runtime
[INFO] |  |  \- com.github.jsonld-java:jsonld-java:jar:0.5.1:runtime
[INFO] |  |     +- org.apache.httpcomponents:httpclient-cache:jar:4.2.5:runtime
[INFO] |  |     \- org.slf4j:jcl-over-slf4j:jar:1.7.7:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-ntriples:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-rio-nquads:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-n3:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-rdfjson:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-rdfxml:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-trix:jar:2.8.11:runtime
[INFO] |  +- org.openrdf.sesame:sesame-rio-turtle:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-rio-trig:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-sail-inferencer:jar:2.8.11:compile
[INFO] |  |  \- org.openrdf.sesame:sesame-sail-model:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-sail-lucene4:jar:2.8.11:runtime
[INFO] |  |  +- org.openrdf.sesame:sesame-sail-lucene-api:jar:2.8.11:runtime
[INFO] |  |  |  \- com.spatial4j:spatial4j:jar:0.4.1:runtime
[INFO] |  |  +- org.apache.lucene:lucene-core:jar:4.10.4:runtime
[INFO] |  |  +- org.apache.lucene:lucene-queries:jar:4.10.4:runtime
[INFO] |  |  +- org.apache.lucene:lucene-highlighter:jar:4.10.4:runtime
[INFO] |  |  |  \- org.apache.lucene:lucene-memory:jar:4.10.4:runtime
[INFO] |  |  +- org.apache.lucene:lucene-analyzers-common:jar:4.10.4:runtime
[INFO] |  |  +- org.apache.lucene:lucene-queryparser:jar:4.10.4:runtime
[INFO] |  |  |  \- org.apache.lucene:lucene-sandbox:jar:4.10.4:runtime
[INFO] |  |  \- org.apache.lucene:lucene-spatial:jar:4.10.4:runtime
[INFO] |  +- org.openrdf.sesame:sesame-sail-memory:jar:2.8.11:compile
[INFO] |  |  \- org.openrdf.sesame:sesame-sail-base:jar:2.8.11:compile
[INFO] |  +- org.openrdf.sesame:sesame-sail-nativerdf:jar:2.8.11:runtime
[INFO] |  \- org.openrdf.sesame:sesame-sail-rdbms:jar:2.8.11:runtime
[INFO] |     \- commons-dbcp:commons-dbcp:jar:1.4:runtime
[INFO] |        \- commons-pool:commons-pool:jar:1.5.4:runtime
[INFO] +- com.blazegraph:ctc-striterators:jar:2.1.6-SNAPSHOT:compile
[INFO] \- log4j:log4j:jar:1.2.17:compile

Suggested solutions:

Update dependency version to 4.5.13 or higher

Thank you very much.

CVEDetect commented 3 years ago

@beebs-systap Could please help me check this issue? May I pull a request to fix it? Thanks again.

beebs-systap commented 3 years ago

@CVEDetect Yes, please raise a PR and we'll take a look.