search

changmingxie / tcc-transaction

tcc-transaction是TCC型事务java实现
Apache License 2.0
5.78k stars 2.79k forks source link

Dependency org.yaml:snakeyaml, leading to CVE problem #407

Closed CVEDetect closed 8 months ago

CVEDetect commented 1 year ago

Hi, In /tcc-transaction-dashboard,there is a dependency org.yaml:snakeyaml:1.25 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
org.mengyun.tcctransaction.dashboard.service.impl.tccserver.TccServerTransactionServiceImpl: detail(org.mengyun.tcctransaction.dashboard.dto.TransactionDetailRequestDto)Lorg.mengyun.tcctransaction.dashboard.dto.ResponseDto; /.m2/repository/org/apache/curator/curator-framework/2.11.1/curator-framework-2.11.1.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /.m2/repository/com/netflix/archaius/archaius-core/0.7.6/archaius-core-0.7.6.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /.m2/repository/com/netflix/archaius/archaius-core/0.7.6/archaius-core-0.7.6.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/com/netflix/archaius/archaius-core/0.7.6/archaius-core-0.7.6.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] org.mengyun:tcc-transaction-dashboard:jar:2.0.1
[INFO] +- org.mengyun:tcc-transaction-core:jar:2.0.1:compile
[INFO] |  +- org.mengyun:tcc-transaction-api:jar:2.0.1:compile
[INFO] |  +- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO] |  |  \- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] |  +- com.esotericsoftware:kryo:jar:5.2.0:compile
[INFO] |  |  +- com.esotericsoftware:reflectasm:jar:1.11.9:compile
[INFO] |  |  +- org.objenesis:objenesis:jar:2.6:compile
[INFO] |  |  \- com.esotericsoftware:minlog:jar:1.3.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.5.1:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.5:compile
[INFO] |  +- com.google.guava:guava:jar:20.0:compile
[INFO] |  +- org.aspectj:aspectjweaver:jar:1.9.6:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.9:compile
[INFO] |  +- io.netty:netty-all:jar:4.1.58.Final:compile
[INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.58.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.58.Final:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.58.Final:compile
[INFO] |  |  +- io.netty:netty-transport:jar:4.1.58.Final:compile
[INFO] |  |  |  \- io.netty:netty-resolver:jar:4.1.58.Final:compile
[INFO] |  |  \- io.netty:netty-transport-native-unix-common:jar:4.1.58.Final:compile
[INFO] |  +- de.javakaffee:kryo-serializers:jar:0.42:compile
[INFO] |  +- com.mchange:c3p0:jar:0.9.5.4:compile
[INFO] |  \- com.alibaba:fastjson:jar:1.2.83:compile
[INFO] +- org.apache.curator:curator-framework:jar:2.11.1:compile
[INFO] |  \- org.apache.curator:curator-client:jar:2.11.1:compile
[INFO] |     \- org.apache.zookeeper:zookeeper:jar:3.4.14:compile
[INFO] |        +- com.github.spotbugs:spotbugs-annotations:jar:3.1.9:compile
[INFO] |        +- jline:jline:jar:0.9.94:compile
[INFO] |        +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] |        \- io.netty:netty:jar:3.10.6.Final:compile
[INFO] +- org.apache.curator:curator-recipes:jar:2.11.1:compile
[INFO] +- com.github.ben-manes.caffeine:caffeine:jar:2.8.8:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] |  \- com.google.errorprone:error_prone_annotations:jar:2.4.0:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.2.13.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.2.13.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:5.2.12.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.2.13.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.2.13.RELEASE:compile
[INFO] |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.12.1:compile
[INFO] |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
[INFO] |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.springframework:spring-core:jar:5.2.12.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.2.12.RELEASE:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.25:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.2.13.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.2.13.RELEASE:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.10.5:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.5:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.10.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.2.13.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.41:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.41:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.41:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-validation:jar:2.2.13.RELEASE:compile
[INFO] |  |  +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  |  \- org.hibernate.validator:hibernate-validator:jar:6.0.22.Final:compile
[INFO] |  |     +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  |     \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  +- org.springframework:spring-web:jar:5.2.12.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.2.12.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.2.12.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.2.12.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-freemarker:jar:2.2.13.RELEASE:compile
[INFO] |  +- org.freemarker:freemarker:jar:2.3.30:compile
[INFO] |  \- org.springframework:spring-context-support:jar:5.2.12.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.2.13.RELEASE:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.48:compile
[INFO] +- redis.clients:jedis:jar:3.1.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.7.0:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.2.13.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.2.13.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.2.13.RELEASE:compile
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:compile
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:compile
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:compile
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.5.2:compile
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.5.2:compile
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:compile
[INFO] |  |  |  \- org.junit.platform:junit-platform-commons:jar:1.5.2:compile
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.5.2:compile
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.5.2:runtime
[INFO] |  +- org.junit.vintage:junit-vintage-engine:jar:5.5.2:compile
[INFO] |  |  +- org.apiguardian:apiguardian-api:jar:1.1.0:compile
[INFO] |  |  \- org.junit.platform:junit-platform-engine:jar:1.5.2:compile
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:3.1.0:compile
[INFO] |  +- org.assertj:assertj-core:jar:3.13.2:compile
[INFO] |  +- org.hamcrest:hamcrest:jar:2.1:compile
[INFO] |  +- org.mockito:mockito-core:jar:3.1.0:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.10.19:compile
[INFO] |  |  \- net.bytebuddy:byte-buddy-agent:jar:1.10.19:compile
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:compile
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:compile
[INFO] |  +- org.springframework:spring-test:jar:5.2.12.RELEASE:compile
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.6.4:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:2.1:test
[INFO] +- org.springframework.cloud:spring-cloud-starter-openfeign:jar:2.2.5.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:2.2.5.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.9.RELEASE:compile
[INFO] |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.64:compile
[INFO] |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.64:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-openfeign-core:jar:2.2.5.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-netflix-ribbon:jar:2.2.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-aop:jar:2.2.13.RELEASE:compile
[INFO] |  |  \- io.github.openfeign.form:feign-form-spring:jar:3.8.0:compile
[INFO] |  |     +- io.github.openfeign.form:feign-form:jar:3.8.0:compile
[INFO] |  |     \- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-commons:jar:2.2.5.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-crypto:jar:5.2.8.RELEASE:compile
[INFO] |  +- io.github.openfeign:feign-core:jar:10.10.1:compile
[INFO] |  +- io.github.openfeign:feign-slf4j:jar:10.10.1:compile
[INFO] |  \- io.github.openfeign:feign-hystrix:jar:10.10.1:compile
[INFO] |     +- com.netflix.archaius:archaius-core:jar:0.7.6:compile
[INFO] |     |  \- com.google.code.findbugs:jsr305:jar:3.0.1:compile
[INFO] |     \- com.netflix.hystrix:hystrix-core:jar:1.5.18:compile
[INFO] |        \- org.hdrhistogram:HdrHistogram:jar:2.1.11:compile
[INFO] +- com.alibaba.cloud:spring-cloud-starter-alibaba-nacos-discovery:jar:2.2.5.RELEASE:compile
[INFO] |  +- com.alibaba.cloud:spring-cloud-alibaba-commons:jar:2.2.5.RELEASE:compile
[INFO] |  +- com.alibaba.spring:spring-context-support:jar:1.0.10:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-context:jar:2.2.5.RELEASE:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:2.2.5.RELEASE:compile
[INFO] |     +- com.netflix.ribbon:ribbon:jar:2.3.0:compile
[INFO] |     |  +- com.netflix.ribbon:ribbon-transport:jar:2.3.0:runtime
[INFO] |     |  |  +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] |     |  |  \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] |     |  +- javax.inject:javax.inject:jar:1:runtime
[INFO] |     |  \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] |     +- com.netflix.ribbon:ribbon-core:jar:2.3.0:compile
[INFO] |     |  \- commons-lang:commons-lang:jar:2.6:compile
[INFO] |     +- com.netflix.ribbon:ribbon-httpclient:jar:2.3.0:compile
[INFO] |     |  +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |     |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |     |  +- com.sun.jersey:jersey-client:jar:1.18.1:runtime
[INFO] |     |  |  \- com.sun.jersey:jersey-core:jar:1.18.1:runtime
[INFO] |     |  +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] |     |  +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] |     |  |  \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] |     |  \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] |     +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.3.0:compile
[INFO] |     |  \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] |     \- io.reactivex:rxjava:jar:1.3.8:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-zookeeper-discovery:jar:2.2.5.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-zookeeper:jar:2.2.5.RELEASE:compile
[INFO] |  |  \- org.springframework.cloud:spring-cloud-zookeeper-core:jar:2.2.5.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-zookeeper-discovery:jar:2.2.5.RELEASE:compile
[INFO] |  |  \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] |  +- org.apache.curator:curator-x-discovery:jar:2.11.1:compile
[INFO] |  |  \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-hystrix:jar:2.2.8.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:2.2.8.RELEASE:compile
[INFO] |  |  \- org.springframework.cloud:spring-cloud-netflix-archaius:jar:2.2.8.RELEASE:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-starter-loadbalancer:jar:2.2.8.RELEASE:compile
[INFO] |     +- org.springframework.cloud:spring-cloud-loadbalancer:jar:2.2.8.RELEASE:compile
[INFO] |     |  +- io.projectreactor:reactor-core:jar:3.3.13.RELEASE:compile
[INFO] |     |  |  \- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] |     |  \- io.projectreactor.addons:reactor-extra:jar:3.3.5.RELEASE:compile
[INFO] |     +- org.springframework.boot:spring-boot-starter-cache:jar:2.2.13.RELEASE:compile
[INFO] |     \- com.stoyanr:evictor:jar:1.0.0:compile
[INFO] +- com.alibaba.nacos:nacos-client:jar:1.4.1:compile
[INFO] |  +- com.alibaba.nacos:nacos-common:jar:1.4.1:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.6:compile
[INFO] |  |  \- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] |  |     +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
[INFO] |  |     \- org.apache.httpcomponents:httpcore-nio:jar:4.4.14:compile
[INFO] |  +- com.alibaba.nacos:nacos-api:jar:1.4.1:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.11:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.10.5:compile
[INFO] |  \- io.prometheus:simpleclient:jar:0.5.0:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.2.13.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.2.12.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:5.2.8.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-core:jar:5.2.8.RELEASE:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:5.2.8.RELEASE:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.0:compile
[INFO] \- org.mengyun:tcc-transaction-spring-boot-starter:jar:2.0.1:compile
[INFO]    \- org.mengyun:tcc-transaction-spring:jar:2.0.1:compile
[INFO]       +- org.springframework:spring-jdbc:jar:5.2.12.RELEASE:compile
[INFO]       |  \- org.springframework:spring-tx:jar:5.2.12.RELEASE:compile
[INFO]       \- com.xfvape.uid:uid-generator:jar:0.0.4-RELEASE:compile
[INFO]          +- org.mybatis:mybatis:jar:3.4.4:compile
[INFO]          \- org.mybatis:mybatis-spring:jar:2.0.4:compile

Suggested solutions:

Update dependency version

Thank you very much.

nervose commented 10 months ago

Thx for your suggestion, we'll handle it soon!