crossbario / autobahn-java

WebSocket & WAMP in Java for Android and Java 8
https://crossbar.io/autobahn
MIT License

Vulnerable Dependencies #489

Closed jellisgwn closed 4 years ago

jellisgwn commented 4 years ago

The following dependencies / versions have open CVEs against them:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20200 (disputed, see https://github.com/square/okhttp/issues/4967)

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11050

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5234 (probably not relevant as against C# implementation)

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16869

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20444

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20445

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11612

om26er commented 4 years ago

We don't directly depend on

They might be getting pulled by some other packages. What we could do is to ensure to update all deps to their latest versions.

msgpack and netty do have newer versions.

jellisgwn commented 4 years ago

Correct. Perhaps this is useful:

[INFO] |  |  +- org.web3j:core:jar:4.2.0:provided
[INFO] |  |  |  +- org.web3j:crypto:jar:4.2.0:provided
[INFO] |  |  |  |  \- org.web3j:rlp:jar:4.2.0:provided
[INFO] |  |  |  +- org.web3j:tuples:jar:4.2.0:provided
[INFO] |  |  |  +- com.github.jnr:jnr-unixsocket:jar:0.21:provided
[INFO] |  |  |  |  +- com.github.jnr:jnr-enxio:jar:0.19:provided
[INFO] |  |  |  |  \- com.github.jnr:jnr-posix:jar:3.0.47:provided
[INFO] |  |  |  +- com.squareup.okhttp3:okhttp:jar:3.8.1:provided
[INFO] |  |  |  |  \- com.squareup.okio:okio:jar:1.13.0:provided
[INFO] |  |  |  +- com.squareup.okhttp3:logging-interceptor:jar:3.8.1:provided
[INFO] |  |  |  +- io.reactivex.rxjava2:rxjava:jar:2.2.2:provided
[INFO] |  |  |  \- org.java-websocket:Java-WebSocket:jar:1.3.8:provided

The bad news on that front is that the latest web3j-core has not updated its Java-WebSocket dependency.

We're not using any of the "Ethereum Client" integration, but that doesn't stop it being flagged by OWASP Dependency Check :-(

oberstet commented 4 years ago

We're not using any of the "Ethereum Client" integration, but that doesn't stop it being flagged by OWASP Dependency Check

Hmm, argh. I agree, this sucks. We should do something about it ..

What we could do is to ensure to update all deps to their latest versions.

Yes, definitely! For every release of ABJ .. for all dependencies. The default rule should be: "always bump deps to latest upstream version"

We don't directly depend on ..

Is there a way to create a dependency tree for Java packages like ABJ? Is there a way to create a list of deps-of-deps (recursive)? E.g. we have that for ABPy ...

jellisgwn commented 4 years ago

@oberstet The complete tree of dependencies for any Maven project can be generated with the Maven dependency plugin's 'dependency:tree' target:

https://maven.apache.org/plugins/maven-dependency-plugin/tree-mojo.html

The output posted above is generated using that method.

How you'd do something similar for ABJ using Gradle I don't know, but this seems like a good place to start:

https://docs.gradle.org/current/userguide/userguide_single.html#sec:listing_dependencies
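The question in this thread is not just "which versions are in the build" but "which direct dependency drags the flagged artifact in", since ABJ does not depend on Java-WebSocket itself. The following is an added example, not code from the issue or from autobahn-java: it parses the `mvn dependency:tree` text posted above (embedded here as a constructed sample, truncated exactly as in the comment, so depths are relative to the first line) into ancestor paths, and reports any artifact whose version is below a per-artifact floor together with the chain that pulls it in. The floor versions in `ILLUSTRATIVE_THRESHOLDS` are placeholders for the example; take real thresholds from the advisory you are acting on.

```python
"""Trace how flagged artifacts enter a Maven build from `dependency:tree` output."""
import re
from dataclasses import dataclass

# Constructed sample: the subtree jellisgwn posted in this issue. The first line
# is already three levels below the project root, which is why depths below are
# computed from the prefix width rather than assumed to start at zero.
SAMPLE_TREE = """\
[INFO] |  |  +- org.web3j:core:jar:4.2.0:provided
[INFO] |  |  |  +- org.web3j:crypto:jar:4.2.0:provided
[INFO] |  |  |  |  \\- org.web3j:rlp:jar:4.2.0:provided
[INFO] |  |  |  +- org.web3j:tuples:jar:4.2.0:provided
[INFO] |  |  |  +- com.github.jnr:jnr-unixsocket:jar:0.21:provided
[INFO] |  |  |  |  +- com.github.jnr:jnr-enxio:jar:0.19:provided
[INFO] |  |  |  |  \\- com.github.jnr:jnr-posix:jar:3.0.47:provided
[INFO] |  |  |  +- com.squareup.okhttp3:okhttp:jar:3.8.1:provided
[INFO] |  |  |  |  \\- com.squareup.okio:okio:jar:1.13.0:provided
[INFO] |  |  |  +- com.squareup.okhttp3:logging-interceptor:jar:3.8.1:provided
[INFO] |  |  |  +- io.reactivex.rxjava2:rxjava:jar:2.2.2:provided
[INFO] |  |  |  \\- org.java-websocket:Java-WebSocket:jar:1.3.8:provided
"""

# Illustrative minimum versions (assumption for this example, not taken from
# any advisory): anything below the floor is reported.
ILLUSTRATIVE_THRESHOLDS = {
    "org.java-websocket:Java-WebSocket": "1.5.0",
    "com.squareup.okhttp3:okhttp": "3.8.0",  # already satisfied: must not be reported
}


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: str

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"

    @property
    def gav(self) -> str:
        return f"{self.ga}:{self.version}"


_COORD_START = re.compile(r"[A-Za-z0-9]")  # first char of groupId after the tree prefix


def parse_tree(text: str) -> list[tuple[Artifact, ...]]:
    """Return one ancestor path per node, each ending in the node itself.

    Maven draws the tree with 3-character cells ("|  ", "+- ", "\\- ", "   "),
    so the depth of a node is the prefix width divided by three.
    """
    paths: list[tuple[Artifact, ...]] = []
    stack: list[tuple[int, Artifact]] = []  # (depth, artifact) for open ancestors
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = _COORD_START.search(line)
        if not m or ":" not in line:
            continue
        depth = m.start() // 3
        fields = line[m.start():].split(":")
        if len(fields) == 5:                       # group:artifact:type:version:scope
            group, artifact, _type, version, scope = fields
        elif len(fields) == 6:                     # ...:type:classifier:version:scope
            group, artifact, _type, _classifier, version, scope = fields
        elif len(fields) == 4:                     # project root has no scope
            group, artifact, _type, version = fields
            scope = ""
        else:
            continue  # not a coordinate line (e.g. build log noise)
        node = Artifact(group, artifact, version, scope)
        while stack and stack[-1][0] >= depth:     # close siblings / deeper branches
            stack.pop()
        stack.append((depth, node))
        paths.append(tuple(a for _, a in stack))
    return paths


def version_key(version: str) -> tuple:
    """Sort key: numeric segments compare as ints, qualifiers as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def find_vulnerable_paths(tree_text: str, min_versions: dict[str, str]) -> list[str]:
    """List every occurrence of a flagged artifact below its floor, with the chain that pulls it in."""
    findings = []
    for path in parse_tree(tree_text):
        leaf = path[-1]
        floor = min_versions.get(leaf.ga)
        if floor is None or version_key(leaf.version) >= version_key(floor):
            continue
        via = " -> ".join(a.gav for a in path[:-1]) or "(direct)"
        findings.append(f"{leaf.gav} < {floor}, pulled in via {via}")
    return findings


if __name__ == "__main__":
    for line in find_vulnerable_paths(SAMPLE_TREE, ILLUSTRATIVE_THRESHOLDS):
        print(line)
```

On the sample this reports a single line, `org.java-websocket:Java-WebSocket:1.3.8 < 1.5.0, pulled in via org.web3j:core:4.2.0`, which is the chain the thread works out by hand. The parser understands Maven's prefix cells only; Gradle's `dependencies` task draws its tree with `+---`, `\---` and `|    ` (4-character cells) and appends ` -> x.y.z` when a version was resolved upward, so its output needs a different prefix rule.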

oberstet commented 4 years ago

@om26er so deps are refreshed now via #490 - should we push a v20.6.2 and ship it?

jellisgwn commented 4 years ago

@om26er or 20.7.1 ?

om26er commented 4 years ago

@om26er or 20.7.1 ?

This is now released. Sorry for the delay.