curityio / aws-token-publisher

A Demo token publisher for the split token approach with AWS DynamoDB.
https://curity.io/resources/learn/aws-token-publisher/
Apache License 2.0

Vulnerabilities #7

Closed morganottosson closed 3 years ago

morganottosson commented 3 years ago

Hello, we are using Trend Micro ancor scan and we got the above alerts. Some of them are in your plugins, so could you please take a look at those and update your repository?

I am pasting our entire log so you get the entire picture

MEDIUM Vulnerability found in non-os package type (java) - /opt/idsvr/usr/share/plugins/aws_token_publisher/httpclient-4.5.9.jar (CVE-2020-13956 - https://nvd.nist.gov/vuln/detail/CVE-2020-13956) warn
vulnerabilities package MEDIUM Vulnerability found in non-os package type (java) - httpclient (fixed in: 4.5.13)(GHSA-7r82-7xv7-xcpj - https://github.com/advisories/GHSA-7r82-7xv7-xcpj) warn
vulnerabilities package MEDIUM Vulnerability found in os package type (dpkg) - libgcrypt20 (fixed in: 1.8.4-5+deb10u1)(CVE-2021-33560 - https://security-tracker.debian.org/tracker/CVE-2021-33560) warn
vulnerabilities package MEDIUM Vulnerability found in os package type (dpkg) - libgnutls30 (CVE-2011-3389 - https://security-tracker.debian.org/tracker/CVE-2011-3389) whitelisted(Global Whitelist)
vulnerabilities package MEDIUM Vulnerability found in os package type (dpkg) - libgnutls30 (fixed in: 3.6.7-4+deb10u7)(CVE-2020-24659 - https://security-tracker.debian.org/tracker/CVE-2020-24659) warn
vulnerabilities package MEDIUM Vulnerability found in os package type (dpkg) - libhogweed4 (fixed in: 3.4.1-1+deb10u1)(CVE-2021-20305 - https://security-tracker.debian.org/tracker/CVE-2021-20305) warn
vulnerabilities package MEDIUM Vulnerability found in os package type (dpkg) - libnettle6 (fixed in: 3.4.1-1+deb10u1)(CVE-2021-20305 - https://security-tracker.debian.org/tracker/CVE-2021-20305) warn
vulnerabilities package MEDIUM Vulnerability found in non-os package type (java) - netty-codec-http (fixed in: 4.1.59.Final)(GHSA-5mcr-gq6c-3hq2 - https://github.com/advisories/GHSA-5mcr-gq6c-3hq2) warn
vulnerabilities package MEDIUM Vulnerability found in non-os package type (java) - netty-codec-http2 (fixed in: 4.1.60.Final)(GHSA-wm47-8v5p-wjpj - https://github.com/advisories/GHSA-wm47-8v5p-wjpj) warn
vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/idsvr/usr/share/plugins/aws_token_publisher/jackson-databind-2.10.4.jar (CVE-2020-25649 - https://nvd.nist.gov/vuln/detail/CVE-2020-25649) stop
vulnerabilities package HIGH Vulnerability found in non-os package type (java) - jackson-databind (fixed in: 2.10.5.1)(GHSA-288c-cq4h-88gq - https://github.com/advisories/GHSA-288c-cq4h-88gq) stop
vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - json-smart (fixed in: 1.3.2)(GHSA-v528-7hrm-frqp - https://github.com/advisories/GHSA-v528-7hrm-frqp) stop
vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - json-smart (fixed in: 2.4.1)(GHSA-v528-7hrm-frqp - https://github.com/advisories/GHSA-v528-7hrm-frqp) stop
vulnerabilities package HIGH Vulnerability found in os package type (dpkg) - libgnutls30 (fixed in: 3.6.7-4+deb10u7)(CVE-2021-20231 - https://security-tracker.debian.org/tracker/CVE-2021-20231) stop
vulnerabilities package HIGH Vulnerability found in os package type (dpkg) - libgnutls30 (fixed in: 3.6.7-4+deb10u7)(CVE-2021-20232 - https://security-tracker.debian.org/tracker/CVE-2021-20232) stop
vulnerabilities package HIGH Vulnerability found in os package type (dpkg) - liblz4-1 (fixed in: 1.8.3-1+deb10u1)(CVE-2021-3520 - https://security-tracker.debian.org/tracker/CVE-2021-3520) stop

iggbom commented 3 years ago

Hi @morganottosson,

The referenced .jar(s) with vulnerabilities are all dependencies. You can rebuild the plugin (mvn clean and mvn package), re-deploy according to the instructions and then re-run your scan.

Not needed but you can also bump the version of identityserver.sdk 5.2.0 -> 6.2.0 and software.amazon.awssdk 2.16.57 -> 2.16.81.
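Added example, not part of this issue thread or of the aws-token-publisher project: a small triage script that parses the scan lines pasted above into findings and, per package, reports the installed version, the highest "fixed in" version and whether the scanner's policy action was a blocking "stop". That is the list to compare against the jars in the plugin directory after the rebuild and re-scan suggested above. The line format, and the assumption that the jar-path and package-name variants of the same finding should be merged under one artifact name, are read off the pasted output.

```python
import re
from dataclasses import dataclass
# One line of the scan output pasted in the issue; the "vulnerabilities package"
# prefix is optional because the first pasted line lacks it.
LINE_RE = re.compile(
    r"(?:vulnerabilities package )?(?P<severity>[A-Z]+) Vulnerability found in "
    r"(?:os|non-os) package type \([^)]+\) - (?P<pkg>\S+) "
    r"(?:\(fixed in: (?P<fixed>[^)]+)\))?\((?P<advisory>[^\s)]+) - [^)]+\) (?P<action>.+)$")

@dataclass
class Finding:
    severity: str
    package: str             # artifact name, e.g. "jackson-databind"
    installed: "str | None"  # known only when the scanner reported a jar path
    fixed_in: "str | None"
    advisory: str
    action: str              # "warn", "stop" or "whitelisted"

def parse_line(line: str) -> "Finding | None":
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkg, installed = m["pkg"], None
    if pkg.endswith(".jar"):  # jar path: recover name and version from the file name
        pkg, installed = pkg.rsplit("/", 1)[-1][:-4].rsplit("-", 1)
    return Finding(m["severity"], pkg, installed, m["fixed"], m["advisory"],
                   m["action"].split("(")[0])

def version_key(v: str):
    # "4.1.59.Final" -> ((0,4),(0,1),(0,59),(1,"Final")); the tag keeps ints and strings apart
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+~]", v))

def plan_upgrades(lines):
    """Merge findings per package: installed version, highest 'fixed in', any 'stop'."""
    plan = {}
    for f in filter(None, map(parse_line, lines)):
        e = plan.setdefault(f.package, {"installed": None, "fixed_in": None, "blocking": False, "advisories": []})
        e["advisories"].append(f.advisory)
        e["installed"] = e["installed"] or f.installed
        e["blocking"] = e["blocking"] or f.action == "stop"
        if f.fixed_in and (e["fixed_in"] is None or version_key(f.fixed_in) > version_key(e["fixed_in"])):
            e["fixed_in"] = f.fixed_in
    return plan
# Sample input: four lines copied verbatim from the scan output in the issue.
SAMPLE = [
    "vulnerabilities package HIGH Vulnerability found in non-os package type (java) - /opt/idsvr/usr/share/plugins/aws_token_publisher/jackson-databind-2.10.4.jar (CVE-2020-25649 - https://nvd.nist.gov/vuln/detail/CVE-2020-25649) stop",
    "vulnerabilities package HIGH Vulnerability found in non-os package type (java) - jackson-databind (fixed in: 2.10.5.1)(GHSA-288c-cq4h-88gq - https://github.com/advisories/GHSA-288c-cq4h-88gq) stop",
    "vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - json-smart (fixed in: 1.3.2)(GHSA-v528-7hrm-frqp - https://github.com/advisories/GHSA-v528-7hrm-frqp) stop",
    "vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - json-smart (fixed in: 2.4.1)(GHSA-v528-7hrm-frqp - https://github.com/advisories/GHSA-v528-7hrm-frqp) stop",
]
```

Run `plan_upgrades(SAMPLE)` on the full pasted log to get one entry per package; the advisory with two "fixed in" lines (json-smart) resolves to the higher release line, which is worth double-checking against the advisory text since it may cover two separate branches.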