frankfliu
commented
11 months ago @yefangwong
- We are using MXNet 1.9.1, based on CVE-2022-24294, 1.9.1 should be fine
- CVE-2018-1281, DJL only integrated MXNet C API, it doesn't support distributed mode, and will not listen on any port
DJL is not using any python code from MXNet, so even lower version of MXNet is not vulnerable to CVE-2022-24294
Description
我使用 mxnet-engine 0.25.0 在 dependency check 發現 CVE-2022-24294 and CVE-2018-1281
Expected Behavior
不會出現 CVE-2022-24294 and CVE-2018-1281
Error Message
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:8.2.1:check (default) on project csp-ckernel:
[ERROR] [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4.0': [ERROR] [ERROR] mxnet-engine-0.25.0.jar: CVE-2022-24294(7.5), CVE-2018-1281(6.5)
How to Reproduce?
pull from https://github.com/yefangwong/madaga.git
Steps to reproduce
(Paste the commands you ran that produced the error.) in windows .\build.bat; in unix-like .\build.sh
What have you tried to solve it?
Environment Info
Please run the command
./gradlew debugEnvfrom the root directory of DJL (if necessary, clone DJL first). It will output information about your system, environment, and installation that can help us debug your issue. Paste the output of the command below:----------- System Properties ----------- java.specification.version: 17 sun.cpu.isalist: amd64 sun.jnu.encoding: MS950 java.class.path: C:\Users\user\Documents\Projects\djl\djl\integration\build\classes\java\main;C:\Users\user\Documents\Projects\djl\djl\integration\build\resources\main;C:\Users\user.gradle\caches\modules-2\files-2.1\commons-cli\commons-cli\1.5.0\dc98be5d5390230684a092589d70ea76a147925c\commons-cli-1.5.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-slf4j-impl\2.21.0\911fdb5b1a1df36719c579ecc6f2957b88bce1ab\log4j-slf4j-impl-2.21.0.jar;C:\Users\user\Documents\Projects\djl\djl\basicdataset\build\libs\basicdataset-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\model-zoo\build\libs\model-zoo-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\testing\build\libs\testing-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\mxnet\mxnet-model-zoo\build\libs\mxnet-model-zoo-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\pytorch\pytorch-model-zoo\build\libs\pytorch-model-zoo-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\pytorch\pytorch-jni\build\libs\pytorch-jni-2.0.1-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\tensorflow\tensorflow-model-zoo\build\libs\tensorflow-model-zoo-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\ml\xgboost\build\libs\xgboost-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\ml\lightgbm\build\libs\lightgbm-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\onnxruntime\onnxruntime-engine\build\libs\onnxruntime-engine-0.25.0-SNAPSHOT.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-core\2.21.0\122e1a9e0603cc9eae07b0846a6ff01f2454bc49\log4j-core-2.21.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-api\2.21.0\760192f2b69eacf4a4afc78e5a1d7a8de054fcbd\log4j-api-2.21.0.jar;C:\Users\user\Documents\Projects\djl\djl\engines\mxnet\mxnet-engine\build\libs\mxnet-engine-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\pytorch\pytorch-engine\build\libs\pytorch-engine-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\engines\tensorflow\tensorflow-engine\build\libs\tensorflow-engine-0.25.0-SNAPSHOT.jar;C:\Users\user\Documents\Projects\djl\djl\api\build\libs\api-0.25.0-SNAPSHOT.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.testng\testng\7.8.0\90ff6902a350432ce23ef209b2f109bcf587069c\testng-7.8.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-api\1.7.36\6c62681a2f655b49963a5983b8b0950a6120ae14\slf4j-api-1.7.36.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-csv\1.10.0\8669bee353424c3223c93723291b5c3753260c1c\commons-csv-1.10.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\ml.dmlc\xgboost4j_2.12\2.0.1\a3b4c8f9a6cd9729672dc52d8c8e282c8e0cdcf2\xgboost4j_2.12-2.0.1.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\commons-logging\commons-logging\1.2\4bfc12adfe4842bf07b657f0369c4cb522955686\commons-logging-1.2.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\com.microsoft.ml.lightgbm\lightgbmlib\3.2.110\f6c85e5d7cc44d49c4544240ea5c96004680007b\lightgbmlib-3.2.110.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\com.microsoft.onnxruntime\onnxruntime\1.16.0\e05d731e016be3bf1137e9995e4c109202c52060\onnxruntime-1.16.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\com.google.code.gson\gson\2.10.1\b3add478d4382b78ea20b1671390a858002feb6c\gson-2.10.1.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\5.13.0\1200e7ebeedbe0d10062093f32925a912020e747\jna-5.13.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-compress\1.23.0\4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc\commons-compress-1.23.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\com.beust\jcommander\1.82\a7c5fef184d238065de38f81bbc6ee50cca2e21\jcommander-1.82.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.webjars\jquery\3.6.1\d08df6250157cd2db3d9b01b11b76e9b7225083a\jquery-3.6.1.jar;C:\Users\user\Documents\Projects\djl\djl\engines\tensorflow\tensorflow-api\build\libs\tensorflow-api-0.25.0-SNAPSHOT.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.scala-lang.modules\scala-collection-compat_2.12\2.10.0\bf81785e892f4185f470bddd205b011237aab553\scala-collection-compat_2.12-2.10.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.tensorflow\tensorflow-core-api\0.5.0\6dfb7f13a9d96e6c4bd0705f122bd00d3b596b0d\tensorflow-core-api-0.5.0.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.bytedeco\javacpp\1.5.9\bee92b783ea619381df7577527f8739f778cf2f6\javacpp-1.5.9.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\com.google.protobuf\protobuf-java\3.23.3\6ea96f2109fb6cf8f827aa58eebf784c4708d01f\protobuf-java-3.23.3.jar;C:\Users\user.gradle\caches\modules-2\files-2.1\org.tensorflow\ndarray\0.4.0\7ab74f002dbec93944b7feb38de013afe8d4e8de\ndarray-0.4.0.jar java.vm.vendor: Microsoft sun.arch.data.model: 64 user.variant: java.vendor.url: https://www.microsoft.com user.timezone: Asia/Taipei java.vm.specification.version: 17 os.name: Windows 11 sun.java.launcher: SUN_STANDARD user.country: TW sun.boot.library.path: C:+++++\jdk-17.0.9+8\bin;C:+++++\jdk-17.0.9+8\bin sun.java.command: ai.djl.integration.util.DebugEnvironment jdk.debug: release sun.cpu.endian: little user.home: C:\Users\user org.gradle.appname: gradlew user.language: zh java.specification.vendor: Oracle Corporation java.version.date: 2023-10-17 java.home: C:+++++\jdk-17.0.9+8 ai.djl.logging.level: debug org.gradle.internal.http.connectionTimeout: 60000 file.separator: \ java.vm.compressedOopsMode: Zero based line.separator:
java.vm.specification.vendor: Oracle Corporation java.specification.name: Java Platform API Specification user.script: sun.management.compiler: HotSpot 64-Bit Tiered Compilers java.runtime.version: 17.0.9+8-LTS user.name: user path.separator: ; os.version: 10.0 java.runtime.name: OpenJDK Runtime Environment file.encoding: MS950 java.vm.name: OpenJDK 64-Bit Server VM java.vendor.version: Microsoft-8552009 java.vendor.url.bug: https://github.com/microsoft/openjdk/issues java.io.tmpdir: C:\Users\user\AppData\Local\Temp\ org.gradle.internal.http.socketTimeout: 120000 java.version: 17.0.9 user.dir: C:\Users\user\Documents\Projects\djl\djl\integration os.arch: amd64 java.vm.specification.name: Java Virtual Machine Specification sun.os.patch.level: native.encoding: MS950 java.library.path: C:+++++\jdk-17.0.9+8\bin;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.6\bin;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.6\libnvvp;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\Git\cmd;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\NVIDIA Corporation\Nsight Compute 2022.1.1\;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDNN\cudnn-windows-x86_64-8.9.4.25_cuda11\bin;C:\Program Files\Docker\Docker\resources\bin;C:+++++\apache-maven-3.9.5\bin;C:+++++\jdk-17.0.9+8\bin;C:\Program Files\TortoiseGit\bin;C:\Users\user\scoop\shims;C:\Users\user\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2023.2.5\bin;;. java.vm.info: mixed mode, sharing java.vendor: Microsoft java.vm.version: 17.0.9+8-LTS sun.io.unicode.encoding: UnicodeLittle library.jansi.path: C:\Users\user.gradle\native\jansi\1.18\windows64 java.class.version: 61.0 org.gradle.internal.publish.checksums.insecure: true
--------- Environment Variables --------- USERDOMAIN_ROAMINGPROFILE: DESKTOP-JS1B4A9 PROCESSOR_LEVEL: 6 SESSIONNAME: Console ALLUSERSPROFILE: C:\ProgramData PROCESSOR_ARCHITECTURE: AMD64 PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules SystemDrive: C: =ExitCode: 00000000 DIRNAME: C:\Users\user\Documents\Projects\djl\djl\ USERNAME: user CMD_LINE_ARGS: debugEnv ProgramFiles(x86): C:\Program Files (x86) APP_HOME: C:\Users\user\Documents\Projects\djl\djl\ PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC DriverData: C:\Windows\System32\Drivers\DriverData OneDriveConsumer: C:\Users\user\OneDrive IntelliJ IDEA Community Edition: C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2023.2.5\bin; ProgramData: C:\ProgramData ProgramW6432: C:\Program Files HOMEPATH: \Users\user PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 151 Stepping 2, GenuineIntel ProgramFiles: C:\Program Files PUBLIC: C:\Users\Public windir: C:\WINDOWS =::: ::\ ZES_ENABLE_SYSMAN: 1 _SKIP: 2 IGCCSVC_DB: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAIqFB8EffQkWTaumhSdM/PAQAAAACAAAAAAAQZgAAAAEAACAAAADyd9wLXjfhF3oZLbrnNyt6eQ9+N3s51eAOyMLhs9b5agAAAAAOgAAAAAIAACAAAAA2w83dyBY/spFAWMSxfMTwrFMqTPhjaPHidtAtdAeYtGAAAAC3SWIacg7VNJvu8398qmpASbHcewQA43d5d4hwiDO3f058X60REfvUDGo2ZzG0wyIRibgYk28JyLEwWqyaz23uZpYN/wJxREaAnP/g94IJARpSGzGo2YzLIWPCz8gSnNxAAAAA+uaebFBS4QIa57L2eIhCudLXLOxPuPkG31WctWiwJjPhqC747PxNIMZA2FER1LHYzTKWEKLQm91F/woDlnG8fg== LOCALAPPDATA: C:\Users\user\AppData\Local USERDOMAIN: DESKTOP-JS1B4A9 LOGONSERVER: \DESKTOP-JS1B4A9 JAVA_HOME: C:+++++\jdk-17.0.9+8 PROMPT: $P$G OneDrive: C:\Users\user\OneDrive =C:: C:\Users\user\Documents\Projects\djl\djl APPDATA: C:\Users\user\AppData\Roaming DOWNLOAD_URL: "https://raw.githubusercontent.com/gradle/gradle/master/gradle/wrapper/gradle-wrapper.jar" JAVA_EXE: C:+++++\jdk-17.0.9+8/bin/java.exe CUDA_PATH_V11_6: C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.6 NVTOOLSEXT_PATH: C:\Program Files\NVIDIA Corporation\NvToolsExt\ CommonProgramFiles: C:\Program Files\Common Files Path: C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.6\bin;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.6\libnvvp;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\Git\cmd;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\NVIDIA Corporation\Nsight Compute 2022.1.1\;C:\Program Files\NVIDIA GPU Computing Toolkit\CUDNN\cudnn-windows-x86_64-8.9.4.25_cuda11\bin;C:\Program Files\Docker\Docker\resources\bin;C:+++++\apache-maven-3.9.5\bin;C:+++++\jdk-17.0.9+8\bin;C:\Program Files\TortoiseGit\bin;C:\Users\user\scoop\shims;C:\Users\user\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\JetBrains\IntelliJ IDEA Community Edition 2023.2.5\bin; OS: Windows_NT COMPUTERNAME: DESKTOP-JS1B4A9 CUDA_PATH: C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.6 PROCESSOR_REVISION: 9702 CLASSPATH: C:\Users\user\Documents\Projects\djl\djl\gradle\wrapper\gradle-wrapper.jar CommonProgramW6432: C:\Program Files\Common Files ComSpec: C:\WINDOWS\system32\cmd.exe APP_BASE_NAME: gradlew EFC_7700: 1 SystemRoot: C:\WINDOWS TEMP: C:\Users\user\AppData\Local\Temp HOMEDRIVE: C: USERPROFILE: C:\Users\user TMP: C:\Users\user\AppData\Local\Temp CommonProgramFiles(x86): C:\Program Files (x86)\Common Files NUMBER_OF_PROCESSORS: 12
-------------- Directories -------------- temp directory: C:\Users\user\AppData\Local\Temp DJL cache directory: C:\Users\user.djl.ai Engine cache directory: C:\Users\user.djl.ai
------------------ CUDA ----------------- [DEBUG] - Found cudart: C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v11.6\bin\cudart64_110.dll GPU Count: 1 CUDA: 116 ARCH: 86 GPU(0) memory used: 1129840640 bytes
----------------- Engines --------------- DJL version: 0.25.0-SNAPSHOT [WARN ] - No matching cuda flavor for win found: cu116mkl/sm_86. [DEBUG] - Using cache dir: C:\Users\user.djl.ai\mxnet\1.9.1-mkl-win-x86_64 [INFO ] - Downloading libgcc_s_seh-1.dll ... [INFO ] - Downloading libgfortran-3.dll ... [INFO ] - Downloading libopenblas.dll ... [INFO ] - Downloading libquadmath-0.dll ... [INFO ] - Downloading mxnet.dll ... [DEBUG] - Loading mxnet library from: C:\Users\user.djl.ai\mxnet\1.9.1-mkl-win-x86_64\mxnet.dll [WARN ] - No matching cuda flavor for win found: cu116mkl/sm_86. Default Engine: MXNet:1.9.0, capabilities: [ SIGNAL_HANDLER, LAPACK, BLAS_OPEN, OPENMP, OPENCV, MKLDNN, ] MXNet Library: C:\Users\user.djl.ai\mxnet\1.9.1-mkl-win-x86_64\mxnet.dll Default Device: cpu() PyTorch: 2 MXNet: 0 XGBoost: 10 LightGBM: 10 OnnxRuntime: 10 TensorFlow: 3
--------------- Hardware -------------- Available processors (cores): 12 Byte Order: LITTLE_ENDIAN Free memory (bytes): 1053525856 Maximum memory (bytes): 17121148928 Total memory available to JVM (bytes): 1073741824 Heap committed: 1073741824 Heap nonCommitted: 30670848
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.