euc-releases / workspace-ONE-SDK-integration-samples

Workspace ONE SDK Integration Samples
BSD 3-Clause "New" or "Revised" License

Update the openssl dependency to avoid problems with vulnerabilities #31

Open novikov1337danil opened 8 months ago

novikov1337danil commented 8 months ago

Describe the bug

I'm using your integration package for flutter v24.2.0. When scanning the application for vulnerabilities, they tell me that the openssl@1.0.2 library has several vulnerabilities: CVE-2023-5678, CVE-2018-16395, CVE-2016-7798.

Scan details:

![image](https://github.com/vmware-samples/workspace-ONE-SDK-integration-samples/assets/44060868/340cdb49-35b6-4f69-a1c7-5c2323d8baa1)

![image](https://github.com/vmware-samples/workspace-ONE-SDK-integration-samples/assets/44060868/a689ac38-693a-4703-bb13-bea68792339b)

Reproduction steps

  1. Integrate your SDK package into the Flutter application.
  2. Scan the application for vulnerabilities (for example, using the https://ostorlab.co/ service).
  3. See that the application has several vulnerabilities (including high-risk ones related to openssl; it would also be useful to look at the others, which are of lower priority).

Expected behavior

Using a newer version of the openssl dependency, which is not subject to these vulnerabilities.

P.S. I didn't find how I can send this report to you in the "security" section or by email, so I'm leaving it here.

Maddy79 commented 8 months ago

@novikov1337danil - We are on OpenSSL 1.0.2zi. We have analyzed the vulnerabilities (High and Medium) reported above, and they are not impacting the flow that we use from the OpenSSL library.
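A local check a reviewer could run on the native libraries extracted from the app bundle, added here as an example that is not part of this issue or of the SDK: it pulls the OpenSSL version banners out of a binary and compares them numerically, including the pre-3.0 letter-release suffixes (1.0.2z < 1.0.2za < ... < 1.0.2zi), so a scanner's match on "1.0.2" can be reconciled with the "1.0.2zi" stated in the reply. The sample bytes are constructed, and the minimum version passed in is an assumed policy value, not one stated on this page.

```python
import re
from typing import List, Tuple

# Banner that OpenSSL compiles into libcrypto/libssl, e.g. b"OpenSSL 1.0.2zi".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")

# Constructed sample standing in for bytes read from a native library in the app bundle.
SAMPLE_LIB = (
    b"\x7fELF\x00\x00padding\x00"
    b"OpenSSL 1.0.2zi\x00"
    b"more strings\x00OpenSSL 1.0.2zi\x00"
)


def version_key(version: str) -> Tuple[int, int, int, int, str]:
    """Sort key for pre-3.0 OpenSSL versions such as 1.0.2zi.

    Letter releases run a..z and then za, zb, ..., so a longer suffix is newer:
    1.0.2 < 1.0.2a < ... < 1.0.2z < 1.0.2za < ... < 1.0.2zi.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def find_versions(blob: bytes) -> List[str]:
    """Return the distinct OpenSSL version banners in a binary, in order of appearance."""
    seen: List[str] = []
    for m in BANNER_RE.finditer(blob):
        v = m.group(1).decode("ascii")
        if v not in seen:
            seen.append(v)
    return seen


def is_at_least(found: str, minimum: str) -> bool:
    """True when the found version is the minimum or newer."""
    return version_key(found) >= version_key(minimum)


def triage(blob: bytes, minimum: str) -> List[Tuple[str, bool]]:
    """Pair each banner found in the blob with whether it meets the minimum version."""
    return [(v, is_at_least(v, minimum)) for v in find_versions(blob)]


if __name__ == "__main__":
    # "1.0.2zi" is the version stated in the reply; using it as the minimum is an assumed policy.
    for version, ok in triage(SAMPLE_LIB, "1.0.2zi"):
        print(f"{version}: {'ok' if ok else 'BELOW MINIMUM'}")
```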