feedzai / feedzai-openml-java

Implementations for Feedzai's OpenML APIs to allow for usage of machine learning models in the Java programming language.
https://www.feedzai.com
Apache License 2.0

Bump jetty and log4j in H2O provider to avoid CVEs #100

Closed paulojrp closed 2 years ago

paulojrp commented 2 years ago

Some CVEs were found in the OpenML provider of H2O.

In order to fix them the version of H2O was upgraded from 3.30.0.7 to 3.36.0.3. That allowed us to easily bump the versions of log4j to 2.17.1 and of jetty to 9.4.44.v20210927.

| CVE | Component | Version | Location | Security Risk |
|---|---|---|---|---|
| CVE-2020-27216 | jetty-client | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-continuation | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-http | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-io | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-jaas | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-proxy | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-security | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-server | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-servlet | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-servlets | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2020-27216 | jetty-util | 9.4.11.v20180605 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
| CVE-2019-17571 | log4j | 1.2.17 | ./pulse-aws/pulse/lib/com.feedzai.openml-h2o-1.1.0.jar | High |
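The fix lands only if the rebuilt provider jar actually bundles the newer jetty and log4j, so a post-build check is worth having. The script below is an added example, not code from this PR or the project: it opens a jar, reads the Maven pom.properties entries shaded into it, and reports any jetty artifact below 9.4.44.v20210927 or any log4j 1.x artifact. The minimum versions come from the PR description, the sample jar is constructed in memory, and it assumes the shaded jar keeps its META-INF/maven entries.

```python
import io
import re
import zipfile

# Minimum safe versions taken from the PR description; anything older is reported.
MIN_VERSIONS = {
    "org.eclipse.jetty": "9.4.44.v20210927",  # floor the PR chose for CVE-2020-27216
    "org.apache.logging.log4j": "2.17.1",      # log4j 2.x floor the PR chose
}
# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into each jar; a shaded jar is assumed to keep them.
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def version_key(version):
    """Order versions by their numeric runs: '9.4.11.v20180605' -> (9, 4, 11, 20180605)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def parse_pom_properties(text):
    """Parse the key=value lines of a pom.properties file, skipping '#' comments."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line and not line.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit_jar(jar_bytes):
    """Return [(groupId, artifactId, version, reason)] for every bundled artifact below the floor."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not POM_RE.match(name):
                continue
            props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
            group, artifact, version = props.get("groupId", ""), props.get("artifactId", ""), props.get("version", "")
            if group == "log4j" and artifact == "log4j":
                findings.append((group, artifact, version, "log4j 1.x is end-of-life (CVE-2019-17571)"))
            elif group in MIN_VERSIONS and version_key(version) < version_key(MIN_VERSIONS[group]):
                findings.append((group, artifact, version, f"below {MIN_VERSIONS[group]}"))
    return findings

def build_sample_jar():
    """Constructed in-memory jar mixing pre- and post-bump artifacts (not the project's real jar)."""
    entries = [
        ("org.eclipse.jetty", "jetty-server", "9.4.11.v20180605"),  # pre-bump, vulnerable
        ("org.eclipse.jetty", "jetty-util", "9.4.44.v20210927"),    # post-bump, fine
        ("log4j", "log4j", "1.2.17"),                                # log4j 1.x, vulnerable
        ("org.apache.logging.log4j", "log4j-core", "2.17.1"),        # post-bump, fine
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for group, artifact, version in entries:
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()
```

Running `audit_jar` against the real provider jar after the build (read its bytes from disk) gives an empty list when the bump is complete and one line per stale artifact otherwise.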
codecov[bot] commented 2 years ago

Codecov Report

Merging #100 (74445c6) into hf-1.0.X (4469c95) will decrease coverage by 0.16%. The diff coverage is 92.30%.

@@              Coverage Diff               @@
##             hf-1.0.X     #100      +/-   ##
==============================================
- Coverage       79.25%   79.09%   -0.17%     
- Complexity        382      389       +7     
==============================================
  Files              39       40       +1     
  Lines            1364     1387      +23     
  Branches          127      130       +3     
==============================================
+ Hits             1081     1097      +16     
- Misses            215      223       +8     
+ Partials           68       67       -1     
| Impacted Files | Coverage Δ |
|---|---|
| ...feedzai/openml/java/utils/ModelParameterUtils.java | 90.00% <90.00%> (ø) |
| ...n/java/com/feedzai/openml/h2o/H2OModelCreator.java | 74.39% <100.00%> (+0.97%) ↑ |
| ...edzai/openml/h2o/params/ParametersBuilderUtil.java | 54.30% <0.00%> (-2.69%) ↓ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 4469c95...74445c6.