forcedotcom / sfdx-scanner

MIT License

"commons-text-1.9.jar" vulnerability? #1532

Closed EllieAtWHL closed 2 months ago

EllieAtWHL commented 3 months ago

I'd really love for me and my team to be able to use the scanner to improve things like the security of our code as part of our development and deployment process - however, whenever I install the plugin on my computer, I always end up getting a message from my IT team that vulnerable software is installed, relating to the commons-text-1.9.jar. I started just trying to delete this file and the scanner seemed to work fine, but then it keeps reappearing again (maybe after doing updates, is my guess), so I ended up just uninstalling the plug-in. Does anyone know a way to avoid having this vulnerability installed as part of the plug-in so we can start using the scanner?

jfeingold35 commented 3 months ago

@EllieAtWHL , commons-text-1.9.jar is coming from one of our nested dependencies, gremlin-core-3.5.1.jar. We believe we can safely upgrade that dependency to 3.5.8, which upgrades commons-text.jar to a version without vulnerabilities, but still has other dependencies with their own vulnerabilities. Can you check that page and see if it's going to be sufficient for you?

EllieAtWHL commented 3 months ago

@jfeingold35, thanks for responding so quickly - I have reached out to our IT Security team to check - keeping my fingers crossed!

EllieAtWHL commented 3 months ago

Thanks again @jfeingold35 - our IT Security team have said they think that will be okay - so it would be great if you can upgrade so I can install again 😊

gavignon commented 3 months ago

Hello @jfeingold35! We recently scanned the Docker image that we are using on the CI/CD (with Aqua) and we have several vulnerabilities in addition to the one described in this issue. To avoid creating a duplicate, I'm adding the list of vulnerabilities here; please tell me if I need to create a new issue:

| Name | Resource | Severity | Score | Fix Version | Layer |
|---|---|---|---|---|---|
| CVE-2023-6378 | logback-classic | high | 7.5 | 1.2.13 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2023-6378 | logback-core | high | 7.5 | 1.2.13 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2020-36518 | jackson-databind | high | 7.5 | 2.12.6.1 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2021-46877 | jackson-databind | high | 7.5 | 2.12.6 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2022-42003 | jackson-databind | high | 7.5 | 2.12.7.1 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2022-42004 | jackson-databind | high | 7.5 | 2.12.7.1 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2023-2976 | guava | high | 7.1 | 32.0.0 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # |
| CVE-2023-2976 | guava | high | 7.1 | 32.0.0 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2023-3635 | okio | high | 7.5 | 1.17.6 | COPY /opt/sonar-scanner /opt/sonar-scanner # buildkit |
| CVE-2021-44906 | json5 | critical | 9.8 | 2.2.1 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2022-33980 | commons-configuration2 | critical | 9.8 | 2.8.0 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2022-42889 | commons-text | critical | 9.8 | 1.10.0 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2022-1471 | snakeyaml | critical | 9.8 | 2.0 | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2023-37466 | vm2 | critical | 10 | None | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
| CVE-2023-37903 | vm2 | critical | 10 | None | RUN /bin/sh -c sf plugins install @salesforce/sfdx-scanner@3.26.0 # buildkit |
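The recurring question in this thread is whether the jars shipped with a given plugin install are still below the fix versions reported by the scanner. The following script is an added illustration of that check and is not part of sfdx-scanner or the Aqua tooling: it takes the Java artifacts and fix versions from the table above (for jackson-databind, the highest fix version listed), parses Maven-style jar file names, and reports every jar whose version is below the fix. The `scan_install_dir` helper walks a directory you point it at; the install path is an assumption to fill in, not a path the project documents.

```python
"""Flag jars below the fix versions from a container scan (added example)."""
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Java artifacts and fix versions taken from the scan table in this thread.
# For jackson-databind the highest listed fix version (2.12.7.1) covers the
# other two rows as well.  okio is omitted because its layer is sonar-scanner.
FIX_VERSIONS = {
    "commons-text": ("CVE-2022-42889", "1.10.0"),
    "commons-configuration2": ("CVE-2022-33980", "2.8.0"),
    "snakeyaml": ("CVE-2022-1471", "2.0"),
    "jackson-databind": ("CVE-2022-42003", "2.12.7.1"),
    "logback-classic": ("CVE-2023-6378", "1.2.13"),
    "logback-core": ("CVE-2023-6378", "1.2.13"),
    "guava": ("CVE-2023-2976", "32.0.0"),
}

# Maven-style name: <artifact>-<numeric.version>[-classifier].jar
# e.g. commons-text-1.9.jar, jackson-databind-2.12.6.jar, guava-31.1-jre.jar
JAR_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$"
)


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.12.7.1' into (2, 12, 7, 1) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_jar(filename: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) for a Maven-style jar name, else None."""
    match = JAR_RE.match(filename)
    if not match:
        return None
    return match.group("name"), match.group("version")


def audit_jars(filenames: List[str]) -> List[Tuple[str, str, str]]:
    """Return (filename, CVE, fix_version) for each jar below its fix version.

    Jars that are not in FIX_VERSIONS, or that are already at or above the
    fix version, are not reported.
    """
    findings = []
    for filename in filenames:
        parsed = parse_jar(filename)
        if parsed is None:
            continue
        artifact, found_version = parsed
        if artifact not in FIX_VERSIONS:
            continue
        cve, fix_version = FIX_VERSIONS[artifact]
        if version_key(found_version) < version_key(fix_version):
            findings.append((filename, cve, fix_version))
    return findings


def scan_install_dir(root: str) -> List[Tuple[str, str, str]]:
    """Recursively collect *.jar names under root and audit them."""
    names = [path.name for path in Path(root).rglob("*.jar")]
    return audit_jars(names)


if __name__ == "__main__":
    # Constructed sample: what a scan of an old install might turn up.
    sample = [
        "commons-text-1.9.jar",        # below 1.10.0 -> reported
        "gremlin-core-3.5.1.jar",      # not in the fix table -> ignored
        "guava-31.1-jre.jar",          # below 32.0.0 -> reported
        "jackson-databind-2.12.7.1.jar",  # at fix version -> not reported
    ]
    for filename, cve, fix in audit_jars(sample):
        print(f"{filename}: {cve}, upgrade to {fix} or later")
    # Replace the placeholder with the directory the plugin was installed into.
    # print(scan_install_dir("/path/to/plugin/install"))  # placeholder path
```

Running it against a real install directory is the useful part: if the report is empty after upgrading the plugin, the jars the scanner flagged are no longer present at vulnerable versions, and if a jar reappears after an update (the behaviour described in the opening comment), the script names it and the version to expect.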
jfeingold35 commented 2 months ago

@EllieAtWHL , thanks for letting us know. We'll update the dependency in question and it will go out in the upcoming July release. @gavignon , could you try upgrading to v4.x of the scanner, and let us know if any of these vulnerabilities are resolved (or if any new ones are added)?

git2gus[bot] commented 2 months ago

This issue has been linked to a new work item: W-16206934

jfeingold35 commented 2 months ago

@gavignon , also, some good news:

Please let me know if any of the other vulnerabilities persist into v4, as I'm unable to find them in our dependency tree.

jfeingold35 commented 2 months ago

@gavignon , I've determined that upgrading to v4.x of Code Analyzer will resolve the vulnerabilities from vm2, as this library was required by an old version of RetireJS that we upgraded away from. Also, is CVE-2021-44906 correct? The table mentions json5, but the vulnerability itself is for minimist. Is it possible there's a mismatch between those two? If the vulnerability is correct, then I can say that we're on a safe version of minimist on v4.x as well.

jfeingold35 commented 2 months ago

@gavignon , amendment: I've determined that upgrading to the version of v4.x that we'll be publishing at the end of the month should resolve all of the vulnerabilities listed with the exception of the following:

Please let us know if there's anything we're missing here.