futurewei-cloud / alcor

Alcor: Cloud native SDN platform powered by Kubernetes and Istio
MIT License

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #760

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Hi, in services/pseudo_controller/, there is a dependency org.apache.httpcomponents:httpclient:4.5.11 that calls the risk method.

CVE-2020-13956

The affected version range of this CVE is [,4.5.13).

After further analysis, in this project, the main API called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 5

com.futurewei.alcor.pseudo_controller.ncm_test.ncm_test: run_test_against_ncm()V .m2/repository/org/latencyutils/LatencyUtils/2.0.3/LatencyUtils-2.0.3.jar
org.apache.http.impl.client.DecompressingHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpResponse; .m2/repository/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar
org.apache.http.impl.client.DecompressingHttpClient: getHttpHost(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] com.futurewei.alcor:pseudo_controller:jar:1.0-SNAPSHOT
[INFO] +- com.futurewei.alcor:common:jar:0.1.0-SNAPSHOT:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-actuator:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] |  |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] |  |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.23:runtime
[INFO] |  |  +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-actuator:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.9:runtime
[INFO] |  |  \- io.micrometer:micrometer-core:jar:1.1.5:compile
[INFO] |  |     +- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
[INFO] |  |     \- org.latencyutils:LatencyUtils:jar:2.0.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-data-redis:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-redis:jar:2.1.9.RELEASE:compile
[INFO] |  |  |  +- org.springframework.data:spring-data-keyvalue:jar:2.1.9.RELEASE:compile
[INFO] |  |  |  |  \- org.springframework.data:spring-data-commons:jar:2.1.9.RELEASE:compile
[INFO] |  |  |  +- org.springframework:spring-oxm:jar:5.1.8.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-context-support:jar:5.1.8.RELEASE:compile
[INFO] |  |  \- io.lettuce:lettuce-core:jar:5.1.7.RELEASE:compile
[INFO] |  |     +- io.netty:netty-common:jar:4.1.36.Final:compile
[INFO] |  |     +- io.netty:netty-handler:jar:4.1.36.Final:compile
[INFO] |  |     |  +- io.netty:netty-buffer:jar:4.1.36.Final:compile
[INFO] |  |     |  \- io.netty:netty-codec:jar:4.1.36.Final:compile
[INFO] |  |     +- io.netty:netty-transport:jar:4.1.36.Final:compile
[INFO] |  |     |  \- io.netty:netty-resolver:jar:4.1.36.Final:compile
[INFO] |  |     \- io.projectreactor:reactor-core:jar:3.2.8.RELEASE:compile
[INFO] |  |        \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.11.RELEASE:compile
[INFO] |  |  |  \- org.thymeleaf:thymeleaf:jar:3.0.11.RELEASE:compile
[INFO] |  |  |     +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] |  |  |     \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] |  |  \- org.thymeleaf.extras:thymeleaf-extras-java8time:jar:3.0.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:5.1.8.RELEASE:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.9.4:compile
[INFO] |  +- org.apache.kafka:kafka-clients:jar:2.3.0:compile
[INFO] |  |  +- com.github.luben:zstd-jni:jar:1.4.0-1:compile
[INFO] |  |  +- org.lz4:lz4-java:jar:1.6.0:compile
[INFO] |  |  +- org.xerial.snappy:snappy-java:jar:1.1.7.3:compile
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] |  +- org.apache.commons:commons-pool2:jar:2.4.2:compile
[INFO] |  +- org.springframework.kafka:spring-kafka:jar:2.2.7.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-context:jar:5.1.7.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-expression:jar:5.1.7.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-messaging:jar:5.1.7.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-tx:jar:5.1.7.RELEASE:compile
[INFO] |  |  \- org.springframework.retry:spring-retry:jar:1.2.4.RELEASE:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.16.3:compile
[INFO] |  +- io.grpc:grpc-netty-shaded:jar:1.42.2:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.9.0:compile
[INFO] |  |  +- io.perfmark:perfmark-api:jar:0.23.0:runtime
[INFO] |  |  \- io.grpc:grpc-core:jar:1.42.2:compile
[INFO] |  |     +- com.google.android:annotations:jar:4.1.1.4:runtime
[INFO] |  |     \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
[INFO] |  +- io.grpc:grpc-protobuf:jar:1.42.2:compile
[INFO] |  |  +- io.grpc:grpc-api:jar:1.42.2:compile
[INFO] |  |  |  \- io.grpc:grpc-context:jar:1.42.2:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
[INFO] |  |  \- io.grpc:grpc-protobuf-lite:jar:1.42.2:compile
[INFO] |  +- io.grpc:grpc-stub:jar:1.42.2:compile
[INFO] |  +- io.grpc:protoc-gen-grpc-java:pom:1.42.2:compile
[INFO] |  +- org.apache.ignite:ignite-core:jar:2.10.0:compile
[INFO] |  |  +- javax.cache:cache-api:jar:1.0.0:compile
[INFO] |  |  +- org.jetbrains:annotations:jar:16.0.3:compile
[INFO] |  |  \- org.gridgain:ignite-shmem:jar:1.0.0:compile
[INFO] |  +- ai.grakn:redis-mock:jar:0.1.6:compile
[INFO] |  |  \- com.github.kstyrc:embedded-redis:jar:0.6:compile
[INFO] |  |     \- commons-io:commons-io:jar:2.4:compile
[INFO] |  +- org.projectlombok:lombok:jar:1.18.0:compile
[INFO] |  +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] |  |  \- junit:junit:jar:4.10:compile
[INFO] |  |     \- org.hamcrest:hamcrest-core:jar:1.1:compile
[INFO] |  +- org.springframework:spring-web:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:5.1.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-web:jar:2.1.1:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-web-servlet-filter:jar:0.3.0:compile
[INFO] |  +- com.google.guava:guava:jar:31.1-jre:compile (version selected from constraint [30.0-jre,))
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  \- org.apache.ignite:ignite-kubernetes:jar:2.12.0:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-core:jar:2.12.4:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.4:compile
[INFO] +- io.jaegertracing:jaeger-tracerresolver:jar:1.3.2:compile
[INFO] |  +- io.jaegertracing:jaeger-core:jar:1.3.2:compile
[INFO] |  |  \- com.google.code.gson:gson:jar:2.8.6:compile
[INFO] |  \- io.opentracing.contrib:opentracing-tracerresolver:jar:0.1.8:compile
[INFO] +- io.opentracing.contrib:opentracing-spring-jaeger-cloud-starter:jar:3.3.1:compile
[INFO] |  \- io.opentracing.contrib:opentracing-spring-jaeger-starter:jar:3.3.1:compile
[INFO] |     +- io.opentracing.contrib:opentracing-spring-tracer-configuration-starter:jar:0.4.0:compile
[INFO] |     \- io.jaegertracing:jaeger-client:jar:1.3.2:compile
[INFO] |        \- io.jaegertracing:jaeger-thrift:jar:1.3.2:compile
[INFO] |           +- org.apache.thrift:libthrift:jar:0.13.0:compile
[INFO] |           \- com.squareup.okhttp3:okhttp:jar:4.2.2:compile
[INFO] |              +- com.squareup.okio:okio:jar:2.2.2:compile
[INFO] |              \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.3.50:compile
[INFO] |                 \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.3.50:compile
[INFO] +- org.awaitility:awaitility:jar:4.1.0:compile
[INFO] |  \- org.hamcrest:hamcrest:jar:2.1:compile
[INFO] +- io.opentracing.contrib:opentracing-spring-cloud-starter:jar:0.3.12:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-core:jar:0.3.12:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-concurrent:jar:0.3.0:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-web-starter:jar:2.1.1:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.5.RELEASE:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-messaging-starter:jar:0.1.2:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-spring-messaging:jar:0.1.2:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-rabbitmq-starter:jar:2.0.5:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-spring-rabbitmq:jar:2.0.5:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-jdbc-starter:jar:0.3.12:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-jdbc:jar:0.1.1:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-jms-starter:jar:0.3.12:compile
[INFO] |  |  +- io.opentracing.contrib:opentracing-jms-spring:jar:0.1.0:compile
[INFO] |  |  +- io.opentracing.contrib:opentracing-jms-1:jar:0.1.0:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-jms-common:jar:0.1.0:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-feign-starter:jar:0.3.12:compile
[INFO] |  |  +- io.github.openfeign.opentracing:feign-opentracing:jar:0.3.0:compile
[INFO] |  |  \- io.github.openfeign.opentracing:feign-hystrix-opentracing:jar:0.3.0:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-hystrix-starter:jar:0.3.12:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-reactor-starter:jar:0.3.12:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-reactor:jar:0.1.0:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-rxjava-starter:jar:0.3.12:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-rxjava-1:jar:0.1.0:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-redis-starter:jar:0.3.12:compile
[INFO] |  |  +- io.opentracing.contrib:opentracing-redis-spring-data2:jar:0.1.2:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-redis-common:jar:0.1.2:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-mongo-starter:jar:0.3.12:compile
[INFO] |  |  +- io.opentracing.contrib:opentracing-mongo-driver:jar:0.1.2:compile
[INFO] |  |  \- io.opentracing.contrib:opentracing-mongo-common:jar:0.1.2:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-websocket-starter:jar:0.3.12:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-zuul-starter:jar:0.3.12:compile
[INFO] |  +- io.opentracing.contrib:opentracing-spring-cloud-gateway-starter:jar:0.3.12:compile
[INFO] |  \- io.opentracing:opentracing-api:jar:0.32.0:compile
[INFO] +- io.opentracing.contrib:opentracing-grpc:jar:0.2.3:compile
[INFO] |  \- io.opentracing:opentracing-util:jar:0.33.0:compile
[INFO] |     \- io.opentracing:opentracing-noop:jar:0.33.0:compile
[INFO] +- com.futurewei.alcor:schema:jar:0.1.0-SNAPSHOT:compile
[INFO] |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] +- com.jcraft:jsch:jar:0.1.54:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.11:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO] \- com.github.seancfoley:ipaddress:jar:5.3.3:compile

Suggested solutions:

Update dependency version

Thank you very much.
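As an added example (not part of this issue or of the Alcor project): a small Python check that parses lines in the `mvn dependency:tree` format shown above and flags any artifact whose version falls inside a Maven version range such as the `[,4.5.13)` given for CVE-2020-13956. The sample tree is a constructed excerpt of the one in the issue, and the advisory table holds only the range stated here.

```python
import re

# Constructed excerpt in the format of the `mvn dependency:tree` output above.
SAMPLE_TREE = """\
[INFO] com.futurewei.alcor:pseudo_controller:jar:1.0-SNAPSHOT
[INFO] +- com.jcraft:jsch:jar:0.1.54:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.11:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] \\- com.github.seancfoley:ipaddress:jar:5.3.3:compile
"""

# group:artifact -> (advisory, affected range in Maven notation), as stated in the issue.
ADVISORIES = {"org.apache.httpcomponents:httpclient": ("CVE-2020-13956", "[,4.5.13)")}

# Matches "[INFO] <tree art> group:artifact:jar|pom:version:scope"; the root line has no scope.
DEP_RE = re.compile(r"^\[INFO\]\s+[|+\\\s-]*([\w.-]+):([\w.-]+):(?:jar|pom):([\w.-]+):(\w+)")


def version_key(v):
    """Numeric dotted prefix as a tuple; qualifiers such as RELEASE or Final are ignored."""
    parts = []
    for p in re.split(r"[.-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def in_range(version, spec):
    """Maven range: '[' or '(' lower bound, ']' or ')' upper bound; empty bound = unbounded."""
    m = re.fullmatch(r"([\[(])([^,]*),([^\]\)]*)([\])])", spec)
    assert m, f"unsupported range syntax: {spec}"
    lo_incl, lo, hi, hi_incl = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    v = version_key(version)
    if lo and (v < version_key(lo) or (v == version_key(lo) and not lo_incl)):
        return False
    if hi and (v > version_key(hi) or (v == version_key(hi) and not hi_incl)):
        return False
    return True


def parse_tree(text):
    """Yield (group:artifact, version, scope) for every dependency line in the tree."""
    deps = []
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if m:
            deps.append((f"{m.group(1)}:{m.group(2)}", m.group(3), m.group(4)))
    return deps


def find_affected(text, advisories=ADVISORIES):
    """Return (group:artifact, version, advisory) for each dependency inside an affected range."""
    hits = []
    for ga, version, _scope in parse_tree(text):
        if ga in advisories and in_range(version, advisories[ga][1]):
            hits.append((ga, version, advisories[ga][0]))
    return hits
```

Running `find_affected` over the full tree pasted in the issue reports httpclient 4.5.11 and nothing else; after bumping the dependency to 4.5.13 the same check returns an empty list.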