gitblit-org / gitblit

pure java git solution
http://gitblit.com
Apache License 2.0

Many vulnerabilities #1458

Open fbacchella opened 9 months ago

fbacchella commented 9 months ago

Gitblit 1.9.3 is difficult to deploy in production. Running grype, it returns:

NAME              INSTALLED             FIXED-IN              TYPE          VULNERABILITY        SEVERITY 
bcprov-jdk15on    1.57                  1.60                  java-archive  GHSA-4446-656p-f54g  Critical  
bcprov-jdk15on    1.57                                        java-archive  GHSA-hr8g-6v94-x4m9  Medium    
bcprov-jdk15on    1.57                  1.66                  java-archive  GHSA-6xx3-rg99-gc3p  Medium    
commons-compress  1.4.1                 1.21                  java-archive  GHSA-xqfj-vm6h-2x34  High      
commons-compress  1.4.1                 1.21                  java-archive  GHSA-mc84-pj99-q6hh  High      
commons-compress  1.4.1                 1.21                  java-archive  GHSA-crv7-7245-f45f  High      
commons-compress  1.4.1                 1.21                  java-archive  GHSA-7hfm-57qf-j43q  High      
commons-compress  1.4.1                 1.18                  java-archive  GHSA-hrmr-f5m6-m9pq  Medium    
commons-io        2.2                   2.7                   java-archive  GHSA-gwrp-pvrq-jmwv  Medium    
gitblit           1.9.3                                       java-archive  GHSA-2c65-rq62-fqhq  High      
guava             18.0                  24.1.1                java-archive  GHSA-mvr2-9pj6-7w5j  Medium    
guava             18.0                  32.0.0                java-archive  GHSA-7g45-4rm6-3mm3  Medium    
guava             18.0                  32.0.0                java-archive  GHSA-5mg8-w23w-74h3  Low       
httpclient        4.3.6                 4.5.13                java-archive  GHSA-7r82-7xv7-xcpj  Medium    
jdom              1.0                                         java-archive  GHSA-2363-cqg2-863c  High      
jsch              0.1.53                0.1.54                java-archive  GHSA-q446-82vq-w674  Medium    
jsoup             1.7.3                 1.14.2                java-archive  GHSA-m72m-mhq2-9p6c  High      
jsoup             1.7.3                 1.15.3                java-archive  GHSA-gp7f-rwcx-9369  Medium    
jsoup             1.7.3                 1.8.3                 java-archive  GHSA-48rh-qgjr-xfj6  Medium    
libpam4j          1.8                   1.10                  java-archive  GHSA-x9rg-q5fx-fx66  Medium    
log4j             1.2.17                                      java-archive  GHSA-f7vh-qwp3-x37m  Critical  
log4j             1.2.17                                      java-archive  GHSA-65fg-84f6-3jq3  Critical  
log4j             1.2.17                                      java-archive  GHSA-2qrg-x229-3v8q  Critical  
log4j             1.2.17                                      java-archive  GHSA-w9p3-5cr8-m3jj  High      
log4j             1.2.17                                      java-archive  GHSA-fp5r-v3w9-4333  High      
mina-core         2.0.21                2.0.22                java-archive  GHSA-6mcm-j9cj-3vc3  Medium    
org.eclipse.jgit  4.5.7.201904151645-r  6.6.1.202309021850-r  java-archive  GHSA-3p86-9955-h393  High      
sshd-core         1.2.0                 2.9.2                 java-archive  GHSA-fhw8-8j55-vwgq  Critical  
sshd-core         1.2.0                 2.10.0                java-archive  GHSA-mjmq-gwgm-5qhm  Medium    
tika-core         1.5                   1.14                  java-archive  GHSA-j8g6-2wh7-6439  Critical  
tika-core         1.5                   1.19.1                java-archive  GHSA-h8q5-g2cj-qr5h  High      
tika-core         1.5                   1.19.1                java-archive  GHSA-6jq2-789q-fff2  High      
tika-core         1.5                   1.13                  java-archive  GHSA-4xr4-4c65-hj7f  High      
tika-core         1.5                   1.19                  java-archive  GHSA-w6g3-v46q-5p28  Medium    
tika-core         1.5                   1.19                  java-archive  GHSA-j53j-gmr9-h8g3  Medium    
tika-core         1.5                   1.18                  java-archive  GHSA-5mf7-26mw-3rqr  Medium

I downloaded the code using git clone, built it and reran grype:

bcprov-jdk15on    1.69                                         java-archive  GHSA-hr8g-6v94-x4m9  Medium    
commons-compress  1.22                   1.24.0                java-archive  GHSA-cgwf-w82q-5jrr  Medium    
guava             31.1-jre               32.0.0                java-archive  GHSA-7g45-4rm6-3mm3  Medium    
guava             31.1-jre               32.0.0                java-archive  GHSA-5mg8-w23w-74h3  Low       
httpclient        4.5.2                  4.5.13                java-archive  GHSA-7r82-7xv7-xcpj  Medium    
jdom              1.0                                          java-archive  GHSA-2363-cqg2-863c  High      
jsoup             1.7.3                  1.14.2                java-archive  GHSA-m72m-mhq2-9p6c  High      
jsoup             1.7.3                  1.15.3                java-archive  GHSA-gp7f-rwcx-9369  Medium    
jsoup             1.7.3                  1.8.3                 java-archive  GHSA-48rh-qgjr-xfj6  Medium    
log4j             1.2.17                                       java-archive  GHSA-f7vh-qwp3-x37m  Critical  
log4j             1.2.17                                       java-archive  GHSA-65fg-84f6-3jq3  Critical  
log4j             1.2.17                                       java-archive  GHSA-2qrg-x229-3v8q  Critical  
log4j             1.2.17                                       java-archive  GHSA-w9p3-5cr8-m3jj  High      
log4j             1.2.17                                       java-archive  GHSA-fp5r-v3w9-4333  High      
mina-core         2.0.21                 2.0.22                java-archive  GHSA-6mcm-j9cj-3vc3  Medium    
org.eclipse.jgit  4.11.9.201909030838-r  6.6.1.202309021850-r  java-archive  GHSA-3p86-9955-h393  High      
sshd-core         1.7.0                  2.9.2                 java-archive  GHSA-fhw8-8j55-vwgq  Critical  
sshd-core         1.7.0                  2.10.0                java-archive  GHSA-mjmq-gwgm-5qhm  Medium    
tika-core         1.5                    1.14                  java-archive  GHSA-j8g6-2wh7-6439  Critical  
tika-core         1.5                    1.19.1                java-archive  GHSA-h8q5-g2cj-qr5h  High      
tika-core         1.5                    1.19.1                java-archive  GHSA-6jq2-789q-fff2  High      
tika-core         1.5                    1.13                  java-archive  GHSA-4xr4-4c65-hj7f  High      
tika-core         1.5                    1.19                  java-archive  GHSA-w6g3-v46q-5p28  Medium    
tika-core         1.5                    1.19                  java-archive  GHSA-j53j-gmr9-h8g3  Medium    
tika-core         1.5                    1.18                  java-archive  GHSA-5mf7-26mw-3rqr  Medium

Any plan to issue a release with at least all vulnerabilities closed, or should I give up on using gitblit?
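A triage helper for the two grype reports above, added here as an example and not part of this issue or of the gitblit project: it parses grype's table output, works out per package the single upgrade that closes every fixable advisory and which advisories no upgrade of that artifact closes, and diffs the 1.9.3 report against the master build to show which advisories the rebuild closed. The sample rows are a subset copied from the reports above.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional
# Rows copied from the two grype reports in the issue above (subset, header dropped).
RELEASE_1_9_3 = """\
bcprov-jdk15on  1.57   1.60    java-archive  GHSA-4446-656p-f54g  Critical
bcprov-jdk15on  1.57           java-archive  GHSA-hr8g-6v94-x4m9  Medium
sshd-core       1.2.0  2.9.2   java-archive  GHSA-fhw8-8j55-vwgq  Critical
sshd-core       1.2.0  2.10.0  java-archive  GHSA-mjmq-gwgm-5qhm  Medium
"""
MASTER_BUILD = """\
bcprov-jdk15on  1.69           java-archive  GHSA-hr8g-6v94-x4m9  Medium
sshd-core       1.7.0  2.9.2   java-archive  GHSA-fhw8-8j55-vwgq  Critical
"""

class Finding(NamedTuple):
    package: str
    installed: str
    fixed_in: Optional[str]  # None when grype's FIXED-IN cell is empty
    advisory: str
    severity: str
def version_key(v: str):
    # numeric-aware so "2.10.0" > "2.9.2"; non-numeric parts ("r", "jre") sort last
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.-]", v))
def parse_grype_table(text: str) -> list[Finding]:
    # An empty FIXED-IN cell leaves the row one token short; that is how "no fix" is detected.
    findings = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "NAME":  # blank line or header
            continue
        if len(tok) == 6:
            name, installed, fixed, _kind, advisory, severity = tok
        elif len(tok) == 5:
            (name, installed, _kind, advisory, severity), fixed = tok, None
        else:
            raise ValueError(f"unexpected grype row: {line!r}")
        findings.append(Finding(name, installed, fixed, advisory, severity))
    return findings
def fix_actions(findings: list[Finding]) -> dict[str, dict]:
    # Per package: the one FIXED-IN closing every fixable advisory, and the advisories no upgrade closes.
    by_pkg = defaultdict(list)
    for f in findings: by_pkg[f.package].append(f)
    return {pkg: {
        "upgrade_to": max((r.fixed_in for r in rows if r.fixed_in), key=version_key, default=None),
        "unfixed": sorted(r.advisory for r in rows if r.fixed_in is None),
    } for pkg, rows in by_pkg.items()}
def diff_reports(before: list[Finding], after: list[Finding]):
    b, a = {f.advisory for f in before}, {f.advisory for f in after}
    return sorted(b - a), sorted(a)
```

`diff_reports` returns the advisories the second build closed and those still open in it; an `unfixed` entry means grype knows no fixed version of that artifact, so only swapping the dependency or confirming the vulnerable code is unreachable removes it.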

flaix commented 9 months ago

A clear yes and no. Yes, but not in the near future, re all vulnerabilities. No, as in some dependencies will need more work in order to update them safely.

The thing with dependencies is that it is not always so easy to simply update to the latest version. Sometimes yes, then we can easily add that. Other times, it involves rewriting parts of the application to adapt to changed interfaces and even more testing. One problem currently is the state of the test suite and that no one went to work on it to make it stable and reliable, which helps a lot when rewriting your code. Also some dependencies would require a newer minimum Java version than we can currently support.

Often it is a simple numbers game from a tool's perspective, and I understand this from an operator's view. Just check for the version and update. But not every vulnerability in package A is a problem when used in software X, because the problematic code is never used in the software. This is the case for log4j and Gitblit, for example. But, again, I understand that these details may be important for the developer, but not the operator running many, many tools.

The latest version with updated dependencies is also available as nightly Docker container builds as gitblit/gitblit:nightly.