graphql-java-generator / graphql-maven-plugin-project

graphql-maven-plugin is a Maven Plugin for GraphQL, based on graphql-java. It accelerates the development for both the client and the server, by generating the Java code. It allows a quicker development when in contract-first approach, by avoiding to code the boilerplate code.
https://graphql-maven-plugin-project.graphql-java-generator.com
MIT License

Vulnerable dependency maven:org.codehaus.plexus:plexus-utils:1.5.8 #203

Closed andreikrutsko closed 10 months ago

andreikrutsko commented 10 months ago
        <dependency>
            <groupId>com.graphql-java-generator</groupId>
            <artifactId>graphql-maven-plugin</artifactId>
            <version>2.3.2</version>
        </dependency>
Provides transitive vulnerable dependency maven:org.codehaus.plexus:plexus-utils:1.5.8
CVE-2017-1000487 9.8 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability
CVE-2022-4244 7.5 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability
Results powered by Checkmarx(c)

Not sure if it is possible due to compatibility. But it would be very much appreciated to try to raise the plexus-utils version to [3.0.24]+ (or higher).

etienne-sf commented 10 months ago

Hello,

What's strange here is that I can't see the vulnerability on GitHub or in the Maven repository.

The upgrade for plexus-utils will be available in the next version. As this dependency is only used for the code generation (not for the code execution), I don't see this vulnerability as critical.

I have a question about the extract of your pom that you provided. Why is graphql-maven-plugin in a dependency tag? It should be in a plugin, like below.

In the meantime, if it's important for you, you can change your pom to add the CVE-free version of plexus-utils, like this:

        <plugin>
            <groupId>com.graphql-java-generator</groupId>
            <artifactId>graphql-maven-plugin</artifactId>
            <version>2.3.2</version>
            <configuration>
...
            </configuration>
            <dependencies>
                <dependency>
                    <groupId>org.codehaus.plexus</groupId>
                    <artifactId>plexus-utils</artifactId>
                    <version>3.0.24</version>
                </dependency>
            </dependencies>
        </plugin>
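As an added example (not code from this issue or from graphql-maven-plugin), a small Python check that a build engineer could run over a pom.xml to confirm the two points above: that the plugin sits under build/plugins rather than under dependencies, and that the plugin's own dependencies pin plexus-utils at 3.0.24 or newer. The sample poms in the block are constructed for the example, and the function names are my own.

```python
# Added example, not code from the issue or from graphql-maven-plugin: a small
# pom.xml lint for the two points raised in this thread: (1) the plugin declared under
# <dependencies> instead of <build><plugins>, (2) a missing or too-old plexus-utils pin
# in the plugin's own <dependencies>. The sample poms at the bottom are constructed.
import xml.etree.ElementTree as ET
from itertools import takewhile

PLUGIN = ("com.graphql-java-generator", "graphql-maven-plugin")
PLEXUS = ("org.codehaus.plexus", "plexus-utils")
MIN_PLEXUS = (3, 0, 24)  # lowest version the thread calls CVE-free


def _version_tuple(v):
    # Numeric prefix of a Maven version: "3.0.24" -> (3, 0, 24), "1.5.8-SNAPSHOT" -> (1, 5, 8)
    return tuple(int(p) for p in takewhile(str.isdigit, v.split("-")[0].split(".")))


def check_pom(pom_xml):
    """Return a list of findings; an empty list means both checks pass."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""  # default xmlns or none

    def coords(el):  # (groupId, artifactId) of a <dependency> or <plugin> element
        return tuple((el.findtext(ns + t) or "").strip() for t in ("groupId", "artifactId"))

    findings = []
    # Check 1: the plugin is a build plugin, not a project dependency.
    if any(coords(d) == PLUGIN for d in root.findall(f"{ns}dependencies/{ns}dependency")):
        findings.append("graphql-maven-plugin is declared under <dependencies>; move it to <build><plugins>")
    # Check 2: the plugin's own <dependencies> must pin plexus-utils >= 3.0.24 (a ${property} counts as unresolved).
    for plugin in root.findall(f"{ns}build/{ns}plugins/{ns}plugin"):
        if coords(plugin) != PLUGIN:
            continue
        pins = [d for d in plugin.findall(f"{ns}dependencies/{ns}dependency") if coords(d) == PLEXUS]
        if not pins:
            findings.append("no plexus-utils override on the plugin; the transitive 1.5.8 will be resolved")
            continue
        pinned = (pins[-1].findtext(ns + "version") or "").strip()
        if _version_tuple(pinned) < MIN_PLEXUS:
            findings.append(f"plexus-utils override {pinned} is below 3.0.24")
    return findings


# Constructed sample poms (a real pom carries the xmlns declaration; the lint handles both forms).
BAD_POM = """<project><dependencies><dependency><groupId>com.graphql-java-generator</groupId>
  <artifactId>graphql-maven-plugin</artifactId><version>2.3.2</version></dependency></dependencies></project>"""
FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><build><plugins><plugin>
  <groupId>com.graphql-java-generator</groupId><artifactId>graphql-maven-plugin</artifactId>
  <version>2.3.2</version><dependencies><dependency><groupId>org.codehaus.plexus</groupId>
  <artifactId>plexus-utils</artifactId><version>3.0.24</version></dependency></dependencies></plugin></plugins></build></project>"""
```

Running `check_pom` over the project's real pom.xml before and after applying the override above shows whether the pin is actually in effect for the plugin.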
andreikrutsko commented 10 months ago

It is not there, but the analyzer somehow finds and reports it. And yes, we've already updated and specified plexus-utils directly. This might be closed as fixed, with the version updated. Many thanks for the support!!!