snyk-bot commented 3 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Upgrade	Breaking Change	Exploit Maturity
399/1000 Why? Has a fix available, CVSS 3.7	Information Exposure SNYK-JAVA-COMMONSCODEC-561518		No	No Known Exploit
649/1000 Why? Has a fix available, CVSS 8.7	Elliptic Curve Key Disclosure SNYK-JAVA-COMNIMBUSDS-30205	`com.mesosphere:marathon-client:` `0.6.2 -> 0.6.3`	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Invalid Elliptic Curve Attack SNYK-JAVA-COMNIMBUSDS-31558	`com.mesosphere:marathon-client:` `0.6.2 -> 0.6.3`	No	No Known Exploit
529/1000 Why? Has a fix available, CVSS 6.3	Improper Check for Unusual or Exceptional Conditions SNYK-JAVA-COMNIMBUSDS-536068	`com.mesosphere:marathon-client:` `0.6.2 -> 0.6.3`	No	No Known Exploit
454/1000 Why? Has a fix available, CVSS 4.8	Security Bypass SNYK-JAVA-IOUNDERTOW-567266		Yes	No Known Exploit
801/1000 Why? Mature exploit, Has a fix available, CVSS 8.3	Arbitrary File Upload SNYK-JAVA-IOUNDERTOW-567770		Yes	Mature
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JAVA-IOUNDERTOW-568918		Yes	No Known Exploit
605/1000 Why? Has a fix available, CVSS 7.6	HTTP Request Smuggling SNYK-JAVA-IOUNDERTOW-570455		Yes	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Insecure Default SNYK-JAVA-ORGAPACHEANT-569130		No	No Known Exploit
454/1000 Why? Has a fix available, CVSS 4.8	Denial of Service (DoS) SNYK-JAVA-ORGAPACHEIGNITE-456561	`org.apache.ignite:ignite-slf4j:` `2.3.0 -> 2.8.1` `org.apache.ignite:ignite-spring:` `2.3.0 -> 2.8.1`	No	No Known Exploit
669/1000 Why? Has a fix available, CVSS 9.1	Incorrect Authorization SNYK-JAVA-ORGAPACHEIGNITE-571662	`org.apache.ignite:ignite-slf4j:` `2.3.0 -> 2.8.1` `org.apache.ignite:ignite-spring:` `2.3.0 -> 2.8.1`	No	No Known Exploit
369/1000 Why? Has a fix available, CVSS 3.1	Session Fixation SNYK-JAVA-ORGAPACHETOMCATEMBED-538488		Yes	No Known Exploit
791/1000 Why? Mature exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JAVA-ORGAPACHETOMCATEMBED-570072		Yes	Mature
479/1000 Why? Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JAVA-ORGAPACHETOMCATEMBED-584427		Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JAVA-ORGHIBERNATE-568162		Yes	No Known Exploit
619/1000 Why? Has a fix available, CVSS 8.1	SQL Injection SNYK-JAVA-ORGHIBERNATE-584563		Yes	No Known Exploit
635/1000 Why? Has a fix available, CVSS 8.2	XML External Entity (XXE) Injection SNYK-JAVA-ORGPOSTGRESQL-571481		No	No Known Exploit
440/1000 Why? Has a fix available, CVSS 4.3	Denial of Service (DoS) SNYK-JAVA-ORGYAML-537645		Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Vulnerabilities that could not be fixed

Upgrade:
- Could not upgrade org.liquibase:liquibase-core@3.5.5 to org.liquibase:liquibase-core@3.8.1; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.postgresql:postgresql@9.4.1212.jre7 to org.postgresql:postgresql@42.2.13; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-actuator@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-actuator@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-cache@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-cache@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-data-jpa@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-data-jpa@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-hateoas@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-hateoas@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-jta-bitronix@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-jta-bitronix@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-security@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-security@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-undertow@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-undertow@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-validation@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-validation@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-web@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-web@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.security.oauth:spring-security-oauth2@2.0.17.RELEASE to org.springframework.security.oauth:spring-security-oauth2@2.4.1.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

t6pc-bot commented 3 years ago

Can one of the admins verify this patch?

sonarcloud[bot] commented 3 years ago

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
0 Code Smells

No Coverage information
0.0% Duplication

The version of Java (1.8.0_252) you have used to run this analysis is deprecated and we will stop accepting it from October 2020. Please update to at least Java 11. Read more here

codecov-commenter commented 3 years ago

Codecov Report

Merging #407 into master will not change coverage. The diff coverage is n/a.

@@            Coverage Diff            @@
##             master     #407   +/-   ##
=========================================
  Coverage     58.99%   58.99%           
  Complexity     1059     1059           
=========================================
  Files           220      220           
  Lines          6731     6731           
  Branches        452      452           
=========================================
  Hits           3971     3971           
  Misses         2587     2587           
  Partials        173      173

Flag	Coverage Δ	Complexity Δ
#integration	`7.11% <ø> (ø)`	`193.00 <ø> (ø)`
#unittests	`55.02% <ø> (ø)`	`955.00 <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 85fb1a3...404f03e. Read the comment docs.

codecov-io commented 3 years ago

Codecov Report

Merging #407 (404f03e) into master (85fb1a3) will not change coverage. The diff coverage is n/a.

@@            Coverage Diff            @@
##             master     #407   +/-   ##
=========================================
  Coverage     58.99%   58.99%           
  Complexity     1059     1059           
=========================================
  Files           220      220           
  Lines          6731     6731           
  Branches        452      452           
=========================================
  Hits           3971     3971           
  Misses         2587     2587           
  Partials        173      173

Flag	Coverage Δ	Complexity Δ
integration	`7.11% <ø> (ø)`	`0.00 <ø> (ø)`
unittests	`55.02% <ø> (ø)`	`0.00 <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 85fb1a3...404f03e. Read the comment docs.

maricaantonacci commented 3 years ago

Superseded by https://github.com/indigo-dc/orchestrator/pull/411

indigo-dc / orchestrator

[Snyk] Fix for 18 vulnerabilities #407

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Vulnerabilities that could not be fixed

Codecov Report

Codecov Report