jQAssistant / jqassistant

Your Software. Your Structures. Your Rules.
https://jqassistant.org/
GNU General Public License v3.0
198 stars 35 forks source link

Many alerts from OWASP dependency checker #413

Open lathspell opened 3 years ago

lathspell commented 3 years ago

Bug Description

I use the OWASP Dependency Check Gradle Plugin (org.owasp.dependencycheck:6.2.2, https://owasp.org/www-project-dependency-check/) to scan all my dependencies for known security issues.

Usually it reports none but after applying the following ones in version 1.10.0,

com.buschmais.jqassistant.cli:jqassistant-commandline-neo4jv3
com.buschmais.jqassistant.plugin:common
com.buschmais.jqassistant.plugin:java
com.buschmais.jqassistant.plugin:junit

I get a ton of security issues reported:

asciidoctorj-diagram-2.1.2.jar: batik-all-1.13.jar (cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987
commons-beanutils-1.9.3.jar (pkg:maven/commons-beanutils/commons-beanutils@1.9.3, cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:*) : CVE-2019-10086
commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6, cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
dirgra-0.3.jar (pkg:maven/org.jruby/dirgra@0.3, cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
guava-28.1-jre.jar (pkg:maven/com.google.guava/guava@28.1-jre, cpe:2.3:a:google:guava:28.1:*:*:*:*:*:*:*) : CVE-2020-8908
jruby-stdlib-9.2.17.0.jar: bcprov-jdk15on-1.65.jar (cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.65:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*) : CVE-2020-28052
jruby-stdlib-9.2.17.0.jar: jopenssl.jar/META-INF/maven/rubygems/jruby-openssl/pom.xml (pkg:maven/rubygems/jruby-openssl@0.10.5, cpe:2.3:a:jruby:jruby:0.10.5:*:*:*:*:*:*:*, cpe:2.3:a:openssl:openssl:0.10.5:*:*:*:*:*:*:*) : CVE-2009-1387, CVE-2010-1330, CVE-2010-4252, CVE-2010-5298, CVE-2011-1945, CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-4838, CVE-2012-0027, CVE-2013-6449, CVE-2014-0076, CVE-2015-4000, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-7056
jruby-stdlib-9.2.17.0.jar: readline.jar/META-INF/maven/rubygems/jruby-readline/pom.xml (pkg:maven/rubygems/jruby-readline@1.3.7, cpe:2.3:a:jruby:jruby:1.3.7:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
neo4j-browser-4.2.5.jar: app-b776cfaa3af4c1e870e9.js (pkg:javascript/bootstrap@3.3.7) : CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331
tika-core-1.22.jar (pkg:maven/org.apache.tika/tika-core@1.22, cpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:*) : CVE-2020-1950, CVE-2020-1951, CVE-2021-28657

I don't know if false positives are among them but maybe you care enough to check the dependency tree for old versions.

Expected Behaviour

No reported CVE

Your Environment

How can we reproduce the bug?

Add this and then run ./gradlew dependencyCheckAnalyze

plugins {
     id 'org.owasp.dependencycheck' version '6.2.2'
}
murdos commented 8 months ago

I think that configuring dependabot on the various jqa respositories would help keeping dependencies up-to-date, and limit known security issues in transitive dependencies.

DirkMahler commented 8 months ago

Two cents from my side: