jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Fix CVE on this plugin itself #7156

Open jycr opened 1 week ago

jycr commented 1 week ago

**Describe the bug**

We use your great plugin on our projects with the following configuration:

```xml
<scanPlugins>true</scanPlugins>
```

So, dependency-check-maven reports some CVEs, including CVEs from dependency-check-maven itself.

**Version of dependency-check used**

The problem occurs using version 11.1.0 of the Maven plugin.

**Log file**

Rows from the generated CSV report (columns as in the report header):

```text
DependencyName Description Sha1 Identifiers CPE CVE CWE Vulnerability Source CVSSv2_Severity CVSSv2_Score CVSSv2 CVSSv3_BaseSeverity CVSSv3_BaseScore CVSSv3
h2-2.3.232.jar H2 Database Engine 4fcc05d966ccdb2812ae8b9a718f69226c0cf4e2 pkg:maven/com.h2database/h2@2.3.232 cpe:2.3:a:h2database:h2:2.3.232:::::::* CVE-2018-14335 CWE-59 Improper Link Resolution Before File Access ('Link Following') h2database - Improper Link Resolution Before File Access The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. OSSINDEX MEDIUM 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
javax.json-1.1.4.jar Default provider for JSR 374:Java API for Processing JSON 943f240a509d3c70b448a55c6735591ecbd37c88 pkg:maven/org.glassfish/javax.json@1.1.4 CVE-2023-7272 CWE-787 Out-of-bounds Write In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents. OSSINDEX HIGH 8.699999809265137 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
logback-core-1.2.11.jar logback-core module a01230df5ca5c34540cdaa3ad5efb012f1f1f792 pkg:maven/ch.qos.logback/logback-core@1.2.11 cpe:2.3:a:qos:logback:1.2.11:::::::* CVE-2023-6378 CWE-502 Deserialization of Untrusted Data A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. NVD HIGH 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A
maven-core-3.6.3.jar Maven Core classes eca800aa73e750ec9a880eb224f0bb68f5b7873b pkg:maven/org.apache.maven/maven-core@3.6.3 cpe:2.3:a:apache:maven:3.6.3:::::::* CVE-2021-26291 CWE-346 Origin Validation Error Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html NVD MEDIUM 6.4 /AV:N/AC:L/Au:N/C:P/I:P/A:N CRITICAL 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A
maven-settings-3.6.3.jar Maven Settings model bbf4e06dcdb0bb33d1546c080df5c8d92b535d30 pkg:maven/org.apache.maven/maven-settings@3.6.3 CVE-2021-26291 CWE-346 Origin Validation Error Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html OSSINDEX CRITICAL 9.100000381469727 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
```

**To Reproduce**

Steps to reproduce the behavior:

1. Go to the root of this project.
2. Launch the following command:
   ```shell
   mvn org.owasp:dependency-check-maven:RELEASE:aggregate -Dformat=all
   ```
3. Go to the `target/` directory to see the report.

**Expected behavior**

Upgrade dependencies to fix the issue (javax.json can be replaced with org.glassfish:jakarta.json:2.0.1).
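For readers who want to reproduce the setup the report describes inside a build rather than with the one-off command above, here is a complete `pom.xml` plugin block. This is an added example, not configuration taken from the issue or from the project's own documentation: the `scanPlugins` setting and the 11.1.0 version come from the report, while the `failBuildOnCVSS` threshold of 7 and the chosen report formats are assumptions made for the example.

```xml
<!-- Added example: dependency-check-maven wired into the build with plugin scanning enabled.
     Not taken from the issue; the CVSS threshold and formats below are example choices. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>11.1.0</version>
      <configuration>
        <!-- Also analyse the build's own plugins (the setting used in the report above),
             so findings against dependency-check-maven itself appear in the output. -->
        <scanPlugins>true</scanPlugins>
        <!-- Example threshold (assumption): fail the build when any finding scores CVSS >= 7. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Example formats (assumption): HTML for humans, CSV for tooling; the report
             above was produced with -Dformat=all instead. -->
        <formats>
          <format>HTML</format>
          <format>CSV</format>
        </formats>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- aggregate produces one report across all modules of a multi-module build -->
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place the scan runs as part of the normal build lifecycle, and the same findings the report lists (including those from the plugin's own transitive dependencies such as javax.json) will break the build once any of them meets the configured threshold, which is the behaviour that makes fixing the plugin's own dependencies matter to its users.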