jfrog / build-info

Artifactory's open integration layer for CI build servers
https://www.buildinfo.org
Apache License 2.0

repave dependencies #760

Open gregallen opened 1 year ago

gregallen commented 1 year ago

I have read the CLA Document and I hereby sign the CLA

github-actions[bot] commented 1 year ago
[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://github.com/jfrog/frogbot#readme)

📦 Vulnerable Dependencies

✍️ Summary

| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |
| :---: | :---: | :---: | :---: | :---: | :---: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png)<br>Medium | Applicable | org.jfrog.buildinfo:build-info-extractor:2.41.x-SNAPSHOT<br>com.fasterxml.jackson.core:jackson-databind:2.15.2<br>com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.2<br>org.mock-server:mockserver-netty:5.15.0<br>com.github.docker-java:docker-java:3.3.3<br>org.jfrog.buildinfo:build-info-extractor-docker:2.41.x-SNAPSHOT | com.fasterxml.jackson.core:jackson-databind:2.15.2 | - | CVE-2023-35116 |

🔬 Research Details


[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)
github-actions[bot] commented 1 year ago
```java
mapper.writeValueAsString(this)
```

at build-info-client/src/main/java/org/jfrog/build/client/artifactoryXrayResponse/ArtifactoryXrayResponse.java (line 60)

📦🔍 Contextual Analysis CVE Vulnerability

| Severity | Impacted Dependency | Finding | CVE |
| :---: | :---: | :---: | :---: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png)<br>Medium | com.fasterxml.jackson.core:jackson-databind:2.15.2 | At least one of the vulnerable functions writeValueAsString, writeValueAsBytes, writeValue, serializeValue is called with external input | CVE-2023-35116 |
Description

The scanner checks for calls to the vulnerable functions with external input:

* `ObjectMapper.writeValue()`
* `ObjectMapper.writeValueAsString()`
* `ObjectMapper.writeValueAsBytes()`
* `ObjectWriter.writeValue()`
* `ObjectWriter.writeValueAsString()`
* `ObjectWriter.writeValueAsBytes()`
* `ser.DefaultSerializerProvider.serializeValue()`

For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: the input argument to those functions is a cyclic object (e.g. a `HashMap` object with a reference to itself).

CVE details

An issue was discovered in jackson-databind through 2.15.2 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.

[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)
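The extra applicability condition above (a self-referencing container reaching the serializer) is something a caller can check before the write rather than leaving it to the scanner. The following is an added example, not code from build-info or from the Frogbot report: it walks `Map`/`Collection` graphs by object identity and refuses to call `writeValueAsString` on a cyclic one. `CycleGuard`, `hasCycle` and `safeWrite` are names chosen here; it assumes jackson-databind 2.15.2 on the classpath.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Set;

public class CycleGuard {
    // Depth-first walk over Map/Collection containers, tracking the current path by
    // object identity (equals()/hashCode() on a self-referencing HashMap would
    // themselves recurse forever). Returns true when a back-edge is found.
    static boolean hasCycle(Object node, Set<Object> path) {
        Iterable<?> children;
        if (node instanceof Map) {
            children = ((Map<?, ?>) node).values();
        } else if (node instanceof Collection) {
            children = (Collection<?>) node;
        } else {
            return false; // leaf: String, Number, null, or a POJO not walked here
        }
        if (!path.add(node)) return true; // already on the current path: cycle
        for (Object child : children) if (hasCycle(child, path)) return true;
        path.remove(node); // backtrack: shared but acyclic references are fine
        return false;
    }

    // Guarded replacement for a bare mapper.writeValueAsString(value) call.
    static String safeWrite(ObjectMapper mapper, Object value) throws JsonProcessingException {
        Set<Object> path = Collections.newSetFromMap(new IdentityHashMap<>());
        if (hasCycle(value, path)) throw new IllegalArgumentException("refusing to serialize a cyclic object graph");
        return mapper.writeValueAsString(value);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Map<String, Object> acyclic = new HashMap<>(); // constructed sample input
        acyclic.put("status", "ok");
        System.out.println(safeWrite(mapper, acyclic));
        Map<String, Object> cyclic = new HashMap<>(); // constructed: a map that contains itself
        cyclic.put("self", cyclic);
        try {
            safeWrite(mapper, cyclic);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The walk deliberately stops at POJOs; object graphs built from arbitrary beans would need the same identity-tracked traversal over their fields.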
gregallen commented 1 year ago

The jackson-databind vulnerability is rejected by the Jackson team - see https://github.com/FasterXML/jackson-databind/issues/3972

I suggest you whitelist this dependency (as has been done at my employer in a similar dependency scanning tool).

yahavi commented 1 year ago

Thanks for your contribution, @gregallen!

It appears that all Gradle tests are failing. You can check out the details here: https://github.com/jfrog/build-info/actions/runs/6308986191/job/17137306523?pr=760

Would you be able to take a look?