lbruun-net / Pre-Liquibase

Spring Boot add-on to Liquibase
Apache License 2.0

Critical Security Vulnerability #24

Closed spardue closed 11 months ago

spardue commented 11 months ago

Hi, when running mvn dependency-check:check on a repository that uses this dependency, I get the following critical (9.8/10) security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-0839

lbruun commented 11 months ago

The CVE refers to the Liquibase project, specifically to the org.liquibase:liquibase-core Maven artifact.

The Pre-Liquibase project does not pull in this dependency; rather, it assumes the consumer of Pre-Liquibase will provide it of his own accord. Hence you'll see in Pre-Liquibase that, in Maven terms, the dependency on org.liquibase:liquibase-core is of type provided.

In other words: it is up to you, the consumer of Pre-Liquibase, to supply an org.liquibase:liquibase-core in your project. This can be of any version, even one which is lower than the one stated in Pre-Liquibase (yes, weird, Maven doesn't even enforce that). The version number for org.liquibase:liquibase-core stated in Pre-Liquibase is not in any way inherited by the consumer of Pre-Liquibase. For Pre-Liquibase the version is simply the one compiled against when the Pre-Liquibase artifacts are built; it doesn't make Pre-Liquibase itself vulnerable to anything. What matters is the version used at runtime, meaning the one you state in your project.

For most Spring Boot projects you probably wouldn't explicitly set the version of org.liquibase:liquibase-core (or most other deps); rather, you would inherit it from Spring Boot, as it is good practice to piggyback on the curated set of dependencies made by the nice folks at Pivotal. So the first thing to try - assuming your project does this - is to upgrade the minor (2nd digit) or patch version (3rd digit) of the Spring Boot you are using. However, if you state the version of org.liquibase:liquibase-core explicitly in your project, then you just need to update that.

Btw, I get this weird feeling that your project is based on some old Spring Boot stuff, 2.6 or lower? Could that be true? If so, you really, really should consider upgrading. Keep in mind that the version of Pre-Liquibase you use needs to be somewhat aligned with the version of Spring Boot you use.

spardue commented 11 months ago

Hi,

I am using Spring Boot 3.1.5, and liquibase-core 4.24.0, which are both the latest the last I checked.

lbruun commented 11 months ago

I can replicate the issue using

mvn org.owasp:dependency-check-maven:8.4.2:check

executed on the Example1 project in this repo. This is clearly a false positive.

I've logged a False Positive Report with the OWASP Dependency Checker project: https://github.com/jeremylong/DependencyCheck/issues/6038. It seems the tool simply uses some string matching, meaning it is purely the fact that there's a string match between the name of the net.lbruun.springboot:preliquibase-spring-boot-starter Maven dependency (which obviously has the letters 'liquibase' in both its coordinate name and in many places in its POM too) and this happens to match a CVE. All in all, it has determined that the artifact net.lbruun.springboot:preliquibase-spring-boot-starter looks like a distribution of 'Liquibase 1.4.0' (where the 1.4.0 is taken from the artifact version). At first I thought the tool did an analysis of the Maven dependency tree and found a too-old version of org.liquibase:liquibase-core in that tree, but as you can see the check analysis is based on a far simpler algorithm in this case.

Anyway, as a convenience, the GitHub Bot has already created a Suppression Rule that you can apply in your own project ... until such time as the maintainers of the OWASP Dependency Checker put this rule on their official suppression list.
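The comment above refers to a generated suppression rule without showing it. As an added illustration, not the bot's rule or anything from the Pre-Liquibase project, the following is a hand-written OWASP Dependency-Check suppression file for this false positive. It scopes the suppression as tightly as possible: only the `net.lbruun.springboot:preliquibase-*` artifacts, and only CVE-2022-0839, so a genuinely vulnerable `org.liquibase:liquibase-core` on the runtime classpath is still reported. The schema URL is the one published by the Dependency-Check project; the package-URL pattern is an assumption derived from the coordinates quoted above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (constructed for illustration; not the project's own file). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: Dependency-Check matches the string "liquibase" in the
        net.lbruun.springboot:preliquibase-* coordinates to the Liquibase CPE and
        reports CVE-2022-0839 against the starter itself. Pre-Liquibase declares
        org.liquibase:liquibase-core with "provided" scope, so the Liquibase version
        that actually runs is the consumer's own and is still scanned normally.
        Upstream report: https://github.com/jeremylong/DependencyCheck/issues/6038
        ]]></notes>
        <!-- Match only the Pre-Liquibase artifacts (regex over the Maven package URL). -->
        <packageUrl regex="true">^pkg:maven/net\.lbruun\.springboot/preliquibase.*$</packageUrl>
        <!-- Suppress exactly this CVE, not every finding on the artifact. -->
        <cve>CVE-2022-0839</cve>
    </suppress>
</suppressions>
```

Save it as e.g. `dependency-check-suppressions.xml` and point the `dependency-check-maven` plugin at it via its `suppressionFiles` configuration. Keeping the rule keyed on both the package URL and the single CVE, rather than suppressing the Liquibase CPE globally, preserves detection of real Liquibase vulnerabilities in the version your project supplies at runtime.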

lbruun commented 11 months ago

Closing as this is a False Positive.