ncsa / oa4mp

Open Authorization for MyProxy
https://oa4mp.org/

Update dependencies with critical vulnerabilities #183

Closed haoming29 closed 2 months ago

haoming29 commented 3 months ago

There are a bunch of dependencies in this project that have critical vulnerabilities to fix:

| Vulnerability | Dependency | Current Version | Fixed in Version |
|---|---|---|---|
| CVE-2015-7501 | commons-collections:commons-collections | 3.2.1 | 3.2.2 |
| CVE-2022-46337 | org.apache.derby:derby | 10.14.2.0 | 10.17.1.0 |
| CVE-2024-1597 | org.postgresql:postgresql | 42.4.3 | 42.4.4 |

There are other vulnerabilities that are high but should also be updated:

| Vulnerability | Dependency | Current Version | Fixed in Version |
|---|---|---|---|
| CVE-2022-3509 | com.google.protobuf:protobuf-java | 3.19.4 | 3.19.6 |
| CVE-2014-0114 | commons-beanutils:commons-beanutils | 1.8.0 | 1.9.2 |
| CVE-2015-6420 | commons-collections:commons-collections | 3.2.1 | 3.2.2 |
| CVE-2023-1370 | net.minidev:json-smart | 2.4.7 | 2.4.9 |
| CVE-2022-1471 | org.yaml:snakeyaml | 1.33 | 2.0 |

Most of the dependency updates are one bug-fix version away, so they shouldn't break anything, with one exception: org.yaml:snakeyaml, which needs to be updated from the 1.x version to 2.x.

Can we prioritize the easy-to-fix ones so that our downstream application can fix the vulnerability warnings?

If we already had CI tests in place in case of a breaking change, I can prepare a PR to upgrade those bug fix versions.

jjg-123 commented 3 months ago

OA4MP has periodic audits of its dependencies. The current version we are releasing should not be changed. There will be another audit before the next release (which should be within a couple of months).

Also, several of these we have no control over (e.g. protobuf, minidev-json) since they are dependencies of dependencies, and others have requirements we cannot meet, such as Derby 10.17, which requires Java 21. We only support Java 11. The beanutils is vulnerable when un/marshalling beans, which we do not do. It also changed some of its iterators and is not compatible with 1.8, requiring a rewrite to mitigate a risk that does not apply to us. This list goes on.

It is, in short, complicated.

Thanks, Jeff

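As an added illustration (not the oa4mp project's own build file), a Maven `dependencyManagement` fragment that pins only the dependencies the thread lists as one bug-fix release away; Derby and snakeyaml are deliberately left out for the reasons given in the reply above.

```xml
<!-- Illustrative pom.xml fragment, not taken from the oa4mp repository. -->
<dependencyManagement>
  <dependencies>
    <!-- CVE-2015-7501 / CVE-2015-6420: 3.2.1 -> 3.2.2 -->
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.2</version>
    </dependency>
    <!-- CVE-2024-1597: 42.4.3 -> 42.4.4 -->
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>42.4.4</version>
    </dependency>
    <!-- CVE-2014-0114: 1.8.0 -> 1.9.2; the maintainer notes iterator changes
         relative to 1.8, so this one needs a compile and test run, not just a bump. -->
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.2</version>
    </dependency>
    <!-- protobuf-java and json-smart arrive transitively. Maven applies
         dependencyManagement versions to transitive dependencies as well,
         so these pins take effect without a direct declaration. -->
    <!-- CVE-2022-3509: 3.19.4 -> 3.19.6 -->
    <dependency>
      <groupId>com.google.protobuf</groupId>
      <artifactId>protobuf-java</artifactId>
      <version>3.19.6</version>
    </dependency>
    <!-- CVE-2023-1370: 2.4.7 -> 2.4.9 -->
    <dependency>
      <groupId>net.minidev</groupId>
      <artifactId>json-smart</artifactId>
      <version>2.4.9</version>
    </dependency>
    <!-- Not pinned here: org.apache.derby:derby 10.17.1.0 (CVE-2022-46337) requires
         Java 21 per the reply above, and org.yaml:snakeyaml 2.0 (CVE-2022-1471) is a
         major-version change that needs code changes rather than a version bump. -->
  </dependencies>
</dependencyManagement>
```

After applying the overrides, `mvn dependency:tree` shows which version of each artifact is actually resolved, which is the check a downstream scanner will also see.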