openzipkin / brave

Java distributed tracing implementation compatible with Zipkin backend services.
Apache License 2.0

deps: updates all dependencies, notably Kafka #1419

Closed codefromthecrypt closed 4 months ago

codefromthecrypt commented 4 months ago

This updates all the versions we can prior to the patch release 6.0.2.

codefromthecrypt commented 4 months ago

Here's the new trivy. Most of it is due to spring stuff. spring-rabbit is highly neglected and stuck until someone helps with its internal drift (reflection-fu).

$ trivy repo --skip-dirs "**/src/it,**/target"  .
2024-02-27T15:24:27.173+0800    INFO    Vulnerability scanning is enabled
2024-02-27T15:24:27.173+0800    INFO    Secret scanning is enabled
2024-02-27T15:24:27.173+0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-27T15:24:27.173+0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-27T15:26:44.214+0800    INFO    Number of language-specific files: 41
2024-02-27T15:26:44.214+0800    INFO    Detecting pom vulnerabilities...

instrumentation/benchmarks/pom.xml (pom)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 0, CRITICAL: 1)

┌──────────────────────────────────────┬──────────────────┬──────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library                │  Vulnerability   │ Severity │  Status  │ Installed Version │     Fixed Version      │                            Title                             │
├──────────────────────────────────────┼──────────────────┼──────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.rabbitmq:amqp-client             │ CVE-2023-46120   │ MEDIUM   │ fixed    │ 5.9.0             │ 5.18.0                 │ RabbitMQ Java client's Lack of Message Size Limitation leads │
│                                      │                  │          │          │                   │                        │ to Remote DoS...                                             │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-46120                   │
├──────────────────────────────────────┼──────────────────┤          ├──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.jboss.resteasy:resteasy-undertow │ CVE-2023-0482    │          │ affected │ 3.15.6.Final      │                        │ RESTEasy: creation of insecure temp files                    │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-0482                    │
├──────────────────────────────────────┼──────────────────┤          ├──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.amqp:spring-amqp │ CVE-2021-22095   │          │ fixed    │ 2.3.6             │ 2.2.19, 2.3.11         │ Deserialization of Untrusted Data in Spring AMQP             │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-22095                   │
│                                      ├──────────────────┤          │          │                   │                        ├──────────────────────────────────────────────────────────────┤
│                                      │ CVE-2021-22097   │          │          │                   │                        │ Deserialization of Untrusted Data in Spring AMQP             │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2021-22097                   │
├──────────────────────────────────────┼──────────────────┤          │          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-messaging │ CVE-2022-22971   │          │          │ 5.3.5             │ 5.3.20, 5.2.22.RELEASE │ DoS with STOMP over WebSocket                                │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-22971                   │
├──────────────────────────────────────┼──────────────────┼──────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web       │ CVE-2016-1000027 │ CRITICAL │          │ 5.3.32            │ 6.0.0                  │ spring: HttpInvokerServiceExporter readRemoteInvocation      │
│                                      │                  │          │          │                   │                        │ method untrusted java deserialization                        │
│                                      │                  │          │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2016-1000027                 │
└──────────────────────────────────────┴──────────────────┴──────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
codefromthecrypt commented 4 months ago

Note: anyone who tests old versions will forever need to add config to their repo to do `--skip-dirs "**/src/it,**/target"` until there's a scanner that treats this more specifically. I tried and failed to convince trivy, oh well!