Closed eliskapulcova closed 5 months ago
Please check whether this problem is resolved when you migrate to 1.x versions. Most likely you have missed those updates as the Maven coordinates have changed. See https://pinterest.github.io/ktlint/latest/faq/#what-are-the-maven-coordinates-in-ktlint-1x
Current version of logback is 1.3.14. See https://github.com/pinterest/ktlint/blob/0146337ffdda624222d947de19443c253c6112c4/gradle/libs.versions.toml#L28
Hello Paul, thank you for your response. :) As I mentioned in the second part of my message, I also used ktlint-cli in version 1.1.1, and since the upgrade of logback was done in version 1.1.0, as I can see in the changelog, I was using the newest version and there is still the low vulnerability CVE-2020-29582 present. :)
Oops, I missed the second part of your original post. Sorry for that.
Might I inquire how you use ktlint-cli in your project? ktlint-cli is not intended to be a direct dependency in your project. So I fail to see how the logback vulnerabilities via ktlint-cli end up in a spring(boot) project. I also use ktlint-cli in a springboot project as a build plugin (https://pinterest.github.io/ktlint/latest/install/integrations/#maven-integration) but I have not seen security vulnerabilities being reported (but I do not use Snyk).
Unfortunately, we cannot upgrade to logback 1.4 yet, as ktlint is still used in environments using Java 8.
There is no Kotlin 1.4.x in Ktlint's transitive dependencies, are you sure it's from this project?
\--- project :ktlint-cli-reporter-sarif
+--- org.jetbrains.kotlin:kotlin-stdlib:1.9.23 (*)
+--- project :ktlint-cli-reporter-core (*)
+--- io.github.detekt.sarif4k:sarif4k:0.6.0
| \--- io.github.detekt.sarif4k:sarif4k-jvm:0.6.0
| +--- org.jetbrains.kotlinx:kotlinx-serialization-json:1.4.1
| | \--- org.jetbrains.kotlinx:kotlinx-serialization-json-jvm:1.4.1
| | +--- org.jetbrains.kotlin:kotlin-stdlib:1.7.20 -> 1.9.23 (*)
| | +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.7.20 -> 1.9.23 (*)
| | +--- org.jetbrains.kotlinx:kotlinx-serialization-core:1.4.1
| | | \--- org.jetbrains.kotlinx:kotlinx-serialization-core-jvm:1.4.1
| | | +--- org.jetbrains.kotlin:kotlin-stdlib:1.7.20 -> 1.9.23 (*)
| | | +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.7.20 -> 1.9.23 (*)
| | | \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.7.20 -> 1.9.10 (*)
| | \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.7.20 -> 1.9.10 (*)
| \--- org.jetbrains.kotlin:kotlin-stdlib:1.9.23 (*)
\--- dev.drewhamilton.poko:poko-annotations:0.15.2 (*)
Hello @Goooler, this is the whole screenshot from Snyk through what that low vulnerability was introduced in my project and proposed remediation:
I am not able to see Kotlin 1.4.x in any of the screenshots unfortunately.
In https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 it says:
Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using createTempDir or createTempFile and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system.
Note: As of version 1.4.21, the vulnerable functions have been marked as deprecated. Due to still being usable, this advisory is kept as "unfixed".
For deprecation notices, see:
Ktlint is not using the methods above. We cannot be sure whether the same applies to any of our transitive dependencies.
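The advisory quoted above describes the difference between the deprecated `kotlin.io` helpers and their `java.nio.file`-based replacements. The following is an added example, not code from ktlint or from anyone in this thread, that creates a temp directory both ways and reports the resulting POSIX permissions so the leak can be observed and checked for. The prefix `ktlint-demo` is an arbitrary constructed value; the output mode for the legacy call depends on the process umask (`rwxr-xr-x` with the common umask 022).

```kotlin
import java.io.File
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions
import kotlin.io.path.createTempDirectory
import kotlin.io.path.createTempFile

// The helpers named in CVE-2020-29582 (deprecated since Kotlin 1.4.21).
// kotlin.io.createTempDir builds on java.io.File: it creates a file, deletes
// it and calls mkdir(), so the directory gets the umask default (usually 0755)
// and is readable by every local user. kotlin.io.createTempFile likewise
// yields a 0644 file via File.createTempFile.
@Suppress("DEPRECATION")
fun legacyTempDir(): File = kotlin.io.createTempDir("ktlint-demo")

@Suppress("DEPRECATION")
fun legacyTempFile(): File = kotlin.io.createTempFile("ktlint-demo", ".tmp")

// Replacements from kotlin.io.path (stable since Kotlin 1.5). They delegate to
// java.nio.file.Files, which creates temp entries owner-only on POSIX
// filesystems: 0700 for directories and 0600 for files.
fun privateTempDir(): Path = createTempDirectory("ktlint-demo")
fun privateTempFile(): Path = createTempFile("ktlint-demo", ".tmp")

// Bits that grant access to anyone other than the owner.
private val SHARED_BITS = setOf(
    PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
    PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE,
)

// True when group or others hold any permission bit on the path.
// Returns null on filesystems without POSIX permissions (e.g. NTFS), where
// this check does not apply.
fun isWorldAccessible(p: Path): Boolean? =
    runCatching { Files.getPosixFilePermissions(p) }
        .map { perms -> perms.any { it in SHARED_BITS } }
        .getOrNull()

private fun describe(label: String, p: Path) {
    val mode = runCatching { PosixFilePermissions.toString(Files.getPosixFilePermissions(p)) }
        .getOrDefault("n/a (non-POSIX filesystem)")
    println("%-28s %-12s world-accessible=%s".format(label, mode, isWorldAccessible(p)))
}

fun main() {
    val created = listOf(
        "kotlin.io.createTempDir" to legacyTempDir().toPath(),
        "kotlin.io.createTempFile" to legacyTempFile().toPath(),
        "kotlin.io.path.createTempDirectory" to privateTempDir(),
        "kotlin.io.path.createTempFile" to privateTempFile(),
    )
    try {
        created.forEach { (label, path) -> describe(label, path) }
    } finally {
        // Clean up everything the demo created.
        created.forEach { (_, path) -> Files.deleteIfExists(path) }
    }
}
```

On a Linux host with umask 022 the two legacy entries print `rwxr-xr-x` and `rw-r--r--` with `world-accessible=true`, while the `kotlin.io.path` entries print `rwx------` and `rw-------`. The same `isWorldAccessible` check can be dropped into a test that guards any temp location an application writes secrets to. For the dependency question raised in this thread, `./gradlew dependencyInsight --dependency kotlin-stdlib --configuration runtimeClasspath` shows which stdlib version actually resolves on the classpath, which is more reliable than a scanner screenshot.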
May be related to the invocations in bundled Kotlin libs, decompiled from Jadx-GUI
Hello @paul-dingemans and @Goooler, thank you both for your findings, wow. :)
@eliskapulcova Can you provide all detailed paths which might introduce this CVE? Your last screenshot indicates that there are 13 more paths which introduce this. Please copy-paste text instead of a new image if possible.
@Goooler From your screenprint I think that only the first match `return FilesKt.createTempDir` and its overload on the second line relate to the deprecated method. But I have absolutely no clue what `kotlin.p002io` is referring to.
@eliskapulcova Closing due to lack of response. Feel free to reopen after supplying requested information.
Hello, during a check for Snyk vulnerabilities of my project I found out that there are a lot of vulnerabilities due to using the third-party library ch.qos.logback. Please see the attachment. I was using 0.45.1 till the last version of ktlint 0.51.0-FINAL and the vulnerability was present in every version. CVEs: CVE-2023-6378, CVE-2023-6481. Dual license: EPL-1.0, LGPL-2.1.

I wanted to replace ktlint with ktlint-cli in the newest version, but there is still a low vulnerability - Informational Exposure - that is not fixed yet, please see the second attachment. CVEs: CVE-2020-29582