pinterest / ktlint

An anti-bikeshedding Kotlin linter with built-in formatter
https://pinterest.github.io/ktlint/
MIT License

CVEs found #2608

Closed eliskapulcova closed 5 months ago

eliskapulcova commented 6 months ago

Hello, during a check for Snyk vulnerabilities of my project I found out that there are a lot of vulnerabilities due to using the third-party library ch.qos.logback. Please see the attachment. I was using 0.45.1 till the last version of ktlint 0.51.0-FINAL and the vulnerability was present in every version. CVEs: CVE-2023-6378, CVE-2023-6481, Dual license: EPL-1.0, LGPL-2.1

I wanted to replace ktlint with ktlint-cli in the newest version, but there is still a low vulnerability, Informational Exposure, that is not fixed yet, please see the second attachment. CVEs: CVE-2020-29582

paul-dingemans commented 6 months ago

Please check whether this problem is resolved when you migrate to 1.x versions. Most likely you have missed those updates as the Maven coordinates have changed. See https://pinterest.github.io/ktlint/latest/faq/#what-are-the-maven-coordinates-in-ktlint-1x

paul-dingemans commented 6 months ago

Current version of logback is 1.3.14. See https://github.com/pinterest/ktlint/blob/0146337ffdda624222d947de19443c253c6112c4/gradle/libs.versions.toml#L28

eliskapulcova commented 6 months ago

Hello Paul, thank you for your response. :) As I mentioned in the second part of my message, I also used ktlint-cli in version 1.1.1, and since the upgrade of logback was done in version 1.1.0, as I can see in the changelog, I was using the newest version and the low vulnerability CVE-2020-29582 is still present. :)

paul-dingemans commented 6 months ago

Oops, I missed the second part of your original post. Sorry for that.

Might I inquire how you use ktlint-cli in your project? ktlint-cli is not intended to be a direct dependency in your project. So I fail to see how the logback vulnerabilities via ktlint-cli end up in a spring(boot) project. I also use ktlint-cli in a springboot project as a build plugin (https://pinterest.github.io/ktlint/latest/install/integrations/#maven-integration) but I have not seen security vulnerabilities being reported (but I do not use Snyk).

Unfortunately, we cannot upgrade to logback 1.4 yet, as ktlint is still used in environments using Java 8.

Goooler commented 6 months ago

There is no Kotlin 1.4.x in Ktlint's transitive dependencies; are you sure it's from this project?

\--- project :ktlint-cli-reporter-sarif
     +--- org.jetbrains.kotlin:kotlin-stdlib:1.9.23 (*)
     +--- project :ktlint-cli-reporter-core (*)
     +--- io.github.detekt.sarif4k:sarif4k:0.6.0
     |    \--- io.github.detekt.sarif4k:sarif4k-jvm:0.6.0
     |         +--- org.jetbrains.kotlinx:kotlinx-serialization-json:1.4.1
     |         |    \--- org.jetbrains.kotlinx:kotlinx-serialization-json-jvm:1.4.1
     |         |         +--- org.jetbrains.kotlin:kotlin-stdlib:1.7.20 -> 1.9.23 (*)
     |         |         +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.7.20 -> 1.9.23 (*)
     |         |         +--- org.jetbrains.kotlinx:kotlinx-serialization-core:1.4.1
     |         |         |    \--- org.jetbrains.kotlinx:kotlinx-serialization-core-jvm:1.4.1
     |         |         |         +--- org.jetbrains.kotlin:kotlin-stdlib:1.7.20 -> 1.9.23 (*)
     |         |         |         +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.7.20 -> 1.9.23 (*)
     |         |         |         \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.7.20 -> 1.9.10 (*)
     |         |         \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.7.20 -> 1.9.10 (*)
     |         \--- org.jetbrains.kotlin:kotlin-stdlib:1.9.23 (*)
     \--- dev.drewhamilton.poko:poko-annotations:0.15.2 (*)
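As an added example (not code from the ktlint project or from anyone in this thread), a small Python checker that reads a Gradle dependency tree like the one above and reports which versions of an exact coordinate actually end up resolved on the classpath. It matches the full group:artifact, so org.jetbrains.kotlinx:kotlinx-serialization-json 1.4.1 is never mistaken for kotlin-stdlib 1.4.x, and it honours the "requested -> resolved" arrows. The 1.4.21 cut-off is an assumption taken from the deprecation version quoted later in the thread, not the advisory's own affected range.

```python
import re
from typing import List, Tuple

# Constructed sample: an excerpt of the Gradle dependency tree posted in the thread.
SAMPLE_TREE = r"""
\--- project :ktlint-cli-reporter-sarif
     +--- org.jetbrains.kotlin:kotlin-stdlib:1.9.23 (*)
     +--- io.github.detekt.sarif4k:sarif4k:0.6.0
     |    \--- io.github.detekt.sarif4k:sarif4k-jvm:0.6.0
     |         +--- org.jetbrains.kotlinx:kotlinx-serialization-json:1.4.1
     |         |    \--- org.jetbrains.kotlinx:kotlinx-serialization-json-jvm:1.4.1
     |         |         +--- org.jetbrains.kotlin:kotlin-stdlib:1.7.20 -> 1.9.23 (*)
     |         |         \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.7.20 -> 1.9.10 (*)
"""

# One Gradle tree line: "<prefix>--- group:artifact:requested[ -> resolved][ (*)]".
LINE_RE = re.compile(
    r"^[\s|+\\]*---\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<requested>[\w.\-]+)"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)

# (group:artifact, requested version, version Gradle actually resolved)
Dep = Tuple[str, str, str]


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key so 1.9.23 sorts above 1.4.21 (string comparison gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_tree(text: str) -> List[Dep]:
    """When Gradle printed 'a -> b', b is what reaches the classpath; otherwise a is."""
    deps: List[Dep] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            coord = f"{m['group']}:{m['artifact']}"
            deps.append((coord, m["requested"], m["resolved"] or m["requested"]))
    return deps


def resolved_versions(deps: List[Dep], coordinate: str) -> List[str]:
    """Distinct resolved versions of one exact group:artifact coordinate."""
    return sorted({res for coord, _, res in deps if coord == coordinate}, key=version_key)


def flagged(deps: List[Dep], coordinate: str, fixed_in: str) -> List[Tuple[str, str]]:
    """(requested, resolved) pairs whose resolved version is below fixed_in.
    Exact-coordinate matching keeps kotlinx-serialization 1.4.1 from being mistaken
    for kotlin-stdlib 1.4.x; version_key keeps 1.7.20 -> 1.9.23 from being flagged."""
    return [(req, res) for coord, req, res in deps
            if coord == coordinate and version_key(res) < version_key(fixed_in)]
```

Run it against the full output of `gradle dependencies` to see whether a scanner's finding matches a version that is really on the classpath or only one that Gradle requested and then replaced.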
eliskapulcova commented 6 months ago

Hello @Goooler, this is the whole screenshot from Snyk through which that low vulnerability was introduced in my project and the proposed remediation:

[screenshots: IMG_4177, IMG_4178]

I am not able to see Kotlin 1.4.x in any of the screenshots unfortunately.

paul-dingemans commented 6 months ago

In https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 it says:

Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using createTempDir or createTempFile and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system.

Note: As of version 1.4.21, the vulnerable functions have been marked as deprecated. Due to still being usable, this advisory is kept as "unfixed".

For deprecation notices, see:

Ktlint is not using the methods above. We cannot be sure whether the same applies to any of our transitive dependencies.

Goooler commented 6 months ago

May be related to the invocations in the bundled Kotlin libs, decompiled with Jadx-GUI:

[screenshot: decompiled output]

eliskapulcova commented 6 months ago

Hello @paul-dingemans and @Goooler, thank you both for your findings, wow. :)

paul-dingemans commented 6 months ago

@eliskapulcova Can you provide all detailed paths which might introduce this CVE? Your last screenshot indicates that there are 13 more paths which introduce this. Please copy-paste text instead of a new image if possible.

@Goooler From your screenshot I think that only the first match returns FilesKt.createTempDir and its overload on the second line relates to the deprecated method. But I have absolutely no clue what kotlin.p002io is referring to.

paul-dingemans commented 5 months ago

@eliskapulcova Closing due to lack of response. Feel free to reopen after supplying requested information.