Closed yaronkaikov closed 11 months ago
Scylla-tools-java uses `logback` version `1.2.9`. Those dependencies are flagged by security scanners and should be updated.
```
[yaronkaikov@london]~/git/scylla-pkg (releng-3814-trivy-clamav)$ trivy image --exit-code 1 --no-progress --ignore-unfixed --skip-files var/lib/dpkg/info/scylla-tools-core.list docker.io/yaronkaikov/scylla:6.6.7
2023-12-12T09:11:35.260+0200 INFO Vulnerability scanning is enabled
2023-12-12T09:11:35.260+0200 INFO Secret scanning is enabled
2023-12-12T09:11:35.260+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-12T09:11:35.260+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-12T09:12:00.281+0200 INFO Detected OS: ubuntu
2023-12-12T09:12:00.281+0200 INFO Detecting Ubuntu vulnerabilities...
2023-12-12T09:12:00.282+0200 INFO Number of language-specific files: 1
2023-12-12T09:12:00.282+0200 INFO Detecting jar vulnerabilities...

docker.io/yaronkaikov/scylla:6.6.7 (ubuntu 22.04)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2023-12-12T09:12:00.285+0200 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 3, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| ch.qos.logback:logback-classic (logback-classic-1.2.9.jar) | CVE-2023-6378 | HIGH | fixed | 1.2.9 | 1.3.12, 1.4.12, 1.2.13 | logback: serialization vulnerability in logback receiver (https://avd.aquasec.com/nvd/cve-2023-6378) |
| ch.qos.logback:logback-core (logback-core-1.2.9.jar) | CVE-2023-6378 | HIGH | fixed | 1.2.9 | 1.3.12, 1.4.12, 1.2.13 | logback: serialization vulnerability in logback receiver (https://avd.aquasec.com/nvd/cve-2023-6378) |
| com.google.guava:guava (guava-18.0.jar) | CVE-2018-10237 | MEDIUM | fixed | 18.0 | 24.1.1-android | guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers... (https://avd.aquasec.com/nvd/cve-2018-10237) |
| com.google.guava:guava (guava-18.0.jar) | CVE-2023-2976 | MEDIUM | fixed | 18.0 | 32.0.0-android | guava: insecure temporary directory creation (https://avd.aquasec.com/nvd/cve-2023-2976) |
| com.google.guava:guava (guava-18.0.jar) | CVE-2020-8908 | LOW | fixed | 18.0 | 32.0.0-android | local information disclosure via temporary directory created with unsafe permissions (https://avd.aquasec.com/nvd/cve-2020-8908) |
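The scanner output above lists several fixed versions for one CVE (for logback, `1.3.12, 1.4.12, 1.2.13`) and several CVEs for one package (guava). Turning that into an upgrade target means picking, per package, the smallest fix on the installed release line that closes every finding at or above the severity you gate on. The script below is an added example, not code from this issue, from ScyllaDB, or from Trivy; it assumes the field names Trivy uses in `--format json` output (`Results[].Vulnerabilities[]` with `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `VulnerabilityID`), and the sample report is constructed from the table in the issue.

```python
"""Build a minimal-upgrade plan from a Trivy JSON report.

Added example, not part of the scylla-tools-java issue or of Trivy.
Assumes Trivy's `--format json` layout: Results[].Vulnerabilities[] with
PkgName, InstalledVersion, FixedVersion, Severity and VulnerabilityID.
"""
import json
import re

# Constructed sample in Trivy's JSON shape; the values are the rows of the
# table pasted in the issue (the two truncated rows are not reproduced).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "Java", "Class": "lang-pkgs", "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-6378", "PkgName": "ch.qos.logback:logback-classic",
             "InstalledVersion": "1.2.9", "FixedVersion": "1.3.12, 1.4.12, 1.2.13", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-6378", "PkgName": "ch.qos.logback:logback-core",
             "InstalledVersion": "1.2.9", "FixedVersion": "1.3.12, 1.4.12, 1.2.13", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2018-10237", "PkgName": "com.google.guava:guava",
             "InstalledVersion": "18.0", "FixedVersion": "24.1.1-android", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2023-2976", "PkgName": "com.google.guava:guava",
             "InstalledVersion": "18.0", "FixedVersion": "32.0.0-android", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2020-8908", "PkgName": "com.google.guava:guava",
             "InstalledVersion": "18.0", "FixedVersion": "32.0.0-android", "Severity": "LOW"},
        ],
    }]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def version_key(version):
    """Numeric prefix of a version as a comparable tuple: '24.1.1-android' -> (24, 1, 1)."""
    prefix = re.match(r"[\d.]+", version).group(0).strip(".")
    return tuple(int(part) for part in prefix.split("."))


def nearest_fix(installed, fixed_field):
    """Pick the smallest upgrade among Trivy's comma-separated fixed versions.

    Prefers the lowest fixed version on the installed major.minor line (for
    1.2.9 with fixes '1.3.12, 1.4.12, 1.2.13' that is 1.2.13); if no fix
    exists on that line, falls back to the lowest fixed version overall.
    """
    inst = version_key(installed)
    candidates = []
    for raw in fixed_field.split(","):
        fixed = raw.strip()
        candidates.append((version_key(fixed), fixed))
    candidates.sort()
    same_line = [c for c in candidates if c[0][:2] == inst[:2] and c[0] > inst]
    return (same_line or candidates)[0][1]


def minimum_upgrades(report_json, min_severity="MEDIUM"):
    """Collapse findings to one target version per package.

    For every finding at or above min_severity that has a fix, compute the
    nearest fix; the package target is the highest of those, so one upgrade
    closes all gated CVEs. Returns {pkg: (installed, target, [cve ids])}.
    Findings without a FixedVersion (unfixed upstream) are skipped, which is
    what `--ignore-unfixed` does on the command line.
    """
    threshold = SEVERITY_RANK[min_severity]
    plan = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if not vuln.get("FixedVersion"):
                continue
            fix = nearest_fix(vuln["InstalledVersion"], vuln["FixedVersion"])
            installed, target, cves = plan.get(
                vuln["PkgName"], (vuln["InstalledVersion"], fix, []))
            if version_key(fix) > version_key(target):
                target = fix
            cves.append(vuln["VulnerabilityID"])
            plan[vuln["PkgName"]] = (installed, target, cves)
    return plan


if __name__ == "__main__":
    for pkg, (installed, target, cves) in sorted(minimum_upgrades(SAMPLE_REPORT).items()):
        print(f"{pkg}: {installed} -> {target}  closes {', '.join(cves)}")
```

Run it against a real report with `trivy image --format json -o report.json <image>` and feed the file contents to `minimum_upgrades`. The MEDIUM gate mirrors what most teams fail builds on; lowering it to LOW pulls CVE-2020-8908 into the guava entry without changing the target, since 32.0.0-android already covers it.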
https://github.com/scylladb/java-driver/pull/262 and friends are related, perhaps.
@scylladb/scylla-maint Please backport this to 2022.2 and 2022.1