siddhi-io / siddhi

Stream Processing and Complex Event Processing Engine
http://siddhi.io
Apache License 2.0

Dependency org.yaml:snakeyaml, leading to CVE problem #1814

Open CVEDetect opened 1 year ago

CVEDetect commented 1 year ago

Hi, in /modules/siddhi-service, there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The affected version range of this CVE is [0, 1.31).

After further analysis, in this project the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE bug invocation path:

Path length: 5

io.siddhi.service.impl.SiddhiApiServiceImpl: siddhiArtifactDeployPost(java.lang.String)Ljavax.ws.rs.core.Response; /download/apache-maven-3.6.3/repository_mount/io/siddhi/siddhi-core/5.1.29-SNAPSHOT/siddhi-core-5.1.29-SNAPSHOT.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/wso2/orbit/javax/xml/bind/jaxb-api/2.3.1.wso2v1/jaxb-api-2.3.1.wso2v1.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/wso2/orbit/javax/xml/bind/jaxb-api/2.3.1.wso2v1/jaxb-api-2.3.1.wso2v1.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/wso2/orbit/javax/xml/bind/jaxb-api/2.3.1.wso2v1/jaxb-api-2.3.1.wso2v1.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree:

[INFO] io.siddhi:siddhi-service:jar:5.1.29-SNAPSHOT
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- com.google.code.gson:gson:jar:2.9.1:compile
[INFO] +- io.siddhi:siddhi-query-api:jar:5.1.29-SNAPSHOT:compile
[INFO] +- io.siddhi:siddhi-core:jar:5.1.29-SNAPSHOT:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] |  +- org.slf4j:slf4j-simple:jar:1.7.35:compile
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.35:compile
[INFO] |  +- org.wso2.orbit.com.lmax:disruptor:jar:3.4.2.wso2v1:compile
[INFO] |  +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.11.0:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  +- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO] |  |  +- com.mchange:c3p0:jar:0.9.5.4:compile
[INFO] |  |  +- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] |  |  \- com.zaxxer:HikariCP-java7:jar:2.4.13:compile
[INFO] |  +- io.dropwizard.metrics:metrics-core:jar:3.1.0:compile
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:compile
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:compile
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:compile
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] |  +- org.eclipse.osgi:org.eclipse.osgi.services:jar:3.3.100.v20130513-1956:compile
[INFO] |  +- org.osgi:org.osgi.core:jar:6.0.0:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  +- org.wso2.orbit.javax.xml.bind:jaxb-api:jar:2.3.1.wso2v1:compile
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.4.0-b180830.0438:compile
[INFO] |  +- org.apache.geronimo.specs:geronimo-activation_1.1_spec:jar:1.1:compile
[INFO] |  +- com.sun.istack:istack-commons-runtime:jar:3.0.8:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] |  \- com.sun.activation:javax.activation:jar:1.2.0:compile
[INFO] +- io.siddhi:siddhi-query-compiler:jar:5.1.29-SNAPSHOT:compile
[INFO] |  +- org.mvel:mvel2:jar:2.4.5.Final:compile
[INFO] |  \- org.antlr:antlr4-runtime:jar:4.11.1:compile
[INFO] +- io.siddhi:siddhi-annotations:jar:5.1.29-SNAPSHOT:compile
[INFO] |  \- org.atteo.classindex:classindex:jar:3.9:compile
[INFO] +- org.wso2.msf4j:msf4j-all:jar:2.8.1:compile
[INFO] +- javax.servlet:servlet-api:jar:2.5:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.13.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.13.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
[INFO] |  \- joda-time:joda-time:jar:2.10.8:compile
[INFO] \- org.testng:testng:jar:7.1.0:test
[INFO]    +- com.beust:jcommander:jar:1.72:test
[INFO]    \- com.google.inject:guice:jar:no_aop:4.1.0:test
[INFO]       +- javax.inject:javax.inject:jar:1:test
[INFO]       \- aopalliance:aopalliance:jar:1.0:test

Suggested solutions:

Update the dependency version.

Thank you very much.