spring-cloud / spring-cloud-netflix

Integration with Netflix OSS components
http://cloud.spring.io/spring-cloud-netflix/
Apache License 2.0

A vulnerability in jersey-apache-client4 #2463

Closed ammy1999 closed 6 years ago

ammy1999 commented 6 years ago

Hello, using spring-cloud-starter-ribbon version 2.0.0.M2 or 1.3.0.RELEASE, I have a high vulnerability in jersey-apache-client4-1.19.1.jar (when using dependency check), so I upgraded the version to 1.19.4,

```xml
<dependency>
    <groupId>com.sun.jersey.contribs</groupId>
    <artifactId>jersey-apache-client4</artifactId>
    <version>1.19.4</version>
</dependency>
```

but nothing changed. So, what can I do to remove this vulnerability?

spencergibb commented 6 years ago

I'm unsure what we can do about this. What is the vulnerability? What does "but nothing change" mean?

ammy1999 commented 6 years ago

I added the dependency check plugin in Jenkins, then I ran it, and I have a vulnerability in jersey-apache-client4 1.19.4. When I run mvn dependency:tree,

```
+- org.springframework.cloud:spring-cloud-starter-eureka:jar:1.3.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.3.0.RELEASE:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:1.6.2:compile
[INFO] |  |  +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] |  |  |  \- stax:stax-api:jar:1.0.1:runtime
[INFO] |  |  +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] |  |  |  +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] |  |  |  |  +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] |  |  |  |  \- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] |  |  |  |     +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] |  |  |  |     \- antlr:antlr:jar:2.7.7:runtime
[INFO] |  |  |  \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] |  |  +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.3:runtime
[INFO] |  |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.6:runtime
[INFO] |  |  \- com.google.inject:guice:jar:4.1.0:runtime
[INFO] |  +- com.netflix.eureka:eureka-core:jar:1.6.2:compile
[INFO] |  |  \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] |  |     +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] |  |     \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] |  \- com.netflix.ribbon:ribbon-eureka:jar:2.2.2:compile
```

So the vulnerability is in spring-cloud-starter-eureka:jar:1.3.0.RELEASE

spencergibb commented 6 years ago

Please learn how to properly format code and logs.

Run dependency:tree -X to see what is overriding the version. The vulnerability isn't in spring-cloud-starter-eureka; it is in a dependency. jersey-apache-client4 is a dependency of com.netflix.eureka:eureka-client. Any upgrades to that library should be made in the eureka repo.
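An added check, not code from this issue or from Spring Cloud, that turns the `mvn dependency:tree` output quoted above into a CI gate: it parses the tree, flags any resolved artifact older than a configured floor, and reports the chain that pulls it in, so a version that was declared but never took effect (1.19.1 still resolved via eureka-client) is caught and attributed. The 1.19.4 floor and the cut-down sample tree are constructed assumptions, not statements about where a fix landed.

```python
import re

# Constructed sample in the format printed by `mvn dependency:tree`, cut down
# from the tree posted in the issue (the real tree is much longer).
SAMPLE_TREE = r"""
[INFO] +- org.springframework.cloud:spring-cloud-starter-eureka:jar:1.3.0.RELEASE:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:1.6.2:compile
[INFO] |  |  +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] |  |  \- org.apache.httpcomponents:httpclient:jar:4.5.3:runtime
"""

# Policy input (assumed): minimum acceptable version per groupId:artifactId.
# 1.19.4 is the version the reporter tried to move to, used here as a floor.
MIN_VERSIONS = {"com.sun.jersey.contribs:jersey-apache-client4": "1.19.4"}

# Optional "[INFO] ", tree-drawing prefix, "+-" or "\-", then the coordinates
# group:artifact:type[:classifier]:version:scope
LINE_RE = re.compile(r"^(?:\[INFO\] )?([|\s]*)[+\\]- (\S+)$")

def version_key(version):
    """Sort key so '1.19.1' < '1.19.4' numerically; non-numeric segments such
    as 'RELEASE' sort as text after numeric ones."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.-]", version)]

def parse_tree(text):
    """Return (depth, group:artifact, version, scope) per resolved artifact."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip the root project line and unrelated Maven output
        prefix, coords = m.groups()
        parts = coords.split(":")
        depth = len(prefix) // 3  # each nesting level is "|  " or "   "
        nodes.append((depth, f"{parts[0]}:{parts[1]}", parts[-2], parts[-1]))
    return nodes

def find_outdated(text, min_versions=MIN_VERSIONS):
    """Return (offending coordinate, path from the direct dependency) for each
    resolved artifact below its floor, so the owner of the edge is visible."""
    stack, findings = [], []
    for depth, ga, version, _scope in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent
        stack.append(f"{ga}:{version}")
        floor = min_versions.get(ga)
        if floor and version_key(version) < version_key(floor):
            findings.append((stack[-1], " -> ".join(stack)))
    return findings
```

Feed it `mvn dependency:tree` output from the build (not the pom you edited) so the gate judges what Maven actually resolved.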

spencergibb commented 6 years ago

Closing this due to inactivity. Please re-open if there's more to discuss.

lquinn16 commented 5 years ago

Hi Spencer, are there any plans to update the jersey-apache-client4 version in a later release of Eureka? If not, is it compatible with later versions of jersey?

spencergibb commented 5 years ago

Not really a question for a consumer of eureka, which this project is. Please ask here https://github.com/Netflix/eureka/issues