Reported Vulnerabilities from Transitive Dependencies

[jonathan-neufeld-asurion]

As of Test Containers v0.39.5 for Scala 2 (and I believe v0.39.7) our Snyk pipeline has reported the following vulnerabilities with transitive dependencies of Test Containers:

• JUnit @ 4.12: Information Exposure / Man-in-the-Middle
• Apache Commons Compress @ 1.18: Denial of Service

These both have a low priority score. If these are legitimate vulnerabilities is there a planned or available fix version for test containers?

[rnorth]

Hi @jonathan-neufeld-asurion I think these are likely not going to have any serious impact, as AFAICT:

• if this is the JUnit vulnerability you're referencing, it relates to a feature of JUnit that we don't use.
• The commons-compress DoS issue in 1.18 relates to decompression of untrusted zip files, which Testcontainers does not use. Another DoS issue in 1.19 would require an attacker to specially craft local files in order to affect the TAR archiving that Testcontainers does use. However, to do this the attacker wouldd already be in a position of being able to execute code locally, so have countless other opportunities to DoS the system.

Still, we bump dependencies regularly and I believe both of these should be addressed in the next release in order to prevent false positives being flagged in future.

[kiview]

The first issue is fixed through #4167.

[conan]

GitHub Dependabot is reporting four High severity vulnerabilities in org.testcontainers/junit-jupiter:1.19.8 related to commons-compress:

• Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
• Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
• Improper Handling of Length Parameter Inconsistency in Compress
• Excessive Iteration in Compress

Any chance of an upgrade to commons-compress 1.26.0 which would resolve all of these?