tmobile / pacbot

PacBot (Policy as Code Bot)
https://tmobile.github.io/pacbot/
Apache License 2.0

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #517

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi. In pacbot/jobs/pacman-qualys-enricher, there is a dependency org.apache.httpcomponents:httpclient:4.5.2 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main API called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 5

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[107]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <com.tmobile.cso.pacman.qualys.util.HttpUtil: java.lang.String post(java.lang.String,java.lang.String,java.lang.String,java.lang.String)> (com.tmobile.cso.pacman.qualys.util.HttpUtil.java:[112]) in /detect/unzip/pacbot-2.0/jobs/pacman-qualys-enricher/target/classes

Dependency tree--

[INFO] com.tmobile.cso.pacman:pacman-qualys-enricher:jar:0.0.1-SNAPSHOT
[INFO] +- org.elasticsearch.client:rest:jar:5.3.0:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.5:compile
[INFO] |  +- org.apache.httpcomponents:httpasyncclient:jar:4.1.2:compile
[INFO] |  +- org.apache.httpcomponents:httpcore-nio:jar:4.4.5:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.17:compile
[INFO] +- com.google.code.gson:gson:jar:2.8.5:compile
[INFO] +- com.google.guava:guava:jar:18.0:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] \- com.tmobile.cloud:batch-commons:jar:1.0.0-SNAPSHOT:provided
[INFO]    +- com.microsoft.azure:azure:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-client-runtime:jar:1.6.4:provided
[INFO]    |  |  \- com.microsoft.rest:client-runtime:jar:1.6.4:provided
[INFO]    |  |     +- com.squareup.retrofit2:retrofit:jar:2.4.0:provided
[INFO]    |  |     +- com.squareup.okhttp3:okhttp:jar:3.11.0:provided
[INFO]    |  |     |  \- com.squareup.okio:okio:jar:1.14.0:provided
[INFO]    |  |     +- com.squareup.okhttp3:logging-interceptor:jar:3.11.0:provided
[INFO]    |  |     +- com.squareup.okhttp3:okhttp-urlconnection:jar:3.11.0:provided
[INFO]    |  |     +- com.squareup.retrofit2:converter-jackson:jar:2.4.0:provided
[INFO]    |  |     +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.9.4:provided
[INFO]    |  |     +- org.apache.commons:commons-lang3:jar:3.4:provided
[INFO]    |  |     \- com.squareup.retrofit2:adapter-rxjava:jar:2.4.0:provided
[INFO]    |  +- com.microsoft.azure:azure-client-authentication:jar:1.6.4:provided
[INFO]    |  |  +- com.microsoft.azure:adal4j:jar:1.6.2:provided
[INFO]    |  |  |  \- com.nimbusds:oauth2-oidc-sdk:jar:5.64.4:provided
[INFO]    |  |  |     +- com.sun.mail:javax.mail:jar:1.6.1:provided
[INFO]    |  |  |     +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:provided
[INFO]    |  |  |     +- net.minidev:json-smart:jar:2.3:provided (version selected from constraint [1.3.1,2.3])
[INFO]    |  |  |     |  \- net.minidev:accessors-smart:jar:1.2:provided
[INFO]    |  |  |     |     \- org.ow2.asm:asm:jar:5.0.4:provided
[INFO]    |  |  |     +- com.nimbusds:lang-tag:jar:1.5:provided (version selected from constraint [1.4.3,))
[INFO]    |  |  |     \- com.nimbusds:nimbus-jose-jwt:jar:9.13:provided (version selected from constraint [5.5,))
[INFO]    |  |  \- com.microsoft.azure:azure-annotations:jar:1.7.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-resources:jar:1.22.0:provided
[INFO]    |  |  \- io.reactivex:rxjava:jar:1.3.8:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-storage:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-network:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-compute:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-graph-rbac:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-keyvault:jar:1.22.0:provided
[INFO]    |  |  \- com.microsoft.azure:azure-keyvault:jar:1.0.0:provided
[INFO]    |  |     \- com.microsoft.azure:azure-keyvault-webkey:jar:1.0.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-batch:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-trafficmanager:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-dns:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-redis:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-appservice:jar:1.22.0:provided
[INFO]    |  |  \- com.microsoft.azure:azure-storage:jar:6.1.0:provided
[INFO]    |  |     \- com.microsoft.azure:azure-keyvault-core:jar:0.8.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-locks:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-eventhub:jar:1.22.0:provided
[INFO]    |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-cdn:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-sql:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-containerinstance:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-containerregistry:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-containerservice:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-cosmosdb:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-search:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-msi:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-monitor:jar:1.22.0:provided
[INFO]    |  +- com.microsoft.azure:azure-mgmt-servicebus:jar:1.22.0:provided
[INFO]    |  |  \- joda-time:joda-time:jar:2.1:provided
[INFO]    |  \- com.microsoft.azure:azure-mgmt-batchai:jar:1.22.0:provided
[INFO]    +- com.amazonaws:aws-java-sdk-efs:jar:1.11.636:provided
[INFO]    |  +- com.amazonaws:aws-java-sdk-core:jar:1.11.636:provided
[INFO]    |  |  +- software.amazon.ion:ion-java:jar:1.0.2:provided
[INFO]    |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.2:provided
[INFO]    |  |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:provided
[INFO]    |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.6.7:provided
[INFO]    |  \- com.amazonaws:jmespath-java:jar:1.11.636:provided
[INFO]    +- com.amazonaws:aws-java-sdk-redshift:jar:1.11.636:provided
[INFO]    +- com.amazonaws:aws-java-sdk-elasticsearch:jar:1.11.636:provided
[INFO]    +- ch.qos.logback:logback-classic:jar:1.2.3:provided
[INFO]    +- ch.qos.logback:logback-core:jar:1.2.3:provided
[INFO]    \- javax.xml.bind:jaxb-api:jar:2.1:provided
[INFO]       +- javax.xml.stream:stax-api:jar:1.0-2:provided
[INFO]       \- javax.activation:activation:jar:1.1:provided

Suggested solutions:

Update dependency version

Thank you very much.
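Because httpclient 4.5.2 is not declared directly by pacman-qualys-enricher but arrives transitively through org.elasticsearch.client:rest:5.3.0 (and again via httpasyncclient), "update dependency version" here means pinning the version in the module's own pom rather than editing a direct dependency. The following dependencyManagement override is an added example, not the project's pom; the httpcore pin is an assumption chosen to match the httpcore release that httpclient 4.5.13 itself declares.

```xml
<!-- Added example: dependencyManagement override for jobs/pacman-qualys-enricher/pom.xml
     (not the project's own pom). httpclient 4.5.2 is only reachable transitively via
     org.elasticsearch.client:rest:5.3.0, so the version is pinned here instead of in
     that artifact's own declaration. -->
<project>
  <!-- existing groupId/artifactId/version and <dependencies> stay unchanged -->
  <properties>
    <!-- first release outside the affected range [,4.5.13) given in the report -->
    <httpclient.version>4.5.13</httpclient.version>
    <!-- assumption: the httpcore release that httpclient 4.5.13 itself depends on -->
    <httpcore.version>4.4.13</httpcore.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Applies to every path that resolves these coordinates, including
           rest:5.3.0 -> httpclient and rest:5.3.0 -> httpasyncclient -> httpclient -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>${httpclient.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpcore</artifactId>
        <version>${httpcore.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient` should list only the 4.5.13 artifact; if 4.5.2 still appears, some path is bypassing the managed version and needs the same treatment.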

CVEDetect commented 3 years ago

@bleggett Could you please help me check this issue? May I open a pull request to fix it? Thanks again.