Closed hanhaka closed 7 years ago
After investigation of the OWASP scanner results, it is recommended to update all the components below to the newest possible version:
After the update work on the above components is done, we should see how many dependency problems have been fixed.
That scanner seems to be a very useful tool.
Upgraded dependencies on the develop branch in the VRK-KPA repository via several commits:
https://github.com/vrk-kpa/xroad/commit/7c21171cc23d73b79bbd95780820021e0230b242
https://github.com/vrk-kpa/xroad/commit/44a041efb1cb87cfff429c279af09b5f121f6b5d
https://github.com/vrk-kpa/xroad/commit/f1a2c8c4c8bdba2eaf2514ef4482a80b1e229018
https://github.com/vrk-kpa/xroad/commit/8e48fe2a483f84af97f763cb1ea38301d2891407
https://github.com/vrk-kpa/xroad/commit/4983e159c4b0be03f539fe7c8644dc327ec74023
https://github.com/vrk-kpa/xroad/commit/45b38265ff8a379b49bc88b5c049da93c3051bbe
Committed to XM/develop (finnish-6.9.0 pull request). Will be available with the 6.9 release.
Affected components: Java and jRuby dependencies
Affected documentation: -
Estimated delivery: -
External reference: https://jira.csc.fi/browse/PVAYLADEV-458
Problem
OWASP Dependency Check Jenkins and Gradle plugins were taken into use as a part of the Security Server build process (as requested by F-Secure, a cyber security and privacy company). As a result of scanning the dependencies for vulnerabilities, a lot of critical and major issues were found. These should be fixed as soon as possible to avoid later security issues. Fixing should be quite straightforward, as in many cases it only requires updating the affected component to the latest version.
Updating dependency components may, however, generate compile errors and/or other breakdowns. That is why the updating process needs careful attention and testing after the update work has been done.
For more information about the OWASP Dependency Check plugin, see the links below:
https://www.owasp.org/index.php/OWASP_Dependency_Check
https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/
https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin
Acceptance criteria
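The issue describes wiring the OWASP Dependency Check Gradle plugin into the Security Server build and treating critical and major findings as must-fix. The build.gradle fragment below is an added illustration of that setup, not X-Road's own build file; the plugin version is a placeholder and the suppression file path is hypothetical.

```groovy
// Added example (not the X-Road project's build script): run OWASP
// Dependency Check as part of the Gradle build and fail the build on
// high-severity findings rather than only reporting them.
plugins {
    id 'java'
    // Placeholder version: pin to the current plugin release.
    id 'org.owasp.dependencycheck' version 'X.Y.Z'
}

repositories {
    mavenCentral()
}

dependencyCheck {
    // Fail the build when any dependency carries a CVE with CVSS >= 7,
    // i.e. the "critical and major" findings the issue asks to fix.
    failBuildOnCVSS = 7

    // Findings reviewed and accepted (e.g. not reachable in this product)
    // are recorded in a suppression file instead of being ignored silently.
    // Hypothetical path; keep the file under version control so the
    // exceptions are reviewed like code.
    suppressionFile = 'config/dependency-check/suppressions.xml'

    // Only scan what actually ships: the runtime classpath, not test or
    // build-tooling configurations.
    scanConfigurations = ['runtimeClasspath']

    // HTML for developers, plus XML/JSON for the Jenkins plugin to trend.
    format = 'ALL'
}

// Make the scan part of the normal verification step so a developer
// cannot produce a "green" build with known-vulnerable dependencies.
tasks.named('check') {
    dependsOn 'dependencyCheckAnalyze'
}
```

Run `./gradlew dependencyCheckAnalyze` (or `./gradlew check`) to scan; the report lands under `build/reports/` and the build fails if any finding meets the CVSS threshold.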