yandex-qatools / postgresql-embedded

Embedded PostgreSQL Server

security vulnerabilities in jar #114

Open vikeshpandey opened 6 years ago

vikeshpandey commented 6 years ago

Hi Team,

I am using this jar in one of the projects in my organization. When I run the static code security analysis, it screams about a lot of vulnerabilities:

[ERROR] postgresql-embedded-2.6.jar: CVE-2014-0061, CVE-2016-0766, CVE-2014-0060, CVE-2014-0063, CVE-2014-0062, CVE-2014-0065, CVE-2014-0064, CVE-2014-0067, CVE-2016-0768, CVE-2014-0066, CVE-2015-5288, CVE-2007-4772, CVE-2015-5289, CVE-2007-2138, CVE-2010-0733, CVE-2017-7484, CVE-2015-3165, CVE-2016-5424, CVE-2016-5423, CVE-2017-8806, CVE-2016-0773

Can you please check these and comment on it.

Thanks Vikesh

vikeshpandey commented 6 years ago

A gentle reminder.

smecsia commented 6 years ago

Hi @pandey-vikesh, can you please be more specific? What are you using for the static code security analysis? Why is this important to you? In any case, this project is usually used for testing only, where security does not play a key role.

vikeshpandey commented 6 years ago

We are using the org.owasp Maven plugin to run the static code security analysis. We work for an organization where security vulnerabilities are taken very seriously, and we cannot release our code with vulnerabilities in it. Yes, you are correct in saying this project is used for tests only. I have created a separate Maven module for bootstrapping the code with embedded Postgres. Done this way, it is not part of the tests for that Maven module. In any case, why does the code have so many security vulnerabilities? If they are false positives, they should be suppressed, or else fixed.

tazle commented 6 years ago

OWASP DependencyCheck probably misdetects postgresql-embedded as Postgres. @pandey-vikesh Could you please post the complete report from OWASP, especially the CPE that it assigns to the postgresql-embedded JAR?

vikeshpandey commented 6 years ago

owasp-dependency-check.zip

PFA the OWASP report. I am using it against version 2.6 of this JAR. I am using Postgres version 9.6 with it.

Hope this helps. And apologies for the delay in response.

Thanks Vikesh

tazle commented 6 years ago

The matching CPE for postgresql-embedded-2.6.jar is cpe:/a:postgresql:postgresql:2.6 which means that DependencyCheck thinks postgresql-embedded-2.6.jar is PostgreSQL version 2.6 when it comes to matching against CVEs. You can imagine that there are many CVEs that are applicable to something like "PostgreSQL versions 9.2 and earlier", and 2.6 is certainly earlier than 9.2, so DependencyCheck gets confused and produces (false positive) reports for those CVEs against postgresql-embedded-2.6.jar.

This project is actually notable in that it, in a way, does include Postgres. Usually similar issues come up with e.g. client modules for databases, which don't include the database itself. However, postgresql-embedded does not include any specific version of Postgres, so it's not really possible to use DependencyCheck to produce meaningful CVE reports for it. I would suppress any reports for postgresql-embedded locally, and maybe open an issue with DependencyCheck to see if the author thinks there's any reasonable way to get around this.
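Given the CPE match identified above (cpe:/a:postgresql:postgresql:2.6 for a jar that is a launcher, not the database), the practical fix for the OWASP Maven plugin is a local suppression that targets the CPE rather than the individual CVEs. The following suppressions.xml is an added example, not part of this thread or of the postgresql-embedded project. It assumes the jar's Maven coordinates are ru.yandex.qatools.embed:postgresql-embedded and that the Dependency-Check version in use understands the 1.3 suppression schema and the packageUrl matcher; verify both against your own dependency tree and plugin version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: suppress the mis-identification of the postgresql-embedded jar
     as PostgreSQL itself. The Maven coordinates below are assumed
     (ru.yandex.qatools.embed:postgresql-embedded); adjust them to the groupId and
     artifactId your dependency tree actually shows. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      postgresql-embedded is a Java launcher for PostgreSQL, not PostgreSQL.
      Dependency-Check maps postgresql-embedded-2.6.jar to
      cpe:/a:postgresql:postgresql:2.6 and then matches every CVE written as
      "PostgreSQL before X" against it, which is a false positive.
      The PostgreSQL binaries this jar downloads at runtime (9.6 in our builds)
      must be tracked against PostgreSQL advisories separately; this suppression
      does not cover them.
    ]]></notes>
    <!-- Match the jar by package URL rather than by file name, so a renamed
         or relocated copy of the same artifact is still covered. -->
    <packageUrl regex="true">^pkg:maven/ru\.yandex\.qatools\.embed/postgresql\-embedded@.*$</packageUrl>
    <!-- Suppress the CPE, not a list of CVE ids: the wrong CPE is the root
         cause, and a per-CVE list would silently go stale as new PostgreSQL
         CVEs are published and re-trigger the same false positive. -->
    <cpe>cpe:/a:postgresql:postgresql</cpe>
  </suppress>
</suppressions>
```

Point the org.owasp:dependency-check-maven plugin at the file through its `suppressionFiles` configuration (older plugin versions take a single `suppressionFile` element and match artifacts with `<gav regex="true">groupId:artifactId:.*</gav>` instead of `<packageUrl>`). After re-running the scan, check the report's suppressed-vulnerabilities section: the whole CPE, and therefore every CVE listed in the original error, should appear there, while any other dependency that legitimately matches PostgreSQL (for example, a real PostgreSQL server bundled in another module) remains unaffected because the suppression is scoped to this one package URL.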

vikeshpandey commented 6 years ago

Thanks for the comments. Yes, I have suppressed those for the same reason, that it is directly dependent on the PostgreSQL dependency. I will try to follow up with Dependency-Check. For now, we can resolve this ticket.