Open Montti37 opened 4 years ago
@Montti37 is not under development anymore, if you wish, you could send a PR and build the new version yourself.
@Montti37 we have found jackson.core to be problematic: if you update it in Spring Boot, then you will get a failing SAST scan with Checkmarx or similar; if you roll back, Twistlock catches it. Spring Boot needs to fix their library, but if you find a good solution please post it, ok? I think we are in the same boat as you.
We have a fix, once I get approval to fork it in from my company I will
On Thu, Sep 24, 2020, 5:11 PM Johnny Johnson notifications@github.com wrote:
@Montti37 https://github.com/Montti37 we have found jackson.core to be problematic: if you update it in Spring Boot, then you will get a failing SAST scan with Checkmarx or similar; if you roll back, Twistlock catches it. Spring Boot needs to fix their library, but if you find a good solution please post it, ok? I think we are in the same boat as you.
@Montti37 We are in the same boat as you so I want to follow up on the fix. Are you able to get approval to share it? Thanks.
@llinmd I am still waiting for approval; it may take some time to actually share the repo, but we ended up just updating the pom file and rebuilding the app. I will warn you: once you get past this step, the underlying elgalu/selenium image that is used has the same vulnerabilities. It too will need a similar fix. The underlying jar that causes that issue is the browsermob-dist.jar; to save you some time finding it, it is held in Maven and will need a similar fix for its pom file.
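The pom change the comment above describes, written out as an added example (it is not Zalenium's pom and not the commenter's repo): a dependencyManagement block that pins the four artifacts flagged in this issue to the fixed versions the scan reports. The full Maven version strings with their suffixes (.Final for Netty, .v20180605 for Jetty 9.4.11) are my assumption of the matching Maven Central coordinates and should be verified before use.

```xml
<!-- pom.xml (illustrative fragment, not Zalenium's own build file) -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>          <!-- placeholder coordinates -->
  <artifactId>zalenium-rebuild</artifactId>
  <version>0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Versions come from the Twistlock findings quoted in this issue.
           An entry in the child's own dependencyManagement takes precedence
           over the version inherited from spring-boot-starter-parent, so it
           also rewrites the version pulled in transitively by other jars. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.7</version>
      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <version>4.1.46.Final</version>   <!-- assumed Maven string for 4.1.46 -->
      </dependency>
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-io</artifactId>
        <version>9.4.11.v20180605</version>   <!-- assumed Maven string for 9.4.11 -->
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.8.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After rebuilding, confirm what actually got resolved rather than trusting the pom: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` prints the effective jackson-databind version, and the same flag works for the other three groupIds. If the project inherits from spring-boot-starter-parent, setting the `jackson.version` property is an alternative for that one library, but the explicit dependencyManagement entries above cover artifacts Spring Boot does not manage. As the comment notes, this only fixes the application jar; the scanner will still flag the same libraries inside the elgalu/selenium image and its browsermob-dist.jar, which need the same treatment in their own builds, and the image should be rescanned afterwards.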
@Montti37 that's good to know. I will give it a shot. Thanks.
@Montti37 I am having similar vulnerabilities. Can you please share the repo?
I tried emailing the security address but it was undeliverable.
As part of our corporate security scans with Twistlock we have found some vulnerabilities in Zalenium. I was hoping it would be possible to address the critical ones so we can continue using Zalenium. There are a lot of other low-level issues, but the criticals that must be addressed for me would be:
com.fasterxml.jackson.core_jackson-databind current 2.8.5 fixed in 2.9.7
io.netty_netty-all current 4.1.6.Final fixed in 4.1.46
org.eclipse.jetty_jetty-io current 7.3.0.v20110203 fixed in 9.4.11, 9.3.24
org.apache.logging.log4j_log4j-api current 2.7 fixed in 2.8.2
Thank you
twistlock-zalenium.txt