zrohrbachNN / badbadbad

GNU Lesser General Public License v3.0

Thanks for trying scan #2

Open prabhu opened 4 years ago

prabhu commented 4 years ago

Hi,

I came across this repo after a web search. Thank you for trying scan. I noticed that you were trying to test dependency scanning with a vulnerable pom.xml. Firstly, to trigger the dependency and license scan, scan requires a GitHub PAT token with the read:packages scope, as described here.

https://slscan.io/en/latest/getting-started/#language-specific-scans

docker run --rm -e "WORKSPACE=$PWD" -e "NVD_START_YEAR=2010" -e GITHUB_TOKEN -v $PWD:/app shiftleft/scan scan

Output

===Dependency scan results===

+---------------+----------------------------------+-----------+------------+---------+-------------------------------------------------------------------------------+
| Id            | Package                          | Version   | Severity   |   Score | Description                                                                   |
+===============+==================================+===========+============+=========+===============================================================================+
| CVE-2013-7285 | com.thoughtworks.xstream:xstream | <1.4.6    | CRITICAL   |       9 | Critical severity vulnerability that affects com.thoughtworks.xstream:xstream |
+---------------+----------------------------------+-----------+------------+---------+-------------------------------------------------------------------------------+

Secondly, the struts vulnerability is a bit ancient, requiring an aliasing workaround. It was flagged under "apache:struts" in 2014, whereas the package is referred to as "struts2-core". I will see if I can bring this workaround to the open-source version.

prabhu commented 4 years ago

This workaround is now supported. Latest scan results:

INFO [2020-06-11 21:41:04,773] Scanning /app using plugins ['depscan']
INFO [2020-06-11 21:41:04,774] ================================================================================
INFO [2020-06-11 21:41:05,206] ================================================================================
INFO [2020-06-11 21:41:21,233] No license violation detected ✅
INFO [2020-06-11 21:42:15,369] Performing regular scan for /app using plugin java
INFO [2020-06-11 21:42:15,369] Scanning 14 oss dependencies for issues

===Dependency scan results===

+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Id             | Package                          | Version        | Severity   |   Score | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+================+==================================+================+============+=========+====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+
| CVE-2013-7285  | com.thoughtworks.xstream:xstream | <1.4.6         | CRITICAL   |     9   | Critical severity vulnerability that affects com.thoughtworks.xstream:xstream                                                                                                                                                                                                                                                                                                                                                                                                      |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2018-11776 | apache:struts                    | 2.3.1-2.3.34   | HIGH       |     8.1 | Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2018-1327  | apache:struts                    | 2.1.1-2.5.14.1 | HIGH       |     7.5 | The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.    |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2017-12611 | apache:struts                    | 2.3.15.3       | CRITICAL   |     9.8 | In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.                                                                                                                                                                                                                                                                                                         |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2017-5638  | apache:struts                    | 2.3.15.3       | CRITICAL   |    10   | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.                                                  |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2017-9787  | apache:struts                    | 2.3.15.3       | HIGH       |     7.5 | When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.                                                                                                                                                                                                                                                                                                           |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2017-9791  | apache:struts                    | 2.3.15.3       | CRITICAL   |     9.8 | The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.                                                                                                                                                                                                                                                                                                                   |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2017-9793  | apache:struts                    | 2.3.15.3       | HIGH       |     7.5 | The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.                                                                                                                                                                                                                                            |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2017-9804  | apache:struts                    | 2.3.15.3       | HIGH       |     7.5 | In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.  NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.                                                                                                    |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2017-9805  | apache:struts                    | 2.3.15.3       | HIGH       |     8.1 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.                                                                                                                                                                                                             |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-0785  | apache:struts                    | 2.0.0-2.3.20.3 | HIGH       |     8.8 | Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.                                                                                                                                                                                                                                                                                                                      |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-2162  | apache:struts                    | 2.3.15.3       | MEDIUM     |     6.1 | Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.                                                                                                                                                                                                                                   |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-3081  | apache:struts                    | 2.3.15.3       | HIGH       |     8.1 | Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.                                                                                                                                                                                                                                                        |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-3082  | apache:struts                    | 2.3.15.3       | CRITICAL   |     9.8 | XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.                                                                                                                                                                                                                                                                                   |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-3090  | apache:struts                    | 2.3.15.3       | HIGH       |     8.8 | The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.                                                                                                                                                                                                                                                                                                 |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-3093  | apache:struts                    | 2.3.15.3       | MEDIUM     |     5.3 | Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.                                                                                                                                                                                                                                                 |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-4003  | apache:struts                    | 2.0.0-2.3.24.1 | MEDIUM     |     6.1 | Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.                                                                                                                                                                                    |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-4436  | apache:struts                    | 2.3.15.3       | CRITICAL   |     9.8 | Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.                                                                                                                                                                                                                                                                                                                              |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CVE-2016-4461  | apache:struts                    | 2.0.0-2.3.29   | HIGH       |     8.8 | Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.                                                                                                                                                                                                                                     |
+----------------+----------------------------------+----------------+------------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

===Dependency scan summary===

Severity       Count  Status
-----------  -------  --------
UNSPECIFIED        0  ✅
LOW                0  ✅
MEDIUM             3  ✅
HIGH              10  ❌
CRITICAL           6  ❌
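The aliasing workaround described in the two comments above, as an added example that is not part of the original issue or of the scan/depscan code base: a small Python model of how a dependency scanner can map the Maven coordinate org.apache.struts:struts2-core to the older "apache:struts" key that the CVE data uses, and then test an installed version against the affected-version specs printed in the results table ("<1.4.6", "2.3.1-2.3.34", an exact "2.3.15.3"). The alias table, the sample dependency versions (the repo's pom.xml is not shown here) and the pass/fail policy are assumptions constructed for the example; the advisory rows are copied from the table above.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical alias table (an assumption for this example, not the scanner's
# real mapping): Maven group:artifact -> the vendor:product key under which
# older NVD entries were filed. Without this entry a pom.xml that pulls in
# struts2-core never lines up with advisories recorded as "apache:struts".
ALIASES = {
    "org.apache.struts:struts2-core": "apache:struts",
}

# Advisory rows copied from the scan results above:
# (id, package key, affected versions, severity).
# A real scanner pulls these from the NVD / GitHub advisory feeds.
ADVISORIES = [
    ("CVE-2013-7285", "com.thoughtworks.xstream:xstream", "<1.4.6", "CRITICAL"),
    ("CVE-2018-11776", "apache:struts", "2.3.1-2.3.34", "HIGH"),
    ("CVE-2017-5638", "apache:struts", "2.3.15.3", "CRITICAL"),
    ("CVE-2016-0785", "apache:struts", "2.0.0-2.3.20.3", "HIGH"),
    ("CVE-2016-4461", "apache:struts", "2.0.0-2.3.29", "HIGH"),
]

SEVERITIES = ("UNSPECIFIED", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def version_key(version: str) -> Tuple:
    """Split '2.3.15.3' into a tuple that compares numerically, so that
    2.3.9 < 2.3.15 (plain string comparison gets that wrong).
    Non-numeric components such as 'beta' sort below any number."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def matches(installed: str, spec: str) -> bool:
    """Does `installed` fall inside a version spec as printed in the table:
    '<1.4.6' (bound), '2.3.1-2.3.34' (inclusive range) or '2.3.15.3' (exact)?"""
    spec = spec.strip()
    bound = re.fullmatch(r"(<=|>=|<|>)\s*(\S+)", spec)
    if bound:
        op, limit = bound.groups()
        a, b = version_key(installed), version_key(limit)
        return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]
    rng = re.fullmatch(r"(\d[\w.]*)-(\d[\w.]*)", spec)
    if rng:
        lo, hi = rng.groups()
        return version_key(lo) <= version_key(installed) <= version_key(hi)
    return version_key(installed) == version_key(spec)


def scan(dependencies: Dict[str, str], aliases=ALIASES) -> List[Tuple[str, str, str, str]]:
    """Match each dependency against the advisory list, translating its
    coordinate through the alias table first.
    Returns rows of (cve, coordinate, version, severity)."""
    hits = []
    for coord, version in dependencies.items():
        key = aliases.get(coord, coord)
        for cve, pkg, spec, severity in ADVISORIES:
            if pkg == key and matches(version, spec):
                hits.append((cve, coord, version, severity))
    return hits


def summarize(hits, fail_on=("HIGH", "CRITICAL")):
    """Per-severity counts plus a pass/fail verdict, mirroring the summary
    table; the fail_on policy is an assumption for this example."""
    counts = {s: 0 for s in SEVERITIES}
    for _, _, _, severity in hits:
        counts[severity] += 1
    failed = any(counts[s] > 0 for s in fail_on)
    return counts, failed


# Constructed sample pom contents; the real pom.xml in the repo is not shown.
SAMPLE_DEPS = {
    "org.apache.struts:struts2-core": "2.3.15.3",
    "com.thoughtworks.xstream:xstream": "1.4.5",
}

if __name__ == "__main__":
    for row in scan(SAMPLE_DEPS):
        print(*row)
    counts, failed = summarize(scan(SAMPLE_DEPS))
    print(counts, "FAIL" if failed else "PASS")
    # Same pom with no alias table: every struts advisory is silently missed.
    print(len(scan(SAMPLE_DEPS, aliases={})), "hit(s) without aliasing")
```

Running scan() with an empty alias table is the useful negative check: the xstream finding still appears because its Maven coordinate and its advisory key are identical, while all of the struts advisories vanish, which is exactly the gap the first comment describes. Numeric version keys matter for the same reason; a string compare would put 2.3.9 after 2.3.15 and mis-evaluate the "2.3.1-2.3.34" range.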