Skip to content

repave dependencies#760

Open
gregallen wants to merge 1 commit intojfrog:masterfrom
gregallen:commons-compress-upgrade
Open

repave dependencies#760
gregallen wants to merge 1 commit intojfrog:masterfrom
gregallen:commons-compress-upgrade

Conversation

@gregallen
Copy link
Copy Markdown

@gregallen gregallen commented Sep 25, 2023

I have read the CLA Document and I hereby sign the CLA

@gregallen gregallen mentioned this pull request Sep 25, 2023
Closed
@yahavi yahavi added the safe to test Approve running integration tests on a pull request label Sep 26, 2023
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 26, 2023
@github-actions
Copy link
Copy Markdown

github-actions bot commented Sep 26, 2023

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Medium		 Applicable org.jfrog.buildinfo:build-info-extractor:2.41.x-SNAPSHOT
com.fasterxml.jackson.core:jackson-databind:2.15.2
com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.2
org.mock-server:mockserver-netty:5.15.0
com.github.docker-java:docker-java:3.3.3
org.jfrog.buildinfo:build-info-extractor-docker:2.41.x-SNAPSHOT		 com.fasterxml.jackson.core:jackson-databind:2.15.2 - CVE-2023-35116

🔬 Research Details

@github-actions
Copy link
Copy Markdown

github-actions bot commented Sep 26, 2023 

mapper.writeValueAsString(this)

at build-info-client/src/main/java/org/jfrog/build/client/artifactoryXrayResponse/ArtifactoryXrayResponse.java (line 60)

📦🔍 Contextual Analysis CVE Vulnerability

Severity Impacted Dependency Finding CVE

Medium		 com.fasterxml.jackson.core:jackson-databind:2.15.2 At least one of the vulnerable functions writeValueAsString, writeValueAsBytes, writeValue, serializeValue is called with external input CVE-2023-35116
Description

The scanner checks for calls to the vulnerable functions with external input:

  • ObjectMapper.writeValue()
  • ObjectMapper.writeValueAsString()
  • ObjectMapper.writeValueAsBytes()
  • ObjectWriter.writeValue()
  • ObjectWriter.writeValueAsString()
  • ObjectWriter.writeValueAsBytes()
  • ser.DefaultSerializerProvider.serializeValue()

For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The input argument to those functions is a cyclic object (e.g. a HashMap object with a reference to itself).

CVE details

An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

@gregallen
Copy link
Copy Markdown
Author

gregallen commented Sep 26, 2023

the jackson-databind vulnerability is rejected by jackson team - see FasterXML/jackson-databind#3972

suggest you need to whitelist this dependency (as has been done at my employer in a similar dep scanning tool)

@yahavi
Copy link
Copy Markdown
Member

yahavi commented Sep 29, 2023

Thanks for your contribution, @gregallen!

It appears that all Gradle tests are failing. You can check out the details here: https://github.com/jfrog/build-info/actions/runs/6308986191/job/17137306523?pr=760

Would you be able to take a look?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gregallen @yahavi