Security vulnerabilities in old jars #7

Open
stuzart opened this issue May 24, 2023 · 0 comments

stuzart commented May 24, 2023

Hi @binfalse , hope you are well.
As you may remember, we make use of BiVeS in https://github.com/seek4science/seek . We've recently been reviewing our docker containers for security issues with trivy, and some critical issues were shown related to BiVeS; with com.fasterxml.jackson.core:jackson-databind:jar:2.3.3, and log4j:log4j:jar:1.2.17:compile.

Trivy is easy to install, and you can try it yourself within the BiVeS directory with

trivy fs --severity CRITICAL .

I've found it appears easy to fix, and stems back to the jCOMODI jar and its dependency on an old version of jena. It's difficult to submit as a pull request, as the fix is spread across several repositories, but I found once I updated jena for that package, it built fine and the tests pass. My change was

-        <dependency>
-            <groupId>org.apache.jena</groupId>
-            <artifactId>apache-jena-libs</artifactId>
-            <type>pom</type>
-            <version>3.0.0</version>
-        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.jena/apache-jena-libs -->
+<dependency>
+    <groupId>org.apache.jena</groupId>
+    <artifactId>apache-jena-libs</artifactId>
+    <version>4.8.0</version>
+    <type>pom</type>
+</dependency>
+
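Review bot: the replacement block is indented at column 0 while the removed one sits at eight spaces like the rest of the pom, and the hunk ends with an empty `+` line; worth re-indenting before this lands. More importantly, the artifact trivy actually flags is the transitive com.fasterxml.jackson.core:jackson-databind 2.3.3 rather than jena itself, so confirm with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` on jCOMODI that the 3.0.0 to 4.8.0 bump really drops it (or lifts it to a non-flagged version), and rerun `trivy fs --severity CRITICAL .` against the rebuilt artifact.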

You would then need to update BiVeS-Core to use the new version of jCOMODI, and then next the packages that rely on BiVeS-Core (which is why it's difficult to provide a PR).

The final step was to update BiVeS itself to use log4j 2, which is easy with a little log4j wrapper library. I also found I needed to include log4j-slf4j-impl for the tests to pass, which I didn't entirely understand, so you might want to double check. The changes I made to that pom.xml were

-         <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <version>1.2.17</version>
-        </dependency>
+                   <groupId>org.apache.logging.log4j</groupId>
+                   <artifactId>log4j-1.2-api</artifactId>
+                   <version>2.20.0</version>
+               </dependency>
+               <dependency>
+                   <groupId>org.apache.logging.log4j</groupId>
+                   <artifactId>log4j-core</artifactId>
+                   <version>2.20.0</version>
+               </dependency>
+        <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl -->
+               <dependency>
+                   <groupId>org.apache.logging.log4j</groupId>
+                   <artifactId>log4j-slf4j-impl</artifactId>
+                   <version>2.20.0</version>
+                   <scope>test</scope>
+               </dependency>
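Review bot: as pasted, the first added dependency begins at `<groupId>org.apache.logging.log4j</groupId>` with no opening `<dependency>` before it, so either the original `<dependency>` line survived as unchanged context and was dropped from the paste, or the resulting pom is not well-formed; please show the surrounding lines. The added block also mixes tab-style indentation with the eight-space style of the removed block. On the log4j-slf4j-impl question in the text: that artifact is the SLF4J-to-Log4j 2 binding, so any dependency that logs through SLF4J needs it (or another binding) on the classpath, which is why the tests wanted it; if the main code path also logs through SLF4J, keeping it at test scope would leave runtime logging unbound.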
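To work out which direct dependency pulls in the jars trivy flags (the way the jCOMODI to jena chain above had to be traced by hand), here is an added helper script that is not part of BiVeS or this issue: it parses `mvn dependency:tree` output and reports the chain from the direct dependency you would bump down to the flagged artifact. The embedded tree is constructed, with placeholder coordinates for the project and jCOMODI.

```python
import re

# Constructed sample of `mvn dependency:tree` output; the project and jCOMODI
# coordinates are placeholders, not the real BiVeS ones.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ bives-like ---
[INFO] example.org:bives-like:jar:0.0.0
[INFO] +- example.org:jcomodi:jar:0.0.0:compile
[INFO] |  \\- org.apache.jena:apache-jena-libs:pom:3.0.0:compile
[INFO] |     \\- org.apache.jena:jena-arq:jar:3.0.0:compile
[INFO] |        \\- com.fasterxml.jackson.core:jackson-databind:jar:2.3.3:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] \\- junit:junit:jar:4.12:test (optional)
"""

# group:artifact -> version that trivy reported in the issue.
FLAGGED = {
    "com.fasterxml.jackson.core:jackson-databind": "2.3.3",
    "log4j:log4j": "1.2.17",
}

def parse_tree(text):
    """Return (depth, group:artifact, version) for each node of the printed tree."""
    nodes = []
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        body = line.lstrip("+-\\| ")           # drop the tree-drawing prefix
        depth = (len(line) - len(body)) // 3   # each level is three characters wide
        parts = body.split(" ")[0].split(":")  # g:a:type[:classifier]:version[:scope]
        if len(parts) < 4 or not re.match(r"^[\w.-]+$", parts[0]):
            continue                           # plugin banner, blanks, other chatter
        version = parts[3] if len(parts) == 4 else parts[-2]
        nodes.append((depth, f"{parts[0]}:{parts[1]}", version))
    return nodes

def vulnerable_paths(text, flagged=FLAGGED):
    """Map each flagged artifact found at the flagged version to the chain from
    the direct dependency (the one to bump) down to the artifact itself."""
    stack, found = [], {}
    for depth, ga, version in parse_tree(text):
        del stack[depth:]                      # pop back to this node's parent
        stack.append(f"{ga}:{version}")
        if flagged.get(ga) == version:
            found[ga] = stack[1:]              # stack[0] is the project itself
    return found

if __name__ == "__main__":
    for ga, chain in vulnerable_paths(SAMPLE_TREE).items():
        print(f"{ga}: bump {chain[0]} (pulled in via {' -> '.join(chain)})")
```

Run it on real output with `mvn dependency:tree | python3 this_script.py` after swapping SAMPLE_TREE for sys.stdin.read(); a direct dependency reported as the chain head is the pom entry to bump, as with jena in jCOMODI.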