Vulnerable dependency: guava-16.0.1

[joshuanapoli]

dependency-check-3.3.4 depends on guava-16.0.1. DependencyCheck reports this as having a vulnerability:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10237

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

[jeremylong]

The joy of transitive dependencies and maintaining support for older JVMs. The 3.x branch of dependency-check still maintains Java 7 support. The 4x branch (under development now) moves to Java 8. I'm sorting through the options...

[albuch]

@jeremylong I don't think this is fixed. dependency-check-core v4.0.1 is still reported to being vulnerable as guava v16.0.1 is still included.

[INFO] test:test:jar:1.0-SNAPSHOT
[INFO] \- org.owasp:dependency-check-core:jar:4.0.1:compile
[INFO]    +- com.vdurmont:semver4j:jar:2.2.0:compile
[INFO]    +- joda-time:joda-time:jar:1.6:compile
[INFO]    +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO]    +- org.owasp:dependency-check-utils:jar:4.0.1:compile
[INFO]    +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO]    +- commons-io:commons-io:jar:2.6:compile
[INFO]    +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO]    +- org.apache.commons:commons-text:jar:1.3:compile
[INFO]    +- org.apache.lucene:lucene-core:jar:7.6.0:compile
[INFO]    +- org.apache.lucene:lucene-analyzers-common:jar:7.6.0:compile
[INFO]    +- org.apache.lucene:lucene-queryparser:jar:7.6.0:compile
[INFO]    |  +- org.apache.lucene:lucene-queries:jar:7.6.0:compile
[INFO]    |  \- org.apache.lucene:lucene-sandbox:jar:7.6.0:compile
[INFO]    +- org.apache.velocity:velocity:jar:1.7:compile
[INFO]    |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO]    |  \- commons-lang:commons-lang:jar:2.4:compile
[INFO]    +- com.h2database:h2:jar:1.4.196:runtime
[INFO]    +- org.glassfish:javax.json:jar:1.0.4:compile
[INFO]    +- org.jsoup:jsoup:jar:1.11.3:compile
[INFO]    +- com.sun.mail:mailapi:jar:1.6.3:compile
[INFO]    +- com.google.code.gson:gson:jar:2.8.5:compile
[INFO]    \- com.h3xstream.retirejs:retirejs-core:jar:3.0.1:compile
[INFO]       +- org.json:json:jar:20140107:compile
[INFO]       +- com.esotericsoftware:minlog:jar:1.3:compile
[INFO]       \- com.github.spullara.mustache.java:compiler:jar:0.8.17:compile
[INFO]          \- com.google.guava:guava:jar:16.0.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5.981 s
[INFO] Finished at: 2018-12-27T10:10:06+01:00
[INFO] Final Memory: 17M/165M

[jeremylong]

This is fixed in dependency-check-core/maven/cli/ant. However, it appears that dependency-check-gradle may still have an issue due to not explicitly over-riding guava. If I run mvn dependency:tree on the core project I get:

25665-[INFO] |  \- com.h3xstream.retirejs:retirejs-core:jar:3.0.1:compile
25733-[INFO] |     +- org.json:json:jar:20140107:compile
25784-[INFO] |     +- com.esotericsoftware:minlog:jar:1.3:compile
25844-[INFO] |     \- com.github.spullara.mustache.java:compiler:jar:0.8.17:compile
25922:[INFO] |        \- com.google.guava:guava:jar:27.0.1-jre:compile

However, it was not fixed correctly for other projects that utilize core. This is now properly fixed with bfd472f. I'll try to fix a few more minor items and push a new release shortly.

[albuch]

Than the dependency resolution behaves differently in your project compared to the published jar.
If dependency-check-core is used as a dependency in an empty maven project you get the tree from my previous post (which is basically the use case for sbt-dependency-check).

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>test</groupId>
    <artifactId>test</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-core</artifactId>
            <version>4.0.1</version>
        </dependency>
    </dependencies>

</project>

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.