[WIP] Install deps before the scan #572
Conversation
flor-master
changed the title
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| org.jetbrains.intellij.deps:trove4j:1.0.20200330=detekt,kotlinCompilerClasspath,kotlinCompilerPluginClasspathDebug,kotlinCompilerPluginClasspathDebugAndroidTest,kotlinCompilerPluginClasspathDebugUnitTest,kotlinCompilerPluginClasspathRelease,kotlinCompilerPluginClasspathReleaseUnitTest,kotlinKlibCommonizerClasspath | ||
| org.jetbrains.kotlin:kotlin-android-extensions-runtime:1.8.22=debugAndroidTestCompileClasspath,debugAndroidTestRuntimeClasspath,debugCompileClasspath,debugRuntimeClasspath,debugUnitTestCompileClasspath,debugUnitTestRuntimeClasspath,releaseCompileClasspath,releaseRuntimeClasspath,releaseUnitTestCompileClasspath,releaseUnitTestRuntimeClasspath |
There was a problem hiding this comment.
Legal Risk:
org.jetbrains.intellij.deps:trove4j 1.0.20200330 was released under the LGPL-2.1 license, a license that has been flagged by your organization for consideration
Recommendation:
While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.
| net.java.dev.jna:jna:5.6.0=detekt,kotlinCompilerClasspath,kotlinCompilerPluginClasspathDebug,kotlinCompilerPluginClasspathDebugAndroidTest,kotlinCompilerPluginClasspathDebugUnitTest,kotlinCompilerPluginClasspathRelease,kotlinCompilerPluginClasspathReleaseUnitTest,kotlinKlibCommonizerClasspath | ||
| org.bouncycastle:bcprov-jdk18on:1.72=debugUnitTestCompileClasspath,debugUnitTestRuntimeClasspath,releaseUnitTestCompileClasspath,releaseUnitTestRuntimeClasspath,testImplementationDependenciesMetadata |
There was a problem hiding this comment.
Legal Risk:
net.java.dev.jna:jna 5.6.0 was released under the LGPL-2.1 license, a license that has been flagged by your organization for consideration
Recommendation:
While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.
| com.fasterxml.woodstox:woodstox-core:6.2.4=dokkaGfmPartialRuntime,dokkaGfmRuntime,dokkaHtmlPartialRuntime,dokkaHtmlRuntime,dokkaJavadocPartialRuntime,dokkaJavadocRuntime,dokkaJekyllPartialRuntime,dokkaJekyllRuntime | ||
| com.google.android.material:material:1.9.0=apiDependenciesMetadata,debugAndroidTestCompileClasspath,debugAndroidTestRuntimeClasspath,debugCompileClasspath,debugRuntimeClasspath,debugUnitTestCompileClasspath,debugUnitTestRuntimeClasspath,implementationDependenciesMetadata,releaseCompileClasspath,releaseRuntimeClasspath,releaseUnitTestCompileClasspath,releaseUnitTestRuntimeClasspath |
There was a problem hiding this comment.
Risk: woodstox-core 5.x before 5.4.0 and woodstox-core 6.x before 6.4.0 are vulnerable to Denial of Service (DOS) attacks through the DTD parsing functionality, which is used when serializing XML with FasterXML/woodstox. This happens because xstream, a dependency of woodstox, is vulnerable. This can be partially worked around by setting a stack size limit, but it's not guaranteed to prevent the issue, as per x-stream/xstream#316 (comment). Upgrade 5.x versions to 5.4.0 or 6.x versions to 6.4.0.
Fix: Upgrade this library to at least version 6.4.0 at vgs-collect-android/vgscollect/gradle.lockfile:85.
Reference(s): GHSA-fv22-xp26-mm9w, CVE-2022-40153
Ignore this finding from ssc-3f20a370-e458-4c69-a647-50011ca01c97.
| net.java.dev.jna:jna:5.6.0=detekt,kotlinCompilerClasspath,kotlinCompilerPluginClasspathDebug,kotlinCompilerPluginClasspathDebugAndroidTest,kotlinCompilerPluginClasspathDebugUnitTest,kotlinCompilerPluginClasspathRelease,kotlinCompilerPluginClasspathReleaseUnitTest,kotlinKlibCommonizerClasspath | ||
| org.bouncycastle:bcprov-jdk18on:1.72=debugUnitTestCompileClasspath,debugUnitTestRuntimeClasspath,releaseUnitTestCompileClasspath,releaseUnitTestRuntimeClasspath,testImplementationDependenciesMetadata |
There was a problem hiding this comment.
Legal Risk:
net.java.dev.jna:jna 5.6.0 was released under the LGPL-2.1 license, a license that has been flagged by your organization for consideration
Recommendation:
While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.
| org.jetbrains.intellij.deps:trove4j:1.0.20200330=detekt,kotlinCompilerClasspath,kotlinCompilerPluginClasspathDebug,kotlinCompilerPluginClasspathDebugAndroidTest,kotlinCompilerPluginClasspathDebugUnitTest,kotlinCompilerPluginClasspathRelease,kotlinCompilerPluginClasspathReleaseUnitTest,kotlinKlibCommonizerClasspath | ||
| org.jetbrains.kotlin:kotlin-android-extensions-runtime:1.8.22=debugAndroidTestCompileClasspath,debugAndroidTestRuntimeClasspath,debugCompileClasspath,debugRuntimeClasspath,debugUnitTestCompileClasspath,debugUnitTestRuntimeClasspath,releaseCompileClasspath,releaseRuntimeClasspath,releaseUnitTestCompileClasspath,releaseUnitTestRuntimeClasspath |
There was a problem hiding this comment.
Legal Risk:
org.jetbrains.intellij.deps:trove4j 1.0.20200330 was released under the LGPL-2.1 license, a license that has been flagged by your organization for consideration
Recommendation:
While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.
|
Semgrep found 1
Risk: woodstox-core 5.x before 5.4.0 and woodstox-core 6.x before 6.4.0 are vulnerable to Denial of Service (DOS) attacks through the DTD parsing functionality, which is used when serializing XML with FasterXML/woodstox. This happens because xstream, a dependency of woodstox, is vulnerable. This can be partially worked around by setting a stack size limit, but it's not guaranteed to prevent the issue, as per x-stream/xstream#316 (comment). Upgrade 5.x versions to 5.4.0 or 6.x versions to 6.4.0. Fix: Upgrade this library to at least version 6.4.0 at vgs-collect-android/gradle.lockfile:85. Reference(s): GHSA-fv22-xp26-mm9w, CVE-2022-40153 Ignore this finding from ssc-3f20a370-e458-4c69-a647-50011ca01c97. |
Install Dependencies Before Security Scan
Install dependencies before the Semgrep scanning project