
Dependency to com.squareup.wire:wire-runtime:2.2.0 with CVEs

Open eaglerainbow opened this issue 3 years ago • 3 comments

Dependency Security Scans of our project indicate that through org.cloudfoundry:cloudfoundry-client:5.6.0-RELEASE (most recent version as of writing) the dependency com.squareup.wire:wire-runtime:2.2.0 is declared. This version is known to be subject to (at least) 3 CVEs (evidence):

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237

The most current version of wire-runtime is 4.0.1, dating from December 2021, which apparently has these CVEs fixed.

Is it possible for the project to bump to a newer version to resolve the associated security risks?

eaglerainbow avatar Jan 15 '22 11:01 eaglerainbow

We'll get this and a few other versions bumped shortly.

For what it's worth, our releases do not bundle these dependencies in them. It's just referenced. You should be able to override the version in your own pom.xml.

For example:

    <dependency>
        <groupId>com.squareup.wire</groupId>
        <artifactId>wire-runtime</artifactId>
        <version>4.0.1</version>
    </dependency>

Let me know if you're hitting problems with that. Thanks

dmikusa avatar Jan 18 '22 17:01 dmikusa
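As an added illustration of the override described in the comment above (this is not code from cf-java-client or from the commenter), here is a complete consumer pom.xml that pins the transitive wire-runtime version through dependencyManagement rather than by declaring it as a direct dependency. Declaring it directly also works, because Maven's nearest-wins rule prefers the version in your own POM, but dependencyManagement is the explicit mechanism for controlling transitive versions and documents the intent. The groupId, artifactId and version of the consuming project are placeholders; the cloudfoundry-client coordinate is assumed to be org.cloudfoundry:cloudfoundry-client:5.6.0.RELEASE on Maven Central.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Placeholder coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>cf-client-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the wire-runtime version that cloudfoundry-client pulls in transitively.
           dependencyManagement applies at any depth of the dependency graph, so this
           entry wins over the 2.2.0 declared in cloudfoundry-client's own POM. -->
      <dependency>
        <groupId>com.squareup.wire</groupId>
        <artifactId>wire-runtime</artifactId>
        <version>4.0.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed Maven Central coordinate of the library discussed in this issue -->
    <dependency>
      <groupId>org.cloudfoundry</groupId>
      <artifactId>cloudfoundry-client</artifactId>
      <version>5.6.0.RELEASE</version>
    </dependency>
  </dependencies>
</project>
```

After applying the override, confirm that only the pinned version is resolved with `mvn dependency:tree -Dincludes=com.squareup.wire`; the tree should show wire-runtime 4.0.1 under cloudfoundry-client and no remaining 2.2.0 entry. Because the override moves to a different major version than the one cloudfoundry-client was compiled against, a clean build is not sufficient evidence that the override is safe: run the code paths that deserialize protobuf messages (for example the Cloud Foundry client calls your application actually makes) and watch for NoSuchMethodError or NoClassDefFoundError at runtime before relying on it.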

Just to let you know that latest dep scan found 9 CRITICAL CVEs:

  • https://nvd.nist.gov/vuln/detail/CVE-2018-8909
  • https://nvd.nist.gov/vuln/detail/CVE-2020-15258
  • https://nvd.nist.gov/vuln/detail/CVE-2021-21301
  • https://nvd.nist.gov/vuln/detail/CVE-2020-27853
  • https://nvd.nist.gov/vuln/detail/CVE-2021-32665
  • https://nvd.nist.gov/vuln/detail/CVE-2021-32666
  • https://nvd.nist.gov/vuln/detail/CVE-2021-32755
  • https://nvd.nist.gov/vuln/detail/CVE-2021-41093
  • https://nvd.nist.gov/vuln/detail/CVE-2022-23625

donacarr avatar Jun 08 '22 10:06 donacarr

  • https://nvd.nist.gov/vuln/detail/CVE-2018-8909
  • https://nvd.nist.gov/vuln/detail/CVE-2020-15258
  • https://nvd.nist.gov/vuln/detail/CVE-2021-21301
  • https://nvd.nist.gov/vuln/detail/CVE-2020-27853
  • https://nvd.nist.gov/vuln/detail/CVE-2021-32665
  • https://nvd.nist.gov/vuln/detail/CVE-2021-32666
  • https://nvd.nist.gov/vuln/detail/CVE-2021-32755
  • https://nvd.nist.gov/vuln/detail/CVE-2021-41093
  • https://nvd.nist.gov/vuln/detail/CVE-2022-23625

@donacarr I don't believe any of these are actually problems with the wire we consume. They all reference "wireos" and seem to be issues with some unrelated mobile (iOS/Android) library.

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237

I'm not even sure that the original three issues reported impact cf-java-client. The notes on those issues reference Guava and JUnit. JUnit is the only item we actually consume, and obviously that only happens during testing.

We did look into upgrading but the problem is that the com.squareup.wire Maven plugin that we're using was discontinued so it's not just a matter of bumping the version. It'll take more effort to evaluate if a switch is possible and to do regression testing to make sure that switching doesn't cause any breaking changes.

dmikusa avatar Jun 08 '22 12:06 dmikusa