
Many alerts from OWASP dependency checker

Open lathspell opened this issue 4 years ago • 2 comments

Bug Description

I use the OWASP Dependency Check Gradle Plugin (org.owasp.dependencycheck:6.2.2, https://owasp.org/www-project-dependency-check/) to scan all my dependencies for known security issues.

Usually it reports none, but after applying the following ones in version 1.10.0,

com.buschmais.jqassistant.cli:jqassistant-commandline-neo4jv3
com.buschmais.jqassistant.plugin:common
com.buschmais.jqassistant.plugin:java
com.buschmais.jqassistant.plugin:junit

I get a ton of security issues reported:

asciidoctorj-diagram-2.1.2.jar: batik-all-1.13.jar (cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987
commons-beanutils-1.9.3.jar (pkg:maven/commons-beanutils/commons-beanutils@1.9.3, cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:*) : CVE-2019-10086
commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6, cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
dirgra-0.3.jar (pkg:maven/org.jruby/dirgra@0.3, cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
guava-28.1-jre.jar (pkg:maven/com.google.guava/guava@28.1-jre, cpe:2.3:a:google:guava:28.1:*:*:*:*:*:*:*) : CVE-2020-8908
jruby-stdlib-9.2.17.0.jar: bcprov-jdk15on-1.65.jar (cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.65:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*) : CVE-2020-28052
jruby-stdlib-9.2.17.0.jar: jopenssl.jar/META-INF/maven/rubygems/jruby-openssl/pom.xml (pkg:maven/rubygems/jruby-openssl@0.10.5, cpe:2.3:a:jruby:jruby:0.10.5:*:*:*:*:*:*:*, cpe:2.3:a:openssl:openssl:0.10.5:*:*:*:*:*:*:*) : CVE-2009-1387, CVE-2010-1330, CVE-2010-4252, CVE-2010-5298, CVE-2011-1945, CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-4838, CVE-2012-0027, CVE-2013-6449, CVE-2014-0076, CVE-2015-4000, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-7056
jruby-stdlib-9.2.17.0.jar: readline.jar/META-INF/maven/rubygems/jruby-readline/pom.xml (pkg:maven/rubygems/jruby-readline@1.3.7, cpe:2.3:a:jruby:jruby:1.3.7:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
neo4j-browser-4.2.5.jar: app-b776cfaa3af4c1e870e9.js (pkg:javascript/[email protected]) : CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331
tika-core-1.22.jar (pkg:maven/org.apache.tika/tika-core@1.22, cpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:*) : CVE-2020-1950, CVE-2020-1951, CVE-2021-28657

I don't know if false positives are among them, but maybe you care enough to check the dependency tree for old versions.

Expected Behaviour

No reported CVE

Your Environment

  • JDK: 11
  • OS: macOS

How can we reproduce the bug?

Add this and then run ./gradlew dependencyCheckAnalyze

plugins {
    id 'org.owasp.dependencycheck' version '6.2.2'
}

lathspell, Jul 07 '21 19:07
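As an added triage example (not code from the issue reporter or from jQAssistant): the script below parses summary lines of the shape quoted in the report above, takes the artifact name from the purl (or from the jar name when there is none), and queues every CPE whose product name is not exactly the artifact name, which is where mis-identifications such as dirgra being matched as jruby:jruby:0.3 or jruby-openssl as openssl:openssl:0.10.5 show up. For each queued pair it also builds a skeleton Dependency-Check suppression entry. The sample input is the issue's own finding list with the purls written out from the jar names (bootstrap's version is not stated in the issue, so it is omitted). The exact-name rule is an assumption of this example, not a verdict: tika-core and batik-all are genuine modules of the products they were matched to, and bcprov-jdk15on really is Bouncy Castle, so queued entries need a human look before anything is suppressed.

```python
"""Triage OWASP Dependency-Check summary lines for CPE mis-identifications.

Added example, not code from the issue or from jQAssistant. It assumes the
input is the one-line-per-dependency summary quoted in the issue:
    <file> (<purl>, <cpe>, ...) : CVE-..., CVE-...
A CPE whose product differs from the artifact name is queued for review; that
does not prove a false positive, it is just where the wrong matches live.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the findings quoted in the issue, purls written out from
# the jar names. bootstrap's version is not stated in the issue, so it is omitted.
SAMPLE_REPORT = """\
asciidoctorj-diagram-2.1.2.jar: batik-all-1.13.jar (cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*) : CVE-2020-11987
commons-beanutils-1.9.3.jar (pkg:maven/commons-beanutils/commons-beanutils@1.9.3, cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:*) : CVE-2019-10086
commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6, cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
dirgra-0.3.jar (pkg:maven/org.jruby/dirgra@0.3, cpe:2.3:a:jruby:jruby:0.3:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
guava-28.1-jre.jar (pkg:maven/com.google.guava/guava@28.1-jre, cpe:2.3:a:google:guava:28.1:*:*:*:*:*:*:*) : CVE-2020-8908
jruby-stdlib-9.2.17.0.jar: bcprov-jdk15on-1.65.jar (cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.65:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*) : CVE-2020-28052
jruby-stdlib-9.2.17.0.jar: jopenssl.jar/META-INF/maven/rubygems/jruby-openssl/pom.xml (pkg:maven/rubygems/jruby-openssl@0.10.5, cpe:2.3:a:jruby:jruby:0.10.5:*:*:*:*:*:*:*, cpe:2.3:a:openssl:openssl:0.10.5:*:*:*:*:*:*:*) : CVE-2009-1387, CVE-2010-1330, CVE-2010-4252, CVE-2010-5298, CVE-2011-1945, CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-4838, CVE-2012-0027, CVE-2013-6449, CVE-2014-0076, CVE-2015-4000, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-7056
jruby-stdlib-9.2.17.0.jar: readline.jar/META-INF/maven/rubygems/jruby-readline/pom.xml (pkg:maven/rubygems/jruby-readline@1.3.7, cpe:2.3:a:jruby:jruby:1.3.7:*:*:*:*:*:*:*) : CVE-2010-1330, CVE-2011-4838
neo4j-browser-4.2.5.jar: app-b776cfaa3af4c1e870e9.js (pkg:javascript/bootstrap) : CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331
tika-core-1.22.jar (pkg:maven/org.apache.tika/tika-core@1.22, cpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:*) : CVE-2020-1950, CVE-2020-1951, CVE-2021-28657
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<ids>[^)]*)\) : (?P<cves>.*)$")
VERSION_SUFFIX_RE = re.compile(r"-\d[\w.]*(-[A-Za-z]+)?$")   # "-1.13", "-28.1-jre"


@dataclass
class Cpe:
    vendor: str
    product: str
    version: str

    def __str__(self) -> str:
        return f"{self.vendor}:{self.product}:{self.version}"


@dataclass
class Finding:
    file_name: str            # innermost file the identification came from
    purl: Optional[str]
    cpes: List[Cpe]
    cves: List[str]

    @property
    def artifact(self) -> str:
        """Artifact name: from the purl if present, else from the file name."""
        if self.purl:
            return self.purl.rsplit("/", 1)[-1].split("@", 1)[0]
        base = self.file_name.rsplit("/", 1)[-1]
        if base.endswith(".jar"):
            base = base[:-4]
        return VERSION_SUFFIX_RE.sub("", base)


def normalize(name: str) -> str:
    # CPE products use '_' where Maven artifacts use '-' (commons_beanutils)
    return name.lower().replace("_", "-")


def parse_cpe(text: str) -> Cpe:
    # cpe:2.3:a:<vendor>:<product>:<version>:... (CPE 2.3 formatted string)
    parts = text.split(":")
    return Cpe(parts[3], parts[4], parts[5])


def parse_report(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a summary line; ignore
        ids = [i.strip() for i in m["ids"].split(",") if i.strip()]
        purls = [i for i in ids if i.startswith("pkg:")]
        cpes = [parse_cpe(i) for i in ids if i.startswith("cpe:2.3:")]
        findings.append(Finding(
            file_name=m["path"].split(": ")[-1],   # drop the enclosing jar(s)
            purl=purls[0] if purls else None,
            cpes=cpes,
            cves=[c.strip() for c in m["cves"].split(",") if c.strip()],
        ))
    return findings


def review_queue(findings: List[Finding]) -> Dict[str, List[str]]:
    """artifact -> CPEs whose product is not exactly the artifact name."""
    queue: Dict[str, List[str]] = {}
    for f in findings:
        for cpe in f.cpes:
            if normalize(cpe.product) != normalize(f.artifact):
                queue.setdefault(f.artifact, []).append(str(cpe))
    return queue


def suppression_stub(f: Finding, cpe: Cpe) -> str:
    """Dependency-Check suppression entry for one (artifact, CPE) pair; add it
    to the plugin's suppressionFile only once the match is confirmed false."""
    if f.purl:
        base = f.purl.split("@", 1)[0].replace(".", r"\.")
        selector = f'   <packageUrl regex="true">^{base}@.*$</packageUrl>\n'
    else:
        path = f.file_name.replace(".", r"\.")
        selector = f'   <filePath regex="true">.*{path}$</filePath>\n'
    return (
        "<suppress>\n"
        f"   <notes><![CDATA[file name: {f.file_name}; reviewed by: TODO]]></notes>\n"
        + selector
        + f"   <cpe>cpe:/a:{cpe.vendor}:{cpe.product}</cpe>\n"
        "</suppress>"
    )


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    queue = review_queue(findings)
    for f in findings:
        flagged = queue.get(f.artifact, [])
        print(f"{f.artifact:20} {len(f.cves):2} CVEs  "
              + ("review: " + ", ".join(flagged) if flagged else "product matches artifact"))
    for f in findings:
        for cpe in f.cpes:
            if str(cpe) in queue.get(f.artifact, []):
                print(suppression_stub(f, cpe))
```

The stubs belong in the file named by `dependencyCheck { suppressionFile = '...' }` in the Gradle build, and only after the match has been confirmed false: a `<cpe>` selector silences every CVE tied to that product for that package, so suppressing a genuine match (tika-core as apache:tika) would hide real findings.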