
OWASP giving security error on Chronicle-Logger

Open eix128 opened this issue 3 years ago • 1 comments

Hi, I tried OWASP security checks on your library but I got an error, as shown below:

MAVEN DEPENDENCY:

    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>6.5.3</version>
    <skipProvidedScope>true</skipProvidedScope>
    <skipRuntimeScope>true</skipRuntimeScope>

ERROR:

    One or more dependencies were identified with known vulnerabilities in LabiysWebService:

    chronicle-wire-2.22ea11.jar (pkg:maven/net.openhft/[email protected], cpe:2.3:a:wire:wire:2.22.ea11:::::::*) : CVE-2018-8909, CVE-2020-15258, CVE-2020-27853, CVE-2021-21301, CVE-2021-32665, CVE-2021-32666, CVE-2021-32755, CVE-2021-41093

    kotlin-stdlib-1.4.10.jar (pkg:maven/org.jetbrains.kotlin/[email protected], cpe:2.3:a:jetbrains:kotlin:1.4.10:*:*:*:*:*:*:*) : CVE-2020-29582

    kotlin-stdlib-common-1.4.0.jar (pkg:maven/org.jetbrains.kotlin/[email protected], cpe:2.3:a:jetbrains:kotlin:1.4.0:*:*:*:*:*:*:*) : CVE-2020-15824, CVE-2020-29582

    log4j-slf4j-impl-2.17.0.jar (pkg:maven/org.apache.logging.log4j/[email protected], cpe:2.3:a:apache:log4j:2.17.0:*:*:*:*:*:*:*) : CVE-2021-44832

    See the dependency-check report for more details.

eix128 avatar Feb 10 '22 13:02 eix128

I tried the latest chronicle-wire but the problem still appears:

    chronicle-wire-2.22ea15-SNAPSHOT.jar (pkg:maven/net.openhft/[email protected], cpe:2.3:a:wire:wire:2.22.ea15:snapshot:*:*:*:*:*:*) : CVE-2018-8909, CVE-2020-15258, CVE-2020-27853, CVE-2021-21301, CVE-2021-32665, CVE-2021-32666, CVE-2021-32755, CVE-2021-41093

eix128 avatar Feb 10 '22 14:02 eix128

@eix128 I don't understand what the problem is - can you advise what the security vulnerabilities are please?

JerryShea avatar Oct 31 '22 01:10 JerryShea

You can check out the problem yourself for the latest version: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/

eix128 avatar Nov 04 '22 08:11 eix128

@eix128 this is a false positive - https://github.com/jeremylong/DependencyCheck/issues/5024

JerryShea avatar Nov 05 '22 07:11 JerryShea
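If a team accepts the maintainer's assessment that the chronicle-wire findings come from a mis-assigned CPE, the practical follow-up is to record that in a dependency-check suppression file scoped to that one CPE, rather than skipping the scan or suppressing the artifact wholesale. The following is an added example, not code from this thread or the Chronicle project; the file name `suppressions.xml`, the notes text and the `failBuildOnCVSS` threshold are assumptions, while the CPE vendor/product and the plugin coordinates come from the scan output and dependency configuration quoted earlier in the issue.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml (file name is an assumption), kept next to pom.xml -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        chronicle-wire is matched to cpe:/a:wire:wire, an unrelated product,
        so CVEs reported against that CPE do not describe this library.
        Tracked upstream at https://github.com/jeremylong/DependencyCheck/issues/5024
        Review this entry whenever the library is upgraded.
        ]]></notes>
        <!-- Scope the suppression to the artifact AND the mis-assigned CPE.
             A future CVE filed directly against net.openhft:chronicle-wire
             would match a different CPE and still be reported. -->
        <packageUrl regex="true">^pkg:maven/net\.openhft/chronicle\-wire@.*$</packageUrl>
        <cpe>cpe:/a:wire:wire</cpe>
    </suppress>
</suppressions>

<!-- Corresponding plugin entry in pom.xml (shown here as a second fragment).
     The log4j and kotlin findings from the same report are real version
     matches and are NOT suppressed; they are addressed by upgrading. -->
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>6.5.3</version>
    <configuration>
        <suppressionFiles>
            <suppressionFile>suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- Fail the build on high-severity findings that are not suppressed -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
    </configuration>
</plugin>
```

Run `mvn org.owasp:dependency-check-maven:check` afterwards and confirm that only the wire:wire entries disappear from the report while the log4j finding remains until the dependency is upgraded.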

@JerryShea IntelliJ gives an alert on the dependency:

    <!-- https://mvnrepository.com/artifact/net.openhft/chronicle-logger-log4j-2 -->
    <dependency>
        <groupId>net.openhft</groupId>
        <artifactId>chronicle-logger-log4j-2</artifactId>
        <version>4.22ea3-SNAPSHOT</version>
    </dependency>

https://devhub.checkmarx.com/cve-details/CVE-2021-44832/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea

eix128 avatar Nov 09 '22 15:11 eix128

I don't think you will see this in the latest chronicle-logger (2.24ea2) - when I check dependencies on that I see that log4j2 is at 2.17.1

JerryShea avatar Nov 11 '22 03:11 JerryShea