
Add Security check for dependencies.

Open ioggstream opened this issue 3 years ago • 2 comments

I expect

pom.xml to check dependencies for vulnerabilities.

ioggstream avatar Oct 07 '22 15:10 ioggstream
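One way to get what the issue asks for is to bind the OWASP dependency-check Maven plugin to the build so that the scan below runs on every `mvn verify` and fails the build when a dependency has a known CVE above a chosen severity. The fragment below is an added example, not Widoco's own pom.xml or anything from its maintainers: the plugin version, the CVSS threshold of 7, the suppression-file name and the chosen report formats are assumptions picked for illustration and should be adjusted to the project.

```xml
<!-- Added example (not Widoco's actual pom.xml): wiring the OWASP
     dependency-check Maven plugin into the build so that `mvn verify`
     fails when a dependency has a known CVE at or above the threshold.
     The plugin version, CVSS threshold and suppression-file path are
     assumptions chosen for illustration; pin the current release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.4.0</version>
      <configuration>
        <!-- Fail the build on any finding with CVSS >= 7 (High/Critical).
             Lower this once the backlog of findings has been worked off. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Also scan bundled JavaScript files, which is how the
             bootstrap.js / jquery.js findings (pkg:javascript/...)
             in the report above are produced. -->
        <retireJsAnalyzerEnabled>true</retireJsAnalyzerEnabled>
        <!-- Reviewed false positives go here, each with a written
             justification, so the build stays green without hiding
             real findings. The file name is an assumption. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- HTML for humans, JSON for CI tooling. -->
        <formats>
          <format>HTML</format>
          <format>JSON</format>
        </formats>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
          <!-- Bind to verify so plain `mvn package` stays fast and
             `mvn verify` (and CI) is the gate. -->
          <phase>verify</phase>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the scan and writes the report under `target/`; the first run downloads the NVD data, so it takes noticeably longer than later runs, and it needs network access to the NVD feeds, which matters for offline or restricted CI runners. Suppressions should only be added after a finding has been reviewed and found not to apply, and the reason recorded in the suppression file.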

Running OWASP dependency-check on pom.xml I get:

One or more dependencies were identified with known vulnerabilities in Widoco:

bootstrap.js (pkg:javascript/[email protected]) : CVE-2016-10735, CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331
bootstrap.min.js (pkg:javascript/[email protected]) : CVE-2016-10735, CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331
commons-io-2.5.jar (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_io:2.5:*:*:*:*:*:*:*) : CVE-2021-29425
dom4j-1.6.1.jar (pkg:maven/dom4j/[email protected], cpe:2.3:a:dom4j_project:dom4j:1.6.1:*:*:*:*:*:*:*) : CVE-2018-1000632, CVE-2020-10683
fluent-hc-4.5.10.jar (pkg:maven/org.apache.httpcomponents/[email protected], cpe:2.3:a:apache:httpclient:4.5.10:*:*:*:*:*:*:*) : CVE-2020-13956
hibernate-validator-5.3.5.Final.jar (pkg:maven/org.hibernate/[email protected], cpe:2.3:a:redhat:hibernate_validator:5.3.5:*:*:*:*:*:*:*) : CVE-2017-7536, CVE-2019-10219, CVE-2020-10693
httpclient-4.5.10.jar (pkg:maven/org.apache.httpcomponents/[email protected], cpe:2.3:a:apache:httpclient:4.5.10:*:*:*:*:*:*:*) : CVE-2020-13956
httpclient-osgi-4.5.10.jar/META-INF/maven/org.apache.httpcomponents/httpclient-cache/pom.xml (pkg:maven/org.apache.httpcomponents/[email protected], cpe:2.3:a:apache:httpclient:4.5.10:*:*:*:*:*:*:*) : CVE-2020-13956
jackson-databind-2.9.10.7.jar (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.9.10.7:*:*:*:*:*:*:*) : CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, CVE-2020-36518, CVE-2022-42003, CVE-2022-42004
jackson-mapper-asl-1.9.13.jar (pkg:maven/org.codehaus.jackson/[email protected], cpe:2.3:a:fasterxml:jackson-mapper-asl:1.9.13:*:*:*:*:*:*:*) : CVE-2017-7525, CVE-2019-10172
jdom-1.1.jar (pkg:maven/org.jdom/[email protected], cpe:2.3:a:jdom:jdom:1.1:*:*:*:*:*:*:*) : CVE-2021-33813
jquery-1.11.0.js (pkg:javascript/[email protected]) : CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023
jquery.js (pkg:javascript/[email protected]) : CVE-2011-4969, CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023
log4j-api-2.7.jar (pkg:maven/org.apache.logging.log4j/[email protected], cpe:2.3:a:apache:log4j:2.7:*:*:*:*:*:*:*) : CVE-2017-5645, CVE-2020-9488, CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105
snakeyaml-1.17.jar (pkg:maven/org.yaml/[email protected], cpe:2.3:a:snakeyaml_project:snakeyaml:1.17:*:*:*:*:*:*:*, cpe:2.3:a:yaml_project:yaml:1.17:*:*:*:*:*:*:*) : CVE-2017-18640, CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752
spring-boot-1.5.6.RELEASE.jar (pkg:maven/org.springframework.boot/[email protected], cpe:2.3:a:vmware:spring_boot:1.5.6:release:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:1.5.6:release:*:*:*:*:*:*) : CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2016-1000027, CVE-2017-8046, CVE-2018-11039, CVE-2018-11040, CVE-2018-1196, CVE-2018-1257, CVE-2020-5421, CVE-2022-22950, CVE-2022-22965, CVE-2022-22968, CVE-2022-22970, CVE-2022-27772
spring-core-4.3.10.RELEASE.jar (pkg:maven/org.springframework/[email protected], cpe:2.3:a:pivotal_software:spring_framework:4.3.10:release:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:4.3.10:release:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:4.3.10:release:*:*:*:*:*:*) : CVE-2016-1000027, CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2018-1275, CVE-2018-15756, CVE-2020-5421, CVE-2022-22950, CVE-2022-22965, CVE-2022-22968, CVE-2022-22970
spring-webmvc-4.3.10.RELEASE.jar (pkg:maven/org.springframework/[email protected], cpe:2.3:a:pivotal_software:spring_framework:4.3.10:release:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:4.3.10:release:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:4.3.10:release:*:*:*:*:*:*) : CVE-2016-1000027, CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2018-1275, CVE-2018-15756, CVE-2020-5397, CVE-2020-5421, CVE-2021-22060, CVE-2022-22950, CVE-2022-22965, CVE-2022-22968, CVE-2022-22970
tomcat-embed-core-8.5.16.jar (pkg:maven/org.apache.tomcat.embed/[email protected], cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:8.5.16:*:*:*:*:*:*:*) : CVE-2017-12617, CVE-2017-15706, CVE-2018-11784, CVE-2018-1304, CVE-2018-1305, CVE-2018-1336, CVE-2018-8014, CVE-2018-8034, CVE-2018-8037, CVE-2019-0199, CVE-2019-0221, CVE-2019-0232, CVE-2019-10072, CVE-2019-12418, CVE-2019-17563, CVE-2019-2684, CVE-2020-11996, CVE-2020-13934, CVE-2020-13935, CVE-2020-13943, CVE-2020-17527, CVE-2020-1935, CVE-2020-1938, CVE-2020-8022, CVE-2020-9484, CVE-2021-24122, CVE-2021-25122, CVE-2021-25329, CVE-2021-30640, CVE-2021-33037, CVE-2021-41079, CVE-2021-43980, CVE-2022-25762
xalan-2.7.0.jar (pkg:maven/xalan/[email protected], cpe:2.3:a:apache:xalan-java:2.7.0:*:*:*:*:*:*:*) : CVE-2014-0107, CVE-2022-34169
xercesImpl-2.8.0.jar (pkg:maven/xerces/[email protected], cpe:2.3:a:apache:xerces2_java:2.8.0:*:*:*:*:*:*:*) : CVE-2009-2625, CVE-2012-0881, CVE-2013-4002, CVE-2017-10355, CVE-2022-23437
See the dependency-check report for more details.

ioggstream avatar Oct 07 '22 16:10 ioggstream

The pull request on the security dependencies prevents Widoco JARs from being built (see https://github.com/dgarijo/Widoco/actions/runs/3868555038/jobs/6594075050). There is some error when invoking the service, as that commit only introduces changes in the documentation.

dgarijo avatar Jan 08 '23 19:01 dgarijo