SentimentAnalysisParser
Log4j dependency update and OSSF Scorecard
Hello! My security scanner has detected a number of vulnerabilities in your project that are introduced by log4j 1.x, which has been end of life since 2015:
```
✗ Man-in-the-Middle (MitM) [Low Severity][CVE-2020-9488] in log4j:[email protected] introduced by edu.usc.ir:[email protected] > log4j:[email protected]
✗ Arbitrary Code Execution [Medium Severity][CVE-2021-4104] in log4j:[email protected] introduced by edu.usc.ir:[email protected] > log4j:[email protected]
✗ SQL Injection [High Severity][CVE-2022-23305] in log4j:[email protected] introduced by edu.usc.ir:[email protected] > log4j:[email protected]
✗ Deserialization of Untrusted Data [High Severity][CVE-2022-23307] in log4j:[email protected] introduced by edu.usc.ir:[email protected] > log4j:[email protected]
✗ Deserialization of Untrusted Data [High Severity][CVE-2022-23302] in log4j:[email protected] introduced by edu.usc.ir:[email protected] > log4j:[email protected]
✗ Denial of Service (DoS) [Medium Severity][CVE-2023-26464] in log4j:[email protected] introduced by edu.usc.ir:[email protected] > log4j:[email protected]
✗ Deserialization of Untrusted Data [Critical Severity][CVE-2019-17571] in log4j:[email protected] introduced by edu.usc.ir:[email protected] > log4j:[email protected]
```
I have made the following changes to your project in order to remediate these vulnerabilities:
- Updated log4j 1.x to log4j 2.x; the namespace has changed from log4j:log4j to org.apache.logging.log4j:log4j-core.
- Also updated slf4j-log4j12 to slf4j-reload4j, which is a drop-in replacement for log4j 1.x, and updated all other slf4j packages to the same version for compatibility.
I also ran your repository through OSSF Scorecard, which does a number of security configuration checks. Currently branch protection is not optimized and anyone can force push code, merge branches, or force delete branches. I recommend optimizing your branch protection settings on dev/release branches to prevent force push and force delete. This will keep people downstream of your project safe from unauthorized changes to your project.
OSSF Scorecard Results:
Aggregate score: 3.9 / 10

Check scores:

| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---|---|---|---|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#binary-artifacts |
| 0 / 10 | Branch-Protection | branch protection not enabled on development/release branches | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#branch-protection |
| 0 / 10 | CI-Tests | 0 out of 3 merged PRs checked by a CI test -- score normalized to 0 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no badge detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#cii-best-practices |
| 1 / 10 | Code-Review | 3 out of last 23 changesets reviewed before merge -- score normalized to 1 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#code-review |
| 10 / 10 | Contributors | 8 different organizations found -- score normalized to 10 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#contributors |
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#dangerous-workflow |
| 0 / 10 | Dependency-Update-Tool | no update tool detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#dependency-update-tool |
| 0 / 10 | Fuzzing | project is not fuzzed | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#fuzzing |
| 10 / 10 | License | license file detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#license |
| 0 / 10 | Maintained | 0 commit(s) out of 30 and 0 issue activity out of 2 found in the last 90 days -- score normalized to 0 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#maintained |
| ? | Packaging | no published package detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#packaging |
| 10 / 10 | Pinned-Dependencies | all dependencies are pinned | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#pinned-dependencies |
| 0 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 0 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#sast |
| 0 / 10 | Security-Policy | security policy file not detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#security-policy |
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#signed-releases |
| 10 / 10 | Token-Permissions | tokens are read-only in GitHub workflows | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#token-permissions |
| 0 / 10 | Vulnerabilities | 14 existing vulnerabilities detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#vulnerabilities |