DependencyCheck
[FP]: various dependencies flagged on transitive Swagger dependencies of `ktor-server-openapi`
Package URL
pkg:maven/io.ktor/[email protected]
CPE
Multiple (see description)
CVE
Multiple (see description)
ODC Integration
Gradle Plugin
ODC Version
8.4.0
Description
One or more dependencies were identified with known vulnerabilities in [PROJECT NAME]:
swagger-codegen-2.4.30.jar: gradle-wrapper.jar (cpe:2.3:a:gradle:gradle:2.12:*:*:*:*:*:*:*) : CVE-2016-6199, CVE-2019-15052, CVE-2023-35947, CVE-2021-29428, CVE-2020-11979, CVE-2021-32751, CVE-2023-44387, CVE-2019-11065, CVE-2019-16370, CVE-2021-29429, CVE-2023-35946, CVE-2023-42445
swagger-codegen-2.4.30.jar: jquery-1.8.3.min.js (pkg:javascript/[email protected]) : CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, CVE-2020-23064, CVE-2020-7656, jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
Seems similar to #4382, but for the io.ktor:ktor-server-openapi dependency (and its Swagger-related transitive dependencies). Strangely enough, this is not an issue when only including the io.ktor:ktor-server-swagger dependency.
Maven Coordinates
<dependency>
    <groupId>io.ktor</groupId>
    <artifactId>ktor-server-openapi</artifactId>
    <version>2.3.5</version>
</dependency>
Suppression rule:
<suppress base="true">
    <notes><![CDATA[
    FP per issue #5997
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-openapi@.*$</packageUrl>
    <cpe>cpe:/a:undefined:undefined</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/6547126774
@volkert-fastned DependencyCheck is correct: (the vulnerable versions of) these libraries are transitive dependencies of ktor-server-openapi, but not of ktor-server-swagger.
Run `gradle dependencies` on both and compare the outputs.
Need to see whether all the reported issues are proper, but the difference you noticed between the two is completely logical, as they indeed have significantly differing runtime dependency trees.
Whether or not the various reported vulnerabilities are applicable to the wrapper part of Gradle remains to be seen, but the packaged gradle-wrapper.jar inside swagger-codegen is positively a component of Gradle 2.12. So, with DependencyCheck's policy of not differentiating between different components of the same CPE, I think this one counts as an unfortunate side-effect of the lack of maintenance by the swagger-codegen team on their repository-committed gradle-wrapper.jar resource for the Java client project code generator.
https://github.com/swagger-api/swagger-codegen/blob/v2.4.30/modules/swagger-codegen/src/main/resources/Java/gradle-wrapper.jar
https://github.com/swagger-api/swagger-codegen/blob/master/modules/swagger-codegen/src/main/resources/Java/gradle-wrapper.jar
And similarly for
https://github.com/swagger-api/swagger-codegen/tree/master/modules/swagger-codegen/src/main/resources/swagger-static/assets/js
which appear to be completely unmaintained parts of the swagger-codegen library.
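The comparison suggested above (run `gradle dependencies` for a build containing each artifact and diff the results), as an added example that is not part of this thread or of the DependencyCheck project: a small POSIX shell script that flattens two captured `gradle dependencies` trees into plain `group:artifact:version` coordinates (taking the resolved version when Gradle prints `declared -> resolved`) and prints the coordinates that occur only in the first tree. The two sample trees embedded in it are constructed and heavily abbreviated; the only fact taken from the thread is that swagger-codegen 2.4.30 sits under ktor-server-openapi and not under ktor-server-swagger. The `capture_tree` helper and the choice of the `runtimeClasspath` configuration are the editor's assumptions about the project layout.

```shell
#!/bin/sh
# Added example (editor's own code, not from the issue or DependencyCheck):
# compare the dependency trees of two artifacts to find which one pulls in
# the jar that DependencyCheck flagged.
set -eu
export LC_ALL=C   # sort and comm must agree on collation

# Real-project use (assumption: a throw-away Gradle project that declares only
# the artifact under test as a dependency). Not executed in this file.
capture_tree() {  # usage: capture_tree <gradle-project-dir>
  ( cd "$1" && ./gradlew -q dependencies --configuration runtimeClasspath )
}

# Turn `gradle dependencies` output into a sorted, unique list of
# group:artifact:version. The ASCII tree prefix (+--- \--- |) and trailing
# markers such as "(*)" are dropped; "a:b:1.0 -> 1.1" yields a:b:1.1.
flatten_tree() {
  awk '
    { sub(/^[^A-Za-z0-9]+/, "") }              # strip tree-drawing prefix
    /^[^: \t]+:[^: \t]+/ {                    # lines that start with g:a[:v]
      n = split($1, c, ":")
      ver = (n >= 3) ? c[3] : ""
      for (i = 2; i <= NF; i++)               # "->" means a resolved version
        if ($i == "->") ver = $(i + 1)
      if (ver != "") print c[1] ":" c[2] ":" ver
    }' | sort -u
}

# Coordinates present in the first tree but absent from the second.
tree_only_in_first() {  # usage: tree_only_in_first "<tree A>" "<tree B>"
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' "$1" | flatten_tree > "$a"
  printf '%s\n' "$2" | flatten_tree > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Constructed sample trees (illustrative, NOT real output for these artifacts).
sample_openapi_tree() {
  cat <<'EOF'
runtimeClasspath - Runtime classpath of source set 'main'.
\--- io.ktor:ktor-server-openapi:2.3.5
     +--- io.ktor:ktor-server-core:2.3.4 -> 2.3.5
     \--- io.swagger:swagger-codegen:2.4.30

(*) - Indicates repeated occurrences of a transitive dependency subtree.
EOF
}

sample_swagger_tree() {
  cat <<'EOF'
runtimeClasspath - Runtime classpath of source set 'main'.
\--- io.ktor:ktor-server-swagger:2.3.5
     \--- io.ktor:ktor-server-core:2.3.5
EOF
}

# Demo: coordinates that only ktor-server-openapi brings in (sample data).
tree_only_in_first "$(sample_openapi_tree)" "$(sample_swagger_tree)"
```

For real trees, replace the two sample functions with `capture_tree path/to/openapi-project` and `capture_tree path/to/swagger-project`; anything printed for the first side that names swagger-codegen is the artifact DependencyCheck unpacked to find the embedded gradle-wrapper.jar and jquery file.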