geowave
Dependency org.apache.commons:commons-compress, leading to CVE problem
Hi, in geowave/extensions/cli/accumulo-embed, there is a dependency org.apache.commons:commons-compress:1.4.1 that calls the risk method.
The affected version range of this CVE is [,1.18-RC1).
After further analysis, in this project, the main API called is <org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int readStored(byte[],int,int)>
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path length: 4
<org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int readStored(byte[],int,int)>
at <org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int read(byte[],int,int)> (org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.java:[321]) in /.m2/repository/org/apache/commons/commons-compress/1.4.1/commons-compress-1.4.1.jar
at <org.apache.commons.compress.archivers.ArchiveInputStream: int read()> (org.apache.commons.compress.archivers.ArchiveInputStream.java:[81]) in /.m2/repository/org/apache/commons/commons-compress/1.4.1/commons-compress-1.4.1.jar
at <org.locationtech.geowave.datastore.accumulo.cli.AccumuloMiniCluster: void main(java.lang.String[])> (org.locationtech.geowave.datastore.accumulo.cli.AccumuloMiniCluster.java:[82]) in /detect/unzip/geowave-1.2.0/extensions/cli/accumulo-embed/target/classes
Dependency tree--
[INFO] org.fusesource.hawtjni:hawtjni-maven-plugin:maven-plugin:1.19-SNAPSHOT
[INFO] +- org.fusesource.hawtjni:hawtjni-generator:jar:1.19-SNAPSHOT:compile
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.6.3:compile
[INFO] | +- org.apache.maven:maven-model:jar:3.6.3:compile
[INFO] | +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.4:compile
[INFO] | | +- javax.enterprise:cdi-api:jar:1.0:compile
[INFO] | | | +- javax.annotation:jsr250-api:jar:1.0:compile
[INFO] | | | \- javax.inject:javax.inject:jar:1:compile
[INFO] | | +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.4:compile
[INFO] | | \- org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
[INFO] | \- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[INFO] +- org.apache.maven:maven-project:jar:2.0.11:compile
[INFO] | +- org.apache.maven:maven-settings:jar:2.0.11:compile
[INFO] | +- org.apache.maven:maven-profile:jar:2.0.11:compile
[INFO] | +- org.apache.maven:maven-plugin-registry:jar:2.0.11:compile
[INFO] | \- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile
[INFO] | +- junit:junit:jar:3.8.1:compile
[INFO] | \- classworlds:classworlds:jar:1.1-alpha-2:compile
[INFO] +- org.codehaus.plexus:plexus-utils:jar:3.3.0:compile
[INFO] +- org.codehaus.plexus:plexus-interpolation:jar:1.26:compile
[INFO] +- org.apache.maven:maven-artifact-manager:jar:2.0.11:compile
[INFO] | +- org.apache.maven:maven-repository-metadata:jar:2.0.11:compile
[INFO] | \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:compile
[INFO] +- org.apache.maven:maven-artifact:jar:2.0.11:compile
[INFO] +- org.apache.maven:maven-archiver:jar:2.4:compile
[INFO] +- org.codehaus.plexus:plexus-archiver:jar:4.2.2:compile
[INFO] | +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] | +- org.iq80.snappy:snappy:jar:0.4:compile
[INFO] | \- org.tukaani:xz:jar:1.8:runtime
[INFO] +- org.codehaus.plexus:plexus-io:jar:3.2.0:compile
[INFO] | \- commons-io:commons-io:jar:2.6:compile
[INFO] \- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.6.0:provided
Suggested solutions:
Update dependency version
Thank you very much.
@rfecher Could you please help me check this issue? May I open a pull request to fix it? Thanks again.
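One way to apply the suggested fix in Maven, as an added example that is not part of this issue or of the geowave project's own build files: a dependencyManagement entry that overrides every transitive occurrence of commons-compress in the module, plus a maven-enforcer rule that fails the build if any dependency path still resolves to a version inside the affected range. 1.18 is chosen as the first release outside [,1.18-RC1) as stated above; the enforcer plugin version is an assumption.

```xml
<!-- Added example, not geowave's own pom: pin commons-compress outside the
     affected range and refuse to build if any path still resolves inside it. -->
<project>
  <!-- the module's own modelVersion, parent and coordinates go here -->

  <dependencyManagement>
    <dependencies>
      <!-- Overrides the transitive commons-compress version wherever it is
           pulled in (for example via the embedded Accumulo mini cluster). -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.18</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>ban-vulnerable-commons-compress</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- searchTransitive defaults to true, so a regression through
                     any new dependency is caught; the range mirrors the CVE's. -->
                <bannedDependencies>
                  <excludes>
                    <exclude>org.apache.commons:commons-compress:[,1.18)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Afterwards, `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` should show only 1.18 resolving in the module.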