
security vulnerabilities in jar

Open vikeshpandey opened this issue 6 years ago • 7 comments

Hi Team,

I am using this jar in one of the projects in my organization. When I run the static code security analysis, it screams a lot of vulnerabilities. [ERROR] postgresql-embedded-2.6.jar: CVE-2014-0061, CVE-2016-0766, CVE-2014-0060, CVE-2014-0063, CVE-2014-0062, CVE-2014-0065, CVE-2014-0064, CVE-2014-0067, CVE-2016-0768, CVE-2014-0066, CVE-2015-5288, CVE-2007-4772, CVE-2015-5289, CVE-2007-2138, CVE-2010-0733, CVE-2017-7484, CVE-2015-3165, CVE-2016-5424, CVE-2016-5423, CVE-2017-8806, CVE-2016-0773

Can you please check these and comment on it.

Thanks Vikesh

vikeshpandey avatar Dec 21 '17 08:12 vikeshpandey

A gentle reminder.

vikeshpandey avatar Dec 22 '17 17:12 vikeshpandey

Hi @pandey-vikesh, can you please be more specific? What are you using for the static code security analysis? Why is this important to you? In any case this project is usually used for testing only, where security does not play the key role.

smecsia avatar Jan 03 '18 04:01 smecsia

We are using the org.owasp maven plugin to run the static code security analysis. We are working for an organization where security vulnerabilities are taken very seriously and we cannot release our code having vulnerabilities in it. Yes, you are correct by saying this project is used for tests only. I have created a separate maven module for bootstrapping the code with embedded postgres. Doing it this way, it is not part of the tests for that maven module. In any case, why does the code have so many security vulnerabilities? If they are false positives, they should be suppressed or else be fixed.

vikeshpandey avatar Jan 04 '18 08:01 vikeshpandey

OWASP DependencyCheck probably misdetects postgresql-embedded as Postgres. @pandey-vikesh Could you please post the complete report from OWASP, especially the CPE that it assigns to the postgresql-embedded JAR.

tazle avatar Feb 26 '18 12:02 tazle

owasp-dependency-check.zip

PFA the OWASP report. I am using it against the 2.6 version of this JAR. I am using postgres version 9.6 with it.

Hope this helps. And apologies for the delay in response.

Thanks Vikesh

vikeshpandey avatar Mar 05 '18 06:03 vikeshpandey

The matching CPE for postgresql-embedded-2.6.jar is cpe:/a:postgresql:postgresql:2.6 which means that DependencyCheck thinks postgresql-embedded-2.6.jar is PostgreSQL version 2.6 when it comes to matching against CVEs. You can imagine that there are many CVEs that are applicable to something like "PostgreSQL versions 9.2 and earlier", and 2.6 is certainly earlier than 9.2, so DependencyCheck gets confused and produces (false positive) reports for those CVEs against postgresql-embedded-2.6.jar.

This project is actually notable in that it in a way does include Postgres. Usually similar issues come up with e.g. client modules for databases, which don't include the database itself. However, postgresql-embedded does not include any specific version of Postgres, so it's not really possible to use DependencyCheck to produce meaningful CVE reports for it. I would suppress any reports for postgresql-embedded locally, and maybe open an issue with DependencyCheck to see if the author thinks there's any reasonable way to get around this.

tazle avatar Mar 05 '18 07:03 tazle
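A local suppression of the kind suggested above, written as an added example and not taken from the thread or from the postgresql-embedded project: it matches the JAR by file name and suppresses only the mis-assigned `cpe:/a:postgresql:postgresql` identifier, so any other identifier DependencyCheck assigns to the file still surfaces. The file name pattern and the notes text are assumptions; the CPE is the one reported in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: OWASP Dependency-Check suppression file.
     Reference it from the maven plugin via <suppressionFiles>. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      postgresql-embedded is a test-time bootstrapper, not the PostgreSQL server.
      DependencyCheck maps postgresql-embedded-2.6.jar to cpe:/a:postgresql:postgresql:2.6,
      so every CVE for "PostgreSQL before 9.x" matches as a false positive.
      The actual server version in use (9.6 here) must be tracked separately.
    ]]></notes>
    <!-- Assumed file name pattern; narrow it to one version if you prefer. -->
    <filePath regex="true">.*postgresql-embedded-.*\.jar</filePath>
    <!-- Drop only the wrong product identifier, not the whole dependency. -->
    <cpe>cpe:/a:postgresql:postgresql</cpe>
  </suppress>
</suppressions>
```

After adding the file, re-run the check and confirm in the report that the JAR no longer lists a postgresql CPE under its identifiers; if it does, the path regex did not match the analyzed file.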

Thanks for the comments. Yes, I have suppressed those for the same reason, that it is directly dependent on the postgresql dependency. I will try to follow up with dependency check. For now, we can resolve this ticket.

vikeshpandey avatar Mar 08 '18 05:03 vikeshpandey