gemnasium-maven-plugin uses known vulnerable libraries
This plugin uses a number of known vulnerable libraries. Issue #209336 was raised THREE years ago asking that updates to this plugin be automated. Dependabot or something like it should be set up for ALL Maven projects managed by GitLab to automate upgrades and report use of known vulnerable libraries.
I ran two tools on this project and here are the results:
Contrast's CodeSec CLI, by running: contrast audit -f pom.xml
Searching for package manager files from /Users/dwichers/git/gitlab/gemnasium-maven-plugin/...
✔ Contrast audit complete
Found 3 vulnerable libraries containing 5 CVEs
CONTRAST-001 - [CRITICAL] org.apache.maven.shared/maven-shared-utils-3.2.1 introduces 1 vulnerability
Issue : [C]CVE-2022-29599
Advice : Change to version 3.3.3
CONTRAST-002 - [HIGH] com.fasterxml.jackson.core/jackson-databind-2.10.5.1 introduces 3 vulnerabilities
Issue : [H]CVE-2022-42004, [H]CVE-2022-42003, [H]CVE-2020-36518
Advice : Change to version 2.12.7.1
CONTRAST-003 - [MEDIUM] commons-io-2.5 introduces 1 vulnerability
Issue : [M]CVE-2021-29425
Advice : No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.
Found 3 vulnerabilities
1 Critical | 1 High | 1 Medium | 0 Low | 0 Note
And Snyk by running: snyk test
Testing /Users/dwichers/git/gitlab/gemnasium-maven-plugin...
Tested 43 dependencies for known issues, found 7 issues, 7 vulnerable paths.
Issues to fix by upgrading:
Upgrade com.fasterxml.jackson.core:jackson-databind@2.10.5.1 to com.fasterxml.jackson.core:jackson-databind@2.13.4 to fix
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424] in com.fasterxml.jackson.core:jackson-databind@2.10.5.1
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.5.1
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426] in com.fasterxml.jackson.core:jackson-databind@2.10.5.1
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.5.1
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in com.fasterxml.jackson.core:jackson-databind@2.10.5.1
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.5.1
✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244] in com.fasterxml.jackson.core:jackson-databind@2.10.5.1
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.5.1
Upgrade org.apache.maven:maven-core@3.6.2 to org.apache.maven:maven-core@3.8.2 to fix
✗ Command Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEMAVENSHARED-570592] in org.apache.maven.shared:maven-shared-utils@3.2.1
introduced by org.apache.maven:maven-core@3.6.2 > org.apache.maven.shared:maven-shared-utils@3.2.1
Issues with no direct upgrade or patch:
✗ Information Disclosure [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415] in com.google.guava:guava@25.1-android
introduced by org.apache.maven:maven-core@3.6.2 > com.google.inject:guice:no_aop@4.2.1 > com.google.guava:guava@25.1-android
This issue was fixed in versions: 30.0-android, 30.0-jre
✗ Directory Traversal [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMMONSIO-1277109] in commons-io:commons-io@2.5
introduced by org.apache.maven:maven-core@3.6.2 > org.apache.maven.shared:maven-shared-utils@3.2.1 > commons-io:commons-io@2.5
This issue was fixed in versions: 2.7
Organization: davewichers
Package manager: maven
Target file: pom.xml
Project name: com.gemnasium:gemnasium-maven-plugin
Open source: no
Project path: /Users/dwichers/gitlab/gemnasium-maven-plugin
Licenses: enabled
Please:
- Upgrade all the dependencies in this project to their latest available version, which hopefully will eliminate all these known vulns.
- Set up some kind of automated process to notify you when new library versions are available and known vulns are detected
- Update the version deployed in GitLab with this new version (both in SaaS and the free/commercial versions you provide).
Edited by Dave Wichers
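As an added example, not part of this issue and not the plugin's own code: a small Python checker of the kind the "automated process" request above asks for. It parses `mvn dependency:list` output and flags any artifact that is older than the fix versions the Contrast and Snyk runs reported. The advisory table holds only the four libraries and fix versions quoted above, the dependency lines are constructed to mimic this plugin's tree rather than captured from a real build, and the version comparison is a simplified Maven ordering (numeric segments compared numerically, missing trailing segments treated as 0, a textual qualifier sorting before a number), which is sufficient for these coordinates but is not a full replacement for Maven's ComparableVersion.

```python
"""Flag Maven dependencies older than known fix versions (offline check).

Constructed for illustration: ADVISORIES is built only from the findings
quoted in the issue, and SAMPLE_DEPENDENCY_LIST mimics `mvn dependency:list`
output for this plugin; neither comes from a live scan.
"""
import re
from typing import Iterable, Iterator, Tuple

# (group, artifact) -> (first fixed version, identifiers), all from the tool output above.
ADVISORIES = {
    ("org.apache.maven.shared", "maven-shared-utils"): ("3.3.3", ["CVE-2022-29599"]),
    ("com.fasterxml.jackson.core", "jackson-databind"): (
        "2.12.7.1", ["CVE-2022-42004", "CVE-2022-42003", "CVE-2020-36518"]),
    ("commons-io", "commons-io"): ("2.7", ["CVE-2021-29425"]),
    ("com.google.guava", "guava"): ("30.0", ["SNYK-JAVA-COMGOOGLEGUAVA-1015415"]),
}

# Constructed sample of `mvn dependency:list` output (not a real build log).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:3.1.2:list (default-cli) @ gemnasium-maven-plugin ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.maven:maven-core:jar:3.6.2:provided
[INFO]    org.apache.maven.shared:maven-shared-utils:jar:3.2.1:provided
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.10.5.1:compile
[INFO]    commons-io:commons-io:jar:2.5:provided
[INFO]    com.google.inject:guice:jar:no_aop:4.2.1:provided
[INFO]    com.google.guava:guava:jar:25.1-android:provided
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]
[INFO] BUILD SUCCESS
""".splitlines()


def parse_version(version: str) -> list:
    """Split '2.10.5.1' or '25.1-android' into ints and lowercase qualifiers."""
    return [int(t) if t.isdigit() else t.lower()
            for t in re.split(r"[.\-]", version.strip()) if t]


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before b (simplified Maven ordering).

    Missing trailing segments count as 0, so 2.7 == 2.7.0; a qualifier such as
    'alpha' sorts before a number at the same position, so 1.0-alpha < 1.0.
    """
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += [0] * (n - len(ta))
    tb += [0] * (n - len(tb))
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x < y
        if isinstance(x, str) and isinstance(y, int):
            return True   # qualifier before number
        if isinstance(x, int) and isinstance(y, str):
            return False
        return x < y      # two qualifiers: plain string order
    return False


def parse_dependency_list(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (group, artifact, version) from `mvn dependency:list` lines.

    Accepts both g:a:type:version:scope and g:a:type:classifier:version:scope;
    header, blank and summary lines are skipped because they do not split
    into five or six colon-separated fields.
    """
    for line in lines:
        if not line.startswith("[INFO]"):
            continue
        body = line[len("[INFO]"):].strip()
        if not body:
            continue
        fields = body.split()[0].split(":")
        if len(fields) == 5:
            group, artifact, _type, version, _scope = fields
        elif len(fields) == 6:
            group, artifact, _type, _classifier, version, _scope = fields
        else:
            continue
        yield group, artifact, version


def find_vulnerable(lines: Iterable[str]) -> list:
    """Return one dict per dependency older than its advisory fix version."""
    findings = []
    for group, artifact, version in parse_dependency_list(lines):
        advisory = ADVISORIES.get((group, artifact))
        if advisory and version_lt(version, advisory[0]):
            findings.append({"coordinate": f"{group}:{artifact}:{version}",
                             "fixed_in": advisory[0], "ids": advisory[1]})
    return findings


if __name__ == "__main__":
    # Real usage: mvn dependency:list | python check_deps.py (feed stdin instead of the sample)
    for f in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"{f['coordinate']}  fixed in {f['fixed_in']}  ({', '.join(f['ids'])})")
```

In a pipeline the sample list would be replaced by the real `mvn dependency:list` output piped on stdin, and a non-empty result would fail the job; the advisory table is the part that must be refreshed automatically, which is exactly what a tool like Dependabot or a scheduled Snyk/Contrast run provides.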