
Fix CVE errors #16147

Merged: abhishekagarwal87 merged 9 commits into apache:master from gargvishesh:fix-cve-errors-apache-18032024 on Apr 5, 2024

Conversation


@gargvishesh gargvishesh commented Mar 18, 2024

Suppress the following CVE errors:

[ERROR] nimbus-jose-jwt-8.22.1.jar: CVE-2023-52428(7.5)
[ERROR] nimbus-jose-jwt-9.30.2.jar: CVE-2023-52428(7.5)
[ERROR] solr-solrj-8.11.2.jar: CVE-2023-50291(7.5), CVE-2023-50298(7.5), CVE-2023-50386(8.8), CVE-2023-50292(7.5)

Comment thread extensions-core/druid-pac4j/pom.xml Outdated
<!-- Following must be updated along with any updates to pac4j version. One can find the compatible version of nimbus libraries in org.pac4j:pac4j-oidc dependencies-->
<nimbus.lang.tag.version>1.7</nimbus.lang.tag.version>
<nimbus.jose.jwt.version>8.22.1</nimbus.jose.jwt.version>
<nimbus.jose.jwt.version>9.37.2</nimbus.jose.jwt.version>
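Review bot: the comment directly above this hunk says the nimbus versions must be updated together with the pac4j version, yet the hunk changes only nimbus.jose.jwt.version (8.22.1 to 9.37.2), leaves nimbus.lang.tag.version at 1.7, and carries no pac4j change. Either bump pac4j-oidc in the same change or extend the comment to record which pac4j-oidc release declares nimbus-jose-jwt 9.37.2 and which nimbus-lang-tag version it pairs with, so the next person touching either property can verify compatibility against org.pac4j:pac4j-oidc instead of guessing.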
Contributor

Is it compatible with the pac4j-oidc dependency currently in use?

Contributor Author

@gargvishesh gargvishesh Mar 18, 2024


Cannot infer compatibility, as the Maven page just lists the dependency for a specified version -- which was the earlier version. I've also updated pac4j-oidc to 5.7.3, which lists 9.37.2 as its dependency, and the version of oauth2.oidc.sdk.version corresponding to it as well.

Contributor Author


Tried multiple versions of pac4j (6.0.1, 5.7.3, 5.3.1) but all are failing compilation, so reverting it to the original version.

Comment thread owasp-dependency-check-suppressions.xml Outdated
Comment on lines +668 to +669
<!-- Covers DOS on identity server by triggering high resource consumption. Used in Azure as a client.
Current latest version of Azure BOM (1.2.21) still uses 9.30.2, whereas bug resolved in 9.37.3 -->
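Review bot: this suppression comment says the bug is resolved in 9.37.3, while the pom change in this same PR pins nimbus-jose-jwt to 9.37.2; one of the two numbers is wrong and should be reconciled before merge, because a suppression justified by "fixed in X" only holds if the copies the build actually ships are at or above X. Consider also giving this suppress entry an until= expiry date (dependency-check supports an expiry on suppressions) so the 9.30.2 copy pulled in through the Azure BOM is re-flagged automatically once the BOM can be expected to have moved, rather than staying silenced indefinitely.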
Contributor


The reasoning is a bit cryptic. Do you mean to say that CVE only impacts the server but not the client?

Contributor Author


Not clear about that. Simplified the comment to just say that the latest version of BOM still uses vulnerable dependency.
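The thread above is about how to justify and scope a suppression for a vulnerable transitive copy. As an added illustration (not the PR's own owasp-dependency-check-suppressions.xml, whose entries are not shown on this page), here is how the two findings from the PR description can be suppressed narrowly: each entry is keyed to one artifact by its Package URL and to the specific CVE ids listed in the description, carries the reason in the notes, and has an expiry so the scanner re-raises the finding later. The Maven coordinates (com.nimbusds:nimbus-jose-jwt, org.apache.solr:solr-solrj) and the expiry dates are this example's assumptions, not values taken from the PR.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- CVE-2023-52428 (7.5) in nimbus-jose-jwt 9.30.2, which arrives transitively
       through the Azure BOM. The direct dependency in druid-pac4j is on a newer line,
       so only the BOM-supplied copy remains. Scope the suppression to this one
       artifact and this one CVE, and let it expire so the BOM bump is not forgotten.
       until= date is a placeholder chosen for this example. -->
  <suppress until="2024-12-31Z">
    <notes><![CDATA[
      nimbus-jose-jwt 9.30.2 is pulled in by the current Azure BOM (1.2.21), which
      does not yet ship a fixed release. Re-evaluate when the BOM is upgraded.
    ]]></notes>
    <!-- assumption: artifact coordinates are com.nimbusds:nimbus-jose-jwt -->
    <packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@.*$</packageUrl>
    <cve>CVE-2023-52428</cve>
  </suppress>

  <!-- The four solr-solrj findings from the PR description, listed explicitly rather
       than suppressed with a blanket <cvssBelow> or a bare artifact-wide rule, so a
       new CVE against the same jar still fails the build.
       until= date is a placeholder chosen for this example. -->
  <suppress until="2024-12-31Z">
    <notes><![CDATA[
      solr-solrj 8.11.2: findings tracked under the Solr 8.11.2 client; bump when a
      client release that clears these ids is available.
    ]]></notes>
    <!-- assumption: artifact coordinates are org.apache.solr:solr-solrj -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr\-solrj@8\.11\.2$</packageUrl>
    <cve>CVE-2023-50291</cve>
    <cve>CVE-2023-50292</cve>
    <cve>CVE-2023-50298</cve>
    <cve>CVE-2023-50386</cve>
  </suppress>

</suppressions>
```

Two design points worth keeping in mind when writing entries like these: match on the Package URL (optionally pinned to the exact version, as in the solr-solrj entry) rather than on a CPE or a CVSS threshold, so the suppression cannot silently cover a different jar or a future, more severe finding; and always pair the suppression with an expiry, since the reason given in the thread (the upstream BOM has not moved yet) is time-bound by nature.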

@abhishekagarwal87 abhishekagarwal87 merged commit af24cc8 into apache:master Apr 5, 2024
@adarshsanjeev adarshsanjeev added this to the 30.0.0 milestone May 6, 2024