Skip to content

jenngile/fixme-transitive-java

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
.devcontainer
.devcontainer
 
 
.github/workflows
.github/workflows
 
 
src
src
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Fixing Transitive Dependencies in Java

This project demonstrates how to fix vulnerable transitive dependencies in a Java Maven project, specifically focusing on log4j vulnerabilities.

Your task is to update log4j-core to get rid of the vulnerabilities in this packages bill of materials. First review the vulnerabilities, then update the package.

Quick Start

  1. Fork and clone the repository:
git clone https://github.com/endorlabs/fixme-transitive-java.git
cd fixme-transitive-java
  1. Build the project:
mvn clean install

Identifying the Problem

  1. View the dependency tree:
mvn dependency:tree

Key findings:

  • anteros-core is a direct dependency
  • It brings in potentially vulnerable log4j versions as transitive dependencies

Scan for Vulnerabilities

We'll use endorctl to scan the project for known vulnerabilities.

Step-by-step:

  1. Initialize Endor Labs
    Run the following command to authenticate with Endor Labs and set up your environment:

    ./endorctl init --auth-mode <mode> --headless-mode

    Replace <mode> with your preferred authentication mode (e.g., google, github, etc.).

  2. Authenticate via Portal
    The command will output a URL. You can command-click (⌘+click) the link in your terminal to open the authentication portal.
    Log in and copy the generated token.

  3. Complete Setup
    Paste the token back into your terminal.
    You'll then be prompted to select a tenant—choose the one you just created.

  4. Run the Vulnerability Scan
    Once authenticated and configured, scan your codebase:

    ./endorctl scan

    This will analyze your project for security vulnerabilities.

Fixing the Issue

Option 1: Upgrade Direct Dependency

  1. Update anteros-core version in pom.xml:
<dependency>
    <groupId>com.anteros</groupId>
    <artifactId>anteros-core</artifactId>
    <version>INSERT_LATEST_VERSION</version>
</dependency>
  1. Rebuild and verify:
mvn clean install
mvn dependency:tree

Option 2: Override Transitive Dependency

If Option 1 doesn't resolve the issue, add this to your pom.xml inside of the <dependencies> section:

        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.17.2</version>
        </dependency>

Verify the Fix

  1. Rebuild the project:
mvn clean install
  1. Check the dependency tree again:
mvn dependency:tree
  1. Run vulnerability scan:
./endorctl scan

Ensure that log4j now appears with the safe version you specified.

About

Workshop to show fixing transitive dependencies

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Java 100.0%