Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

repave dependencies #760

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

gregallen
Copy link

I have read the CLA Document and I hereby sign the CLA

@yahavi yahavi added the safe to test Approve running integration tests on a pull request label Sep 26, 2023
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 26, 2023
@github-actions
Copy link

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Medium
Applicable org.jfrog.buildinfo:build-info-extractor:2.41.x-SNAPSHOT
com.fasterxml.jackson.core:jackson-databind:2.15.2
com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.2
org.mock-server:mockserver-netty:5.15.0
com.github.docker-java:docker-java:3.3.3
org.jfrog.buildinfo:build-info-extractor-docker:2.41.x-SNAPSHOT
com.fasterxml.jackson.core:jackson-databind:2.15.2 - CVE-2023-35116

🔬 Research Details


@github-actions
Copy link

mapper.writeValueAsString(this)

at build-info-client/src/main/java/org/jfrog/build/client/artifactoryXrayResponse/ArtifactoryXrayResponse.java (line 60)

📦🔍 Contextual Analysis CVE Vulnerability

Severity Impacted Dependency Finding CVE

Medium
com.fasterxml.jackson.core:jackson-databind:2.15.2 At least one of the vulnerable functions writeValueAsString, writeValueAsBytes, writeValue, serializeValue is called with external input CVE-2023-35116
Description

The scanner checks for calls to the vulnerable functions with external input:

  • ObjectMapper.writeValue()
  • ObjectMapper.writeValueAsString()
  • ObjectMapper.writeValueAsBytes()
  • ObjectWriter.writeValue()
  • ObjectWriter.writeValueAsString()
  • ObjectWriter.writeValueAsBytes()
  • ser.DefaultSerializerProvider.serializeValue()

For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The input argument to those functions is a cyclic object (e.g. a HashMap object with a reference to itself).

CVE details

An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.


@gregallen
Copy link
Author

the jackson-databind vulnerability is rejected by jackson team - see FasterXML/jackson-databind#3972

suggest you need to whitelist this dependency (as has been done at my employer in a similar dep scanning tool)

@yahavi
Copy link
Member

yahavi commented Sep 29, 2023

Thanks for your contribution, @gregallen!

It appears that all Gradle tests are failing. You can check out the details here: https://github.com/jfrog/build-info/actions/runs/6308986191/job/17137306523?pr=760

Would you be able to take a look?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants