You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openwebbeans.apache.org by "CVEDetect (via GitHub)" <gi...@apache.org> on 2023/03/22 11:30:36 UTC
[GitHub] [openwebbeans-meecrowave] CVEDetect opened a new pull request, #19: Fix CVE dependency issue(Dependency org.apache.commons:commons-compress, leading to CVE problem)
CVEDetect opened a new pull request, #19:
URL: https://github.com/apache/openwebbeans-meecrowave/pull/19
Hi, In **/meecrowave-maven-plugin**,there is a dependency **org.apache.commons:commons-compress:1.18** that calls the risk method.
[CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)
The scope of this CVE affected version is **[1.15,1.19)**
After further analysis, in this project, the main Api called is **org.apache.commons.compress.archivers.zip.NioZipEncoding: encode(java.lang.String)Ljava.nio.ByteBuffer**
Risk method repair link : [GitHub](https://github.com/apache/commons-compress/commit/4ad5d80a6272e007f64a6ac66829ca189a8093b9)
**CVE Bug Invocation Path--**
**Path Length : 5**
```
CVE Bug Invocation Path :
org.apache.meecrowave.maven.MeecrowaveBundleMojo: execute()V .m2/repository/org/apache/maven/maven-model-builder/3.6.3/maven-model-builder-3.6.3.jar
org.apache.meecrowave.maven.MeecrowaveBundleMojo: tarGz(org.apache.commons.compress.archivers.tar.TarArchiveOutputStream,java.io.File,java.nio.file.Path)V .m2/repository/org/apache/maven/maven-model-builder/3.6.3/maven-model-builder-3.6.3.jar
org.apache.commons.compress.archivers.tar.TarArchiveOutputStream: putArchiveEntry(org.apache.commons.compress.archivers.ArchiveEntry)V .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.tar.TarArchiveOutputStream: handleLongName(org.apache.commons.compress.archivers.tar.TarArchiveEntry,java.lang.String,java.util.Map,java.lang.String,byte,java.lang.String)Z /ho.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.NioZipEncoding: encode(java.lang.String)Ljava.nio.ByteBuffer;
```
[CVE-2021-36090](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090)
The scope of this CVE affected version is **[0,1.31)**
After further analysis, in this project, the main Api called is **org.apache.commons.compress.archivers.zip.AsiExtraField: parseFromLocalFileData(byte[],int,int)V**
Risk method repair link : [GitHub](https://github.com/apache/commons-compress/commit/ef5d70b625000e38404194aaab311b771c44efda)
**CVE Bug Invocation Path--**
**Path Length : 8**
```
CVE Bug Invocation Path :
org.apache.meecrowave.maven.MeecrowaveBundleMojo: execute()V .m2/repository/org/apache/maven/maven-model-builder/3.6.3/maven-model-builder-3.6.3.jar
org.apache.meecrowave.maven.MeecrowaveBundleMojo: zip(org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream,java.io.File,java.nio.file.Path)V .m2/repository/org/apache/maven/maven-model-builder/3.6.3/maven-model-builder-3.6.3.jar
org.apache.commons.compress.archivers.jar.JarArchiveOutputStream: putArchiveEntry(org.apache.commons.compress.archivers.ArchiveEntry)V .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.ZipArchiveEntry: addAsFirstExtraField(org.apache.commons.compress.archivers.zip.ZipExtraField)V /.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.ZipArchiveEntry: setExtra()V .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.ZipArchiveEntry: setExtra(byte[])V .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.ExtraFieldUtils: parse(byte[],boolean,org.apache.commons.compress.archivers.zip.ExtraFieldUtils$UnparseableExtraField)[Lorg.apache.commons.compress.archivers.zip.ZipExtraField; .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.AsiExtraField: parseFromLocalFileData(byte[],int,int)V
```
**Dependency tree--**
```
[INFO] org.apache.meecrowave:meecrowave-maven-plugin:maven-plugin:1.2.16-SNAPSHOT
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.6.3:compile
[INFO] | +- org.apache.maven:maven-model:jar:3.6.3:compile
[INFO] | +- org.apache.maven:maven-artifact:jar:3.6.3:compile
[INFO] | +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.4:compile
[INFO] | +- org.codehaus.plexus:plexus-utils:jar:3.2.1:compile
[INFO] | \- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[INFO] +- org.apache.maven:maven-core:jar:3.6.3:compile
[INFO] | +- org.apache.maven:maven-settings:jar:3.6.3:compile
[INFO] | +- org.apache.maven:maven-settings-builder:jar:3.6.3:compile
[INFO] | | \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO] | | \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] | +- org.apache.maven:maven-builder-support:jar:3.6.3:compile
[INFO] | +- org.apache.maven:maven-repository-metadata:jar:3.6.3:compile
[INFO] | +- org.apache.maven:maven-model-builder:jar:3.6.3:compile
[INFO] | +- org.apache.maven:maven-resolver-provider:jar:3.6.3:compile
[INFO] | +- org.apache.maven.resolver:maven-resolver-impl:jar:1.4.1:compile
[INFO] | +- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
[INFO] | +- org.apache.maven.resolver:maven-resolver-spi:jar:1.4.1:compile
[INFO] | +- org.apache.maven.resolver:maven-resolver-util:jar:1.4.1:compile
[INFO] | +- org.apache.maven.shared:maven-shared-utils:jar:3.2.1:compile
[INFO] | +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.4:compile
[INFO] | +- com.google.inject:guice:jar:no_aop:4.2.1:compile
[INFO] | | +- aopalliance:aopalliance:jar:1.0:compile
[INFO] | | \- com.google.guava:guava:jar:25.1-android:compile
[INFO] | | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | | +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] | | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] | +- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:compile
[INFO] | \- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] +- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.3:compile
[INFO] +- org.apache.maven.shared:maven-dependency-tree:jar:3.0.1:compile
[INFO] | \- org.eclipse.aether:aether-util:jar:0.9.0.M2:compile
[INFO] +- org.apache.meecrowave:meecrowave-core:jar:1.2.16-SNAPSHOT:compile
[INFO] | +- org.apache.meecrowave:meecrowave-specs-api:jar:1.2.16-SNAPSHOT:compile
[INFO] | +- org.apache.tomcat:tomcat-jaspic-api:jar:9.0.70:compile
[INFO] | +- org.apache.xbean:xbean-finder-shaded:jar:4.20:compile
[INFO] | +- org.apache.xbean:xbean-asm9-shaded:jar:4.20:compile
[INFO] | +- org.apache.xbean:xbean-reflect:jar:4.20:compile
[INFO] | +- org.apache.openwebbeans:openwebbeans-spi:jar:2.0.27:compile
[INFO] | +- org.apache.openwebbeans:openwebbeans-web:jar:2.0.27:compile
[INFO] | | +- org.apache.openwebbeans:openwebbeans-impl:jar:2.0.27:compile
[INFO] | | \- org.apache.openwebbeans:openwebbeans-el22:jar:2.0.27:compile
[INFO] | +- org.apache.tomcat:tomcat-catalina:jar:9.0.70:compile
[INFO] | | +- org.apache.tomcat:tomcat-juli:jar:9.0.70:compile
[INFO] | | +- org.apache.tomcat:tomcat-api:jar:9.0.70:compile
[INFO] | | +- org.apache.tomcat:tomcat-jni:jar:9.0.70:compile
[INFO] | | +- org.apache.tomcat:tomcat-coyote:jar:9.0.70:compile
[INFO] | | +- org.apache.tomcat:tomcat-util:jar:9.0.70:compile
[INFO] | | \- org.apache.tomcat:tomcat-util-scan:jar:9.0.70:compile
[INFO] | +- org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.5.5:compile
[INFO] | | +- org.apache.cxf:cxf-core:jar:3.5.5:compile
[INFO] | | +- org.apache.cxf:cxf-rt-transports-http:jar:3.5.5:compile
[INFO] | | \- org.apache.cxf:cxf-rt-security:jar:3.5.5:compile
[INFO] | +- org.apache.cxf:cxf-integration-cdi:jar:3.5.5:compile
[INFO] | +- org.apache.cxf:cxf-rt-rs-client:jar:3.5.5:compile
[INFO] | +- org.apache.johnzon:johnzon-jsonb:jar:1.2.19:compile
[INFO] | | \- org.apache.johnzon:johnzon-mapper:jar:1.2.19:compile
[INFO] | | \- org.apache.johnzon:johnzon-core:jar:1.2.19:compile
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.19.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-core:jar:2.19.0:compile
[INFO] | \- org.apache.logging.log4j:log4j-jul:jar:2.19.0:compile
[INFO] +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] +- org.apache.maven.plugin-testing:maven-plugin-testing-harness:jar:3.3.0:test
[INFO] | \- commons-io:commons-io:jar:2.2:compile
[INFO] +- org.codehaus.plexus:plexus-archiver:jar:4.2.3:test
[INFO] | +- org.codehaus.plexus:plexus-io:jar:3.2.0:test
[INFO] | +- org.iq80.snappy:snappy:jar:0.4:test
[INFO] | \- org.tukaani:xz:jar:1.8:test
[INFO] +- org.apache.maven:maven-compat:jar:3.6.3:test
[INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
[INFO] | \- org.apache.maven.wagon:wagon-provider-api:jar:3.3.4:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.apache.tomee:ziplock:jar:7.0.3:test
[INFO] \- org.slf4j:slf4j-simple:jar:1.7.32:test
[INFO] \- org.slf4j:slf4j-api:jar:1.7.32:compile
```
**_Suggested solutions:_**
Update dependency version
Thank you very much.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@openwebbeans.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org