Address vulns #1415

metametadata · 2024-10-11T21:54:10Z

cdxgen is installed via npm install -g @cyclonedx/cdxgen@10.10.4

Vulns detected by Grype:

NAME                                                  INSTALLED                FIXED-IN  TYPE          VULNERABILITY        SEVERITY
commons-io                                            2.7                      2.14.0    java-archive  GHSA-78wr-2p64-hpwj  High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/commons-io.commons-io-2.7.jar
org.eclipse.platform.org.eclipse.equinox.app          1.7.100                            java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.app-1.7.100.jar
org.eclipse.platform.org.eclipse.equinox.common       3.19.100                           java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.common-3.19.100.jar
org.eclipse.platform.org.eclipse.equinox.preferences  3.11.100                           java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.preferences-3.11.100.jar
org.eclipse.platform.org.eclipse.equinox.registry     3.12.100                           java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.registry-3.12.100.jar
protobuf-java                                         3.21.7                   3.25.5    java-archive  GHSA-735f-pc8j-v9w8  High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/com.google.protobuf.protobuf-java-3.21.7.jar
protobuf-java                                         3.21.7                             java-archive  CVE-2024-7254        Unknown
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/com.google.protobuf.protobuf-java-3.21.7.jar

The paths after * are the locations of the reported vulns.

The text was updated successfully, but these errors were encountered:

prabhu · 2024-10-12T09:21:31Z

Probably must be filled under the atom or chen repo. Needs triaging since I doubt many of the CVEs reported especially the eclipse ones are even valid.

prabhu · 2024-11-17T20:35:59Z

commons-io and protobuf-java CVEs needs to be fixed. List of repos and PRs involved.

prabhu · 2024-11-17T22:03:39Z

Thanks @metametadata for flagging the issues. All the eclipse ones are false positives. commons-io is not used by atom, so added exclusion rule to remove them from the target. Upgraded protobuf-java, although the impact of the CVE is quite low.

This will be released in cdxgen 11.0.2

metametadata changed the title ~~Address vulns detected in the binary~~ Address vulns Oct 11, 2024

prabhu added this to cdxgen top issues Oct 26, 2024

prabhu moved this to Seeking sponsors in cdxgen top issues Oct 26, 2024

prabhu moved this from Seeking sponsors to In Progress in cdxgen top issues Nov 17, 2024

prabhu added the security label Nov 17, 2024

prabhu closed this as completed Nov 17, 2024

github-project-automation bot moved this from In Progress to Ready for QA in cdxgen top issues Nov 17, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Address vulns #1415

Address vulns #1415

metametadata commented Oct 11, 2024

prabhu commented Oct 12, 2024

prabhu commented Nov 17, 2024 •

edited

Loading

prabhu commented Nov 17, 2024

Address vulns #1415

Address vulns #1415

Comments

metametadata commented Oct 11, 2024

prabhu commented Oct 12, 2024

prabhu commented Nov 17, 2024 • edited Loading

prabhu commented Nov 17, 2024

prabhu commented Nov 17, 2024 •

edited

Loading