Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

repave dependencies #760

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

repave dependencies #760

wants to merge 1 commit into from

Conversation

gregallen
Copy link

I have read the CLA Document and I hereby sign the CLA

@gregallen gregallen mentioned this pull request Sep 25, 2023
Closed
@yahavi yahavi added the safe to test Approve running integration tests on a pull request label Sep 26, 2023
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 26, 2023
@github-actions
Copy link

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Medium		 Applicable org.jfrog.buildinfo:build-info-extractor:2.41.x-SNAPSHOT
com.fasterxml.jackson.core:jackson-databind:2.15.2
com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.2
org.mock-server:mockserver-netty:5.15.0
com.github.docker-java:docker-java:3.3.3
org.jfrog.buildinfo:build-info-extractor-docker:2.41.x-SNAPSHOT		 com.fasterxml.jackson.core:jackson-databind:2.15.2 - CVE-2023-35116

🔬 Research Details

@github-actions
Copy link 

mapper.writeValueAsString(this)

at build-info-client/src/main/java/org/jfrog/build/client/artifactoryXrayResponse/ArtifactoryXrayResponse.java (line 60)

📦🔍 Contextual Analysis CVE Vulnerability

Severity Impacted Dependency Finding CVE

Medium		 com.fasterxml.jackson.core:jackson-databind:2.15.2 At least one of the vulnerable functions writeValueAsString, writeValueAsBytes, writeValue, serializeValue is called with external input CVE-2023-35116
Description

The scanner checks for calls to the vulnerable functions with external input:

  • ObjectMapper.writeValue()
  • ObjectMapper.writeValueAsString()
  • ObjectMapper.writeValueAsBytes()
  • ObjectWriter.writeValue()
  • ObjectWriter.writeValueAsString()
  • ObjectWriter.writeValueAsBytes()
  • ser.DefaultSerializerProvider.serializeValue()

For determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The input argument to those functions is a cyclic object (e.g. a HashMap object with a reference to itself).

CVE details

An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

@gregallen
Copy link
Author

the jackson-databind vulnerability is rejected by jackson team - see FasterXML/jackson-databind#3972

suggest you need to whitelist this dependency (as has been done at my employer in a similar dep scanning tool)

@yahavi
Copy link
Member

yahavi commented Sep 29, 2023

Thanks for your contribution, @gregallen!

It appears that all Gradle tests are failing. You can check out the details here: https://github.com/jfrog/build-info/actions/runs/6308986191/job/17137306523?pr=760

Would you be able to take a look?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@gregallen @yahavi