Upgrade vulnerable dependencies

[feffi]

In the current development master, some of the dependencies (direct and transitive) are prone to several (and high) vulnerabilities. Those dependencies have to be replaced (direct) or version pinned (transitive).

✗ Medium severity vulnerability found on com.google.guava:guava@21.0
- desc: Deserialization of Untrusted Data
- info: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236

✗ High severity vulnerability found on commons-beanutils:commons-beanutils@1.8.3
- desc: Arbitrary Code Execution
- info: https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077

✗ Medium severity vulnerability found on io.undertow:undertow-core@1.4.25.Final
- desc: Directory Traversal
- info: https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-32074

✗ High severity vulnerability found on org.apache.commons:commons-email@1.4
- desc: SMTP Header Injection
- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-31458

✗ Medium severity vulnerability found on org.apache.commons:commons-compress@1.12
- desc: Denial of Service (DoS)
- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-32122

✗ High severity vulnerability found on org.apache.lucene:lucene-queryparser@5.5.0
- desc: XML External Entity (XXE) Injection
- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELUCENE-31569

✗ Medium severity vulnerability found on org.apache.xmlgraphics:batik-dom@1.9.1
- desc: Information Exposure
- info: https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEXMLGRAPHICS-32304

✗ High severity vulnerability found on org.bouncycastle:bcprov-jdk15on@1.53
- desc: Insufficient Validation
- info: https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32340

✗ Medium severity vulnerability found on org.codehaus.plexus:plexus-utils@3.0.20
- desc: Directory Traversal
- info: https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31521

✗ High severity vulnerability found on org.jasig.cas.client:cas-client-core@3.4.1
- desc: XML External Entity (XXE) Injection
- info: https://snyk.io/vuln/SNYK-JAVA-ORGJASIGCASCLIENT-31192

✗ Medium severity vulnerability found on org.slf4j:slf4j-ext@1.6.3
- desc: Deserialization of Untrusted Data
- info: https://snyk.io/vuln/SNYK-JAVA-ORGSLF4J-32138

✗ High severity vulnerability found on xerces:xercesImpl@2.8.1
- desc: Denial of Service (DoS)
- info: https://snyk.io/vuln/SNYK-JAVA-XERCES-31497

[jknack]

How did you get this output?

Also, can you please clear a bit and just add one report per library/jar? Guava for example is listed in every child project.

Also, I think some of these don't directly apply to Jooby. Some examples:

• undertow directory traversal. I don't think this affect to Jooby, the last time I checked here we were good across all the server implementations (netty, jetty and undertow)

• some others are only required by the coverage-report module (test only)

[feffi]

Hi, I did some analysis with snyk, nexus-iq and blackduck. Next step will be a taint-analysis of the jooby code itself, not only the OWASP A9.

For the vulnerabilities themselves: I'm currently looking into every issue closely, figuring out, if we can/must mitigate it. Regarding your traversal, you may be right, I would try to write a test for that, verifying it. Regardless of "test-only" dependencies those should be mitigated, if possible. Even "test-vulnerabilities" can be attacked (in the build pipeline for example).

And yes, thanks for the hint, I "uniqued" the list above.

[feffi]

I will split this into several items, it's more granular for fixing-branches

[jknack]

We can close this one, right? Already done in separated pulls.

[feffi]

yes, the rest is handled in separate issues/PRs