[Security] Upgrade dependencies to fix severity #7509

Closed
ilovechai opened this issue Mar 9, 2023 · 4 comments
Labels: bug (Something isn't working), security (Security related, high priority)

Comments

@ilovechai (Contributor)

Existing/related issue?

No response

Current Behavior

Security Analysis of quay.io/odpi/egeria:latest image:

| Image | Package | Version | Path | Type | CVE | CVSS | Severity | Status | HasFix | Exploit | Scanners |
|---|---|---|---|---|---|---|---|---|---|---|---|
| egeria | bash | 5.1 | /usr/bin/bash | | CVE-2022-3715 | 7.8 | high | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/gencat; /usr/bin/getconf; /usr/bin/getent; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2021-38604 | 7.5 | high | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/gencat; /usr/bin/getconf; /usr/bin/getent; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2021-3998 | 7.5 | high | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/gencat; /usr/bin/getconf; /usr/bin/getent; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2021-43396 | 7.5 | high | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/gencat; /usr/bin/getconf; /usr/bin/getent; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2022-23218 | 9.8 | critical | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/gencat; /usr/bin/getconf; /usr/bin/getent; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2022-23219 | 9.8 | critical | | N | | aqua- |
| egeria | gnupg | 2.3.3 | /usr/bin/gpg-connect-agent; /usr/bin/gpgsplit; /usr/bin/gpgconf; /usr/bin/gpg-agent | | CVE-2022-34903 | 6.5 | medium | | N | | aqua- |
| egeria | gnupg | 2.3.3 | /usr/bin/gpg-connect-agent; /usr/bin/gpgsplit; /usr/bin/gpgconf; /usr/bin/gpg-agent | | CVE-2022-3515 | 9.8 | critical | | N | | aqua- |
| egeria | jquery | 3.1.1 | /deployments/server/lib/graph-repository-connector-jar-with-dependencies-4.0-SNAPSHOT.jar:js/jquery-3.1.1.min.js | javascript | CVE-2019-11358 | 6.1 | medium | Upgrade package jquery to version 3.4.0 or above. | Y | | aqua- |
| egeria | jquery | 3.1.1 | /deployments/server/lib/graph-repository-connector-jar-with-dependencies-4.0-SNAPSHOT.jar:js/jquery-3.1.1.min.js | javascript | CVE-2020-11022 | 6.1 | critical | Upgrade package jquery to version 3.5.0 or above. (critical because known exploit) | Y | 49766 | aqua- |
| egeria | jquery | 3.1.1 | /deployments/server/lib/graph-repository-connector-jar-with-dependencies-4.0-SNAPSHOT.jar:js/jquery-3.1.1.min.js | javascript | CVE-2020-11023 | 6.1 | critical | Upgrade package jquery to version 3.5.0 or above. (critical because known exploit) | Y | 49767 | aqua- |
| egeria | snakeyaml | 1.33 | /deployments/server/lib/graph-repository-connector-jar-with-dependencies-4.0-SNAPSHOT.jar | java | CVE-2022-1471 | 9.8 | critical | Upgrade package snakeyaml to version 2.0 or above. | Y | | aqua- |
| egeria | snakeyaml | 1.33 | /deployments/server/server-chassis-spring-4.0-SNAPSHOT.jar:BOOT-INF/lib/snakeyaml-1.33.jar | java | CVE-2022-1471 | 9.8 | critical | Upgrade package snakeyaml to version 2.0 or above. | Y | | aqua- |
| egeria | snakeyaml | 1.33 | /deployments/user-interface/ui-chassis-spring-4.0-SNAPSHOT.jar:BOOT-INF/lib/snakeyaml-1.33.jar | java | CVE-2022-1471 | 9.8 | critical | Upgrade package snakeyaml to version 2.0 or above. | Y | | aqua- |
| egeria | spring-web | 5.3.25 | /deployments/server/server-chassis-spring-4.0-SNAPSHOT.jar:BOOT-INF/lib/spring-web-5.3.25.jar | java | CVE-2016-1000027 | 9.8 | critical | Upgrade package spring-web to version 6.0.0 or above. | Y | | aqua- |
| egeria | spring-web | 5.3.25 | /deployments/user-interface/ui-chassis-spring-4.0-SNAPSHOT.jar:BOOT-INF/lib/spring-web-5.3.25.jar | java | CVE-2016-1000027 | 9.8 | critical | Upgrade package spring-web to version 6.0.0 or above. | Y | | aqua- |
| egeria | util-linux | 1.1 | /usr/lib64/libblkid.so.1.1.0; /usr/lib64/libmount.so.1.1.0 | | CVE-2011-1675 | 3.3 | low | | N | | aqua- |
| egeria | util-linux | 1.1 | /usr/lib64/libblkid.so.1.1.0; /usr/lib64/libmount.so.1.1.0 | | CVE-2011-1676 | 3.3 | low | | N | | aqua- |
| egeria | util-linux | 1.1 | /usr/lib64/libblkid.so.1.1.0; /usr/lib64/libmount.so.1.1.0 | | CVE-2011-1677 | 4.6 | medium | | N | | aqua- |

Expected Behavior

Dependencies need to be upgraded to fix severity

@planetf1

Steps To Reproduce

No response

Environment

- Egeria: latest
- Image: quay.io/odpi/egeria:latest

Any Further Information?

No response

@ilovechai ilovechai added bug Something isn't working triage New bug/issue which needs checking & assigning labels Mar 9, 2023
@planetf1 (Member)

planetf1 commented Mar 10, 2023

egeria:latest is now building off our 4.0-SNAPSHOT code, and is using registry.access.redhat.com/ubi9/openjdk-17-runtime as the base image.

First, in terms of the base image content ...

We use these Red Hat UBI images precisely to maintain as good a security posture as we can efficiently. As an open source project we err on continual updates of latest, and reuse of other teams' assets (like Red Hat). The images tend to have fixes fairly quickly. They are the best base images we have found from a security perspective.

If there are better base images publicly available, that is certainly something we could look at, but we won't be able to keep up maintaining our own core image.

We don't refer to a specific build tag and intentionally pull the latest for each and every build (including when we get to release -- which we run extra tests against).

The quay.io scan is currently showing very few vulnerabilities from the scanner they host.

If there are extra vulnerabilities they would need to be raised against Red Hat for consideration (and we can work together to figure out the best way to do that).

[Screenshot of the quay.io scan results, taken 2023-03-10 at 08:26]

Were these results from a different scan tool?

In terms of the egeria content,

  • jquery 3.1.1
    From a jar dependency perspective, we use 3.6.1 - a much newer version (I've not checked CVEs on that one yet).

    It's possible there is a jar deeply embedded within a different package. I'll unpack to look.

    Further, this is in the graph connector which you will not need, or use. The intent is to move this connector out into a different repository.

    Whilst it is placed in the assembly, you can remove it from server/lib until we have revisited how we assemble components together.

  • snakeyaml 1.3.3
    See referenced PR -- this is blocked with spring5, but we expect to merge spring6 in the coming days, and had intended to update this. Will leave your PR open for inclusion.

  • spring-web 5.3.25
    As above, spring update expected imminently; we should review after this. Some of the past spring vulnerabilities have been in code not used by egeria. We have a draft notification but not released. Let's see how v6 is.

@planetf1 planetf1 added security Security related (high priority) and removed triage New bug/issue which needs checking & assigning labels Mar 10, 2023
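The maintainer's point about jquery is that the scanner found it inside a shaded "jar-with-dependencies" artifact rather than as a declared Maven dependency, so a `pom.xml` review alone would miss it. The following script is an added example (not Egeria project code and not the scanner's output) of how a defender can reproduce that kind of finding: it walks a jar and every jar nested inside it, reports jQuery builds by their version banner and Maven-built jars by their `META-INF/maven/.../pom.properties`, and flags anything older than the fixed versions the scanner recommended above (3.5.0 for jquery, 2.0 for snakeyaml). The two-level jar it scans is constructed in memory for the demonstration; the file layout only mimics the paths in the report.

```python
import io
import re
import zipfile

# Constructed sample input (not a real Egeria artifact): an outer
# "jar-with-dependencies" that embeds a minified jQuery file and a nested
# snakeyaml jar, laid out like the paths the scanner reported.
JQUERY_HEADER = b"/*! jQuery v3.1.1 | (c) jQuery Foundation | jquery.org/license */\n"
SNAKEYAML_POM = b"version=1.33\ngroupId=org.yaml\nartifactId=snakeyaml\n"


def build_sample_jar() -> bytes:
    """Build the constructed two-level jar in memory."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties", SNAKEYAML_POM)
        z.writestr("org/yaml/snakeyaml/Yaml.class", b"\xca\xfe\xba\xbe")  # fake class file
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("js/jquery-3.1.1.min.js", JQUERY_HEADER + b"!function(){}();")
        z.writestr("js/app.js", b"console.log('no version banner here');")
        z.writestr("BOOT-INF/lib/snakeyaml-1.33.jar", inner.getvalue())
    return outer.getvalue()


# jQuery ships a "/*! jQuery vX.Y.Z" banner at the top of its minified build.
JQUERY_BANNER_RE = re.compile(rb"jQuery v(\d+\.\d+\.\d+)")


def find_embedded_components(jar_bytes: bytes, prefix: str = "") -> list:
    """Walk a jar (zip) and every jar nested inside it.

    Returns (path, component, version) tuples, with nested entries written
    as outer.jar:inner/path, the same convention the scan output uses.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            path = prefix + name
            if name.endswith((".jar", ".war", ".zip")):
                # Recurse into nested archives (shaded / jar-with-dependencies builds).
                findings.extend(find_embedded_components(z.read(name), path + ":"))
            elif name.endswith(".js"):
                m = JQUERY_BANNER_RE.search(z.read(name)[:512])
                if m:
                    findings.append((path, "jquery", m.group(1).decode()))
            elif name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                # Maven-built jars record their own coordinates here.
                props = dict(
                    line.split("=", 1)
                    for line in z.read(name).decode().splitlines()
                    if "=" in line and not line.startswith("#")
                )
                findings.append((path, props.get("artifactId", "?"), props.get("version", "?")))
    return findings


def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


# Minimum fixed versions, taken from the scanner's "Upgrade package ..." advice above.
MIN_FIXED = {"jquery": "3.5.0", "snakeyaml": "2.0"}


def below_fixed_version(findings: list) -> list:
    """Keep only findings whose version is older than the known fixed release."""
    return [
        (path, comp, ver)
        for path, comp, ver in findings
        if comp in MIN_FIXED and version_tuple(ver) < version_tuple(MIN_FIXED[comp])
    ]


if __name__ == "__main__":
    for path, comp, ver in below_fixed_version(find_embedded_components(build_sample_jar())):
        print(f"{comp} {ver} needs >= {MIN_FIXED[comp]}: {path}")
```

Against a real assembly you would feed it the bytes of each file under a directory such as /deployments/server/lib and run it in CI against the built image, so a shaded jar that re-bundles an old jQuery or snakeyaml fails the build before a registry scan reports it. The banner and pom.properties heuristics are deliberately narrow: they identify components a scanner will flag by name, not every library in the archive.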
@planetf1 (Member)

Spring is now updated, and the snakeyaml PR has gone in.

As such I think all the issues mentioned here are actioned -- or in the case of jquery, not seen.
This is for main/release 4.

@planetf1 (Member)

Please reopen if there are additional issues noted

@ilovechai (Contributor, author)

Security scans from the latest egeria image built from main (813a5e09). Spring-web and snakeyaml issues resolved.

| Image | Package | Version | Path | Type | CVE | CVSS | Severity | Status | HasFix | Exploit | Scanners |
|---|---|---|---|---|---|---|---|---|---|---|---|
| egeria | bash | 5.1 | /usr/bin/bash | | CVE-2022-3715 | 7.8 | high | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/getconf; /usr/bin/getent; /usr/bin/gencat; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2021-38604 | 7.5 | high | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/getconf; /usr/bin/getent; /usr/bin/gencat; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2021-3998 | 7.5 | high | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/getconf; /usr/bin/getent; /usr/bin/gencat; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2021-43396 | 7.5 | high | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/getconf; /usr/bin/getent; /usr/bin/gencat; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2022-23218 | 9.8 | critical | | N | | aqua- |
| egeria | glibc | 2.34 | /usr/bin/getconf; /usr/bin/getent; /usr/bin/gencat; /usr/bin/iconv; /usr/bin/locale; /usr/bin/localedef; /usr/bin/sprof; /usr/sbin/iconvconfig; /usr/sbin/ldconfig | | CVE-2022-23219 | 9.8 | critical | | N | | aqua- |
| egeria | gnupg | 2.3.3 | /usr/bin/gpg-connect-agent; /usr/bin/gpg-agent; /usr/bin/gpgconf; /usr/bin/gpgsplit | | CVE-2022-34903 | 6.5 | medium | | N | | aqua- |
| egeria | gnupg | 2.3.3 | /usr/bin/gpg-connect-agent; /usr/bin/gpg-agent; /usr/bin/gpgconf; /usr/bin/gpgsplit | | CVE-2022-3515 | 9.8 | critical | | N | | aqua- |
| egeria | jquery | 3.1.1 | /deployments/server/lib/graph-repository-connector-jar-with-dependencies-4.0-SNAPSHOT.jar:js/jquery-3.1.1.min.js | javascript | CVE-2019-11358 | 6.1 | medium | Upgrade package jquery to version 3.4.0 or above. | Y | | aqua- |
| egeria | jquery | 3.1.1 | /deployments/server/lib/graph-repository-connector-jar-with-dependencies-4.0-SNAPSHOT.jar:js/jquery-3.1.1.min.js | javascript | CVE-2020-11022 | 6.1 | critical | Upgrade package jquery to version 3.5.0 or above. (critical because known exploit) | Y | 49766 | aqua- |
| egeria | jquery | 3.1.1 | /deployments/server/lib/graph-repository-connector-jar-with-dependencies-4.0-SNAPSHOT.jar:js/jquery-3.1.1.min.js | javascript | CVE-2020-11023 | 6.1 | critical | Upgrade package jquery to version 3.5.0 or above. (critical because known exploit) | Y | 49767 | aqua- |
| egeria | util-linux | 1.1 | /usr/lib64/libblkid.so.1.1.0; /usr/lib64/libmount.so.1.1.0 | | CVE-2011-1675 | 3.3 | low | | N | | aqua- |
| egeria | util-linux | 1.1 | /usr/lib64/libblkid.so.1.1.0; /usr/lib64/libmount.so.1.1.0 | | CVE-2011-1676 | 3.3 | low | | N | | aqua- |
| egeria | util-linux | 1.1 | /usr/lib64/libblkid.so.1.1.0; /usr/lib64/libmount.so.1.1.0 | | CVE-2011-1677 | 4.6 | medium | | N | | aqua- |
