
High severity issues in security dependency check #512

Closed
drcabral opened this issue Jul 4, 2019 · 17 comments

Comments

@drcabral

drcabral commented Jul 4, 2019

Hi everyone,

I'm working with ktlint and I checked for dependency security issues in my project. In the latest version, ktlint presents 7 high severity issues, which I think is a lot.

Is there any work going on to take a look and solve these problems? Thanks!

[Screenshot: Screen Shot 2019-07-04 at 18 24 42]

Analysis made with owasp dependency check

@shashachu
Contributor

Hi! It looks like this is all due to a dependency? Does that dependency have an updated version without whatever security issues?

@drcabral
Author

drcabral commented Jul 4, 2019

I'm using ktlint directly in my project, and I updated to 0.33.0, which I think is the latest stable version available. So Ktlint does not have a newer version without security issues, I guess.

@shashachu
Contributor

Sorry, yes I'm one of the maintainers of the project. I was just wondering if you'd looked into solutions at all. We will be releasing 0.34.0 soon and we can aim to include a fix for this.

@drcabral
Author

drcabral commented Jul 4, 2019

Thank you!

@Tapchicoma
Collaborator

@drcabral are these security issues raised only for the latest release, or for earlier releases too? And could you provide more details about these issues, like exactly which dependencies have security issues?

@drcabral
Author

drcabral commented Jul 5, 2019

Hi @Tapchicoma, I was using version 0.29.0 and I updated to 0.33.0 thinking that the issues could be solved, but all the same issues still remained.

I can share with you the messages about the issues that the dependency check identified:

-> Ktlint-core-0.33.0.jar

Published Vulnerabilities
CVE-2019-1010260  suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC - https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0


-> ktlint-reporter-checkstyle-0.33.0

CVE-2019-1010260  suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC - https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

CVE-2019-9658  suppress

Checkstyle before 8.18 loads external DTDs by default.
CVSSv2:
* Base Score: MEDIUM (5.0)
* Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
* Base Score: MEDIUM (5.3)
* Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:
* FEDORA - FEDORA-2019-4696630d6f
* FEDORA - FEDORA-2019-a3f67e2364
* FEDORA - FEDORA-2019-e4405b4c9f
* MISC - https://checkstyle.org/releasenotes.html#Release_8.18
* MISC - https://github.com/checkstyle/checkstyle/issues/6474
* MISC - https://github.com/checkstyle/checkstyle/issues/6478
* MISC - https://github.com/checkstyle/checkstyle/pull/6476
* MLIST - [accumulo-notifications] 20190612 [GitHub] [accumulo-testing] milleruntime opened a new pull request #80: Update checkstyle
* MLIST - [debian-lts-announce] 20190428 [SECURITY] [DLA 1768-1] checkstyle security update
* MLIST - [james-server-dev] 20190318 [james-project] 01/03: JAMES-2693 Update com.puppycrawl.tools:checkstyle to respond to CVE-2019-9658

Vulnerable Software & Versions:
* cpe:2.3:a:checkstyle:checkstyle:*:*:*:*:*:*:*:* versions up to (excluding) 8.18

-> ktlint-reporter-json-0.33.0

Published Vulnerabilities
CVE-2019-1010260  suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC - https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

-> ktlint-reporter-plain-0.33.0

Published Vulnerabilities
CVE-2019-1010260  suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC - https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

-> ktlint-ruleset-experimental-0.33.0

Published Vulnerabilities
CVE-2019-1010260  suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC - https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

-> ktlint-ruleset-standard-0.33.0

Published Vulnerabilities
CVE-2019-1010260  suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC - https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

-> ktlint-test-0.33.0

Published Vulnerabilities
CVE-2019-1010260  suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC - https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

@shashachu
Contributor

shashachu commented Jul 5, 2019

Ah ok, I remember this issue. I believe the vulnerability has actually been fixed, but the process to mark it as such hasn't been resolved. @JLLeitschuh did it ever get resubmitted?

@Tapchicoma
Collaborator

Also, it should not be a problem once #451 is resolved.

@shashachu
Contributor

I'm pretty unfamiliar with the process, but it does look like our assigned CVE number (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010260) does say it should be fixed in 0.30.0 and later; so not sure what's missing as far as the reporting.
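The point raised here (the finding's own affected range is "up to (excluding) 0.30.0" while the scanned jars are 0.33.0) can be checked mechanically. The following Python is an added triage example, not part of this thread or of ktlint: it parses report excerpts in the shape pasted above and compares each artifact's version against the range the finding states. The excerpt is constructed, and the artifact-name parsing and the "review" verdict for a CPE product that is not the artifact itself (as with the checkstyle hit on the reporter jar) are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed excerpt in the shape of the report pasted above (artifact header,
# CVE line, affected-versions line); not the reporter's full output.
SAMPLE_REPORT = """\
-> ktlint-core-0.33.0.jar
CVE-2019-1010260  suppress
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0
-> ktlint-reporter-checkstyle-0.33.0
CVE-2019-1010260  suppress
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0
CVE-2019-9658  suppress
* cpe:2.3:a:checkstyle:checkstyle:*:*:*:*:*:*:*:* versions up to (excluding) 8.18
"""

ARTIFACT_RE = re.compile(r"^-> (?P<name>.+?)-(?P<version>\d+(?:\.\d+)*)(?:\.jar)?$")
CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)")
RANGE_RE = re.compile(r"^\* cpe:2\.3:a:[^:]+:(?P<product>[^:]+):.* versions up to "
                      r"\((?P<bound>including|excluding)\) (?P<limit>\d+(?:\.\d+)*)$")
Finding = namedtuple("Finding", "artifact version cve product verdict")

def parse_version(text):
    """Dotted numeric version to a comparable tuple: '0.33.0' -> (0, 33, 0)."""
    return tuple(int(part) for part in text.split("."))

def in_range(version, bound, limit):
    """True if `version` lies inside 'versions up to (<bound>) <limit>'."""
    v, lim = parse_version(version), parse_version(limit)
    return v < lim if bound == "excluding" else v <= lim

def triage(report):
    """Give every CVE/affected-range pair in the report a triage verdict."""
    findings, artifact, version, cve = [], None, None, None
    for line in report.splitlines():
        if m := ARTIFACT_RE.match(line):
            artifact, version = m["name"].lower(), m["version"]
        elif m := CVE_RE.match(line):
            cve = m[1]
        elif (m := RANGE_RE.match(line)) and artifact and cve:
            if not artifact.startswith(m["product"]):
                # CPE names another product: the jar's version says nothing here.
                verdict = "review: CPE product differs from artifact"
            elif in_range(version, m["bound"], m["limit"]):
                verdict = "true positive: version inside affected range"
            else:
                verdict = "false positive: version outside affected range"
            findings.append(Finding(artifact, version, cve, m["product"], verdict))
    return findings
```

A "false positive" verdict only means the scanner's stated range does not cover the scanned version; whether the CVE record itself is accurate is a separate question that this thread leaves with the CVE reporting process.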

@Fleshgrinder

The vulnerabilities from dependencies remain. I think the easiest solution for ktlint would be to simply upgrade as much as possible to the latest version.

@shashachu
Contributor

shashachu commented Jul 5, 2019

The vulnerabilities from dependencies remain. I think the easiest solution for ktlint would be to simply upgrade as much as possible to the latest version.

Ah, I didn't see this one:

Checkstyle before 8.18 loads external DTDs by default.

This is a bit confusing because I don't believe we actually include checkstyle as a dependency, we just output a checkstyle-formatted report. Does it just want us to require a higher checkstyle version?

override fun afterAll() {
    out.println("""<?xml version="1.0" encoding="utf-8"?>""")
    // Root element of the checkstyle-format report; the version is a string literal.
    out.println("""<checkstyle version="8.0">""")
    for ((file, errList) in acc.entries.sortedBy { it.key }) {
        out.println("""	<file name="${file.escapeXMLAttrValue()}">""")
        for ((line, col, ruleId, detail) in errList) {
            // One <error/> per lint finding; attribute values are XML-escaped.
            out.println(
                """		<error line="$line" column="$col" severity="error" message="${
                detail.escapeXMLAttrValue()
                }" source="$ruleId" />"""
            )
        }
        out.println("""	</file>""")
    }
    out.println("""</checkstyle>""")
}

@JLLeitschuh
Contributor

JLLeitschuh commented Jul 5, 2019

Heh.
That checkstyle vulnerability was also discovered by me.

Sent with GitHawk

@JLLeitschuh
Contributor

The vulnerability in ktlint itself should be resolved as of 0.30.0.

That finding actually spawned this bit of research that's now public:

Want to take over the Java ecosystem? All you need is a MITM!

@shashachu
Contributor

@JLLeitschuh do you know why we're getting flagged for the checkstyle vulnerability? We don't actually bring it in as a dependency. Is it just the checkstyle version we're writing out in the checkstyle reporter?

@Fleshgrinder

I added the OWASP Dependency Check plugin to the project in #514 and running it directly against the project doesn't trigger the checkstyle vulnerability. However, there are others:

@shashachu
Contributor

shashachu commented Jul 10, 2019

When we remove the MavenDependencyResolver, the Guava, HttpClient and Plexus Utils dependencies will go away. #451

@hosamaly

hosamaly commented Sep 10, 2019

Hi. It looks like this ticket is ready to be resolved, now that #566 has been merged. Could we expect v0.35.0 soon?
