
[CVEs] Critical and High CVEs reported on PMD and PMD dependencies #4691

Closed
eugenepugach opened this issue Sep 27, 2023 · 2 comments · Fixed by #4695 or #4696
Affects PMD Version:
7.0.0-rc3

Description:
Hello PMD team. We scanned the PMD source code with Snyk and another system; it reported 2 critical and 1 high CVEs.
Also, these vulnerabilities block deployment and creating Docker images and other servers:

Vulnerable Library: scala-reflect-2.13.3.jar (/dist/pmd-bin/lib/scala-reflect-2.13.3.jar)

Dependency Hierarchy:

Directly - ⚠️ scala-reflect-2.13.3.jar (Vulnerability Library)

Severity:
🚫 CRITICAL
CVE-2022-36944

Fixed Version:
♻️ scala-reflect-2.13.9.jar
Vulnerable Library: scala-reflect-2.13.3.jar (/dist/pmd-bin/lib/scala-reflect-2.13.3.jar)

Dependency Hierarchy:

Directly - ⚠️ scala-reflect-2.13.3.jar (Vulnerability Library)

Severity:
🚫 CRITICAL
VULNDB-298991

Fixed Version:
♻️ scala-reflect-2.13.9.jar
Vulnerable Library: commons-io (/dist/pmd-bin/lib/pmd-ui-7.0.0-rc1.jar:commons-io)

Dependency Hierarchy:

  • ⚠️ pmd-ui-7.0.0-rc1.jar (Root Library)
  • ⚠️ commons-io (Vulnerability Library)

Severity:
🚫 HIGH
VULNDB-239195

Fixed Version:
♻️ commons-io-2.8.0.jar

@eugenepugach eugenepugach added the a:bug PMD crashes or fails to analyse a file. label Sep 27, 2023
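A defender-side check for the two shapes in this report, a direct jar in the lib directory (scala-reflect) and a dependency shaded inside another jar (commons-io inside pmd-ui), added here as an example; it is not code from PMD or from the reporter. Jar names and fixed versions are taken from the scanner output above; the shaded commons-io version in the constructed sample is an assumption, since the report states only the fixed version.

```python
import io
import re
import zipfile

# Minimum fixed versions as listed in the scanner output above.
FIXED_VERSIONS = {"scala-reflect": "2.13.9", "commons-io": "2.8.0"}

def parse_version(v):
    """'2.13.3' -> (2, 13, 3); pre-release suffixes such as -rc1 are not modelled."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def nested_versions(jar_bytes):
    """artifactId -> version for dependencies shaded into a jar, from Maven pom.properties."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                lines = zf.read(name).decode().splitlines()
                props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
                if "artifactId" in props and "version" in props:
                    found[props["artifactId"]] = props["version"]
    return found

def audit(lib):
    """lib maps jar file name -> bytes; returns (artifact, version, location) below the fix."""
    findings = []
    for jar, data in lib.items():
        m = re.fullmatch(r"(.+?)-(\d[\w.-]*)\.jar", jar)  # direct dependency: version in the name
        candidates = {m.group(1): (m.group(2), jar)} if m else {}
        for a, v in nested_versions(data).items():  # shaded dependency: reported as jar:artifact
            candidates[a] = (v, f"{jar}:{a}")
        for a, (v, where) in candidates.items():
            fixed = FIXED_VERSIONS.get(a)
            if fixed and parse_version(v) < parse_version(fixed):
                findings.append((a, v, where))
    return findings

def make_jar(entries):
    """Build an in-memory jar from {path: text}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()

# Constructed sample; the shaded commons-io version 2.7 is assumed (the issue gives only the fix, 2.8.0).
SAMPLE_LIB = {
    "scala-reflect-2.13.3.jar": make_jar({"scala/reflect/Dummy.class": ""}),
    "pmd-ui-7.0.0-rc1.jar": make_jar({"META-INF/maven/commons-io/commons-io/pom.properties":
        "#Generated by Maven\nversion=2.7\ngroupId=commons-io\nartifactId=commons-io\n"}),
}
```

To run it against a real distribution, build `lib` as `{p.name: p.read_bytes() for p in Path("/dist/pmd-bin/lib").glob("*.jar")}` and call `audit(lib)`; a file-name scan alone would miss the shaded commons-io case.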

adangel commented Sep 28, 2023

Thanks for reporting.

Updating scala from 2.13.3 to 2.13.9 should be simple.
The commons-io dependency seems to stem from https://github.com/pmd/pmd-designer ...


adangel commented Sep 28, 2023

@eugenepugach Can you provide details what "VULNDB-298991" is? VulnDb seems to be behind a paywall (https://vulndb.cyberriskanalytics.com/).

I found VULNDB-239195 mentioned at https://issues.apache.org/jira/browse/FLINK-22747

@adangel adangel added this to the 7.0.0 milestone Sep 29, 2023
adangel added a commit to adangel/pmd that referenced this issue Sep 29, 2023