Lots of vulnerabilities in dependencies #13000

Closed
markAtAthena opened this issue Jan 6, 2025 · 5 comments · Fixed by #13007

Comments

@markAtAthena (Author)

Describe the bug

Scan Results: fe56677a-a9df-4370-bce6-d2cfe71debba

Scan Results for Scan ID: fe56677a-a9df-4370-bce6-d2cfe71debba

CRITICAL Findings: 1

Maven-org.simpleframework:simple-xml-2.7.1
CVE: CVE-2017-1000190
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-identity-1.3.1, Maven-org.linguafranca.pwdb:KeePassJava2-2.1.4, Maven-org.linguafranca.pwdb:KeePassJava2-simple-2.1.4, Maven-org.simpleframework:simple-xml-2.7.1


HIGH Findings: 24

Maven-io.netty:netty-resolver-dns-4.1.63.Final
CVE: CVE-2024-47535
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.projectreactor.netty:reactor-netty-1.0.7, Maven-io.projectreactor.netty:reactor-netty-core-1.0.7, Maven-io.netty:netty-resolver-dns-4.1.63.Final


Maven-io.netty:netty-common-4.1.65.Final
CVE: CVE-2024-47535
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.netty:netty-handler-4.1.65.Final, Maven-io.netty:netty-common-4.1.65.Final


Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
CVE: CVE-2020-36518
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3


Maven-net.minidev:json-smart-2.4.2
CVE: CVE-2021-31684
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-identity-1.3.1, Maven-com.microsoft.azure:msal4j-1.10.0, Maven-com.nimbusds:oauth2-oidc-sdk-9.4, Maven-net.minidev:json-smart-2.4.2


Maven-io.netty:netty-codec-4.1.65.Final
CVE: CVE-2021-37136
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.netty:netty-handler-4.1.65.Final, Maven-io.netty:netty-codec-4.1.65.Final


Maven-io.netty:netty-codec-4.1.65.Final
CVE: CVE-2021-37137
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.netty:netty-handler-4.1.65.Final, Maven-io.netty:netty-codec-4.1.65.Final


Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
CVE: CVE-2021-46877
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3


Maven-com.google.code.gson:gson-2.8.6
CVE: CVE-2022-25647
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-util-3.14.0, Maven-com.google.code.gson:gson-2.8.6


Maven-com.google.protobuf:protobuf-java-3.14.0
CVE: CVE-2022-3171
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-3.14.0


Maven-com.google.protobuf:protobuf-java-3.14.0
CVE: CVE-2022-3509
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-3.14.0


Maven-com.google.protobuf:protobuf-java-3.14.0
CVE: CVE-2022-3510
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-3.14.0


Maven-com.fasterxml.woodstox:woodstox-core-6.2.4
CVE: CVE-2022-40152
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.dataformat:jackson-dataformat-xml-2.12.3, Maven-com.fasterxml.woodstox:woodstox-core-6.2.4
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.dataformat:jackson-dataformat-xml-2.12.3, Maven-com.fasterxml.woodstox:woodstox-core-6.2.4


Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
CVE: CVE-2022-42003
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3


Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
CVE: CVE-2022-42004
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3


Maven-net.minidev:json-smart-2.4.2
CVE: CVE-2023-1370
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-identity-1.3.1, Maven-com.microsoft.azure:msal4j-1.10.0, Maven-com.nimbusds:oauth2-oidc-sdk-9.4, Maven-net.minidev:json-smart-2.4.2


Maven-io.projectreactor.netty:reactor-netty-core-1.0.7
CVE: CVE-2023-34054
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.projectreactor.netty:reactor-netty-1.0.7, Maven-io.projectreactor.netty:reactor-netty-core-1.0.7


Maven-io.projectreactor.netty:reactor-netty-http-1.0.7
CVE: CVE-2023-34062
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.projectreactor.netty:reactor-netty-1.0.7, Maven-io.projectreactor.netty:reactor-netty-http-1.0.7


Maven-io.netty:netty-codec-http2-4.1.65.Final
CVE: CVE-2023-44487
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.netty:netty-codec-http2-4.1.65.Final


Maven-com.nimbusds:nimbus-jose-jwt-9.8.1
CVE: CVE-2023-52428
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-identity-1.3.1, Maven-com.microsoft.azure:msal4j-1.10.0, Maven-com.nimbusds:oauth2-oidc-sdk-9.4, Maven-com.nimbusds:nimbus-jose-jwt-9.8.1


Maven-org.springframework:spring-webmvc-6.1.13
CVE: CVE-2024-38819
Locations: pom.xml
Dependency Paths: Maven-org.springframework:spring-webmvc-6.1.13


Maven-com.google.protobuf:protobuf-java-3.14.0
CVE: CVE-2024-7254
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-3.14.0


Maven-commons-collections:commons-collections-3.2.2
CVE: Cx78f40514-81ff
Locations: pom.xml
Dependency Paths: Maven-org.apache.maven.plugins:maven-site-plugin-4.0.0-M15, Maven-org.apache.maven.doxia:doxia-site-renderer-2.0.0-M19, Maven-org.apache.velocity.tools:velocity-tools-generic-3.1, Maven-commons-beanutils:commons-beanutils-1.9.4, Maven-commons-collections:commons-collections-3.2.2


Maven-com.google.guava:guava-31.1-jre
CVE: CVE-2023-2976
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml, lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/org.jctools/jctools-core/pom.xml
Dependency Paths: Maven-com.google.guava:guava-testlib-31.1-jre, Maven-com.google.guava:guava-31.1-jre


Maven-com.google.guava:guava-30.0-android
CVE: CVE-2023-2976
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-io.grpc:grpc-api-1.35.0, Maven-com.google.guava:guava-30.0-android


MEDIUM Findings: 11

LOW Findings: 10

Steps to reproduce

Run vulnerability scanner

Expected behavior

Ideally few if any issues

Actual behavior

a lot of high and one critical issue

Javaagent or library instrumentation version

2.11.0

Environment

JDK:
OS:

Additional context

No response

markAtAthena added the "bug" (Something isn't working) and "needs triage" (New issue that requires triage) labels on Jan 6, 2025
@trask (Member) commented Jan 6, 2025

hi @markAtAthena, it looks like you may be running the scanner against the entire repo (including test dependencies)?

this repo intentionally runs tests against many old dependency versions in order to ensure instrumentation compatibility with old versions of libraries

however, if you run your scanner against published artifacts, you should not see those old versions

trask added the "needs author feedback" (Waiting for additional feedback from the author) label and removed the "needs triage" and "bug" labels on Jan 6, 2025
@markAtAthena (Author) commented Jan 6, 2025 via email

github-actions bot removed the "needs author feedback" label on Jan 6, 2025
@trask (Member) commented Jan 6, 2025

> I can find them bundled into the 2.11.0 jar if I expand the jar.

which jar? e.g. the Java agent jar doesn't include netty at all (let alone the old version you mention above)

@markAtAthena (Author)

io.opentelemetry.javaagent:opentelemetry-javaagent

is pulling it in from

inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml

@markAtAthena (Author) commented Jan 6, 2025

Though, they are scoped to test, so I wonder if this is a bug in CxOne (checkmarx one)?
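The thread turns on one question: is a dependency named in a pom.xml under inst/META-INF/maven/ actually shipped in the agent jar, or is the scanner only reading metadata? The script below is an added example, not code from this issue, from Checkmarx, or from the opentelemetry-java-instrumentation project. It opens a jar, parses every embedded pom.xml, lists each declared dependency with its Maven scope, and checks whether any class for that groupId exists in the archive. Two assumptions are built in: that classes the javaagent isolates under inst/ are stored with a .classdata extension (verify this against your own jar; plain .class entries are also checked), and that a groupId such as io.netty maps to the package path io/netty/, which is a heuristic rather than a guarantee. The sample jar it runs against when given no argument is constructed inline.

```python
# Added example, not code from this issue or the opentelemetry-java-instrumentation
# project. Assumes: classes the javaagent isolates under inst/ end in .classdata
# (verify against your jar), and groupId io.netty maps to package path io/netty/.
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str   # "?" when absent; may be an unresolved ${property}
    scope: str     # Maven treats a missing <scope> as "compile"


def parse_pom_dependencies(pom_bytes: bytes) -> list:
    """Dependencies declared directly under <project>; dependencyManagement and
    plugin dependencies are skipped because they put nothing on the classpath."""
    root = ET.fromstring(pom_bytes)
    # POMs normally carry the Maven namespace; tolerate an unnamespaced file too.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    deps_el = root.find(f"{ns}dependencies")
    if deps_el is None:
        return []

    def text(el, tag):
        child = el.find(f"{ns}{tag}")
        return child.text.strip() if child is not None and child.text else None

    return [
        Dep(text(d, "groupId") or "", text(d, "artifactId") or "",
            text(d, "version") or "?", text(d, "scope") or "compile")
        for d in deps_el.findall(f"{ns}dependency")
    ]


def embedded_poms(jar: zipfile.ZipFile) -> dict:
    """pom.xml entries under inst/META-INF/maven/, the location the scanner reported."""
    return {n: jar.read(n) for n in jar.namelist()
            if n.startswith("inst/META-INF/maven/") and n.endswith("/pom.xml")}


def group_has_classes(jar: zipfile.ZipFile, group_id: str) -> bool:
    """Heuristic: is any .class/.classdata entry stored under the groupId's package?"""
    prefix = group_id.replace(".", "/") + "/"
    for n in jar.namelist():
        if n.endswith((".class", ".classdata")):
            path = n[len("inst/"):] if n.startswith("inst/") else n
            if path.startswith(prefix):
                return True
    return False


def triage_jar(jar_bytes: bytes) -> list:
    """One row per declared dependency: its scope and whether its classes are present."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for pom_path, pom in sorted(embedded_poms(jar).items()):
            for dep in parse_pom_dependencies(pom):
                present = group_has_classes(jar, dep.group)
                if present:
                    verdict = "classes bundled: real finding, review it"
                elif dep.scope == "test":
                    verdict = "test scope, no classes: metadata only"
                else:
                    verdict = "declared but no classes: check by hand"
                rows.append({"pom": pom_path, "scope": dep.scope, "verdict": verdict,
                             "coordinates": f"{dep.group}:{dep.artifact}:{dep.version}",
                             "classes_in_jar": present})
    return rows


def build_sample_jar() -> bytes:
    """Constructed stand-in for an agent jar: one embedded pom declaring a compile-scoped
    dependency whose classes are present and a test-scoped one whose classes are not."""
    pom = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>sample-tracing</artifactId><version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>com.example.api</groupId><artifactId>example-api</artifactId><version>1.0.0</version>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId><artifactId>netty-codec</artifactId>
      <version>4.1.65.Final</version><scope>test</scope>
    </dependency>
  </dependencies>
</project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("inst/META-INF/maven/com.example/sample-tracing/pom.xml", pom)
        # Placeholder class entry (JVM magic bytes only); the check keys on the path.
        z.writestr("inst/com/example/api/Tracer.classdata", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for row in triage_jar(data):
        print(f"{row['coordinates']:<45} {row['scope']:<8} {row['verdict']}")
```

Run it as `python check_jar.py opentelemetry-javaagent.jar`; with no argument it runs against the constructed sample. A row marked "metadata only" is the situation described in this thread: the embedded pom names the dependency, but nothing from it is in the archive, so there is no code in your JVM for the CVE to apply to. A row marked "classes bundled" is worth a real look, and the "check by hand" rows cover compile-scoped declarations whose classes were not found by the package heuristic (for example a shaded or relocated package).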
