
legend-depot's Introduction


legend-depot

The Legend Depot servers provide a rich REST API that lets users query, quickly and reliably, metadata that has been authored in Legend Studio and Legend SDLC. Legend Depot has two main components:

  • Depot Server: provides a read-only metadata query REST API
  • Depot Store Server: manages the internal metadata cache and sources it from a Maven-style repository where model artifacts have been published.

Getting started

Development setup

This application uses Maven 3.6+ and JDK 11 to build. Simply run mvn install to compile. To start the Depot Server and Depot Store Server, follow the instructions below.

Setup Gitlab OAuth

Follow the instructions here to set up Gitlab authentication. Add the following callback URL to the config: http://127.0.0.1:6201/depot-store/callback

Certain store APIs require elevated permissions; add your Gitlab handle to authorisedIdentities.json.

Depot Store Server

  • Create a JSON configuration: check out the sample config
  • Configure your artifacts repository provider (artifactRepositoryProviderConfiguration); check out the instructions here
  • Start an instance of MongoDB, where your metadata will be stored, and add the MongoDB URL and database name to the mongo section of your config file
  • Start the server:
java -cp $SHADED_JAR_PATH org.finos.legend.depot.store.server.LegendDepotStoreServer server $CONFIG_DIR/config.json

Depot Server

  • Create a JSON configuration: make sure to specify the MongoDB in which the store server caches metadata. Check out the sample config
  • Start the server:
java -cp $SHADED_JAR_PATH org.finos.legend.depot.server.LegendDepotServer server $CONFIG_DIR/config.json

Register metadata projects with Depot Store Server

Metadata projects need to be registered in the depot store so that the server can start fetching and caching the models for the project. This is a one-off task and can be done:

  • Manually: using the end point api/projects/{projectId}/{groupId}/{artifactId}
  • Automatically: more to come on this space

Crucially, the key information is the Maven coordinates (groupId and artifactId) and the modeling project that publishes its artifacts to them.

Roadmap

Visit our roadmap to know more about the upcoming features.

Contributing

Visit Legend Contribution Guide to learn how to contribute to Legend.

License

Copyright 2020 Goldman Sachs

Distributed under the Apache License, Version 2.0.

SPDX-License-Identifier: Apache-2.0


legend-depot's Issues

CVE-2021-27568 (High) detected in json-smart-2.3.jar

CVE-2021-27568 - High Severity Vulnerability

Vulnerable Library - json-smart-2.3.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: http://www.minidev.net/

Path to dependency file: /legend-depot-store-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.3/json-smart-2.3.jar

Dependency Hierarchy:

  • legend-shared-pac4j-gitlab-0.22.0.jar (Root Library)
    • nimbus-jose-jwt-8.0.jar
      • json-smart-2.3.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.

Publish Date: 2021-02-23

URL: CVE-2021-27568

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-23

Fix Resolution: net.minidev:json-smart-mini:1.3.2;net.minidev:json-smart:1.3.2,2.3.1,2.4.2;net.minidev:json-smart-action:2.3.1,2.4.2

CVE-2021-28169 (Medium) detected in multiple libraries

CVE-2021-28169 - Medium Severity Vulnerability

Vulnerable Libraries - jetty-http-9.4.35.v20201120.jar, jetty-server-9.4.35.v20201120.jar, jetty-servlets-9.4.35.v20201120.jar

jetty-http-9.4.35.v20201120.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.35.v20201120/jetty-http-9.4.35.v20201120.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-jetty-1.3.29.jar
        • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

jetty-server-9.4.35.v20201120.jar

The core jetty server artifact.

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-store-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.35.v20201120/jetty-server-9.4.35.v20201120.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-jersey-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

jetty-servlets-9.4.35.v20201120.jar

Utility Servlets from Jetty

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-store-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.35.v20201120/jetty-servlets-9.4.35.v20201120.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-jetty-1.3.29.jar
        • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3

CVE-2020-25649 (High) detected in jackson-databind-2.10.5.jar

CVE-2020-25649 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /legend-depot-artifacts-repository-maven-impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar

Dependency Hierarchy:

  • jackson-databind-2.10.5.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Publish Date: 2020-12-03

URL: CVE-2020-25649

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-03

Fix Resolution: 2.10.5.1


NullPointer on startup

We seem to have an NPE on startup.

Clearly the role is not null. The previous line which uses the role does not throw.
Is there a bug in the principal provider/injection?

72.25.0.1 - - [11/Feb/2023:16:34:00 +0000] "GET /depot-store/api/queue HTTP/1.1" 500 110 "http://localhost:6201/depot-store/api/swagger" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" 11

127.0.0.1 - - [11/Feb/2023:16:34:03 +0000] "GET /depot-store/api/info HTTP/1.1" 200 218 "-" "curl/7.81.0" 3

INFO  [2023-02-11 16:34:04,301] org.finos.legend.depot.store.notifications.services.NotificationsQueueManager: waiting in queue 0

INFO  [2023-02-11 16:34:04,303] org.finos.legend.depot.schedules.services.SchedulesFactory: Finished queue-observer_1 

ERROR [2023-02-11 16:34:07,328] io.dropwizard.jersey.errors.LoggingExceptionMapper: Error handling a request: 5c5549426263a1a6

! java.lang.NullPointerException: null

! at org.finos.legend.depot.core.authorisation.services.BasicAuthorisationProvider.lambda$authorise$0(BasicAuthorisationProvider.java:63)

! at java.base/java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)

! at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1632)

! at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127)

! at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)

! at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)

! at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)

! at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)

! at java.base/java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)

! at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)

! at java.base/java.util.stream.ReferencePipeline.noneMatch(ReferencePipeline.java:538)

! at org.finos.legend.depot.core.authorisation.services.BasicAuthorisationProvider.authorise(BasicAuthorisationProvider.java:63)

! at org.finos.legend.depot.core.authorisation.resources.BaseAuthorisedResource.validateUser(BaseAuthorisedResource.java:42)

! at org.finos.legend.depot.store.notifications.resources.NotificationsManagerResource.getAllEventsInQueue(NotificationsManagerResource.java:113)

! at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

! at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

! at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

! at java.base/java.lang.reflect.Method.invoke(Method.java:566)

! at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)

! at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144)

! at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161)

! at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205)

! at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99)

! at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)

! at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)

! at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)

! at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326)

! at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)

! at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)

! at org.glassfish.jersey.internal.Errors.process(Errors.java:315)

! at org.glassfish.jersey.internal.Errors.process(Errors.java:297)

! at org.glassfish.jersey.internal.Errors.process(Errors.java:267)

! at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)

! at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305)

! at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154)

! at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473)

! at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427)

! at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388)

! at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341)

! at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228)

! at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)

! at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)

! at io.dropwizard.servlets.ThreadNameFilter.doFilter(ThreadNameFilter.java:35)

! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)

! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)

! at io.dropwizard.jersey.filter.AllowedMethodsFilter.handle(AllowedMethodsFilter.java:45)

! at io.dropwizard.jersey.filter.AllowedMethodsFilter.doFilter(AllowedMethodsFilter.java:39)

! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)

! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)

! at org.finos.legend.server.shared.bundles.HostnameHeaderBundle$Enricher.doFilter(HostnameHeaderBundle.java:62)

! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)

! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)

! at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89)

! at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)

! at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)

! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)

! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)

! at org.finos.legend.server.pac4j.internal.UsernameFilter.doFilter(UsernameFilter.java:51)

! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)

! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)

! at org.pac4j.j2e.filter.SecurityFilter.lambda$internalFilter$0(SecurityFilter.java:95)

! at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:159)

! at org.pac4j.j2e.filter.SecurityFilter.internalFilter(SecurityFilter.java:93)

! at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)

! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)

! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)

! at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:319)

! at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:273)

! at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)

! at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)

! at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)

! at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)

! at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)

! at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)

! at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)

! at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)

! at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)

! at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)

! at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)

! at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)

! at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

! at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

! at com.codahale.metrics.jetty9.InstrumentedHandler.handle(InstrumentedHandler.java:313)

! at io.dropwizard.jetty.ContextRoutingHandler.handle(ContextRoutingHandler.java:37)

! at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:766)

! at io.dropwizard.jetty.BiDiGzipHandler.handle(BiDiGzipHandler.java:67)

! at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:54)

! at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:179)

! at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

! at org.eclipse.jetty.server.Server.handle(Server.java:516)

! at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)

! at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)

! at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)

! at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)

! at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)

! at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)

! at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)

! at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)

! at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)

! at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)

! at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)

! at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)

! at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)

! at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)

! at java.base/java.lang.Thread.run(Thread.java:829)

172.25.0.1 - - [11/Feb/2023:16:34:07 +0000] "GET /depot-store/api/queue HTTP/1.1" 500 110 "http://localhost:6201/depot-store/api/swagger" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" 3


CVE-2021-28165 (High) detected in jetty-io-9.4.35.v20201120.jar

CVE-2021-28165 - High Severity Vulnerability

Vulnerable Library - jetty-io-9.4.35.v20201120.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-core-http/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.35.v20201120/jetty-io-9.4.35.v20201120.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-jersey-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar
          • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2

CVE-2021-44878 (High) detected in pac4j-oidc-3.8.3.jar

CVE-2021-44878 - High Severity Vulnerability

Vulnerable Library - pac4j-oidc-3.8.3.jar

Profile & Authentication Client for Java

Library home page: https://github.com/pac4j/pac4j

Path to dependency file: /legend-depot-store-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-oidc/3.8.3/pac4j-oidc-3.8.3.jar

Dependency Hierarchy:

  • legend-shared-pac4j-gitlab-0.22.0.jar (Root Library)
    • pac4j-oidc-3.8.3.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.

Publish Date: 2022-01-06

URL: CVE-2021-44878

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44878

Release Date: 2022-01-06

Fix Resolution: org.pac4j:pac4j-oidc:5.2.0
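The mitigation the advisory describes is a relying-party check that refuses unsigned ID tokens before any signature work happens. The following is an added illustration, not pac4j's own code or anything from the legend-depot project: it parses the JOSE header of a compact-serialised token, rejects "alg": "none" (any casing), rejects algorithms outside an explicit allow-list, and rejects an empty signature segment. ALLOWED_ALGS, make_token and the sample tokens are constructed assumptions for the demonstration.

```python
import base64
import json

# Assumption: the relying party has agreed RS256 with its OpenID provider and
# accepts nothing else. An explicit allow-list is the point; "not none" alone is
# too weak (e.g. it still admits an HMAC alg the provider never uses).
ALLOWED_ALGS = {"RS256"}


class IdTokenRejected(Exception):
    """Raised when an ID token fails the pre-verification header checks."""


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_id_token_header(token: str, allowed_algs=ALLOWED_ALGS) -> dict:
    """Pre-check to run BEFORE signature verification.

    Returns the parsed JOSE header when the token is a signed JWS whose
    algorithm is on the allow-list; raises IdTokenRejected otherwise.
    It deliberately does not trust anything inside the payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenRejected("ID token must have exactly three segments")
    header_seg, _payload_seg, signature_seg = parts
    try:
        header = json.loads(_b64url_decode(header_seg))
    except (ValueError, UnicodeDecodeError) as exc:
        raise IdTokenRejected(f"unparseable JOSE header: {exc}") from exc
    if not isinstance(header, dict):
        raise IdTokenRejected("JOSE header is not a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str):
        raise IdTokenRejected("JOSE header lacks an 'alg' string")
    # Case-insensitive so that 'None' / 'NONE' are caught as well as 'none'.
    if alg.lower() == "none":
        raise IdTokenRejected("unsigned ('alg: none') ID tokens are not accepted")
    if alg not in allowed_algs:
        raise IdTokenRejected(
            f"algorithm {alg!r} is not in the allow-list {sorted(allowed_algs)}")
    if signature_seg == "":
        raise IdTokenRejected("signed token has an empty signature segment")
    return header


def make_token(header: dict, payload: dict, signature: bytes = b"") -> str:
    """Build a compact-serialised token from parts. Constructed test data only:
    no real signing takes place, the signature bytes are whatever is passed in."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode("utf-8")),
        _b64url_encode(json.dumps(payload).encode("utf-8")),
        _b64url_encode(signature),
    ])


def classify(token: str) -> str:
    """Return 'ok' or 'rejected: <reason>' for a token (handy for logging)."""
    try:
        check_id_token_header(token)
        return "ok"
    except IdTokenRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed samples: the first two mirror the advisory's "alg: none" with
    # an empty signature; the last is the only shape that should pass.
    samples = {
        "alg none, empty sig": make_token({"alg": "none", "typ": "JWT"}, {"sub": "alice"}),
        "alg None (casing)": make_token({"alg": "None"}, {"sub": "alice"}),
        "HS256 not allow-listed": make_token({"alg": "HS256"}, {"sub": "alice"}, b"\x01"),
        "RS256 but empty sig": make_token({"alg": "RS256"}, {"sub": "alice"}),
        "RS256 with signature": make_token({"alg": "RS256"}, {"sub": "alice"}, b"\x01\x02"),
    }
    for label, tok in samples.items():
        print(f"{label:24s} -> {classify(tok)}")
```

The "RS256 with signature" case only passes the pre-check; the actual signature must still be verified against the provider's published keys afterwards.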

Setup using Gitlab OAuth

Hey, as discussed offline, just want to post my config

  "pac4j": {
    "callbackPrefix": "/depot-store",
    "bypassPaths": [
      "/depot-store/api/info"
    ],
    "clients": [
      {
        "org.finos.legend.server.pac4j.gitlab.GitlabClient": {
          "name": "gitlab",
          "clientId": "...",
          "secret": "...",
          "discoveryUri": "https://gitlab.com/.well-known/openid-configuration",
          "scope": "openid profile api"
        }
      }
    ],
    "mongoAuthorizer": {
      "enabled": false,
      "collection": "allowedUsers"
    },
    "mongoSession": {
      "enabled": false,
      "collection": "userSessions"
    }
  },
<!-- pom.xml for legend-depot-store-server-->

        <dependency>
            <groupId>org.finos.legend.shared</groupId>
            <artifactId>legend-shared-pac4j</artifactId>
        </dependency>
        <dependency>
            <groupId>org.finos.legend.shared</groupId>
            <artifactId>legend-shared-pac4j-gitlab</artifactId>
            <version>${legend.shared.version}</version>
            <scope>runtime</scope>
            <exclusions>
                <exclusion>
                    <groupId>javax.activation</groupId>
                    <artifactId>activation</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

        <dependency>
            <groupId>org.finos.legend.depot</groupId>
            <artifactId>legend-depot-artifacts-repository-api</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
        <dependency>
            <groupId>org.finos.legend.depot</groupId>
            <artifactId>legend-depot-artifacts-repository-one-unsecured</artifactId>
            <version>${project.parent.version}</version>
            <scope>runtime</scope>
        </dependency>

And I need to add these 2 lines to my Gitlab OAuth application's Redirect URI list (NOTE: your ports might differ)

http://localhost:8076/depot-store/callback
http://localhost:8075/depot/callback
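A small review script for the pac4j section posted above, added here as an example and not part of the original issue or of legend-depot. The meaning it gives the keys (callbackPrefix + "/callback" is the OAuth redirect path, bypassPaths skip authentication, mongoAuthorizer gates logged-in users) is an assumption about legend-shared-pac4j, as is the list of placeholder values it flags.

```python
from urllib.parse import urlparse

# Constructed sample: the pac4j section from the post, with the credential placeholders kept.
SAMPLE_PAC4J = {
    "callbackPrefix": "/depot-store",
    "bypassPaths": ["/depot-store/api/info"],
    "clients": [{
        "org.finos.legend.server.pac4j.gitlab.GitlabClient": {
            "name": "gitlab",
            "clientId": "...",
            "secret": "...",
            "discoveryUri": "https://gitlab.com/.well-known/openid-configuration",
            "scope": "openid profile api",
        }
    }],
    "mongoAuthorizer": {"enabled": False, "collection": "allowedUsers"},
    "mongoSession": {"enabled": False, "collection": "userSessions"},
}
# Constructed sample: the redirect URIs registered on the GitLab OAuth application.
SAMPLE_REDIRECTS = ["http://localhost:8076/depot-store/callback",
                    "http://localhost:8075/depot/callback"]

# Assumption: values that mean "not filled in yet" rather than a real credential.
PLACEHOLDERS = {"", "...", "changeme", "<clientId>", "<secret>"}


def review_pac4j(pac4j: dict, redirect_uris: list) -> list:
    """Return (severity, message) findings for one pac4j section; an empty list means nothing was flagged."""
    findings = []
    # Assumption: the server answers the OAuth redirect on callbackPrefix + "/callback".
    expected_callback = pac4j.get("callbackPrefix", "") + "/callback"
    if not any(urlparse(u).path == expected_callback for u in redirect_uris):
        findings.append(("high", f"no registered redirect URI has the path {expected_callback}"))
    for client in pac4j.get("clients", []):
        for _class_name, cfg in client.items():
            disc = cfg.get("discoveryUri", "")
            if urlparse(disc).scheme != "https":  # discovery document must not be fetched over plain http
                findings.append(("high", f"{cfg.get('name')}: discoveryUri must be https, got {disc!r}"))
            for key in ("clientId", "secret"):
                if cfg.get(key, "").strip() in PLACEHOLDERS:
                    findings.append(("high", f"{cfg.get('name')}: {key} is a placeholder"))
            if "api" in cfg.get("scope", "").split():  # GitLab's 'api' scope is full read/write API access
                findings.append(("info", f"{cfg.get('name')}: scope grants full 'api' access; confirm it is needed"))
    for path in pac4j.get("bypassPaths", []):
        # An unauthenticated path should be one public endpoint, not a prefix covering the whole API.
        if path.endswith("/") or path.endswith("*") or path == pac4j.get("callbackPrefix"):
            findings.append(("medium", f"bypassPaths entry {path!r} looks like a prefix, not one endpoint"))
    if not pac4j.get("mongoAuthorizer", {}).get("enabled", False):
        findings.append(("info", "mongoAuthorizer disabled: every GitLab login is accepted unless another allow-list applies (assumption)"))
    return findings


if __name__ == "__main__":
    for severity, message in review_pac4j(SAMPLE_PAC4J, SAMPLE_REDIRECTS):
        print(f"[{severity}] {message}")
```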

Local development setup

@elopezcastro As discussed before, we are looking for a way to publish entities JARs to a Maven package registry for local development. We picked Gitlab Package Registry for this purpose as it's an out-of-the-box solution. I will spare everyone the details of how I configured SDLC to achieve this for now, but I have produced and published the artifacts. This is the link to my registry

https://gitlab.com/api/v4/projects/25339854/packages/maven

And you can see the published JARs here

https://gitlab.com/blacksteed232/myProject/-/packages

I also added you as maintainer of that project so you can tinker around with the project settings - https://gitlab.com/blacksteed232/myProject

I have tried to point to this repo in my repository-settings.xml file, but I don't seem to be able to trigger the push from store-server to fetch this project metadata. Could you kindly do a test on your end?

<settings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                          https://maven.apache.org/xsd/settings-1.0.0.xsd">
    <localRepository>target/.m2/repository</localRepository>
    <interactiveMode>false</interactiveMode>
    <offline>false</offline>
    <profiles>
        <profile>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <repositories>
                <repository>
                    <id>gitlab-maven</id>
                    <url>https://gitlab.com/api/v4/projects/25339854/packages/maven</url>
                    <layout>default</layout>
                    <releases>
                        <enabled>true</enabled>
                        <updatePolicy>never</updatePolicy>
                    </releases>
                    <snapshots>
                        <enabled>true</enabled>
                        <updatePolicy>always</updatePolicy>
                    </snapshots>
                </repository>
            </repositories>
        </profile>
    </profiles>
</settings>

CVE-2020-10693 (Medium) detected in hibernate-validator-5.4.2.Final.jar

CVE-2020-10693 - Medium Severity Vulnerability

Vulnerable Library - hibernate-validator-5.4.2.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /legend-depot-store-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.4.2.Final/hibernate-validator-5.4.2.Final.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-validation-1.3.29.jar
        • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: 2020-05-06

URL: CVE-2020-10693

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/

Release Date: 2020-05-06

Fix Resolution: org.hibernate:hibernate-validator:6.0.20.Final,6.1.5.Final

WS-2021-0616 (Medium) detected in jackson-databind-2.10.5.jar

WS-2021-0616 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /legend-depot-artifacts-repository-maven-impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar

Dependency Hierarchy:

  • jackson-databind-2.10.5.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.12.6 and 2.13.1, there is a DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution: 2.11.0


CVE-2020-36518 (High) detected in jackson-databind-2.10.5.jar

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /legend-depot-artifacts-repository-maven-impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar

Dependency Hierarchy:

  • jackson-databind-2.10.5.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution: 2.12.6.1


Feature Request: Add an endpoint to query for metadata

The intent is to allow querying for DataSpace by path (see finos/legend-studio#469). But we want to keep this as generic as possible because this is a general problem: running queries on the graph of metadata. That's a complicated problem, but to make this work for this particular case, we should do the following:

  • Finalize the shape of the API:
    • Method: POST
    • Name: Query - Pure Model Context Data - 😕 ??
    • Path: /query/PureModelContextData? - 😕 ??
    • Input: an execution context (DataSpace?) and a query
    • Output: is this execution result or Pure Model Context Data for now?
  • For the implementation:
    • Make assertion to only allow query of form DataSpace.all()->filter(s|$s.path->contains(<string>))->take(<limit>)
    • Filter by classifier path, path, and limit
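An added example of the assertion proposed in the last bullet, written here in Python rather than taken from legend-depot: the endpoint accepts only a query of the exact shape DataSpace.all()->filter(s|$s.path->contains(<string>))->take(<limit>) and turns it into plain filter parameters (classifier, path fragment, limit), so caller-supplied Pure is never evaluated. The classifier allow-list, the limit ceiling and the restriction of <string> to a plain single-quoted literal without escapes are assumptions made for the demo.

```python
import re

# Assumption: only these classifiers may be queried through the endpoint.
ALLOWED_CLASSIFIERS = {"DataSpace"}
MAX_LIMIT = 100  # assumption: ceiling on ->take() so one request cannot page the whole store

# One pattern for the whole permitted shape; anything that does not match end to end is refused.
# The lambda variable must be reused as-is in $var.path, and the string literal may not contain
# quotes or backslashes (simplification: Pure escape sequences are not accepted).
_QUERY_SHAPE = re.compile(
    r"^(?P<classifier>[A-Za-z_]\w*)\.all\(\)"
    r"->filter\((?P<var>[A-Za-z_]\w*)\|\$(?P=var)\.path->contains\('(?P<needle>[^'\\]*)'\)\)"
    r"->take\((?P<limit>\d{1,6})\)$"
)


def parse_metadata_query(query: str) -> dict:
    """Return {"classifier", "path_contains", "limit"} for a permitted query, else raise ValueError."""
    m = _QUERY_SHAPE.fullmatch(query.strip())
    if m is None:
        raise ValueError("query does not match the allowed shape")
    classifier = m.group("classifier")
    if classifier not in ALLOWED_CLASSIFIERS:
        raise ValueError(f"classifier {classifier!r} is not queryable")
    limit = int(m.group("limit"))
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    return {"classifier": classifier, "path_contains": m.group("needle"), "limit": limit}


def is_allowed_query(query: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_metadata_query(query)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample queries: the first has the shape from the issue, the others must be refused.
    samples = [
        "DataSpace.all()->filter(s|$s.path->contains('model::dataspace'))->take(10)",
        "DataSpace.all()->filter(s|$s.path->contains('x'))->take(10)->map(d|$d.name)",  # extra step
        "Class.all()->filter(s|$s.path->contains('x'))->take(10)",                       # other classifier
        "DataSpace.all()->filter(s|$s.path->contains('x'))->take(100000)",               # limit too large
        "DataSpace.all()->filter(s|$t.path->contains('x'))->take(10)",                   # variable mismatch
    ]
    for q in samples:
        print("accept" if is_allowed_query(q) else "reject", q)
```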

CVE-2021-42550 (Medium) detected in logback-classic-1.2.3.jar, logback-core-1.2.3.jar

CVE-2021-42550 - Medium Severity Vulnerability

Vulnerable Libraries - logback-classic-1.2.3.jar, logback-core-1.2.3.jar

logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /legend-depot-store-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-logging-1.3.29.jar
        • logback-classic-1.2.3.jar (Vulnerable Library)

logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /legend-depot-store-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-logging-1.3.29.jar
        • logback-core-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that allows execution of arbitrary code loaded from LDAP servers.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550

Release Date: 2021-12-16

Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9

CVE-2021-34428 (Low) detected in jetty-server-9.4.35.v20201120.jar

CVE-2021-34428 - Low Severity Vulnerability

Vulnerable Library - jetty-server-9.4.35.v20201120.jar

The core jetty server artifact.

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-store-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.35.v20201120/jetty-server-9.4.35.v20201120.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-jersey-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Publish Date: 2021-06-22

URL: CVE-2021-34428

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Physical
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6cp-vxjx-65j6

Release Date: 2021-06-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.41.v20210516,10.0.3,11.0.3

CVE-2020-27223 (Medium) detected in jetty-http-9.4.35.v20201120.jar

CVE-2020-27223 - Medium Severity Vulnerability

Vulnerable Library - jetty-http-9.4.35.v20201120.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-server/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.35.v20201120/jetty-http-9.4.35.v20201120.jar

Dependency Hierarchy:

  • legend-depot-core-http-0.1.0-SNAPSHOT.jar (Root Library)
    • dropwizard-core-1.3.29.jar
      • dropwizard-jetty-1.3.29.jar
        • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

Found in HEAD commit: 20adda0a734b6a26a97e2d9ad9daaf99650b742f

Found in base branch: master

Vulnerability Details

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Publish Date: 2021-02-26

URL: CVE-2020-27223

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m394-8rww-3jr7

Release Date: 2021-02-26

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.37.v20210219, org.eclipse.jetty:jetty-http:10.0.1, org.eclipse.jetty:jetty-http:11.0.1
