snowdensb / jpo-ode

This project forked from usdot-jpo-ode/jpo-ode

US Department of Transportation (USDOT) Intelligent Transportation Systems Operational Data Environment (ITS ODE). This is the main repository that integrates and coordinates ODE Submodules.

Shell 0.44% Batchfile 0.07% Java 95.91% HTML 2.60% JavaScript 0.12% CSS 0.06% C 0.18% Dockerfile 0.18% Makefile 0.04% Python 0.40%

jpo-ode's Introduction

jpo-ode

US Department of Transportation (USDOT) Intelligent Transportation Systems (ITS) Joint Program Office (JPO) Operational Data Environment (ODE)

The ITS ODE is a real-time virtual data router that ingests and processes operational data from various connected devices - including vehicles, infrastructure, and traffic management centers - and distributes it to other devices and subscribing transportation management applications. Using the ITS ODE within intelligent transportation deployments increases data fluidity and interoperability while meeting operational needs and protecting user privacy. The software’s microservices architecture makes it easy to add new capabilities to meet local needs. Check the ITS factsheet for more information: https://www.its.dot.gov/factsheets/pdf/ITSJPO_ODE.pdf.

Figure 1: ODE Dataflows

Documentation:

  1. ODE Architecture
  2. ODE User Guide
  3. ODE Output Schema Reference Guide
  4. ODE REST API Guide
  5. ODE Smoke Tests

All stakeholders are invited to provide input to these documents. To provide feedback, we recommend that you create an "issue" in this repository (https://github.com/usdot-jpo-ode/jpo-ode/issues). You will need a GitHub account to create an issue. If you don’t have an account, a dialog will be presented to you to create one at no cost.


  1. Usage Example
  2. Configuration
  3. Installation
  4. File Manifest
  5. Development Setup
  6. Release History
  7. Contact Information
  8. Contributing
  9. Known Bugs
  10. Credits and Acknowledgement
  11. Code.gov Registration Info
  12. Kubernetes

1. Usage Example

Once the ODE is deployed and running locally, you may access the ODE's demonstration console by opening your browser and navigating to http://localhost:8080.

  1. Press the Connect button to connect to the ODE WebSocket service.
  2. Press the Select File button to select an OBU log file containing BSMs and/or TIM messages as specified by the WYDOT CV Pilot project. See below documents for details:
  3. Press the Upload button to upload the file to ODE.

Records within uploaded files must embed BSM and/or TIM messages wrapped in a J2735 MessageFrame and ASN.1 UPER encoded, then wrapped in an IEEE 1609.2 envelope and ASN.1 COER encoded, in binary format. Please review the files in the data folder for samples of each supported type. By uploading a valid data file, you will be able to observe the decoded messages contained within the file appear in the web UI page while connected to the WebSocket interface.

Another way data can be uploaded to the ODE is by copying the file to the location specified by the ode.uploadLocationRoot/ode.uploadLocationObuLog property. If not specified, the default location is the uploads/bsmlog sub-directory off the location where ODE is launched.

The result of uploading and decoding of messages will be displayed on the UI screen.

Figure 2: ODE UI demonstrating message subscription

Notice that the empty fields in the J2735 message are represented by a null value. Also note that ODE output strips the MessageFrame header and returns a pure BSM or TIM in the subscription topic.

With the PPM module running, all filtered BSMs that are uploaded through the web interface will be captured and processed. You will see an output of both submitted BSM and processed data unless the entire record was filtered out.

2. Configuration

System Requirements

  • Minimum RAM: 16 GB
  • Minimum storage space: 100 GB
  • Supported operating systems:
    • Ubuntu 18.04 Linux (Recommended)
    • Windows 10 Professional (Professional version required for Docker virtualization)
    • OSX 10 Mojave

The ODE software can run on most standard Windows, Mac, or Linux based computers with Pentium core processors. Performance of the software depends on the computing power and available RAM of the system. Larger data flows can require much more storage depending on the amount of data being processed by the software. The ODE software application was developed using the open source programming language Java. If running the ODE outside of Docker, the application requires the Java 8 runtime environment.

Software Prerequisites

The ODE is bundled as a series of submodules running in Docker containers and managed by Docker-Compose. All other required dependencies will automatically be downloaded and installed as part of the Docker build process.

Tips and Advice

Read the following guides to familiarize yourself with ODE's Docker and Kafka modules.

Installation and Deployment:

  • Docker builds may fail if you are on a corporate network due to DNS resolution errors. See here for instructions to fix this.
  • Additionally, git commands may fail for similar reasons; you can work around this by running export GIT_SSL_NO_VERIFY=1 (this disables TLS certificate verification for git, so unset it once the clone succeeds).
  • Windows users may find more information on installing and using Docker here.
  • Users interested in Kafka may find more guidance and configuration options here.

Configuration:

If you wish to change the application properties, for example to change the location of the upload service via the ode.uploadLocation.* properties, to set ode.kafkaBrokers to something other than $DOCKER_HOST_IP:9092, or to change the log file upload folder, you can modify the jpo-ode-svcs\src\main\resources\application.properties file as desired instead of setting the environment variables.

ODE configuration can be customized for every deployment environment using environment variables. These variables can either be set locally or using the sample.env file. Instructions for how to use this file can be found here.

Important! You must rename sample.env to .env for Docker to automatically read the file. This file will contain AWS access keys and other private information. Do not push this file to source control.

3. Installation

The following instructions describe the minimal procedure to fetch, build, and run the main ODE application. If you want to use the privacy protection module and/or S3 depositors, see the User Guide for more detailed information. Additionally, different build processes are covered at the bottom of this section.

Step 0 - For Windows Users Only

If running on Windows, please make sure that your global git config is set up to not convert end-of-line characters during checkout.

Disable git core.autocrlf (One Time Only)

git config --global core.autocrlf false

Step 1 - Download the Source Code

The ODE software system consists of the following modules hosted in separate Github repositories:

Name Visibility Description
jpo-ode public Contains the public components of the application code.
jpo-cvdp public Privacy Protection Module
jpo-s3-deposit public S3 depositor service. Optional, comment out of docker-compose.yml file if not used.
asn1_codec public ASN.1 Encoder/Decoder module
jpo-security-svcs public Provides cryptographic services.
jpo-sdw-depositor public SDW depositor service. Optional, comment out of docker-compose.yml file if not used.

You may download the stable, default branch for ALL of these dependencies by using the following recursive git clone command:

git clone --recurse-submodules https://github.com/usdot-jpo-ode/jpo-ode.git

Once you have these repositories obtained, you are ready to build and deploy the application.

(Advanced) Downloading the source code from a non-default branch

The steps above pull the code from the GitHub repository's default branch, which is the stable branch. If you wish to pull the source code from a branch that is still under development or beta testing, you will need to specify the branch to pull from. The following commands aid you in that action.

Note: These commands can also be performed using the provided script update_branch.

# Backup user provided source or configuration files used by submodules
cp asn1_codec/asn1c_combined/J2735_201603DA.ASN .

# Run the following commands to reset existing branch
git reset --hard
git submodule foreach --recursive git reset --hard

# Pull from the non-default branch
git checkout <branch_name>
git pull origin <branch_name>

# The next command wipes out all of the submodules and re-initializes them.
git submodule deinit -f . && git submodule update --recursive --init

# Restore user provided source or configuration files used by submodules
cp ./J2735_201603DA.ASN asn1_codec/asn1c_combined/

Step 2 - Build and run the application

Notes:

  • Docker builds may fail if you are on a corporate network due to DNS resolution errors. See here for instructions to fix this.
  • In order for Docker to automatically read the environment variable file, you must rename it from sample.env to .env. This file will contain private keys; do not add it to version control.

Copy the following files from jpo-ode directory into your DOCKER_SHARED_VOLUME directory.

  • Copy jpo-ode/ppm.properties to ${DOCKER_SHARED_VOLUME}/config.properties. Open the newly copied config.properties file in a text editor and update the metadata.broker.list=your.docker.host.ip:9092 line with your system's DOCKER_HOST_IP in place of the dummy your.docker.host.ip string.
  • Copy jpo-ode/adm.properties to ${DOCKER_SHARED_VOLUME}/adm.properties
  • Copy jpo-ode/aem.properties to ${DOCKER_SHARED_VOLUME}/aem.properties

Navigate to the root directory of the jpo-ode project and run the following command:

docker-compose up --build -d
docker-compose ps

To bring down the services and remove the running containers run the following command:

docker-compose down

For a fresh restart, run:

docker-compose down
docker-compose up --build -d
docker-compose ps

To completely rebuild from scratch, run:

docker-compose down
docker-compose rm -fvs
docker-compose up --build -d
docker-compose ps

Check the deployment by running docker-compose ps. You can start and stop containers using docker-compose start and docker-compose stop commands. If using the multi-broker docker-compose file, you can change the scaling by running docker-compose scale <container>=n where container is the container you would like to scale and n is the number of instances. For example, docker-compose scale kafka=3.

asn1_codec Module (ASN.1 Encoder and Decoder)

ODE requires the deployment of the asn1_codec module. ODE's docker-compose.yml file is set up to build and deploy the module in a Docker container. If you wish to run the asn1_codec module outside Docker (i.e. directly on the host machine), please refer to the documentation of the asn1_codec module.

The only requirement for deploying the asn1_codec module on Docker is setting two environment variables, DOCKER_HOST_IP and DOCKER_SHARED_VOLUME.

PPM Module (Geofencing and Filtering)

To run the ODE with the PPM module, you must install and start the PPM service. The PPM service communicates with other services through Kafka topics. PPM will read from the specified "Raw BSM" topic and publish the result to the specified "Filtered BSM" topic. These topic names are specified by the following ODE and PPM properties:

  • ODE properties for communications with PPM (set in application.properties)
    • ode.kafkaTopicOdeBsmJson (default = topic.OdeBsmJson)
    • ode.kafkaTopicFilteredOdeBsmJson (default = topic.FilteredOdeBsmJson)
  • PPM properties for communications with ODE (set in your config.properties)
    • privacy.topic.consumer (default = j2735BsmRawJson)
    • privacy.topic.producer (default = j2735BsmFilteredJson)
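As an added example (not code from the jpo-ode project), the following Python script checks the two deployment settings discussed on this page: that a renamed .env holding AWS keys is git-ignored and carries no real credentials, and that the PPM topic properties line up with the ODE's. It assumes the PPM consumer topic must equal the ODE's BSM JSON topic and the PPM producer topic the ODE's filtered topic, and that metadata.broker.list must no longer hold the your.docker.host.ip placeholder; all sample files are constructed.

```python
import fnmatch
import re

# Constructed sample files for this example (not the project's own files):
# a .gitignore that forgets .env, a renamed sample.env with one real-looking
# AWS key pasted in, and the ODE/PPM property files with defaults left in place.
GITIGNORE = "target/\n*.log\n"
DOT_ENV = """\
DOCKER_HOST_IP=192.168.1.10
DOCKER_SHARED_VOLUME=/opt/ode/shared
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
AWS_SECRET_ACCESS_KEY=<your-secret-key>
"""
ODE_PROPS = """\
ode.kafkaBrokers=${DOCKER_HOST_IP}:9092
ode.kafkaTopicOdeBsmJson=topic.OdeBsmJson
ode.kafkaTopicFilteredOdeBsmJson=topic.FilteredOdeBsmJson
"""
PPM_PROPS = """\
# broker placeholder from ppm.properties not replaced; consumer topic left at its default
metadata.broker.list=your.docker.host.ip:9092
privacy.topic.consumer=j2735BsmRawJson
privacy.topic.producer=topic.FilteredOdeBsmJson
"""

# Values that are obviously placeholders rather than real settings.
PLACEHOLDER_RE = re.compile(r"^(<.*>|your[._-].*|changeme|xxx+)$", re.I)
# Variable names that usually carry credentials.
SECRET_KEY_RE = re.compile(r"SECRET|TOKEN|PASSWORD|ACCESS_KEY|API_KEY", re.I)


def parse_kv(text):
    """Parse KEY=VALUE lines as used by both .env and Java .properties files."""
    kv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        kv[key.strip()] = value.strip().strip("'\"")
    return kv


def is_ignored(gitignore_text, name):
    """True if a non-negated .gitignore pattern matches the given file name."""
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if pat and not pat.startswith(("#", "!")) and fnmatch.fnmatch(name, pat.lstrip("/")):
            return True
    return False


def audit_env(env_text, gitignore_text):
    """Report credentials present in .env and whether git would commit that file."""
    env = parse_kv(env_text)
    secrets = sorted(k for k, v in env.items()
                     if SECRET_KEY_RE.search(k) and not PLACEHOLDER_RE.match(v))
    findings = ["SECRET_SET:" + k for k in secrets]
    if secrets and not is_ignored(gitignore_text, ".env"):
        findings.append("ENV_NOT_GITIGNORED")
    return findings


def audit_ppm_wiring(ode_text, ppm_text):
    """Check that PPM reads the topic ODE writes and writes the topic ODE reads back."""
    ode, ppm = parse_kv(ode_text), parse_kv(ppm_text)
    # Defaults as listed in the README; note they do not line up out of the box.
    ode_raw = ode.get("ode.kafkaTopicOdeBsmJson", "topic.OdeBsmJson")
    ode_filtered = ode.get("ode.kafkaTopicFilteredOdeBsmJson", "topic.FilteredOdeBsmJson")
    ppm_in = ppm.get("privacy.topic.consumer", "j2735BsmRawJson")
    ppm_out = ppm.get("privacy.topic.producer", "j2735BsmFilteredJson")
    findings = []
    if ppm_in != ode_raw:
        findings.append(f"CONSUMER_MISMATCH:{ppm_in}!={ode_raw}")
    if ppm_out != ode_filtered:
        findings.append(f"PRODUCER_MISMATCH:{ppm_out}!={ode_filtered}")
    brokers = ppm.get("metadata.broker.list", "")
    if not brokers or PLACEHOLDER_RE.match(brokers.split(":")[0]):
        findings.append("BROKER_PLACEHOLDER:" + brokers)
    return findings


if __name__ == "__main__":
    for finding in audit_env(DOT_ENV, GITIGNORE) + audit_ppm_wiring(ODE_PROPS, PPM_PROPS):
        print(finding)
```

Run it against your real .gitignore, .env, application.properties and config.properties before docker-compose up; an empty result means the PPM will actually see the BSMs the ODE publishes.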

Follow the instructions here to install and build the PPM service.

During the build process, edit the sample config file located in config/example.properties and point the property metadata.broker.list towards the host of your docker machine or wherever the kafka brokers are hosted. You may use the command docker-machine ls to find the kafka service.

After a successful build, use the following commands to configure and run the PPM:

cd $BASE_PPM_DIR/jpo-cvdp/build
./bsmjson_privacy -c ../config/ppm.properties

4. File Manifest

This section outlines the software technology stacks of the ODE.

Containerization and Management

Messaging

Code Quality

Continuous Integration

ODE Code

Web UI

5. Development Setup

Integrated Development Environment (IDE)

Install the IDE of your choice:

Continuous Integration

6. Release History

Release Notes

7. Contact Information

Contact the developers of the ODE application by submitting a Github issue.

Contact the ODE management representative using the information in the Code.gov Registration Info section.

License information

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for the specific language governing permissions and limitations under the License.

8. Contributing

Please read our contributing guide to learn about our development process, how to propose pull requests and improvements, and how to build and test your changes to this project.

Source Repositories - GitHub

Agile Project Management - Jira

https://usdotjpoode.atlassian.net/secure/RapidBoard.jspa?projectKey=ODE

Wiki - Confluence

https://usdotjpoode.atlassian.net/wiki/

Continuous Integration and Delivery

https://travis-ci.org/usdot-jpo-ode/jpo-ode

Using Travis for your build

To allow Travis to run your build when you push your changes to your public fork of the jpo-ode repository, you must define the following secure environment variable using the Travis CLI (https://github.com/travis-ci/travis.rb).

Run:

travis login --org

Enter your personal GitHub account credentials.

In order to allow Sonar to run, a personal key must be added with the following command (the key can be obtained from the JPO-ODE development team):

travis env set SONAR_SECURITY_TOKEN <key> -pr <user-account>/<repo-name>

Static Code Analysis

https://sonarcloud.io/organizations/usdot-jpo-ode/projects

Quality Assurance

Code quality assurance is reported through the usdot-jpo-ode SonarCloud organization. Code quality reports are generated by the JaCoCo plugin for Maven during the ODE's webhook-triggered TravisCI build. After a successful build, the SonarQube scanner plugin for Maven creates and uploads a code quality report to SonarCloud.

For regression and user acceptance testing, ODE provides an automated test harness. The test harness is provided in the qa/test-harness directory under the jpo-ode root folder. The test harness uses the ODE Validator Library repository as a submodule.

For more information, please see: https://github.com/usdot-jpo-ode/jpo-ode/wiki/Using-the-ODE-test-harness

9. Known Bugs

Date: 07/2017

In its current state, the ODE has been developed to accomplish the goals of data transfer, security, and modularity, working with J2735 messages and IEEE 1609.2 security. The system has been designed to support multiple services orchestrated through Apache Kafka streaming data pipelines; these services are built and supported as separate applications and described in each service's repository. As a modular system, each component has been built for functionality first, and additional performance testing is needed to understand the limits of the system with large volumes of data.

Troubleshooting

Please read our Wiki for more information, or check the User Guide.

Application support for the ODE is currently managed via GitHub's native issue tracker: https://github.com/usdot-jpo-ode/jpo-ode/issues.

10. Credits and Acknowledgement

Attribution

11. Code.gov Registration Info

Agency: DOT

Short Description: The ITS ODE is a real-time virtual data router that ingests and processes operational data from various connected devices – including vehicles, infrastructure, and traffic management centers – and distributes it to other devices and subscribing transportation management applications. Using the ITS ODE within intelligent transportation deployments increases data fluidity and interoperability while meeting operational needs and protecting user privacy. The software’s microservices architecture makes it easy to add new capabilities to meet local needs.

Status: Beta

Tags: transportation, connected vehicles, intelligent transportation systems, java

Labor hours: 200

Contact Name: James Lieu

Contact Phone: (202) 366-3000

12. Kubernetes

The ODE can be run in a k8s environment. See this document for more details about this.

jpo-ode's People

Contributors

0111sandesh, abey-yoseph, alexsobledotgov, bbrotsos, dan-du-car, danrasband, dmccoystephenson, drewjj, hmusavi, jtbaird, mend-for-github-com[bot], mgarramo, mvs5465, paynebrandon, saikrishnabairamoni, schwartz-matthew-bah, snallamothu, snowdensb, southernsun, tonychen091, tonyenglish, toryb1, trevor-trou

jpo-ode's Issues

CVE-2014-0193 (Medium) detected in netty-3.7.0.Final.jar - autoclosed

CVE-2014-0193 - Medium Severity Vulnerability

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar
        • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.

Publish Date: 2014-05-06

URL: CVE-2014-0193

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0193

Release Date: 2014-05-06

Fix Resolution: io.netty:netty-all:4.0.19.Final,io.netty:netty-codec-http:4.0.19.Final,io.netty:netty:3.6.9.Final,io.netty:netty:3.7.1.Final,io.netty:netty:3.8.2.Final,io.netty:netty:3.9.1.Final

CVE-2019-0201 (Medium) detected in zookeeper-3.4.8.jar - autoclosed

CVE-2019-0201 - Medium Severity Vulnerability

Vulnerable Library - zookeeper-3.4.8.jar

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request from unauthenticated or unprivileged users.

Publish Date: 2019-05-23

URL: CVE-2019-0201

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://zookeeper.apache.org/security.html

Release Date: 2019-05-23

Fix Resolution: 3.4.14, 3.5.5

CVE-2021-42550 (Medium) detected in logback-core-1.2.3.jar, logback-classic-1.2.3.jar - autoclosed

CVE-2021-42550 - Medium Severity Vulnerability

Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar

logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • logback-core-1.2.3.jar (Vulnerable Library)

logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-boot-starter-logging-2.5.0.jar
      • logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-classic): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8


⛑️ Automatic Remediation will be attempted for this issue.

License Policy Violation detected in rocksdbjni-5.18.4.jar

License Policy Violation detected in rocksdbjni-5.18.4.jar

Library - rocksdbjni-5.18.4.jar

RocksDB fat jar that contains .so files for linux32 and linux64, jnilib files for Mac OSX, and a .dll for Windows x64.

Library home page: http://rocksdb.org/

Path to dependency file: /jpo-ode-core/pom.xml

Path to library: /home/wss-scanner/.m2/repository/org/rocksdb/rocksdbjni/5.18.4/rocksdbjni-5.18.4.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka-streams-2.7.1.jar
      • rocksdbjni-5.18.4.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

Apache 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/cf34de58-3656-4437-bf31-f093eb647c9e

GPL 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/1f4ed4ce-48af-4a60-9368-bb38dbb3c74f

    ⛔ License Policy Violation - No GPL

CVE-2014-3488 (High) detected in netty-3.7.0.Final.jar - autoclosed

CVE-2014-3488 - High Severity Vulnerability

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar
        • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

Publish Date: 2014-07-31

URL: CVE-2014-3488

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488

Release Date: 2014-07-31

Fix Resolution: 3.9.2.Final

CVE-2022-23307 (High) detected in log4j-1.2.17.jar - autoclosed

CVE-2022-23307 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23305 (Critical) detected in log4j-1.2.17.jar - autoclosed

CVE-2022-23305 - Critical Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-33037 (Medium) detected in tomcat-embed-core-9.0.46.jar - autoclosed

CVE-2021-33037 - Medium Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-boot-starter-tomcat-2.5.0.jar
      • tomcat-embed-core-9.0.46.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identity encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Publish Date: 2021-07-12

URL: CVE-2021-33037

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2021-07-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.48

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.2


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-20444 (Critical) detected in netty-3.7.0.Final.jar - autoclosed

CVE-2019-20444 - Critical Severity Vulnerability

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket servers.

Library home page: http://netty.io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar
        • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-all:4.1.44.Final

WS-2021-0419 (High) detected in gson-2.8.6.jar - autoclosed

WS-2021-0419 - High Severity Vulnerability

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • gson-2.8.6.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: 2.8.9


⛑️ Automatic Remediation will be attempted for this issue.

WS-2021-0616 (Medium) detected in jackson-databind-2.12.3.jar - autoclosed

WS-2021-0616 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.12.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar

Dependency Hierarchy:

  • jackson-databind-2.12.3.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In FasterXML jackson-databind before 2.12.6 and 2.13.1 there is a DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution: 2.12.4


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22060 (Medium) detected in spring-web-5.3.7.jar, spring-core-5.3.7.jar - autoclosed

CVE-2021-22060 - Medium Severity Vulnerability

Vulnerable Libraries - spring-web-5.3.7.jar, spring-core-5.3.7.jar

spring-web-5.3.7.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-web-5.3.7.jar (Vulnerable Library)

spring-core-5.3.7.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-core-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-10

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2021-22060

Release Date: 2022-01-10

Fix Resolution (org.springframework:spring-web): 5.3.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.8

Fix Resolution (org.springframework:spring-core): 5.3.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22965 (Critical) detected in spring-beans-5.3.7.jar - autoclosed

CVE-2022-22965 - Critical Severity Vulnerability

Vulnerable Library - spring-beans-5.3.7.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar

Dependency Hierarchy:

  • spring-messaging-5.3.7.jar (Root Library)
    • spring-beans-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.3.18

Direct dependency fix Resolution (org.springframework:spring-messaging): 5.3.18


⛑️ Automatic Remediation will be attempted for this issue.

License Policy Violation detected in javax.activation-api-1.2.0.jar

Library - javax.activation-api-1.2.0.jar

JavaBeans Activation Framework API jar

Library home page: http://java.net/all/javax.activation-api/

Path to dependency file: /jpo-ode-plugins/pom.xml

Path to library: /home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar,/home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar,/home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar,/home/wss-scanner/.m2/repository/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.jar

Dependency Hierarchy:

  • jpo-ode-common-1.0.10-SNAPSHOT.jar (Root Library)
    • jaxb-api-2.3.1.jar
      • javax.activation-api-1.2.0.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

CDDL 1.1
License Reference File: https://repo.maven.apache.org/maven2/javax/activation/javax.activation-api/1.2.0/javax.activation-api-1.2.0.pom

GPL 2.0 Classpath
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/e96c8fbd-cb83-4584-9141-6ce6630e023b

    ⛔ License Policy Violation - No GPL

CVE-2017-5637 (High) detected in zookeeper-3.4.8.jar - autoclosed

CVE-2017-5637 - High Severity Vulnerability

Vulnerable Library - zookeeper-3.4.8.jar

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar,/home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Two four-letter-word commands, "wchp/wchc", are CPU intensive and could cause a spike in CPU utilization on an Apache ZooKeeper server if abused, which leaves the server unable to serve legitimate client requests. Apache ZooKeeper through version 3.4.9 and 3.5.2 suffers from this issue, fixed in 3.4.10, 3.5.3, and later.

Publish Date: 2017-10-10

URL: CVE-2017-5637

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637

Release Date: 2017-10-09

Fix Resolution: org.apache.zookeeper:zookeeper - 3.4.10,3.5.3-beta

WS-2021-0491 (Medium) detected in logback-classic-1.2.3.jar - autoclosed

WS-2021-0491 - Medium Severity Vulnerability

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: jpo-ode/jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-boot-starter-logging-2.5.0.jar
      • logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Logback before 1.2.8 is vulnerable to Remote Code Execution (RCE) when write access to 'logback.xml' and JNDI lookup are enabled.

Publish Date: 2021-12-13

URL: WS-2021-0491

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://logback.qos.ch/news.html

Release Date: 2021-12-13

Fix Resolution: ch.qos.logback:logback-classic:1.2.8

CVE-2015-2156 (High) detected in netty-3.7.0.Final.jar - autoclosed

CVE-2015-2156 - High Severity Vulnerability

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket servers.

Library home page: http://netty.io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar
        • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Publish Date: 2017-10-18

URL: CVE-2015-2156

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156

Release Date: 2017-10-18

Fix Resolution: io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5

CVE-2022-23302 (High) detected in log4j-1.2.17.jar - autoclosed

CVE-2022-23302 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-36374 (Medium) detected in ant-1.10.9.jar - autoclosed

CVE-2021-36374 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.9.jar

Library home page: https://ant.apache.org/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar

Dependency Hierarchy:

  • groovy-all-3.0.8-groovydoc.jar (Root Library)
    • groovy-ant-3.0.8.jar
      • ant-1.10.9.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory, leading to an out-of-memory error even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats of ZIP archives are, for instance, JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 was affected.

Publish Date: 2021-07-14

URL: CVE-2021-36374

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2021-07-14

Fix Resolution (org.apache.ant:ant): 1.10.11

Direct dependency fix Resolution (org.codehaus.groovy:groovy-all): 3.0.9


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22968 (Medium) detected in spring-context-5.3.7.jar - autoclosed

CVE-2022-22968 - Medium Severity Vulnerability

Vulnerable Library - spring-context-5.3.7.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.7/spring-context-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-boot-2.5.0.jar
      • spring-context-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution (org.springframework:spring-context): 5.3.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.13


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22096 (Medium) detected in multiple libraries - autoclosed

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Libraries - spring-web-5.3.7.jar, spring-webmvc-5.3.7.jar, spring-core-5.3.7.jar

spring-web-5.3.7.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.7/spring-web-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-web-5.3.7.jar (Vulnerable Library)

spring-webmvc-5.3.7.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.7/spring-webmvc-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-webmvc-5.3.7.jar (Vulnerable Library)

spring-core-5.3.7.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.7/spring-core-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-core-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-web): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.6

Fix Resolution (org.springframework:spring-webmvc): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.6

Fix Resolution (org.springframework:spring-core): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.6


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-8012 (High) detected in zookeeper-3.4.8.jar - autoclosed

CVE-2018-8012 - High Severity Vulnerability

Vulnerable Library - zookeeper-3.4.8.jar

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar,/home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.8/zookeeper-3.4.8.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • kafka_2.11-0.10.1.0.jar
      • zookeeper-3.4.8.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Publish Date: 2018-05-21

URL: CVE-2018-8012

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012

Release Date: 2018-05-21

Fix Resolution: 3.4.10,3.5.4-beta

CVE-2020-11023 (Medium) detected in jquery-2.1.1.jar - autoclosed

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.1.jar

WebJar for jQuery

Library home page: http://webjars.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar

Dependency Hierarchy:

  • jquery-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: 3.5.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22950 (Medium) detected in spring-expression-5.3.7.jar - autoclosed

CVE-2022-22950 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.3.7.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.7/spring-expression-5.3.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.0.jar (Root Library)
    • spring-webmvc-5.3.7.jar
      • spring-expression-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.3.17

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.11


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-36373 (Medium) detected in ant-1.10.9.jar - autoclosed

CVE-2021-36373 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.9.jar

Library home page: https://ant.apache.org/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.9/ant-1.10.9.jar

Dependency Hierarchy:

  • groovy-all-3.0.8-groovydoc.jar (Root Library)
    • groovy-ant-3.0.8.jar
      • ant-1.10.9.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory, which finally leads to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.

Publish Date: 2021-07-14

URL: CVE-2021-36373

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373

Release Date: 2021-07-14

Fix Resolution (org.apache.ant:ant): 1.10.11

Direct dependency fix Resolution (org.codehaus.groovy:groovy-all): 3.0.9


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22047 (Medium) detected in spring-data-rest-webmvc-3.5.1.jar - autoclosed

CVE-2021-22047 - Medium Severity Vulnerability

Vulnerable Library - spring-data-rest-webmvc-3.5.1.jar

Spring Data REST - WebMVC

Library home page: https://www.spring.io/spring-data

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-rest-webmvc/3.5.1/spring-data-rest-webmvc-3.5.1.jar

Dependency Hierarchy:

  • spring-boot-starter-data-rest-2.5.0.jar (Root Library)
    • spring-data-rest-webmvc-3.5.1.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration.

Publish Date: 2021-10-28

URL: CVE-2021-22047

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22047

Release Date: 2021-10-28

Fix Resolution (org.springframework.data:spring-data-rest-webmvc): 3.5.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-rest): 2.5.6


⛑️ Automatic Remediation will be attempted for this issue.

License Policy Violation detected in jsr311-api-1.1.1.jar

Library - jsr311-api-1.1.1.jar

Library home page: https://jsr311.dev.java.net

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to library: /home/wss-scanner/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar,/home/wss-scanner/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar

Dependency Hierarchy:

  • jersey-core-1.19.1.jar (Root Library)
    • jsr311-api-1.1.1.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

CDDL 1.1
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/4536c631-af26-4900-bd7a-696040f4766c

    ⛔ License Policy Violation - No GPL

License Policy Violation detected in amqp-client-5.12.0.jar

Library - amqp-client-5.12.0.jar

The RabbitMQ Java client library allows Java applications to interface with RabbitMQ.

Library home page: https://www.rabbitmq.com

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to library: /home/wss-scanner/.m2/repository/com/rabbitmq/amqp-client/5.12.0/amqp-client-5.12.0.jar,/home/wss-scanner/.m2/repository/com/rabbitmq/amqp-client/5.12.0/amqp-client-5.12.0.jar

Dependency Hierarchy:

  • jpo-ode-core-1.0.10-SNAPSHOT.jar (Root Library)
    • metrics-graphite-4.1.21.jar
      • amqp-client-5.12.0.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

Apache 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/cf34de58-3656-4437-bf31-f093eb647c9e

GPL 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/1f4ed4ce-48af-4a60-9368-bb38dbb3c74f

Mozilla 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/f2638f89-5648-4e18-b8b9-7c88bc5811b4

    ⛔ License Policy Violation - No GPL

CVE-2019-11358 (Medium) detected in jquery-2.1.1.jar - autoclosed

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.1.jar

WebJar for jQuery

Library home page: http://webjars.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar

Dependency Hierarchy:

  • jquery-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2015-9251 (Medium) detected in jquery-2.1.1.jar - autoclosed

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.1.jar

WebJar for jQuery

Library home page: http://webjars.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar

Dependency Hierarchy:

  • jquery-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: 3.0.0-alpha1


⛑️ Automatic Remediation will be attempted for this issue.

License Policy Violation detected in javax.websocket-client-api-1.1.jar

Library - javax.websocket-client-api-1.1.jar

JSR 356: Java API for WebSocket

Library home page: http://websocket-spec.java.net

Path to dependency file: /jpo-ode-plugins/pom.xml

Path to library: /home/wss-scanner/.m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar,/m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar,/home/wss-scanner/.m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar,/home/wss-scanner/.m2/repository/javax/websocket/javax.websocket-client-api/1.1/javax.websocket-client-api-1.1.jar

Dependency Hierarchy:

  • javax.websocket-client-api-1.1.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

CDDL 1.1
License Reference File: https://glassfish.java.net/public/CDDL+GPL_1_1.html

GPL 2.0 Classpath
License Reference File: https://glassfish.java.net/public/CDDL+GPL_1_1.html

    ⛔ License Policy Violation - No GPL

CVE-2022-25647 (High) detected in gson-2.8.6.jar - autoclosed

CVE-2022-25647 - High Severity Vulnerability

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • gson-2.8.6.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647

Release Date: 2022-05-01

Fix Resolution: 2.8.9


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-1288 (Medium) detected in kafka_2.11-0.10.1.0.jar - autoclosed

CVE-2018-1288 - Medium Severity Vulnerability

Vulnerable Library - kafka_2.11-0.10.1.0.jar

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /m2/repository/org/apache/kafka/kafka_2.11/0.10.1.0/kafka_2.11-0.10.1.0.jar,/home/wss-scanner/.m2/repository/org/apache/kafka/kafka_2.11/0.10.1.0/kafka_2.11-0.10.1.0.jar

Dependency Hierarchy:

  • kafka_2.11-0.10.1.0.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform actions reserved for the Broker via a manually created fetch request, interfering with data replication and resulting in data loss.

Publish Date: 2018-07-26

URL: CVE-2018-1288

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288

Release Date: 2018-07-26

Fix Resolution: 0.10.2.2


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9493 (Critical) detected in log4j-1.2.17.jar - autoclosed

CVE-2020-9493 - Critical Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-43466 (Critical) detected in thymeleaf-spring5-3.0.12.RELEASE.jar - autoclosed

CVE-2021-43466 - Critical Severity Vulnerability

Vulnerable Library - thymeleaf-spring5-3.0.12.RELEASE.jar

Modern server-side Java template engine for both web and standalone environments

Library home page: http://www.thymeleaf.org

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf-spring5/3.0.12.RELEASE/thymeleaf-spring5-3.0.12.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-thymeleaf-2.5.0.jar (Root Library)
    • thymeleaf-spring5-3.0.12.RELEASE.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.

Publish Date: 2021-11-09

URL: CVE-2021-43466

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.thymeleaf.org/releasenotes.html#thymeleaf-3.0.13

Release Date: 2021-11-09

Fix Resolution (org.thymeleaf:thymeleaf-spring5): 3.0.13.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.5.8


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-17571 (Critical) detected in log4j-1.2.17.jar - autoclosed

CVE-2019-17571 - Critical Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-4104 (High) detected in log4j-1.2.17.jar - autoclosed

CVE-2021-4104 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-38153 (Medium) detected in kafka-clients-2.7.1.jar - autoclosed

CVE-2021-38153 - Medium Severity Vulnerability

Vulnerable Library - kafka-clients-2.7.1.jar

Library home page: https://kafka.apache.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /m2/repository/org/apache/kafka/kafka-clients/2.7.1/kafka-clients-2.7.1.jar,/home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.7.1/kafka-clients-2.7.1.jar

Dependency Hierarchy:

  • kafka-clients-2.7.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Publish Date: 2021-09-22

URL: CVE-2021-38153

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153

Release Date: 2021-09-22

Fix Resolution: 2.7.2


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-11022 (Medium) detected in jquery-2.1.1.jar - autoclosed

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-2.1.1.jar

WebJar for jQuery

Library home page: http://webjars.org

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar,/home/wss-scanner/.m2/repository/org/webjars/jquery/2.1.1/jquery-2.1.1.jar

Dependency Hierarchy:

  • jquery-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: 3.5.0


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9488 (Low) detected in log4j-1.2.17.jar - autoclosed

CVE-2020-9488 - Low Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3


CVE-2020-36518 (High) detected in jackson-databind-2.12.3.jar - autoclosed

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.12.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /jpo-ode-common/pom.xml

Path to vulnerable library: /m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar

Dependency Hierarchy:

  • jackson-databind-2.12.3.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution: 2.12.6.1


⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44228 (High) detected in log4j-api-2.14.1.jar - autoclosed

CVE-2021-44228 - High Severity Vulnerability

Vulnerable Library - log4j-api-2.14.1.jar

The Apache Log4j API

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: jpo-ode/jpo-ode-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar,/home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • spring-boot-starter-logging-2.5.0.jar
      • log4j-to-slf4j-2.14.1.jar
        • log4j-api-2.14.1.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.

Publish Date: 2021-11-27

URL: CVE-2021-44228

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jfh8-c2jp-5v3q

Release Date: 2021-12-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.15.0

License Policy Violation detected in jaxb-api-2.3.1.jar

Library - jaxb-api-2.3.1.jar

JAXB (JSR 222) API

Path to dependency file: /jpo-ode-plugins/pom.xml

Path to library: /home/wss-scanner/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/home/wss-scanner/.m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar,/m2/repository/javax/xml/bind/jaxb-api/2.3.1/jaxb-api-2.3.1.jar

Dependency Hierarchy:

  • jaxb-api-2.3.1.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

CDDL 1.1
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/4536c631-af26-4900-bd7a-696040f4766c

GPL 2.0 Classpath
License Reference File: https://github.com/javaee/jaxb-spec/blob/master/LICENSE.txt

    ⛔ License Policy Violation - No GPL

CVE-2021-29425 (Medium) detected in commons-io-2.4.jar - autoclosed

CVE-2021-29425 - Medium Severity Vulnerability

Vulnerable Library - commons-io-2.4.jar

The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/io/

Path to dependency file: /jpo-ode-core/pom.xml

Path to vulnerable library: /m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar

Dependency Hierarchy:

  • commons-io-2.4.jar (Vulnerable Library)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

Vulnerability Details

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: 2.7


⛑️ Automatic Remediation will be attempted for this issue.

WS-2022-0107 (High) detected in spring-beans-5.3.7.jar - autoclosed

WS-2022-0107 - High Severity Vulnerability

Vulnerable Library - spring-beans-5.3.7.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /jpo-ode-svcs/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.7/spring-beans-5.3.7.jar

Dependency Hierarchy:

  • spring-messaging-5.3.7.jar (Root Library)
    • spring-beans-5.3.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Spring Framework before 5.2.20 and 5.3.x before 5.3.18 are vulnerable due to a flaw in spring-beans which, under certain circumstances, allows attackers to achieve remote code execution. This vulnerability is also known as "Spring4Shell" or "SpringShell".

The current POC for the attack uses a specially crafted request that manipulates the ClassLoader to achieve RCE (Remote Code Execution).
Please note that the ease of exploitation may vary with the code implementation.

Currently, the exploit requires JDK 9 or higher, Apache Tomcat as the Servlet container, the application packaged as a WAR, and a dependency on spring-webmvc or spring-webflux.
Spring Framework 5.3.18 and 5.2.20 have already been released.

WhiteSource's research team is carefully observing developments and researching the case. We will keep updating this page and our WhiteSource resources with updates.
This is a temporary WhiteSource ID until an official CVE ID is released.

Publish Date: 2022-03-30

URL: WS-2022-0107

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-03-30

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

License Policy Violation detected in jakarta.annotation-api-1.3.5.jar

Library - jakarta.annotation-api-1.3.5.jar

Jakarta Annotations API

Library home page: https://projects.eclipse.org/projects/ee4j.ca

Path to dependency file: /jpo-ode-common/pom.xml

Path to library: /home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar

Dependency Hierarchy:

  • spring-boot-starter-2.5.0.jar (Root Library)
    • jakarta.annotation-api-1.3.5.jar (Library containing License Policy Violation)

Found in HEAD commit: b1b93d98c7ec02a197c74276c4808779b43a5745

Found in base branch: dev

📃 License Details

Eclipse 2.0
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/67cc8d70-b680-4b02-9ebd-12aedc62fdcb

GPL 2.0 Classpath
License Reference File: https://index.whitesourcesoftware.com/gri/app/reader/resource/content/asString/e96c8fbd-cb83-4584-9141-6ce6630e023b

    ⛔ License Policy Violation - No GPL
