Ktlint: High severity issues in security dependency check

Created on 4 Jul 2019  路  17Comments  路  Source: pinterest/ktlint

Hi everyone,

I'm working with ktlint and i checked for dependency security issues in my project. In the latest version, ktlint presents 7 high severity issues, what i think that is a lot.

Is there any work going on to take a look and solve these problems? Thanks!

Screen Shot 2019-07-04 at 18 24 42

Analysis made with owasp dependency check

Most helpful comment

Also should be not a problem if #451 will be resolved.

All 17 comments

Hi! It looks like this is all due to a dependency? Does that dependency have an updated version without whatever security issues?

I'm using ktlint directly in my project, and i updated to the 0.33.0 what i'm thinking that is the last version available and stable. So, Ktlint does not have a new version without security issues i guess.

Sorry, yes I'm one of the maintainers of the project. I was just wondering if you'd looked into solutions at all. We will be releasing 0.34.0 soon and we can aim to include a fix for this.

Thank you!

@drcabral are this security issues raised only for latest release or releases before? And could you provide more details about this issues, like what exactly dependencies have security issues?

Hi @Tapchicoma, I was using the version 0.29.0 and I updated to 0.33.0 thinking that the issues could be solved, but all the same issues still remained.

I can share with you the messages about the issues that the dependency check identified:

-> Ktlint-core-0.33.0.jar

Published Vulnerabilities
CVE-2019-1010260聽聽suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC -聽https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0


-> ktlint-reporter-checkstyle-0.33.0

CVE-2019-1010260聽聽suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC -聽https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

CVE-2019-9658聽聽suppress

Checkstyle before 8.18 loads external DTDs by default.
CVSSv2:
* Base Score: MEDIUM (5.0)
* Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
* Base Score: MEDIUM (5.3)
* Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:
* FEDORA -聽FEDORA-2019-4696630d6f
* FEDORA -聽FEDORA-2019-a3f67e2364
* FEDORA -聽FEDORA-2019-e4405b4c9f
* MISC -聽https://checkstyle.org/releasenotes.html#Release_8.18
* MISC -聽https://github.com/checkstyle/checkstyle/issues/6474
* MISC -聽https://github.com/checkstyle/checkstyle/issues/6478
* MISC -聽https://github.com/checkstyle/checkstyle/pull/6476
* MLIST -聽[accumulo-notifications] 20190612 [GitHub] [accumulo-testing] milleruntime opened a new pull request #80: Update checkstyle
* MLIST -聽[debian-lts-announce] 20190428 [SECURITY] [DLA 1768-1] checkstyle security update
* MLIST -聽[james-server-dev] 20190318 [james-project] 01/03: JAMES-2693 Update com.puppycrawl.tools:checkstyle to respond to CVE-2019-9658

Vulnerable Software & Versions:
* cpe:2.3:a:checkstyle:checkstyle:*:*:*:*:*:*:*:* versions up to (excluding) 8.18

-> ktlint-reporter-json-0.33.0

Published Vulnerabilities
CVE-2019-1010260聽聽suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC -聽https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

-> ktlint-reporter-plain-0.33.0

Published Vulnerabilities
CVE-2019-1010260聽聽suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC -聽https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

-> ktlint-ruleset-experimental-0.33.0

Published Vulnerabilities
CVE-2019-1010260聽聽suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC -聽https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

-> ktlint-ruleset-standard-0.33.0

Published Vulnerabilities
CVE-2019-1010260聽聽suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC -聽https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

-> ktlint-test-0.33.0

Published Vulnerabilities
CVE-2019-1010260聽聽suppress

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
CVSSv2:
* Base Score: HIGH (9.3)
* Vector: /AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSv3:
* Base Score: HIGH (8.1)
* Vector: /AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:
* MISC -聽https://github.com/shyiko/ktlint/pull/332

Vulnerable Software & Versions:
* cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:* versions up to (excluding) 0.30.0

Ah ok I remember this issue. I believe the vulnerability has actually been fixed, but the process to mark it has such hasn't been resolved. @JLLeitschuh did it ever get resubmitted?

Also should be not a problem if #451 will be resolved.

I'm pretty unfamiliar with the process, but it does look like our assigned CVE number (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010260) does say it should be fixed in 0.30.0 and later; so not sure what's missing as far as the reporting.

The vulnerabilities from dependencies remain. I think the easiest solution for ktlint would be to simply upgrade as much as possible to the latest version.

The vulnerabilities from dependencies remain. I think the easiest solution for ktlint would be to simply upgrade as much as possible to the latest version.

Ah, I didn't see this one:
```CVE-2019-9658 suppress

Checkstyle before 8.18 loads external DTDs by default.

This is a bit confusing because I don't believe we actually include checkstyle as a dependency, we just output a checkstyle-formatted report. Does it just want us to require a higher checkstyle version?

override fun afterAll() {
out.println("""""")
out.println("""""")
for ((file, errList) in acc.entries.sortedBy { it.key }) {
out.println(""" """)
for ((line, col, ruleId, detail) in errList) {
out.println(
""" """
)
}
out.println("""
""")
}
out.println("""
""")
}
```

Heh.
That checkstyle vulnerability was also discovered by me.

Sent with GitHawk

The vulnerability in ktlint itself should be resolved as of 0.30.0.

That finding actually spawned this bit of research that's now public:

mitm_build
Want to take over the Java ecosystem? All you need is a MITM!

@JLLeitschuh do you know why we're getting flagged for the checkstyle vulnerability? We don't actually bring it in as a dependency. Is it just the checkstyle version we're writing out in the checkstyle reporter?

I added the OWASP Dependency Check plugin to the project in #514 and running it directly against the project doesn鈥榯 trigger the checkstyle vulnerability. However, there are others:

When we remove the MavenDependencyResolver the Guava, HttpClient and Plexus Utils dependencies will go away. https://github.com/pinterest/ktlint/issues/451

Hi. It looks like this ticket is ready to be resolved, now that #566 has been merged. Could we expect v0.35.0 soon?

Was this page helpful?
0 / 5 - 0 ratings