Sormas uses these vulnerable dependencies
[ERROR] apache-jsp-8.0.9.M3.jar: CVE-2020-8022, CVE-2016-5388, CVE-2016-8735, CVE-2018-8014, CVE-2017-5648, CVE-2017-12617
[ERROR] apache-jsp-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] htmlunit-2.19.jar: CVE-2020-5529
[ERROR] htmlunit-core-js-2.17.jar: CVE-2020-5529
[ERROR] jetty-server-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] jetty-xml-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] tapestry-4.0.2.jar: CVE-2020-17531
[ERROR] websocket-client-9.2.13.v20150730.jar: CVE-2017-7658, CVE-2017-7657
mvn org.owasp:dependency-check-maven:6.0.3:check[ERROR] apache-jsp-8.0.9.M3.jar: CVE-2020-8022, CVE-2016-5388, CVE-2016-8735, CVE-2018-8014, CVE-2017-5648, CVE-2017-12617
[ERROR] apache-jsp-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] htmlunit-2.19.jar: CVE-2020-5529
[ERROR] htmlunit-core-js-2.17.jar: CVE-2020-5529
[ERROR] jetty-server-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] jetty-xml-9.2.14.v20151106.jar: CVE-2017-7658, CVE-2017-7657
[ERROR] tapestry-4.0.2.jar: CVE-2020-17531
[ERROR] websocket-client-9.2.13.v20150730.jar: CVE-2017-7658, CVE-2017-7657
These depencies were not updated in
https://github.com/hzi-braunschweig/SORMAS-Project/issues/3584
Althoug https://github.com/hzi-braunschweig/SORMAS-Project/pull/3626 already listed them as vulnerable.
no vulnerable dependencies in Sormas
As stated already twice, these are no used dependencies in the product (as far as I did track it down), for me this ticket is _invalid_.
Hm, what are "used dependencies"?
mvn org.owasp:dependency-check-maven:6.0.3:check outputs that sormas is depending on vulnerable depenencies like htmlunit.
And mvn dependency:tree -Dverbose shows that e.g. the vulnerable jetty-xml-9.2.14.v20151106.jar is a dependency
[INFO] +- com.vaadin:vaadin-client-compiler:jar:8.12.1:provided
[INFO] | +- (com.vaadin:vaadin-client:jar:8.12.1:provided - omitted for duplicate)
[INFO] | +- com.google.gwt:gwt-dev:jar:2.8.2:provided
[INFO] | | +- com.google.code.findbugs:jsr305:jar:1.3.9:provided
[INFO] | | +- com.google.code.gson:gson:jar:2.6.2:provided
[INFO] | | +- org.ow2.asm:asm:jar:5.0.3:provided
[INFO] | | +- org.ow2.asm:asm-util:jar:5.0.3:provided
[INFO] | | | - org.ow2.asm:asm-tree:jar:5.0.3:provided
[INFO] | | | - (org.ow2.asm:asm:jar:5.0.3:provided - omitted for duplicate)
[INFO] | | +- org.ow2.asm:asm-commons:jar:5.0.3:provided
[INFO] | | | - (org.ow2.asm:asm-tree:jar:5.0.3:provided - omitted for duplicate)
[INFO] | | +- colt:colt:jar:1.2.0:provided
[INFO] | | +- ant:ant:jar:1.6.5:provided
[INFO] | | +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] | | +- commons-io:commons-io:jar:2.8.0:provided (version managed from 2.4)
[INFO] | | +- com.ibm.icu:icu4j:jar:50.1.1:provided
[INFO] | | +- tapestry:tapestry:jar:4.0.2:provided
[INFO] | | +- net.sourceforge.htmlunit:htmlunit:jar:2.19:provided
[INFO] | | | +- xalan:xalan:jar:2.7.2:provided
[INFO] | | | | - xalan:serializer:jar:2.7.2:provided
[INFO] | | | | - (xml-apis:xml-apis:jar:1.3.04:provided - omitted for conflict with 1.4.01)
[INFO] | | | +- (commons-collections:commons-collections:jar:3.2.2:provided - version managed from 3.2.1; omitted for duplicate)
[INFO] | | | +- org.apache.commons:commons-lang3:jar:3.11:provided (version managed from 3.4)
[INFO] | | | +- org.apache.httpcomponents:httpclient:jar:4.5.13:provided (version managed from 4.5.1)
[INFO] | | | | +- org.apache.httpcomponents:httpcore:jar:4.4.14:provided (version managed from 4.4.13)
[INFO] | | | | +- (commons-logging:commons-logging:jar:1.2:provided - omitted for duplicate)
[INFO] | | | | - (commons-codec:commons-codec:jar:1.15:provided - version managed from 1.10; omitted for duplicate)
[INFO] | | | +- org.apache.httpcomponents:httpmime:jar:4.5.1:provided
[INFO] | | | | - (org.apache.httpcomponents:httpclient:jar:4.5.13:provided - version managed from 4.5.1; omitted for duplicate)
[INFO] | | | +- commons-codec:commons-codec:jar:1.15:provided
[INFO] | | | +- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.17:provided
[INFO] | | | +- xerces:xercesImpl:jar:2.11.0:provided
[INFO] | | | | - xml-apis:xml-apis:jar:1.4.01:provided
[INFO] | | | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:provided
[INFO] | | | +- net.sourceforge.cssparser:cssparser:jar:0.9.18:provided
[INFO] | | | | - (org.w3c.css:sac:jar:1.3:provided - omitted for duplicate)
[INFO] | | | +- (commons-io:commons-io:jar:2.8.0:provided - version managed from 2.4; omitted for duplicate)
[INFO] | | | +- commons-logging:commons-logging:jar:1.2:provided
[INFO] | | | - org.eclipse.jetty.websocket:websocket-client:jar:9.2.13.v20150730:provided
[INFO] | | | +- (org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:provided - omitted for conflict with 9.2.14.v20151106)
[INFO] | | | +- (org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:provided - omitted for conflict with 9.2.14.v20151106)
[INFO] | | | - org.eclipse.jetty.websocket:websocket-common:jar:9.2.13.v20150730:provided
[INFO] | | | +- org.eclipse.jetty.websocket:websocket-api:jar:9.2.13.v20150730:provided
[INFO] | | | +- (org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:provided - omitted for duplicate)
[INFO] | | | - (org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:provided - omitted for duplicate)
[INFO] | | +- org.eclipse.jetty:jetty-webapp:jar:9.2.14.v20151106:provided
[INFO] | | | +- org.eclipse.jetty:jetty-xml:jar:9.2.14.v20151106:provided
I trust the owasp plugin and would update all dependencies that are marked as vulnerable. Do you use a different tool?
Especially because Sormas is handling health data.
As a privacy officer and/or security officer of an organization intending to use Sormas I would not allow it to be used. At least there needs to be a detailed security concept explaining why using a vulnerable dependencies are not a problem.
vaadin-client-compiler is not deployed on a running system and that is what I meant. But as you pointed out, some dependencies might be used at compile time. Not sure yet if there are vulnerabilities that apply for the use at compile time, but worth the look.
Independently of this specific dependency and from a security perspective, I think that the project's security should not rely on manually tracking down if packages in the dependency tree are (directly or indirectly) called/used in the code of Sormas.
In general, vulnerable code does not need to be called to cause potential harm. If an attacker manages to manipulate the control flow of a program, she could be able to call a vulnerable code piece that is "not used".
It would be great to add checks for vulnerable dependencies to the CI (#3819) to automate the process for finding them.
Most helpful comment
Hm, what are "used dependencies"?
mvn org.owasp:dependency-check-maven:6.0.3:checkoutputs that sormas is depending on vulnerable depenencies like htmlunit.And
mvn dependency:tree -Dverboseshows that e.g. the vulnerablejetty-xml-9.2.14.v20151106.jaris a dependency[INFO] +- com.vaadin:vaadin-client-compiler:jar:8.12.1:provided
[INFO] | +- (com.vaadin:vaadin-client:jar:8.12.1:provided - omitted for duplicate)
[INFO] | +- com.google.gwt:gwt-dev:jar:2.8.2:provided
[INFO] | | +- com.google.code.findbugs:jsr305:jar:1.3.9:provided
[INFO] | | +- com.google.code.gson:gson:jar:2.6.2:provided
[INFO] | | +- org.ow2.asm:asm:jar:5.0.3:provided
[INFO] | | +- org.ow2.asm:asm-util:jar:5.0.3:provided
[INFO] | | | - org.ow2.asm:asm-tree:jar:5.0.3:provided
[INFO] | | | - (org.ow2.asm:asm:jar:5.0.3:provided - omitted for duplicate)
[INFO] | | +- org.ow2.asm:asm-commons:jar:5.0.3:provided
[INFO] | | | - (org.ow2.asm:asm-tree:jar:5.0.3:provided - omitted for duplicate)
[INFO] | | +- colt:colt:jar:1.2.0:provided
[INFO] | | +- ant:ant:jar:1.6.5:provided
[INFO] | | +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] | | +- commons-io:commons-io:jar:2.8.0:provided (version managed from 2.4)
[INFO] | | +- com.ibm.icu:icu4j:jar:50.1.1:provided
[INFO] | | +- tapestry:tapestry:jar:4.0.2:provided
[INFO] | | +- net.sourceforge.htmlunit:htmlunit:jar:2.19:provided
[INFO] | | | +- xalan:xalan:jar:2.7.2:provided
[INFO] | | | | - xalan:serializer:jar:2.7.2:provided
[INFO] | | | | - (xml-apis:xml-apis:jar:1.3.04:provided - omitted for conflict with 1.4.01)
[INFO] | | | +- (commons-collections:commons-collections:jar:3.2.2:provided - version managed from 3.2.1; omitted for duplicate)
[INFO] | | | +- org.apache.commons:commons-lang3:jar:3.11:provided (version managed from 3.4)
[INFO] | | | +- org.apache.httpcomponents:httpclient:jar:4.5.13:provided (version managed from 4.5.1)
[INFO] | | | | +- org.apache.httpcomponents:httpcore:jar:4.4.14:provided (version managed from 4.4.13)
[INFO] | | | | +- (commons-logging:commons-logging:jar:1.2:provided - omitted for duplicate)
[INFO] | | | | - (commons-codec:commons-codec:jar:1.15:provided - version managed from 1.10; omitted for duplicate)
[INFO] | | | +- org.apache.httpcomponents:httpmime:jar:4.5.1:provided
[INFO] | | | | - (org.apache.httpcomponents:httpclient:jar:4.5.13:provided - version managed from 4.5.1; omitted for duplicate)
[INFO] | | | +- commons-codec:commons-codec:jar:1.15:provided
[INFO] | | | +- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.17:provided
[INFO] | | | +- xerces:xercesImpl:jar:2.11.0:provided
[INFO] | | | | - xml-apis:xml-apis:jar:1.4.01:provided
[INFO] | | | +- net.sourceforge.nekohtml:nekohtml:jar:1.9.22:provided
[INFO] | | | +- net.sourceforge.cssparser:cssparser:jar:0.9.18:provided
[INFO] | | | | - (org.w3c.css:sac:jar:1.3:provided - omitted for duplicate)
[INFO] | | | +- (commons-io:commons-io:jar:2.8.0:provided - version managed from 2.4; omitted for duplicate)
[INFO] | | | +- commons-logging:commons-logging:jar:1.2:provided
[INFO] | | | - org.eclipse.jetty.websocket:websocket-client:jar:9.2.13.v20150730:provided
[INFO] | | | +- (org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:provided - omitted for conflict with 9.2.14.v20151106)
[INFO] | | | +- (org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:provided - omitted for conflict with 9.2.14.v20151106)
[INFO] | | | - org.eclipse.jetty.websocket:websocket-common:jar:9.2.13.v20150730:provided
[INFO] | | | +- org.eclipse.jetty.websocket:websocket-api:jar:9.2.13.v20150730:provided
[INFO] | | | +- (org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:provided - omitted for duplicate)
[INFO] | | | - (org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:provided - omitted for duplicate)
[INFO] | | +- org.eclipse.jetty:jetty-webapp:jar:9.2.14.v20151106:provided
[INFO] | | | +- org.eclipse.jetty:jetty-xml:jar:9.2.14.v20151106:provided
I trust the owasp plugin and would update all dependencies that are marked as vulnerable. Do you use a different tool?
Especially because Sormas is handling health data.
As a privacy officer and/or security officer of an organization intending to use Sormas I would not allow it to be used. At least there needs to be a detailed security concept explaining why using a vulnerable dependencies are not a problem.