How to read the results 📖
Dirty-waters has analyzed your project dependencies and found different categories for each of them:
-
⚠️ ⚠️ ⚠️ : high severity -
⚠️ ⚠️ : medium severity -
⚠️ : low severity
🔒 Packages with signature changes (
❗ Downgraded packages (
👽 Commits made by both New Authors and Reviewers (
🙈 Commits approved by New Reviewers (
😐 Commits made by New Authors (
🐬 For further information about software supply chain smells in your project, take a look at the following tables.
❗ Downgraded packages (⚠️ ⚠️ ) (1)
| package_name | repo_link | category | old_version | new_version |
|---|---|---|---|---|
com.thoughtworks.qdox:qdox |
https://github.com/paul-hammant/qdox | Downgraded package | 2.2.0 | 2.1.0 |
🙈 Commits approved by New Reviewers (⚠️ ⚠️ ) (3)
| sha | package_name | repo_name | old_version | new_version | author_first | merger | prr_first | reviewer | reviewer_type | package_number | repo_link | category | signature_changes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 69c1b46d85e77dc25a8639fc20d9ae596917e8ce | ['org.apache.maven.surefire:maven-surefire-common', 'org.apache.maven.surefire:surefire-extensions-api', 'org.apache.maven.surefire:surefire-booter', 'org.apache.maven.plugins:maven-surefire-plugin', 'org.apache.maven.surefire:surefire-api', 'org.apache.maven.surefire:surefire-extensions-spi', 'org.apache.maven.surefire:surefire-logger-api', 'org.apache.maven.surefire:surefire-shared-utils'] | apache/maven-surefire | 3.4.0 | 3.5.1 | False | asfgit | True | mikiTesf | User | 8 | |||
| 245a5f8364b179673acda6c896b0d4aa7381cb31 | ['org.apache.maven.doxia:doxia-module-fml', 'org.apache.maven.doxia:doxia-module-markdown'] | apache/maven-doxia | 1.11.1 | 2.0.0-M12 | False | kwin | True | michael-o | User | 2 | |||
| da21b8abf85db106ac2f9660155652a479296796 | ['org.apache.maven.doxia:doxia-module-fml', 'org.apache.maven.doxia:doxia-module-markdown'] | apache/maven-doxia | 1.11.1 | 2.0.0-M12 | CrazyHZM | True | CrazyHZM | User | 2 |
😐 Commits made by New Authors (⚠️ ) (42)
| sha | package_name | repo_name | old_version | new_version | author_first | merger | prr_first | reviewer | reviewer_type | package_number | repo_link | category | signature_changes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| d630d6a4dd53ee73518886b6c40ce3850a9f3fe8 | ['com.vladsch.flexmark:flexmark-ext-escaped-character', 'com.vladsch.flexmark:flexmark-ext-tables', 'com.vladsch.flexmark:flexmark-ext-typographic', 'com.vladsch.flexmark:flexmark-util', 'com.vladsch.flexmark:flexmark-ext-definition', 'com.vladsch.flexmark:flexmark-ext-yaml-front-matter', 'com.vladsch.flexmark:flexmark-ext-abbreviation', 'com.vladsch.flexmark:flexmark-ext-gfm-strikethrough', 'com.vladsch.flexmark:flexmark-ext-wikilink', 'com.vladsch.flexmark:flexmark-ext-autolink', 'com.vladsch.flexmark:flexmark'] | vsch/flexmark-java | 0.42.14 | 0.62.2 | True | vsch | 11 | ||||||
| 5a3cd8aaa7126855fc2474cfb320de762be8524b | ['com.vladsch.flexmark:flexmark-ext-escaped-character', 'com.vladsch.flexmark:flexmark-ext-tables', 'com.vladsch.flexmark:flexmark-ext-typographic', 'com.vladsch.flexmark:flexmark-util', 'com.vladsch.flexmark:flexmark-ext-definition', 'com.vladsch.flexmark:flexmark-ext-yaml-front-matter', 'com.vladsch.flexmark:flexmark-ext-abbreviation', 'com.vladsch.flexmark:flexmark-ext-gfm-strikethrough', 'com.vladsch.flexmark:flexmark-ext-wikilink', 'com.vladsch.flexmark:flexmark-ext-autolink', 'com.vladsch.flexmark:flexmark'] | vsch/flexmark-java | 0.42.14 | 0.62.2 | True | vsch | 11 | ||||||
| 3697bb20d5bb21949404edbb1d8c1000a7ec64d8 | ['com.vladsch.flexmark:flexmark-ext-escaped-character', 'com.vladsch.flexmark:flexmark-ext-tables', 'com.vladsch.flexmark:flexmark-ext-typographic', 'com.vladsch.flexmark:flexmark-util', 'com.vladsch.flexmark:flexmark-ext-definition', 'com.vladsch.flexmark:flexmark-ext-yaml-front-matter', 'com.vladsch.flexmark:flexmark-ext-abbreviation', 'com.vladsch.flexmark:flexmark-ext-gfm-strikethrough', 'com.vladsch.flexmark:flexmark-ext-wikilink', 'com.vladsch.flexmark:flexmark-ext-autolink', 'com.vladsch.flexmark:flexmark'] | vsch/flexmark-java | 0.42.14 | 0.62.2 | True | vsch | 11 | ||||||
| 110a39bd13faec6508d9cde97b420a0b8f556946 | ['org.mockito:mockito-core', 'org.mockito:mockito-junit-jupiter'] | mockito/mockito | 5.12.0 | 5.14.1 | True | TimvdLippe | False | TimvdLippe | User | 2 | |||
| 29e037848d11eac72e95a9eeadac16daf5875858 | ['org.mockito:mockito-core', 'org.mockito:mockito-junit-jupiter'] | mockito/mockito | 5.12.0 | 5.14.1 | True | TimvdLippe | 2 | ||||||
| 4db0d7b54c1322057dd42372db8b679a71a8cb45 | ['org.mockito:mockito-core', 'org.mockito:mockito-junit-jupiter'] | mockito/mockito | 5.12.0 | 5.14.1 | True | TimvdLippe | False | TimvdLippe | User | 2 | |||
| d28b0122775d81f7d4e51d7cb22cecc867c45ed5 | ['org.mockito:mockito-core', 'org.mockito:mockito-junit-jupiter'] | mockito/mockito | 5.12.0 | 5.14.1 | True | TimvdLippe | 2 | ||||||
| 8a0e586e73f7f307c83c341698ec86fd3c4e18a6 | ['org.mockito:mockito-core', 'org.mockito:mockito-junit-jupiter'] | mockito/mockito | 5.12.0 | 5.14.1 | True | TimvdLippe | False | TimvdLippe | User | 2 | |||
| 42caff87ae6eb553dcbf77e25ba87a9d340357ee | ['ch.qos.logback:logback-core', 'ch.qos.logback:logback-classic'] | qos-ch/logback | 1.5.7 | 1.5.10 | True | ceki | 2 | ||||||
| 036b0bb7d8a42492bbcb45b0b3557b25b5e104d5 | ['net.bytebuddy:byte-buddy-agent'] | raphw/byte-buddy | 1.14.15 | 1.15.3 | True | raphw | False | raphw | User | 1 | |||
| cdd9f1ec805e3a24fec29c9728c1ddde5a07e673 | ['net.bytebuddy:byte-buddy-agent'] | raphw/byte-buddy | 1.14.15 | 1.15.3 | True | raphw | 1 | ||||||
| 74d224fa06d443e7199e2493bb810ab7f1ea5f76 | ['net.bytebuddy:byte-buddy-agent'] | raphw/byte-buddy | 1.14.15 | 1.15.3 | True | raphw | 1 | ||||||
| bf3801c1d1ac123fbe4b141839a34d9c31117637 | ['net.bytebuddy:byte-buddy-agent'] | raphw/byte-buddy | 1.14.15 | 1.15.3 | True | raphw | 1 | ||||||
| 171679baa87e13cfb8ca471242da6fd0d3acbe53 | ['org.slf4j:slf4j-api'] | qos-ch/slf4j | 2.0.5 | 2.0.16 | True | ceki | 1 | ||||||
| fa6721a53eb4b2d13491400908f9ca76c7997300 | ['org.slf4j:slf4j-api'] | qos-ch/slf4j | 2.0.5 | 2.0.16 | True | ceki | 1 | ||||||
| 2235d3c69829caf19e38ea980a86042cc3ffd1f3 | ['org.slf4j:slf4j-api'] | qos-ch/slf4j | 2.0.5 | 2.0.16 | True | ceki | 1 | ||||||
| 0769bc8182b89b9d8a040decf80d087aa7303c4d | ['org.slf4j:slf4j-api'] | qos-ch/slf4j | 2.0.5 | 2.0.16 | True | ceki | 1 | ||||||
| aa13da39edd4195c25eecb1263c4bf3f8902a3e4 | ['org.slf4j:slf4j-api'] | qos-ch/slf4j | 2.0.5 | 2.0.16 | True | ceki | 1 | ||||||
| d564304a6137c1f5ec0e0ed890658bf4b817371b | ['org.slf4j:slf4j-api'] | qos-ch/slf4j | 2.0.5 | 2.0.16 | True | ceki | 1 | ||||||
| 0df43e9e53051bf01b79ccec5974b7be2d27df1d | ['org.slf4j:slf4j-api'] | qos-ch/slf4j | 2.0.5 | 2.0.16 | True | ceki | 1 | ||||||
| 7f7619954e9e33b84e939ff50edc8bf966a00134 | ['com.fasterxml.jackson.core:jackson-annotations'] | fasterxml/jackson-annotations | 2.17.2 | 2.18.0 | True | cowtowncoder | 1 | ||||||
| adefec14abe2c013672dab4de63097afd0c3e249 | ['org.apache.maven.doxia:doxia-module-fml', 'org.apache.maven.doxia:doxia-module-markdown'] | apache/maven-doxia | 1.11.1 | 2.0.0-M12 | True | 2 | |||||||
| 2aea4500ba6559b91fe3a4b83a5d3aafc10116b4 | ['org.apache.maven.doxia:doxia-module-fml', 'org.apache.maven.doxia:doxia-module-markdown'] | apache/maven-doxia | 1.11.1 | 2.0.0-M12 | True | 2 | |||||||
| 777f8d3654d71f278a51fa86ebaf49f943d77ffb | ['org.apache.maven.doxia:doxia-module-fml', 'org.apache.maven.doxia:doxia-module-markdown'] | apache/maven-doxia | 1.11.1 | 2.0.0-M12 | True | 2 | |||||||
| 082cc11234afc5c7fdc2775b809b8141afc548f0 | ['org.apache.maven.doxia:doxia-module-fml', 'org.apache.maven.doxia:doxia-module-markdown'] | apache/maven-doxia | 1.11.1 | 2.0.0-M12 | True | michael-o | 2 | ||||||
| 8c4c20d4f2d672bdd2aa15500fbe76c84302a78c | ['org.apache.maven.doxia:doxia-module-fml', 'org.apache.maven.doxia:doxia-module-markdown'] | apache/maven-doxia | 1.11.1 | 2.0.0-M12 | True | elharo | elharo | User | 2 | ||||
| cc01843e18adfa80d05a396828f3079d7690020a | ['org.jetbrains:annotations'] | jetbrains/java-annotations | 23.1.0 | 24.1.0 | True | amaembo | 1 | ||||||
| e575d984fb998b5bf5d42b6d68c87242e771addd | ['org.jetbrains:annotations'] | jetbrains/java-annotations | 23.1.0 | 24.1.0 | True | amaembo | 1 | ||||||
| 37ab6c288967ee2e281dd2057a2e2d78ccd0b0e5 | ['org.jetbrains:annotations'] | jetbrains/java-annotations | 23.1.0 | 24.1.0 | True | amaembo | 1 | ||||||
| 884af2e48d3f265ad62b95fa003e0e3a9afc1ae0 | ['com.fasterxml.jackson.core:jackson-databind'] | fasterxml/jackson-databind | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 22da1a7d7a7889b640a86214b7beaeabb5dff5a1 | ['com.fasterxml.jackson.core:jackson-databind'] | fasterxml/jackson-databind | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| ac7b17997eb301bbca768dcad8f676fed5f609d6 | ['com.fasterxml.jackson.core:jackson-databind'] | fasterxml/jackson-databind | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 86cf6d06216bce5a49287b130ba302a42149ac83 | ['com.fasterxml.jackson.core:jackson-databind'] | fasterxml/jackson-databind | 2.17.2 | 2.18.0 | True | cowtowncoder | 1 | ||||||
| 8a42895d43fca71dde3ab58f699bb0face339f06 | ['com.fasterxml.jackson.core:jackson-databind'] | fasterxml/jackson-databind | 2.17.2 | 2.18.0 | True | cowtowncoder | 1 | ||||||
| 5bf17d921ae0cd3523e378ffe57e2b83b5aa08b5 | ['com.fasterxml.jackson.core:jackson-databind'] | fasterxml/jackson-databind | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 450071bc7c863ff6a8c4774f67d618984b17c822 | ['com.fasterxml.jackson.core:jackson-databind'] | fasterxml/jackson-databind | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 567e0891755164b16a2aa4f7e83b5a4806d5add7 | ['com.fasterxml.jackson.core:jackson-databind'] | fasterxml/jackson-databind | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 0c6c0257eb8f69af4029bb3a8de5583330d3ab8b | ['com.fasterxml.jackson.core:jackson-core'] | fasterxml/jackson-core | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 4a13a2f716bd89915b2e112639a2a5c94e751182 | ['com.fasterxml.jackson.core:jackson-core'] | fasterxml/jackson-core | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 9ac4488bb8359293af1586f71074200b5bbe4f6b | ['com.fasterxml.jackson.core:jackson-core'] | fasterxml/jackson-core | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 4d47aae0bc8018051540e24b2c28b4ff84224e3f | ['com.fasterxml.jackson.core:jackson-core'] | fasterxml/jackson-core | 2.17.2 | 2.18.0 | True | cowtowncoder | cowtowncoder | User | 1 | ||||
| 9f3ed6610fb922d60b39dfd3901de1f4eb18269f | ['com.fasterxml.jackson.core:jackson-core'] | fasterxml/jackson-core | 2.17.2 | 2.18.0 | True | cowtowncoder | 1 |
👻What do I do now?
For packages with signature changes:
- Why? Changes in code signatures could indicate tampering with the package or compromised build processes, potentially introducing malicious code.
- This means that a dependency either had code signature and now does not, or that the signature was valid and now it's not.
- This could be a security risk, and you should halt the project until you can verify the changes.
For downgraded dependencies:
- Why? Downgrading packages may reintroduce known security vulnerabilities that were fixed in newer versions.
- Check the release notes of the new version to see if the downgrade is intentional. If the new version is more than one release ahead, verify whether any breaking changes in between apply to your project.
- If the downgrade is unintentional, consider updating the package to a version that is compatible with your project.
For commits made by both new authors and reviewers:
- Why? When both authors and reviewers are new to a project, there's a higher risk of malicious code being introduced due to lack of established trust and project knowledge.
- Verify, as best as you can, that the new authors and reviewers are not malicious actors.
- If you are unsure, consider reverting the changes.
For commits approved by new reviewers:
- Why? New reviewers may not be familiar with the project's security requirements or may not have the expertise to identify malicious code.
- Verify, as best as you can, that the new reviewers are not malicious actors.
For commits made by new authors:
- Why? New contributors could potentially introduce security vulnerabilities, either accidentally or intentionally.
- Verify, as best as you can, that the new authors are not malicious actors.
- The fact that the reviewers are not new to the repository is a good sign.
Report created by dirty-waters.
Report created on 2025-03-11 16:25:21
- Tool version: 87759aa9
- Project Name: INRIA/spoon
- Compared project versions: v11.1.1-beta-2 & v11.1.1-beta-9