@MalJeffCH

No description provided.


@bcullerton bcullerton left a comment

There are a few critical and high vulnerabilities still in the dependencies of this project. Output of the OWASP dependency check is below. I'd have a look at resolving those; in particular jackson-databind-asl, spring-boot and google-oauth-client. Add a security-check to the Makefile; an example Makefile is linked here: https://github.com/companieshouse/alpha-key-library/blob/main/Makefile

[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4.0':
[ERROR]
[ERROR] avro-1.8.1.jar/META-INF/maven/com.google.guava/guava/pom.xml: CVE-2018-10237(5.9), CVE-2023-2976(7.1)
[ERROR] avro-1.8.1.jar/META-INF/maven/org.apache.avro/avro-guava-dependencies/pom.xml: CVE-2023-37475(7.5)
[ERROR] avro-1.8.1.jar: CVE-2023-39410(7.5)
[ERROR] commons-compress-1.8.1.jar: CVE-2021-35517(7.5), CVE-2021-35516(7.5), CVE-2021-35515(7.5), CVE-2018-11771(5.5), CVE-2021-36090(7.5)
[ERROR] google-oauth-client-1.22.0.jar: CVE-2020-7692(9.1), CVE-2021-22573(7.3)
[ERROR] jackson-databind-2.12.5.jar: CVE-2023-35116(4.7), CVE-2021-46877(7.5), CVE-2020-36518(7.5), CVE-2022-42003(7.5), CVE-2022-42004(7.5)
[ERROR] jackson-mapper-asl-1.9.13.jar: CVE-2017-7525(9.8), CVE-2019-10172(7.5)
[ERROR] kafka-clients-2.7.1.jar: CVE-2021-38153(5.9), CVE-2023-25194(8.8)
[ERROR] logback-core-1.2.6.jar: CVE-2021-42550(6.6)
[ERROR] plexus-utils-3.0.22.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)
[ERROR] snakeyaml-1.28.jar: CVE-2022-38752(6.5), CVE-2022-38751(6.5), CVE-2022-38750(5.5), CVE-2022-41854(6.5), CVE-2022-25857(7.5), CVE-2022-38749(6.5), CVE-2022-1471(9.8)
[ERROR] snappy-java-1.1.1.3.jar: CVE-2023-34455(7.5), CVE-2023-34454(7.5), CVE-2023-34453(7.5), CVE-2023-43642(7.5)
[ERROR] sonar-scanner-api-2.10.0.1189.jar/META-INF/maven/com.squareup.okhttp3/okhttp/pom.xml: CVE-2021-0341(7.5), CVE-2018-20200(5.9), CVE-2023-0833(5.5)
[ERROR] sonar-scanner-api-2.10.0.1189.jar/META-INF/maven/com.squareup.okio/okio/pom.xml: CVE-2023-3635(7.5)
[ERROR] spring-boot-2.5.5.jar: CVE-2023-20873(9.8), CVE-2023-20883(7.5)
[ERROR] spring-boot-starter-aop-2.5.14.jar: CVE-2023-20873(9.8)
[ERROR] spring-boot-starter-data-mongodb-2.7.11.jar: CVE-2023-20883(7.5)
[ERROR] spring-boot-starter-validation-3.0.0.jar: CVE-2023-20873(9.8), CVE-2023-20883(7.5)
[ERROR] spring-core-5.3.10.jar: CVE-2021-22060(4.3), CVE-2021-22096(4.3), CVE-2022-22968(5.3), CVE-2023-20863(6.5), CVE-2023-20861(6.5), CVE-2023-20860(7.5), CVE-2022-22965(9.8), CVE-2022-22971(6.5), CVE-2022-22950(6.5), CVE-2022-22970(5.3)
[ERROR] spring-data-mongodb-3.2.5.jar: CVE-2022-22980(9.8)
[ERROR] spring-web-5.3.10.jar: CVE-2021-22060(4.3), CVE-2021-22096(4.3), CVE-2022-22968(5.3), CVE-2023-20863(6.5), CVE-2023-20861(6.5), CVE-2023-20860(7.5), CVE-2022-22965(9.8), CVE-2022-22971(6.5), CVE-2022-22950(6.5), CVE-2016-1000027(9.8), CVE-2022-22970(5.3)
[ERROR] spring-webmvc-5.3.10.jar: CVE-2021-22060(4.3), CVE-2021-22096(4.3), CVE-2022-22968(5.3), CVE-2023-20863(6.5), CVE-2023-20861(6.5), CVE-2023-20860(7.5), CVE-2022-22965(9.8), CVE-2022-22971(6.5), CVE-2022-22950(6.5), CVE-2022-22970(5.3)
[ERROR] structured-logging-1.9.12.jar/META-INF/maven/ch.qos.logback/logback-core/pom.xml: CVE-2021-42550(6.6)
[ERROR] tomcat-embed-core-9.0.53.jar: CVE-2023-44487(7.5), CVE-2022-45143(7.5), CVE-2023-42795(5.3), CVE-2022-23181(7.0), CVE-2022-42252(7.5), CVE-2021-42340(7.5), CVE-2022-34305(6.1), CVE-2023-41080(6.1), CVE-2023-45648(5.3), CVE-2022-29885(7.5), CVE-2023-28708(4.3)

pom.xml Outdated
<spring-boot-starter-aop.version>2.5.14</spring-boot-starter-aop.version>
<spring-boot-starter-web.version>2.7.17</spring-boot-starter-web.version>
<spring-boot-starter-validation.version>3.0.0</spring-boot-starter-validation.version>
<spring-boot-starter-data-mongodb.version>2.7.11</spring-boot-starter-data-mongodb.version>
Contributor

spring-boot 2.7 goes out of support in 2025 and it has some vulnerabilities. I'd have a look at upgrading to 3.

@MalJeffCH
Author

> There are a few critical and high vulnerabilities still in the dependencies of this project. Output of the OWASP dependency check is below. I'd have a look at resolving those; in particular jackson-databind-asl, spring-boot and google-oauth-client. Add a security-check to the Makefile; an example Makefile is linked here: https://github.com/companieshouse/alpha-key-library/blob/main/Makefile

I'm a bit confused as to what to do here. Some of the vulnerabilities you've listed above don't appear in the code (the avro-1.8.1.jar ones for example), unless I'm missing something? According to the dependabot vulnerability scanner there is only 1 vulnerability of High or Critical level, and that was on a PR raised last year as the google gson version was below 2.8.9 (which I've fixed in the pom), so that would suggest that this PR has no High or Critical vulnerabilities. I haven't (yet) fixed the Medium vulnerabilities or upgraded spring boot to v3, so I'll look at that next.
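The two practical questions in this thread are how to wire the OWASP scan into the Makefile (the reviewer's request) and how to tell where a flagged jar such as avro-1.8.1 comes from when it is not declared in the pom (the author's question). The Makefile below is an added example for both, not the project's Makefile and not the alpha-key-library one linked above. It assumes Maven is on PATH, that the project is a Maven build, and that the NVD feed is reachable when the scan runs; the target names `security-check` and `dependency-tree`, the `FAIL_ON_CVSS` and `ARTIFACT` variables, and the default artifact `org.apache.avro:avro` are choices made for this example.

```makefile
# Added example Makefile targets (not the PR's own Makefile):
#  - security-check: run the OWASP dependency-check Maven plugin and fail the
#    build on any finding at or above a CVSS threshold
#  - dependency-tree: show which declared dependency pulls in a flagged jar
# Assumptions: `mvn` is on PATH and the scan can download the NVD data.

MVN ?= mvn

# Same threshold the review scan reported ("CVSS score greater than or equal to '4.0'").
# Raise to 7 if the team only wants high/critical findings to block the build.
FAIL_ON_CVSS ?= 4

# Default artifact to trace; override on the command line, e.g.
#   make dependency-tree ARTIFACT=org.yaml:snakeyaml
ARTIFACT ?= org.apache.avro:avro

.PHONY: security-check dependency-tree

# Scans every resolved dependency, including transitive ones, so jars that never
# appear in pom.xml (avro, commons-compress, plexus-utils, ...) are still checked.
# -DfailBuildOnCVSS makes the goal exit non-zero when a finding meets the threshold,
# which is what lets CI stop on a new CVE instead of only logging it.
security-check:
	$(MVN) -B org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=$(FAIL_ON_CVSS)

# Prints the dependency tree filtered to the given groupId:artifactId and the chain
# of parents that brings it in, which answers "why is this jar on my classpath?".
dependency-tree:
	$(MVN) -B dependency:tree -Dincludes=$(ARTIFACT)
```

A transitive dependency that the tree shows coming from another in-house library (as api-sdk-java does for grpc-api later in this thread) is fixed either by bumping that library or by adding a `<dependencyManagement>` entry in this pom to pin the newer version until the upstream release lands; a `<dependencyManagement>` pin should be recorded with the CVE it addresses so it is removed once the upstream fix is in.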

@MalJeffCH
Author

Updated more versions in the pom, leaving only 2 vulnerabilities:
grpc-api-1.58.0.jar (from api-sdk-java v5.0.5)
snakeyaml-1.33.jar (from spring-boot-starter-validation v3.1.5)

The grpc-api version will need to be updated when api-sdk-java is looked at and then this pom updated with the new version number.
