Closed
Description
Gitblit 1.9.3 is difficult to deploy in production. Running grype, it returns:
| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| bcprov-jdk15on | 1.57 | 1.60 | java-archive | GHSA-4446-656p-f54g | Critical |
| bcprov-jdk15on | 1.57 | | java-archive | GHSA-hr8g-6v94-x4m9 | Medium |
| bcprov-jdk15on | 1.57 | 1.66 | java-archive | GHSA-6xx3-rg99-gc3p | Medium |
| commons-compress | 1.4.1 | 1.21 | java-archive | GHSA-xqfj-vm6h-2x34 | High |
| commons-compress | 1.4.1 | 1.21 | java-archive | GHSA-mc84-pj99-q6hh | High |
| commons-compress | 1.4.1 | 1.21 | java-archive | GHSA-crv7-7245-f45f | High |
| commons-compress | 1.4.1 | 1.21 | java-archive | GHSA-7hfm-57qf-j43q | High |
| commons-compress | 1.4.1 | 1.18 | java-archive | GHSA-hrmr-f5m6-m9pq | Medium |
| commons-io | 2.2 | 2.7 | java-archive | GHSA-gwrp-pvrq-jmwv | Medium |
| gitblit | 1.9.3 | | java-archive | GHSA-2c65-rq62-fqhq | High |
| guava | 18.0 | 24.1.1 | java-archive | GHSA-mvr2-9pj6-7w5j | Medium |
| guava | 18.0 | 32.0.0 | java-archive | GHSA-7g45-4rm6-3mm3 | Medium |
| guava | 18.0 | 32.0.0 | java-archive | GHSA-5mg8-w23w-74h3 | Low |
| httpclient | 4.3.6 | 4.5.13 | java-archive | GHSA-7r82-7xv7-xcpj | Medium |
| jdom | 1.0 | | java-archive | GHSA-2363-cqg2-863c | High |
| jsch | 0.1.53 | 0.1.54 | java-archive | GHSA-q446-82vq-w674 | Medium |
| jsoup | 1.7.3 | 1.14.2 | java-archive | GHSA-m72m-mhq2-9p6c | High |
| jsoup | 1.7.3 | 1.15.3 | java-archive | GHSA-gp7f-rwcx-9369 | Medium |
| jsoup | 1.7.3 | 1.8.3 | java-archive | GHSA-48rh-qgjr-xfj6 | Medium |
| libpam4j | 1.8 | 1.10 | java-archive | GHSA-x9rg-q5fx-fx66 | Medium |
| log4j | 1.2.17 | | java-archive | GHSA-f7vh-qwp3-x37m | Critical |
| log4j | 1.2.17 | | java-archive | GHSA-65fg-84f6-3jq3 | Critical |
| log4j | 1.2.17 | | java-archive | GHSA-2qrg-x229-3v8q | Critical |
| log4j | 1.2.17 | | java-archive | GHSA-w9p3-5cr8-m3jj | High |
| log4j | 1.2.17 | | java-archive | GHSA-fp5r-v3w9-4333 | High |
| mina-core | 2.0.21 | 2.0.22 | java-archive | GHSA-6mcm-j9cj-3vc3 | Medium |
| org.eclipse.jgit | 4.5.7.201904151645-r | 6.6.1.202309021850-r | java-archive | GHSA-3p86-9955-h393 | High |
| sshd-core | 1.2.0 | 2.9.2 | java-archive | GHSA-fhw8-8j55-vwgq | Critical |
| sshd-core | 1.2.0 | 2.10.0 | java-archive | GHSA-mjmq-gwgm-5qhm | Medium |
| tika-core | 1.5 | 1.14 | java-archive | GHSA-j8g6-2wh7-6439 | Critical |
| tika-core | 1.5 | 1.19.1 | java-archive | GHSA-h8q5-g2cj-qr5h | High |
| tika-core | 1.5 | 1.19.1 | java-archive | GHSA-6jq2-789q-fff2 | High |
| tika-core | 1.5 | 1.13 | java-archive | GHSA-4xr4-4c65-hj7f | High |
| tika-core | 1.5 | 1.19 | java-archive | GHSA-w6g3-v46q-5p28 | Medium |
| tika-core | 1.5 | 1.19 | java-archive | GHSA-j53j-gmr9-h8g3 | Medium |
| tika-core | 1.5 | 1.18 | java-archive | GHSA-5mf7-26mw-3rqr | Medium |
I downloaded the code using git clone, built it and reran grype:

| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| bcprov-jdk15on | 1.69 | | java-archive | GHSA-hr8g-6v94-x4m9 | Medium |
| commons-compress | 1.22 | 1.24.0 | java-archive | GHSA-cgwf-w82q-5jrr | Medium |
| guava | 31.1-jre | 32.0.0 | java-archive | GHSA-7g45-4rm6-3mm3 | Medium |
| guava | 31.1-jre | 32.0.0 | java-archive | GHSA-5mg8-w23w-74h3 | Low |
| httpclient | 4.5.2 | 4.5.13 | java-archive | GHSA-7r82-7xv7-xcpj | Medium |
| jdom | 1.0 | | java-archive | GHSA-2363-cqg2-863c | High |
| jsoup | 1.7.3 | 1.14.2 | java-archive | GHSA-m72m-mhq2-9p6c | High |
| jsoup | 1.7.3 | 1.15.3 | java-archive | GHSA-gp7f-rwcx-9369 | Medium |
| jsoup | 1.7.3 | 1.8.3 | java-archive | GHSA-48rh-qgjr-xfj6 | Medium |
| log4j | 1.2.17 | | java-archive | GHSA-f7vh-qwp3-x37m | Critical |
| log4j | 1.2.17 | | java-archive | GHSA-65fg-84f6-3jq3 | Critical |
| log4j | 1.2.17 | | java-archive | GHSA-2qrg-x229-3v8q | Critical |
| log4j | 1.2.17 | | java-archive | GHSA-w9p3-5cr8-m3jj | High |
| log4j | 1.2.17 | | java-archive | GHSA-fp5r-v3w9-4333 | High |
| mina-core | 2.0.21 | 2.0.22 | java-archive | GHSA-6mcm-j9cj-3vc3 | Medium |
| org.eclipse.jgit | 4.11.9.201909030838-r | 6.6.1.202309021850-r | java-archive | GHSA-3p86-9955-h393 | High |
| sshd-core | 1.7.0 | 2.9.2 | java-archive | GHSA-fhw8-8j55-vwgq | Critical |
| sshd-core | 1.7.0 | 2.10.0 | java-archive | GHSA-mjmq-gwgm-5qhm | Medium |
| tika-core | 1.5 | 1.14 | java-archive | GHSA-j8g6-2wh7-6439 | Critical |
| tika-core | 1.5 | 1.19.1 | java-archive | GHSA-h8q5-g2cj-qr5h | High |
| tika-core | 1.5 | 1.19.1 | java-archive | GHSA-6jq2-789q-fff2 | High |
| tika-core | 1.5 | 1.13 | java-archive | GHSA-4xr4-4c65-hj7f | High |
| tika-core | 1.5 | 1.19 | java-archive | GHSA-w6g3-v46q-5p28 | Medium |
| tika-core | 1.5 | 1.19 | java-archive | GHSA-j53j-gmr9-h8g3 | Medium |
| tika-core | 1.5 | 1.18 | java-archive | GHSA-5mf7-26mw-3rqr | Medium |
Any plan to issue a release with at least all vulnerabilities closed, or should I give up on using gitblit?
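To see what the source build actually closed rather than eyeballing the two lists, here is an added example (not part of the issue or the Gitblit project): a script that parses grype's table output, where a blank FIXED-IN column leaves the row one field short, and separates fixed, remaining and newly appeared findings. The sample rows are a constructed excerpt of the two scans above.

```python
"""Added example (not from the issue or Gitblit): diff two grype table outputs
to see what a rebuild actually closed. grype leaves FIXED-IN blank when no
fixed version is known, so such rows have one column fewer."""

# Constructed excerpts of the two scans quoted in the issue (release vs. source build).
RELEASE_SCAN = """\
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
bcprov-jdk15on 1.57 1.60 java-archive GHSA-4446-656p-f54g Critical
bcprov-jdk15on 1.57 java-archive GHSA-hr8g-6v94-x4m9 Medium
log4j 1.2.17 java-archive GHSA-f7vh-qwp3-x37m Critical
sshd-core 1.2.0 2.9.2 java-archive GHSA-fhw8-8j55-vwgq Critical
"""
SOURCE_BUILD_SCAN = """\
bcprov-jdk15on 1.69 java-archive GHSA-hr8g-6v94-x4m9 Medium
log4j 1.2.17 java-archive GHSA-f7vh-qwp3-x37m Critical
sshd-core 1.7.0 2.9.2 java-archive GHSA-fhw8-8j55-vwgq Critical
"""

def parse_scan(text):
    """Map (package, vulnerability id) -> {installed, fixed_in, severity}."""
    findings = {}
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] == "NAME":          # skip blanks and the header row
            continue
        if len(cols) not in (5, 6):
            raise ValueError(f"unexpected grype row: {line!r}")
        # Unpack from both ends so the optional FIXED-IN column lands in `middle`.
        name, installed, *middle, _type, vuln, severity = cols
        findings[(name, vuln)] = {"installed": installed, "severity": severity,
                                  "fixed_in": middle[0] if middle else None}
    return findings

def compare(before, after):
    """Finding keys that disappeared, persisted, or newly appeared after the rebuild."""
    return {"fixed": sorted(before.keys() - after.keys()),
            "remaining": sorted(before.keys() & after.keys()),
            "new": sorted(after.keys() - before.keys())}

def bumped_but_still_vulnerable(before, after):
    """Version changed, same finding still reported: the bump stayed below FIXED-IN."""
    return sorted((n, v, before[(n, v)]["installed"], after[(n, v)]["installed"])
                  for n, v in before.keys() & after.keys()
                  if before[(n, v)]["installed"] != after[(n, v)]["installed"])

def no_known_fix(findings):
    """Findings with a blank FIXED-IN: no upgrade alone will clear them."""
    return sorted(k for k, v in findings.items() if v["fixed_in"] is None)
```

Feed it `grype -o table` output captured from each build; `bumped_but_still_vulnerable` is the list to watch, since a dependency bump that stops short of FIXED-IN changes nothing for the scanner.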
Activity
flaix commented on Oct 31, 2023
A clear yes and no.
Yes, but not in the near future, re all vulnerabilities.
No, as in some dependencies will need more work in order to update them safely.
The thing with dependencies is that it is not always so easy to simply update to the latest version. Sometimes yes, then we can easily add that. Other times, it involves rewriting parts of the application to adapt to changed interfaces and even more testing.
One problem currently is the state of the test suite and that no one went to work on it to make it stable and reliable. Which helps a lot when rewriting your code. Also some dependencies would require a newer Java version as a minimal version than we can currently support.
Often it is a simple numbers game from a tool's perspective, and I understand this from an operator's view. Just check for the version and update. But not every vulnerability in package A is a problem when used in software X, because the problematic code is never used in the software. This is the case for log4j and Gitblit, for example. But, again, I understand that these details may be important for the developer, but not the operator running many, many tools.
The latest version with updated dependencies is also available as nightly Docker container builds as gitblit/gitblit:nightly.

flaix commented on Jun 14, 2025
The dependencies have been updated.
Remaining ones are JGit and SSHD, as expected updating these to major versions is more work.
I am still closing this issue. The two remaining can be tracked in separate issues.