Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Correctly configure Owasp Dependency Checker plugin #3691

Open
Coduz opened this issue Jan 13, 2023 · 0 comments
Open

Correctly configure Owasp Dependency Checker plugin #3691

Coduz opened this issue Jan 13, 2023 · 0 comments
Labels
Dependencies PR that updates dependencies. Be on the edge! Enhancement This PR/Issue improves an part of Kapua Security This issue/PR has some security critical aspect and should be issued as soon as possible

Comments

@Coduz
Copy link
Contributor

Coduz commented Jan 13, 2023

Is your feature request related to a problem? Please describe.
We need to configure properly the Owasp Dependency Checker plugin to be able to enable again the <failBuildOnCVSS>9.0</failBuildOnCVSS> option.

Currently there are a lot of CVE which are reported on components (like activemq) and we remove those vulnerable components in the broker assembly but we do not exclude via dependency management.

Describe the solution you'd like
CVE scan should report only vulnerabilities on components that we are using.

Describe alternatives you've considered
Replace the plugin with another one.
Snyk could be an option?

Additional context
Logs that follow shows the error that appears when you uncomment the option.

Error:  Failed to execute goal org.owasp:dependency-check-maven:7.4.4:aggregate (default) on project kapua: 
Error:  
Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '9.0': 
Error:  
Error:  activemq-branding-2.19.0.war: CVE-2016-3088(9.8)
Error:  activemq-broker-5.14.5.jar: CVE-2015-3208(9.8)
Error:  activemq-web-console-5.14.5.war: activemq-broker-5.14.5.jar: CVE-2015-3208(9.8)
Error:  activemq-web-console-5.14.5.war: jackson-databind-2.6.3.jar: CVE-2017-17485(9.8), CVE-2019-14379(9.8), CVE-2018-11307(9.8), CVE-2018-14718(9.8), CVE-2018-7489(9.8), CVE-2018-14719(9.8), CVE-2019-17531(9.8), CVE-2019-14540(9.8), CVE-2017-15095(9.8), CVE-2019-16942(9.8), CVE-2019-16943(9.8), CVE-2018-19362(9.8), CVE-2018-19361(9.8), CVE-2018-19360(9.8), CVE-2017-7525(9.8), CVE-2019-16335(9.8), CVE-2018-14721(10.0), CVE-2018-14720(9.8)
Error:  activemq-web-console-5.14.5.war: log4j-1.2.17.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8), CVE-2022-23305(9.8), CVE-2019-17571(9.8)
Error:  activemq-web-console-5.14.5.war: spring-core-4.1.9.RELEASE.jar: CVE-2022-22965(9.8), CVE-2016-1000027(9.8), CVE-2018-1270(9.8)
Error:  activemq-web-console-5.14.5.war: velocity-1.7.jar: CVE-2020-13936(8.8)
Error:  activemq-web-console-5.14.5.war: xstream-1.4.9.jar: CVE-2020-26217(8.8), CVE-2021-21351(9.1), CVE-2021-21350(9.8), CVE-2021-21347(9.8), CVE-2021-21346(9.8), CVE-2021-21345(9.9), CVE-2021-21344(9.8), CVE-2021-21342(9.1)
Error:  activemq-web-demo-5.14.5.war: camel-core-2.16.3.jar: CVE-2017-12633(9.8), CVE-2017-12634(9.8), CVE-2018-8027(9.8), CVE-2016-8749(9.8)
Error:  activemq-web-demo-5.14.5.war: camel-jms-2.16.3.jar: CVE-2017-12633(9.8), CVE-2017-12634(9.8), CVE-2016-8749(9.8)
Error:  activemq-web-demo-5.14.5.war: camel-spring-2.16.3.jar: CVE-2017-12633(9.8), CVE-2017-12634(9.8), CVE-2016-8749(9.8)
Error:  activemq-web-demo-5.14.5.war: derby-10.11.1.1.jar: CVE-2015-1832(9.1)
Error:  activemq-web-demo-5.14.5.war: hadoop-core-1.0.0.jar: CVE-2012-4449(9.8), CVE-2022-26612(9.8)
Error:  activemq-web-demo-5.14.5.war: jackson-databind-2.6.3.jar: CVE-2017-17485(9.8), CVE-2019-14379(9.8), CVE-2018-11307(9.8), CVE-2018-14718(9.8), CVE-2018-7489(9.8), CVE-2018-14719(9.8), CVE-2019-17531(9.8), CVE-2019-14540(9.8), CVE-2017-15095(9.8), CVE-2019-16942(9.8), CVE-2019-16943(9.8), CVE-2018-19362(9.8), CVE-2018-19361(9.8), CVE-2018-19360(9.8), CVE-2017-7525(9.8), CVE-2019-16335(9.8), CVE-2018-14721(10.0), CVE-2018-14720(9.8)
Error:  activemq-web-demo-5.14.5.war: log4j-1.2.17.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8), CVE-2022-23305(9.8), CVE-2019-17571(9.8)
Error:  activemq-web-demo-5.14.5.war: spring-core-4.1.9.RELEASE.jar: CVE-2022-22965(9.8), CVE-2016-1000027(9.8), CVE-2018-1270(9.8)
Error:  activemq-web-demo-5.14.5.war: velocity-1.7.jar: CVE-2020-13936(8.8)
Error:  activemq-web-demo-5.14.5.war: websocket-server-9.2.13.v20150730.jar: CVE-2017-7658(9.8), CVE-2017-7657(9.8)
Error:  activemq-web-demo-5.14.5.war: xstream-1.4.9.jar: CVE-2020-26217(8.8), CVE-2021-21351(9.1), CVE-2021-21350(9.8), CVE-2021-21347(9.8), CVE-2021-21346(9.8), CVE-2021-21345(9.9), CVE-2021-21344(9.8), CVE-2021-21342(9.1)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: apache-jsp-8.0.9.M3.jar: CVE-2016-5018(9.1), CVE-2016-8735(9.8), CVE-2018-8014(9.8), CVE-2017-5648(9.1)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: apache-jsp-9.2.13.v20150730.jar: CVE-2017-7658(9.8), CVE-2017-7657(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: camel-core-2.16.3.jar: CVE-2017-12633(9.8), CVE-2017-12634(9.8), CVE-2018-8027(9.8), CVE-2016-8749(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: camel-jms-2.16.3.jar: CVE-2017-12633(9.8), CVE-2017-12634(9.8), CVE-2016-8749(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: camel-spring-2.16.3.jar: CVE-2017-12633(9.8), CVE-2017-12634(9.8), CVE-2016-8749(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: jackson-databind-2.6.3.jar: CVE-2017-17485(9.8), CVE-2019-14379(9.8), CVE-2018-11307(9.8), CVE-2018-14718(9.8), CVE-2018-7489(9.8), CVE-2018-14719(9.8), CVE-2019-17531(9.8), CVE-2019-14540(9.8), CVE-2017-15095(9.8), CVE-2019-16942(9.8), CVE-2019-16943(9.8), CVE-2018-19362(9.8), CVE-2018-19361(9.8), CVE-2018-19360(9.8), CVE-2017-7525(9.8), CVE-2019-16335(9.8), CVE-2018-14721(10.0), CVE-2018-14720(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: jetty-all-9.2.13.v20150730.jar/META-INF/maven/org.eclipse.jetty.spdy/spdy-http-server/pom.xml: CVE-2017-7658(9.8), CVE-2017-7657(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: jetty-all-9.2.13.v20150730.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml: CVE-2017-7658(9.8), CVE-2017-7657(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: jetty-all-9.2.13.v20150730.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml: CVE-2017-7658(9.8), CVE-2017-7657(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: jetty-all-9.2.13.v20150730.jar: CVE-2017-7658(9.8), CVE-2017-7657(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: log4j-1.2.17.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8), CVE-2022-23305(9.8), CVE-2019-17571(9.8)
Error:  apache-activemq-5.14.5-bin.tar.gz: apache-activemq-5.14.5-bin.tar: spring-core-4.1.9.RELEASE.jar: CVE-2022-22965(9.8), CVE-2016-1000027(9.8), CVE-2018-1270(9.8)
Error:  apache-artemis-2.19.0-bin.tar.gz: apache-artemis-2.19.0-bin.tar: console.war: log4j-1.2.17.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8), CVE-2022-23305(9.8), CVE-2019-17571(9.8)
Error:  artemis-console-2.19.0.war: log4j-1.2.17.jar: CVE-2020-9493(9.8), CVE-2022-23307(8.8), CVE-2022-23305(9.8), CVE-2019-17571(9.8)
Error:  artemis-openwire-protocol-2.19.0.jar: CVE-2021-41093(9.8), CVE-2020-27853(9.8)
Error:  artemis-rest-2.19.0.jar: CVE-2016-3088(9.8)
Error:  camel-core-engine-3.11.0.jar: CVE-2022-45046(9.8)
Error:  commons-configuration2-2.7.jar: CVE-2022-33980(9.8)
Error:  commons-text-1.8.jar: CVE-2022-42889(9.8)
Error:  geronimo-saaj_1.3_spec-1.1.jar: CVE-2022-45378(9.8)
Error:  h2-1.4.199.jar: CVE-2022-23221(9.8), CVE-2021-23463(9.1), CVE-2021-42392(9.8)
Error:  jgroups-3.6.13.Final.jar: CVE-2016-2141(9.8)
Error:  json-patch-1.9.jar: CVE-2021-[4279](https://github.com/Coduz/kapua/actions/runs/3912977073/jobs/6688298708#step:5:4280)(9.8)
Error:  liquibase-core-3.6.3.jar: CVE-2022-0839(9.8)
Error:  netty-3.10.6.Final.jar: CVE-2019-20445(9.1), CVE-2019-20444(9.1)
Error:  pom.xml: CVE-2017-7649(9.8)
Error:  pom.xml: CVE-2017-7649(9.8)
Error:  pom.xml: CVE-2017-7649(9.8)
Error:  pom.xml: CVE-2017-7649(9.8)
Error:  pom.xml: CVE-2017-7649(9.8)
Error:  pom.xml: CVE-2017-7649(9.8)
Error:  pax-logging-log4j2-2.1.3.jar: CVE-2017-5645(9.8), CVE-2021-44228(10.0), CVE-2021-45046(9.0)
Error:  pax-url-aether-2.4.3.jar/META-INF/maven/org.apache.maven/maven-settings/pom.xml: CVE-2021-26291(9.1)
Error:  qpid-amqp-1-0-client-0.32.jar: CVE-2017-15702(9.8)
Error:  qpid-amqp-1-0-common-0.32.jar: CVE-2017-15702(9.8)
Error:  shiro-spring-1.2.4.jar: CVE-2020-11989(9.8), CVE-2021-41303(9.8), CVE-2020-1957(9.8), CVE-2022-32532(9.8), CVE-2020-17523(9.8), CVE-2020-17510(9.8), CVE-2022-40664(9.8)
Error:  snakeyaml-1.33.jar: CVE-2022-1471(9.8)
Error:  spi-annotations-3.11.0.jar: CVE-2022-45046(9.8)
Error:  spring-oxm-4.1.9.RELEASE.jar: CVE-2022-22965(9.8), CVE-2018-1270(9.8)
Error:  spring-web-5.3.23.jar: CVE-2016-1000027(9.8)
Error:  sshd-osgi-2.9.1.jar: CVE-2022-45047(9.8)
Error:  swagger-ui-3.23.0.jar: CVE-2019-17495(9.8)
Error:  tomcat-websocket-api-8.0.24.jar: CVE-2016-5018(9.1), CVE-2018-8014(9.8), CVE-2016-8735(9.8), CVE-2017-5648(9.1)
Error:  velocity-1.7.jar: CVE-2020-13936(8.8)
Error:  xstream-1.4.9.jar: CVE-2020-26217(8.8), CVE-2021-21351(9.1), CVE-2021-21350(9.8), CVE-2021-21347(9.8), CVE-2021-21346(9.8), CVE-2021-21345(9.9), CVE-2021-21344(9.8), CVE-2021-21342(9.1)
Error:  
Error:  See the dependency-check report for more details.
Error:  -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
Error:  
Error:  After correcting the problems, you can resume the build with the command
Error:    mvn <args> -rf :kapua
Error: Process completed with exit code 1.
@Coduz Coduz added Enhancement This PR/Issue improves an part of Kapua Security This issue/PR has some security critical aspect and should be issued as soon as possible Dependencies PR that updates dependencies. Be on the edge! labels Jan 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Dependencies PR that updates dependencies. Be on the edge! Enhancement This PR/Issue improves an part of Kapua Security This issue/PR has some security critical aspect and should be issued as soon as possible
Projects
None yet
Development

No branches or pull requests

1 participant