
fix(sdk): fix critical/high vulnerabilities #6

Merged
merged 6 commits into from
Oct 15, 2024

Conversation

DaveXiong
Contributor

@DaveXiong DaveXiong commented Oct 15, 2024

Description

The CI reported a couple of critical/high vulnerabilities. It looks like the root cause is that the CI tool can't detect the Maven packages used by the project (the vulnerable version is empty); configuring the version in the pom.xml for the dependencies should be able to fix this issue.


Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates in detail with reasoning why it's required
  • I would like a code coverage CI quality gate exception and have explained why
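As an added check (not part of this PR or the project's code), the following script reproduces the condition the scanner trips over: it reads a constructed pom.xml and reports each dependency's version as a literal, as resolved from `<properties>`, as MISSING (no `<version>` element, so a scanner that reads the POM literally sees an empty vulnerable version) or as UNRESOLVED (a `${property}` with no definition). The sample POM, its coordinates and the property names are constructed; nested properties and parent/BOM resolution are not handled.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed sample POM (not the project's real file): one dependency with a
# literal version, one resolved through a property, one with no version at all
# (left to a parent/BOM) and one whose property is never defined.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <postgresql.version>42.2.28</postgresql.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.postgresql</groupId><artifactId>postgresql</artifactId>
      <version>${postgresql.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>2.12.7.1</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-web</artifactId></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-collections4</artifactId>
      <version>${collections.version}</version></dependency>
  </dependencies>
</project>
"""

def load_properties(root):
    """Collect <properties> children as {name: value}."""
    node = root.find(NS + "properties")
    if node is None:
        return {}
    return {child.tag.replace(NS, ""): (child.text or "").strip() for child in node}

def resolve(value, props):
    """Expand ${prop} references (one level); None if any reference is undefined."""
    for name in PROP_RE.findall(value):
        if name not in props:
            return None
        value = value.replace("${" + name + "}", props[name])
    return value

def audit_pom(pom_xml):
    """Map artifactId -> resolved version, 'MISSING' or 'UNRESOLVED'."""
    root = ET.fromstring(pom_xml)
    props = load_properties(root)
    report = {}
    for dep in root.iter(NS + "dependency"):
        artifact = dep.findtext(NS + "artifactId")
        raw = (dep.findtext(NS + "version") or "").strip()
        if not raw:
            report[artifact] = "MISSING"       # scanner sees an empty version
            continue
        resolved = resolve(raw, props)
        report[artifact] = resolved if resolved is not None else "UNRESOLVED"
    return report

if __name__ == "__main__":
    for artifact, status in audit_pom(SAMPLE_POM).items():
        print(f"{artifact:24} {status}")
```

Run it against the real pom.xml before pushing and treat any MISSING or UNRESOLVED row as a dependency the scanner will not be able to match to an advisory.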

Contributor

Library Vulnerability scan results

The following vulnerabilities have been found in libraries included in the repository (some might be dependencies of dependencies).

Critical 🔴 and High 🟡 severity vulnerabilities must be fixed before the PR can be merged, even if they are dependencies of dependencies.

| Library | Vulnerable version | Severity | Fix version | Vulnerability ID |
|---|---|---|---|---|
| commons-collections4 | | Critical 🔴 | 4.1 | GHSA-fjq5-5j5f-mvxh |
| commons-collections4 | | High 🟡 | 4.1 | GHSA-6hgm-866r-3cjv |
| jackson-databind | | Critical 🔴 | 2.7.9.2 | GHSA-rfx6-vp9g-rh7v |
| jackson-databind | | Critical 🔴 | 2.6.7.1 | GHSA-qxxx-2pp7-5hmx |
| jackson-databind | | Critical 🔴 | 2.6.7.3 | GHSA-h822-r4r5-v8jg |
| jackson-databind | | Critical 🔴 | 2.6.7.3 | GHSA-gjmw-vf9h-g25v |
| jackson-databind | | Critical 🔴 | 2.6.7.3 | GHSA-fmmc-742q-jg75 |
| jackson-databind | | Critical 🔴 | 2.8.11.5 | GHSA-f3j5-rmmp-3fc5 |
| jackson-databind | | Critical 🔴 | 2.6.7.5 | GHSA-cggj-fvv3-cqwv |
| jackson-databind | | Critical 🔴 | 2.6.7.3 | GHSA-85cw-hj65-qqv9 |
| jackson-databind | | Critical 🔴 | 2.7.9.6 | GHSA-6fpp-rgj9-8rwc |
| jackson-databind | | High 🟡 | 2.7.9.5 | GHSA-w3f4-3q6j-rh82 |
| jackson-databind | | High 🟡 | 2.6.7.5 | GHSA-vfqx-33qm-g869 |
| jackson-databind | | High 🟡 | 2.9.10.4 | GHSA-rpr3-cw39-3pxh |
| jackson-databind | | High 🟡 | 2.12.7.1 | GHSA-rgv9-q543-rqg4 |
| jackson-databind | | High 🟡 | 2.6.7.3 | GHSA-gwp4-hfv6-p7hw |
| jackson-databind | | High 🟡 | 2.7.9.4 | GHSA-cjjf-94ff-43w7 |
| jackson-databind | | High 🟡 | 2.6.7.3 | GHSA-cf6r-3wgc-h863 |
| jackson-databind | | High 🟡 | 2.6.7.5 | GHSA-5949-rw7g-wx7w |
| jackson-databind | | High 🟡 | 2.12.6.1 | GHSA-57j2-w4cx-62h2 |
| jackson-datatype-jsr310 | | Medium | 2.9.8 | GHSA-h4x4-5qp2-wp46 |
| postgresql | ${postgresql.version} | Critical 🔴 | 42.2.28 | GHSA-24rp-q3w6-vc56 |
| postgresql | ${postgresql.version} | High 🟡 | 42.2.26 | GHSA-r38f-c4h4-hqq2 |
| postgresql | ${postgresql.version} | High 🟡 | 8.2 | GHSA-h86w-m5rm-xr33 |
| spring-boot-starter-webflux | | Critical 🔴 | 2.5.12 | GHSA-36p3-wjmg-h94x |
| spring-web | | Critical 🔴 | 6.0.0 | GHSA-4wrc-f8pq-fpqp |
| spring-web | | High 🟡 | 5.3.33 | GHSA-hgjh-9rj2-g67j |
| spring-web | | High 🟡 | 5.3.34 | GHSA-2wrp-6fg6-hmc5 |
| spring-web | | Medium | 3.2.5.RELEASE | GHSA-g6hf-f9cq-q7w7 |
| spring-web | | Medium | 3.2.14 | GHSA-6v7w-535j-rq5m |
| spring-web | | Medium | 5.3.38 | GHSA-2rmj-mq67-h97g |
| spring-webflux | | Critical 🔴 | 5.2.20.RELEASE | GHSA-36p3-wjmg-h94x |

Contributor

Library Vulnerability scan results

The following vulnerabilities have been found in libraries included in the repository (some might be dependencies of dependencies).

Critical 🔴 and High 🟡 severity vulnerabilities must be fixed before the PR can be merged, even if they are dependencies of dependencies.

| Library | Vulnerable version | Severity | Fix version | Vulnerability ID |
|---|---|---|---|---|
| jackson-databind | | Critical 🔴 | 2.7.9.2 | GHSA-rfx6-vp9g-rh7v |
| jackson-databind | | Critical 🔴 | 2.6.7.1 | GHSA-qxxx-2pp7-5hmx |
| jackson-databind | | Critical 🔴 | 2.6.7.3 | GHSA-h822-r4r5-v8jg |
| jackson-databind | | Critical 🔴 | 2.6.7.3 | GHSA-gjmw-vf9h-g25v |
| jackson-databind | | Critical 🔴 | 2.6.7.3 | GHSA-fmmc-742q-jg75 |
| jackson-databind | | Critical 🔴 | 2.8.11.5 | GHSA-f3j5-rmmp-3fc5 |
| jackson-databind | | Critical 🔴 | 2.6.7.5 | GHSA-cggj-fvv3-cqwv |
| jackson-databind | | Critical 🔴 | 2.6.7.3 | GHSA-85cw-hj65-qqv9 |
| jackson-databind | | Critical 🔴 | 2.7.9.6 | GHSA-6fpp-rgj9-8rwc |
| jackson-databind | | High 🟡 | 2.7.9.5 | GHSA-w3f4-3q6j-rh82 |
| jackson-databind | | High 🟡 | 2.6.7.5 | GHSA-vfqx-33qm-g869 |
| jackson-databind | | High 🟡 | 2.9.10.4 | GHSA-rpr3-cw39-3pxh |
| jackson-databind | | High 🟡 | 2.12.7.1 | GHSA-rgv9-q543-rqg4 |
| jackson-databind | | High 🟡 | 2.6.7.3 | GHSA-gwp4-hfv6-p7hw |
| jackson-databind | | High 🟡 | 2.7.9.4 | GHSA-cjjf-94ff-43w7 |
| jackson-databind | | High 🟡 | 2.6.7.3 | GHSA-cf6r-3wgc-h863 |
| jackson-databind | | High 🟡 | 2.6.7.5 | GHSA-5949-rw7g-wx7w |
| jackson-databind | | High 🟡 | 2.12.6.1 | GHSA-57j2-w4cx-62h2 |
| jackson-datatype-jsr310 | | Medium | 2.9.8 | GHSA-h4x4-5qp2-wp46 |
| spring-boot-starter-webflux | | Critical 🔴 | 2.5.12 | GHSA-36p3-wjmg-h94x |
| spring-web | | Critical 🔴 | 6.0.0 | GHSA-4wrc-f8pq-fpqp |
| spring-web | | High 🟡 | 5.3.33 | GHSA-hgjh-9rj2-g67j |
| spring-web | | High 🟡 | 5.3.34 | GHSA-2wrp-6fg6-hmc5 |
| spring-web | | Medium | 3.2.5.RELEASE | GHSA-g6hf-f9cq-q7w7 |
| spring-web | | Medium | 3.2.14 | GHSA-6v7w-535j-rq5m |
| spring-web | | Medium | 5.3.38 | GHSA-2rmj-mq67-h97g |
| spring-webflux | | Critical 🔴 | 5.2.20.RELEASE | GHSA-36p3-wjmg-h94x |

Contributor

Library Vulnerability scan results

The following vulnerabilities have been found in libraries included in the repository (some might be dependencies of dependencies).

Critical 🔴 and High 🟡 severity vulnerabilities must be fixed before the PR can be merged, even if they are dependencies of dependencies.

| Library | Vulnerable version | Severity | Fix version | Vulnerability ID |
|---|---|---|---|---|
| jackson-datatype-jsr310 | | Medium | 2.9.8 | GHSA-h4x4-5qp2-wp46 |
| spring-boot-starter-webflux | | Critical 🔴 | 2.5.12 | GHSA-36p3-wjmg-h94x |
| spring-web | | Critical 🔴 | 6.0.0 | GHSA-4wrc-f8pq-fpqp |
| spring-web | | High 🟡 | 5.3.33 | GHSA-hgjh-9rj2-g67j |
| spring-web | | High 🟡 | 5.3.34 | GHSA-2wrp-6fg6-hmc5 |
| spring-web | | Medium | 3.2.5.RELEASE | GHSA-g6hf-f9cq-q7w7 |
| spring-web | | Medium | 3.2.14 | GHSA-6v7w-535j-rq5m |
| spring-web | | Medium | 5.3.38 | GHSA-2rmj-mq67-h97g |
| spring-webflux | | Critical 🔴 | 5.2.20.RELEASE | GHSA-36p3-wjmg-h94x |

Contributor

Library Vulnerability scan results

The following vulnerabilities have been found in libraries included in the repository (some might be dependencies of dependencies).

Critical 🔴 and High 🟡 severity vulnerabilities must be fixed before the PR can be merged, even if they are dependencies of dependencies.

| Library | Vulnerable version | Severity | Fix version | Vulnerability ID |
|---|---|---|---|---|
| spring-web | 6.1.6 | Medium | 6.1.12 | GHSA-2rmj-mq67-h97g |
| spring-webflux | | Critical 🔴 | 5.2.20.RELEASE | GHSA-36p3-wjmg-h94x |

Contributor

Library Vulnerability scan results

The following vulnerabilities have been found in libraries included in the repository (some might be dependencies of dependencies).

Critical 🔴 and High 🟡 severity vulnerabilities must be fixed before the PR can be merged, even if they are dependencies of dependencies.

| Library | Vulnerable version | Severity | Fix version | Vulnerability ID |
|---|---|---|---|---|


@DaveXiong DaveXiong linked an issue Oct 15, 2024 that may be closed by this pull request
@DaveXiong
Contributor Author

The CI/unit-test failure is not caused by the patch; it's an existing issue and will be fixed in #5.

@DaveXiong DaveXiong merged commit 0d6cf09 into main Oct 15, 2024
1 check passed
@DaveXiong DaveXiong deleted the dxiong/fix/vulnerability branch October 15, 2024 02:48
KsiBart pushed a commit that referenced this pull request Oct 29, 2024
* feat: KRAKEN-74

* fix: change ui

* feat: read file

* fix: read yaml file

* feat: integrate api and list

* feat: API list view children

* feat: config unit test

---------

Co-authored-by: Tim Pham <[email protected]>
Successfully merging this pull request may close these issues.

[BUG] fix the critical and high vulnerabilities