Addressing critical vulnerabilities in Maven dependencies
I'm working on a Java Jersey application. In my pom.xml file, I've included certain Maven dependencies that have critical vulnerabilities. Even after upgrading to the latest versions, some of these dependencies still exhibit critical vulnerabilities.

I'm utilizing the open-source OWASP dependency tool to scan for vulnerabilities in my dependencies. The specific dependencies I'm concerned about are:

  1. cassandra-driver-extras-3.11.4.jar
  2. jackson-databind-2.15.2.jar
  3. json-20230618.jar
  4. spark-core_2.13-3.4.1.jar
  5. spring-boot-starter-parent 3.1.2
  6. org.apache.kerby:kerb-server:1.0.1 (I'm unable to determine its source of download)

I'm wondering if these dependencies indeed have critical vulnerabilities. If they do, could you please advise on how to address this issue?

I would appreciate any recommendations for alternative open-source tools that can check for dependency vulnerabilities.

I have upgraded the dependencies to the latest version, but it still shows critical vulnerabilities.

Inflate answered 24/8, 2023 at 18:6 Comment(3)
Which critical issues have been mentioned for Spring Boot? A new version has been released today (3.1.3). I assume that you might be referring to snakeyaml 1.33, but for the next minor version 3.2.0 (3.2.0-M2 available) snakeyaml has been upgraded to 2.1? And the other question: what kind of vulnerabilities have been reported? Are those really targeting your use case? – Houchens
Hello @khmarbaise, yes, that's SnakeYAML CVE-2022-1471. To avoid the vulnerability, I explicitly specified version snakeyaml 2.0 within the <projectmanagement> tag. Is this approach advisable? Additionally, look below: pino provided an answer. Is the issue with the tool itself? – Inflate
You should use dependencyManagement instead ... maven.apache.org/guides/introduction/… (btw. in the meantime you should use version 2.2 instead)... – Houchens
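The override the comments above recommend, written out as an added example (it is not code from the thread). It assumes the question's project, which inherits spring-boot-starter-parent 3.1.2, and pins SnakeYAML to 2.2 through dependencyManagement so that every transitive occurrence resolves to that version; the version number and the unmanaged-library case are illustrative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: pinning a transitive library in a Spring Boot child POM.
     Assumes the parent and coordinates from the question. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.2</version>
        <relativePath />
    </parent>

    <groupId>test</groupId>
    <artifactId>testApp</artifactId>
    <version>1.0.0-SNAPSHOT</version>

    <properties>
        <!-- spring-boot-dependencies already manages SnakeYAML through this
             property; overriding it is the lightest fix and keeps the parent
             BOM consistent. Either this or the dependencyManagement entry
             below is sufficient; both are shown for illustration. -->
        <snakeyaml.version>2.2</snakeyaml.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <!-- The general mechanism for any library, managed by the parent
                 or not: a version declared here wins over every transitive
                 declaration without adding a direct dependency. -->
            <dependency>
                <groupId>org.yaml</groupId>
                <artifactId>snakeyaml</artifactId>
                <version>2.2</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
</project>
```

To confirm the override took effect, run mvn dependency:tree -Dincludes=org.yaml:snakeyaml and check that only the pinned version appears; the next dependency-check run should then no longer list the SnakeYAML CVE.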

The output of the OWASP dependency check tool (like any other similar tool) must be examined carefully because it can contain false positives (very common with the OWASP tool) and "disputed" vulnerabilities.

I have created the following POM containing exactly the dependencies you have listed plus the latest version of the OWASP dependency-check-maven plugin:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <name>Test App</name>
    <groupId>test</groupId>
    <artifactId>testApp</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <packaging>jar</packaging>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.2</version>
        <relativePath />
    </parent>

    <dependencies>
        <dependency>
            <groupId>com.datastax.cassandra</groupId>
            <artifactId>cassandra-driver-extras</artifactId>
            <version>3.11.4</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.15.2</version>
        </dependency>
        <dependency>
            <groupId>org.json</groupId>
            <artifactId>json</artifactId>
            <version>20230618</version>
        </dependency>
        <dependency>
            <groupId>org.apache.spark</groupId>
            <artifactId>spark-core_2.13</artifactId>
            <version>3.4.1</version>
        </dependency>
        <dependency>
            <groupId>org.apache.kerby</groupId>
            <artifactId>kerb-server</artifactId>
            <version>1.0.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>8.4.0</version>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

Then I executed mvn verify on it. The resulting vulnerability report says:

Vulnerable Dependencies: 25
Vulnerabilities Found: 56

Let's examine only the vulnerabilities of the first 3 libraries you listed:

  1. cassandra-driver-extras-3.11.4.jar: it's a false positive because the tool reports the CVEs of Apache Cassandra which is another software.
  2. jackson-databind-2.15.2.jar: it's the latest version and it has just one CVE labeled as "disputed". It's up to you to decide if it can be ignored.
  3. json-20230618.jar: it's a false positive because the report says that "versions up to (excluding) 20230227" are vulnerable but your version is newer.

And so on.

With the same POM, plus a dummy main class, I generated a Docker image with:

mvn spring-boot:build-image -Dspring-boot.build-image.imageName=myapp

then I checked it with trivy (another tool for vulnerability scanning). With trivy false positives are rare and, in fact, the three analyzed above do not appear; however, the report still lists a lot of CVEs:

Total: 42 (UNKNOWN: 0, LOW: 4, MEDIUM: 27, HIGH: 10, CRITICAL: 1)
Paradise answered 25/8, 2023 at 11:1 Comment(1)
Thanks for your response @pino, let me try with this one. – Inflate
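Once findings have been triaged the way the answer describes, the remaining false positives should be recorded rather than re-examined on every build. The following dependency-check suppression file is an added example, not part of the answer: it suppresses the Apache Cassandra CPE match on cassandra-driver-extras (the first false positive in the answer) and a version-range mismatch on org.json (the third). The CVE identifier for the org.json finding is not given in the thread, so it is a placeholder; the file name and expiry date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: dependency-check-suppressions.xml for the false positives
     identified in the answer. CVE-XXXX-NNNNN is a placeholder; replace it
     with the identifier from your own report. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- cassandra-driver-extras is a client library; the tool matched it to
         the Apache Cassandra server CPE and reported the server's CVEs.
         Suppress that CPE for this package only, so genuine driver CVEs
         reported under other identifiers still surface. -->
    <suppress>
        <notes>Driver jar mis-identified as the Cassandra server (false positive).</notes>
        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
        <cpe>cpe:/a:apache:cassandra</cpe>
    </suppress>

    <!-- json-20230618 is newer than the affected range "up to (excluding)
         20230227". Suppress the single CVE, and let the suppression expire so
         the decision is revisited rather than forgotten. -->
    <suppress until="2024-03-01Z">
        <notes>Fixed range ends at 20230227; 20230618 is outside it.</notes>
        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
        <cve>CVE-XXXX-NNNNN</cve>
    </suppress>

</suppressions>
```

Reference the file from the plugin in the answer's POM with a configuration element containing suppressionFiles/suppressionFile, and consider setting failBuildOnCVSS (for example to 7) so that unsuppressed high and critical findings fail mvn verify instead of only being written to the report. Keep the notes element honest about why each entry exists; a suppression without a reason is the next engineer's false negative.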
