jetty-http issue on camel-jetty-starter - spring-boot

I got this vulnerability on my build.gradle,
jetty-http-9.4.46.v20220331.jar | Reference: CVE-2022-2047 | CVSS Score: 2.7 | Category: CWE-20 | In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
It's coming from this,
implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
When I check the Gradle dependencies,
--- org.apache.camel.springboot:camel-jetty-starter:3.14.5
| +--- org.springframework.boot:spring-boot-starter:2.6.10 -> 2.7.0 (*)
| +--- org.apache.camel:camel-jetty:3.14.5
| | +--- org.apache.camel:camel-support:3.14.5 (*)
| | +--- org.apache.camel:camel-http-common:3.14.5
| | | +--- org.apache.camel:camel-http-base:3.14.5
| | | | \--- org.apache.camel:camel-support:3.14.5 (*)
| | | +--- org.apache.camel:camel-cloud:3.14.5 (*)
| | | +--- org.apache.camel:camel-support:3.14.5 (*)
| | | \--- org.apache.camel:camel-attachments:3.14.5
| | | +--- org.apache.camel:camel-support:3.14.5 (*)
| | | \--- com.sun.activation:javax.activation:1.2.0
| | +--- org.apache.camel:camel-jetty-common:3.14.5
| | | +--- org.apache.camel:camel-cloud:3.14.5 (*)
| | | +--- org.apache.camel:camel-http-common:3.14.5 (*)
| | | \--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-server:9.4.46.v20220331
| | | +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | | +--- org.eclipse.jetty:jetty-http:9.4.46.v20220331
| | | | +--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331
| | | | \--- org.eclipse.jetty:jetty-util:9.4.46.v20220331
| | | \--- org.eclipse.jetty:jetty-io:9.4.46.v20220331 (*)
I tried to add this before or after,
implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
implementation 'org.eclipse.jetty:jetty-http:11.0.11'
But Eclipse always gives an error about an unresolved dependency on jetty-http.

I put in all the org.eclipse.jetty:jetty-xxx:9.4.48.v20220622 entries (hoping this version stays free of vulnerabilities). It's not literally xxx: whatever you see in your dependencies, you have to add it there, like jetty-(io/server/servlet/servlets/etc). Take note of servlet/servlets too.
Actually, can you just put xxx instead of listing every dependency? I tried it and it didn't work.
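One way to pin every org.eclipse.jetty module to a single patched 9.4.x release without listing each artifact by name, as an added Gradle (Groovy DSL) example rather than code from the question or the answer above. It assumes the Camel starter from the question and the 9.4.48.v20220622 release that appears later on this page; the jettyVersion variable and the verifyJettyVersion task name are my own. Two caveats a practitioner will want: CVE-2022-2047 is fixed from 9.4.47 onward, so any 9.4.47+ release clears the finding; and Jetty 10 and 11 are separate release lines (11 moved to the jakarta.servlet namespace), so jetty-http 11.0.11 is not a drop-in replacement for the 9.4.x jars that camel-jetty 3.14.5 pulls in, which is why mixing it in produces unresolved-dependency errors.

```groovy
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Assumed: the same Camel starter as in the question above.
dependencies {
    implementation 'org.apache.camel.springboot:camel-jetty-starter:3.14.5'
}

// CVE-2022-2047 is fixed in Jetty 9.4.47; 9.4.48.v20220622 is the release used later on this page.
// Stay on the 9.4.x line: Jetty 10/11 are separate lines (11 uses jakarta.servlet), not drop-in replacements.
def jettyVersion = '9.4.48.v20220622'

// Rewrite every request for an org.eclipse.jetty module (jetty-http, jetty-io, jetty-server,
// jetty-servlet, jetty-servlets, ...) to jettyVersion, so nothing has to be listed by name.
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.eclipse.jetty') {
            details.useVersion(jettyVersion)
            details.because('CVE-2022-2047: jetty-http <= 9.4.46 is affected')
        }
    }
}

// Guard task (name is my own): fail the build if any resolved Jetty artifact escaped the pin.
tasks.register('verifyJettyVersion') {
    doLast {
        def unpinned = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.eclipse.jetty' && it.version != jettyVersion }
        if (!unpinned.empty) {
            throw new GradleException("Jetty artifacts not at ${jettyVersion}: ${unpinned}")
        }
    }
}
tasks.named('check') { dependsOn 'verifyJettyVersion' }

// Confirm what was selected and why:
//   ./gradlew dependencyInsight --dependency jetty-http --configuration runtimeClasspath
```

The eachDependency rule applies to every configuration, so it also covers test and annotation-processor classpaths; the guard task makes a silently re-introduced older Jetty jar (for example from a new transitive dependency in group org.eclipse.jetty) a build failure rather than a scanner finding weeks later.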

Related

Java Project Dependency clarification

I have Gradle project A which has another dependency module B (maven).
In Gradle project A dependency tree I can see below
+--- org.seleniumhq.selenium:selenium-api:3.141.59 -> 4.1.4
| | | +--- org.seleniumhq.selenium:selenium-chrome-driver:3.141.59 -> 4.1.4 (*)
| | | +--- org.seleniumhq.selenium:selenium-edge-driver:3.141.59 -> 4.1.4 (*)
I have a few questions here:
So with the above dep tree (i.e. 3.141.59 -> 4.1.4 (*)), which version is the one used? I know (*) means dependencies omitted (listed previously).
If the used one here is 3.141.59, how should I use 4.1.4 instead?
Note: I can see that the Maven module B has version 3.141.59.
The dep tree doesn't show clearly where the 4.1.4 version comes from. As per the tree snippet below, it comes under org.seleniumhq.selenium:selenium-server:3.141.59:
| +--- org.seleniumhq.selenium:selenium-server:3.141.59
| | | +--- org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4
| | | | +--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | +--- org.seleniumhq.selenium:selenium-chrome-driver:4.1.4
| | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | +--- com.google.auto.service:auto-service:1.0.1
| | | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | | +--- com.google.auto:auto-common:1.2
| | | | | | | \--- com.google.guava:guava:31.0.1-jre -> 31.1-jre (*)
| | | | | | \--- com.google.guava:guava:31.0.1-jre -> 31.1-jre (*)
| | | | | +--- com.google.guava:guava:31.1-jre (*)
| | | | | +--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | | +--- org.seleniumhq.selenium:selenium-chromium-driver:4.1.4
| | | | | | +--- com.google.auto.service:auto-service-annotations:1.0.1
| | | | | | +--- com.google.auto.service:auto-service:1.0.1 (*)
| | | | | | +--- com.google.guava:guava:31.1-jre (*)
| | | | | | +--- org.seleniumhq.selenium:selenium-json:4.1.4
| | | | | | | \--- org.seleniumhq.selenium:selenium-api:4.1.4
| | | | | | \--- org.seleniumhq.selenium:selenium-remote-driver:4.1.4
In the dep tree what's the difference between
org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4
and
org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4 (*)

Confused with gradle select rule of dependency version

I have imported the dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" in project A. Here is the dependency tree:
+--- org.springframework.boot:spring-boot-starter-jetty -> 2.1.18.RELEASE
| +--- org.eclipse.jetty:jetty-servlets:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-continuation:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-http:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-xml:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-security:9.4.33.v20201020
| | \--- org.eclipse.jetty:jetty-server:9.4.33.v20201020 -> 9.4.48.v20220622
| | +--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-http:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
| | \--- org.eclipse.jetty:jetty-io:9.4.48.v20220622 -> 9.4.33.v20201020 (*)
| +--- org.eclipse.jetty.websocket:websocket-server:9.4.33.v20201020
| | +--- org.eclipse.jetty.websocket:websocket-common:9.4.33.v20201020
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-client:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-client:9.4.33.v20201020
| | | | +--- org.eclipse.jetty:jetty-http:9.4.33.v20201020 (*)
| | | | \--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-xml:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-util:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-io:9.4.33.v20201020 (*)
| | | \--- org.eclipse.jetty.websocket:websocket-common:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-servlet:9.4.33.v20201020
| | | +--- org.eclipse.jetty.websocket:websocket-api:9.4.33.v20201020
| | | \--- javax.servlet:javax.servlet-api:3.1.0 -> 4.0.1
| | +--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020 (*)
| | \--- org.eclipse.jetty:jetty-http:9.4.33.v20201020 (*)
| +--- org.eclipse.jetty.websocket:javax-websocket-server-impl:9.4.33.v20201020
| | +--- org.eclipse.jetty:jetty-annotations:9.4.33.v20201020
| | | +--- org.eclipse.jetty:jetty-plus:9.4.33.v20201020
| | | | \--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020 (*)
| | | +--- org.eclipse.jetty:jetty-webapp:9.4.33.v20201020 (*)
| | | +--- javax.annotation:javax.annotation-api:1.3.2
| | | +--- org.ow2.asm:asm:9.0
| | | \--- org.ow2.asm:asm-commons:9.0
| | | +--- org.ow2.asm:asm:9.0
| | | +--- org.ow2.asm:asm-tree:9.0
| | | | \--- org.ow2.asm:asm:9.0
| | | \--- org.ow2.asm:asm-analysis:9.0
| | | \--- org.ow2.asm:asm-tree:9.0 (*)
| | +--- org.eclipse.jetty.websocket:javax-websocket-client-impl:9.4.33.v20201020
| | | \--- org.eclipse.jetty.websocket:websocket-client:9.4.33.v20201020 (*)
| | +--- org.eclipse.jetty.websocket:websocket-server:9.4.33.v20201020 (*)
| | \--- javax.websocket:javax.websocket-api:1.0 -> 1.1
| \--- org.mortbay.jasper:apache-el:8.5.54
I cannot understand why the module jetty-server is upgraded from 9.4.33.v20201020 to 9.4.48.v20220622, because the other Jetty module versions remain at 9.4.33.v20201020.
I also imported the dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" in another clean project B. Here is its dependency tree:
All Jetty module versions are unified: 9.4.45.
Why does the same dependency implementation group: "org.springframework.boot", name: "spring-boot-starter-jetty", version: "2.1.18.RELEASE" refer to different versions of the Jetty modules?
As you may know, Gradle's implementation configuration acts transitively, which means any dependency brings its own dependencies. Although your jetty-server version is 9.4.33.v20201020, somehow spring-boot-starter-jetty depends on jetty-servlets:9.4.48.v20220622, so it's being brought in. However, it's a little weird that your second screenshot shows version 9.4.45, because I tested it myself with an isolated project and the version was 9.4.48. Anyway, you can tell the implementation not to act completely transitively and exclude some dependencies like below:
implementation("org.springframework.boot:spring-boot-starter-jetty:2.1.18.RELEASE") {
    exclude group: "org.eclipse.jetty"
}
But if there is an org.eclipse.jetty module that spring-boot-starter-jetty depends on, you have to put it inside your build.gradle or exclude the malicious module specifically, like below:
implementation("org.springframework.boot:spring-boot-starter-jetty:2.1.18.RELEASE") {
    exclude group: "org.eclipse.jetty", module: "jetty-servlets"
}

How to find out why Gradle tries to use specific library version?

I'm new to using Gradle and need some help with a frustrating issue.
In the output of ./gradlew dependencies of my Spring Boot project I have a bunch of FAILED statements, for example:
+--- io.netty:netty-handler-proxy:4.1.75.Final FAILED
When I look up this library in my dependencies output, it has only following outputs related to this library:
+--- io.netty:netty-handler-proxy:{strictly 4.1.75.Final} -> 4.1.77.Final (c)
and
+--- io.projectreactor.netty:reactor-netty -> 1.0.19
| +--- io.projectreactor.netty:reactor-netty-core:1.0.19
| | +--- io.netty:netty-handler:4.1.77.Final
| | | +--- io.netty:netty-common:4.1.77.Final
| | | +--- io.netty:netty-resolver:4.1.77.Final
| | | | \--- io.netty:netty-common:4.1.77.Final
| | | +--- io.netty:netty-buffer:4.1.77.Final
| | | | \--- io.netty:netty-common:4.1.77.Final
| | | +--- io.netty:netty-transport:4.1.77.Final
| | | | +--- io.netty:netty-common:4.1.77.Final
| | | | +--- io.netty:netty-buffer:4.1.77.Final (*)
| | | | \--- io.netty:netty-resolver:4.1.77.Final (*)
| | | \--- io.netty:netty-codec:4.1.77.Final
| | | +--- io.netty:netty-common:4.1.77.Final
| | | +--- io.netty:netty-buffer:4.1.77.Final (*)
| | | \--- io.netty:netty-transport:4.1.77.Final (*)
| | +--- io.netty:netty-handler-proxy:4.1.77.Final
I'm trying to find out why Gradle is even trying to use the 4.1.75 library version. I don't declare this version explicitly in gradle.properties, but for some reason it is denoted as strictly.
I'm also wondering how to find out what library besides io.projectreactor.netty:reactor-netty (requiring version 4.1.77) is using io.netty:netty-handler-proxy (apparently version 4.1.75).
Could someone help me please?
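The three questions above (which side of "->" is the version actually used, why one Jetty module moved to 9.4.48 while its siblings stayed at 9.4.33, and which dependency requested netty-handler-proxy at which version) all come down to reading the tree that gradle dependencies prints. Gradle's own answer is ./gradlew dependencyInsight --dependency <name> --configuration <conf>, which prints every path that leads to a module and the reason for the selected version. When you only have a saved tree (a CI log or a scanner attachment), the decoding can be done offline: the script below is an added example, not code from any of the posts or from Gradle, and the sample tree it parses is constructed from the listings on this page with Gradle's real five-character indentation restored. Beyond the three questions it also flags a group (org.eclipse.jetty, org.seleniumhq.selenium) whose modules resolved to more than one version, which is the mixed-classpath situation from the Jetty question and a common way a patched artifact ends up next to an unpatched one.

```python
"""Decode the tree printed by `gradle dependencies --configuration <conf>`.

Tree line:  <prefix>+--- group:name[:requested][ -> selected][ (*)|(c)|(n)|FAILED]
The prefix is Gradle's indentation, one 5-character column ("|    " or "     ")
per level; copies whose whitespace was collapsed (as in the listings on this
page) must be re-expanded before parsing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

NODE_RE = re.compile(r"^(?P<prefix>(?:\|    |     )*)[+\\]--- (?P<body>.+?)\s*$")
FLAG_RE = re.compile(r"\s+(\(\*\)|\(c\)|\(n\)|FAILED)$")


@dataclass(frozen=True)
class Node:
    group: str
    name: str
    requested: str | None   # version (or rich constraint) as written by the requester
    selected: str | None    # version Gradle actually put on the classpath
    flag: str | None        # "*" subtree omitted, "c" constraint, "n" unresolved, "FAILED"
    path: tuple[str, ...]   # ancestor modules, root-level dependency first

    @property
    def module(self) -> str:
        return f"{self.group}:{self.name}"


def parse_tree(text: str) -> list[Node]:
    nodes: list[Node] = []
    stack: list[str] = []           # modules of the current ancestors
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue                # configuration header, blank line, legend
        depth = len(m.group("prefix")) // 5
        body = m.group("body")
        flag = None
        fm = FLAG_RE.search(body)
        if fm:
            flag = fm.group(1).strip("()")
            body = body[: fm.start()]
        left, _, selected = body.partition(" -> ")
        group, name, *rest = left.split(":", 2)
        requested = rest[0] if rest else None
        if not selected:
            selected = requested    # no arrow: selected is exactly what was requested
        if flag in ("n", "FAILED"):
            selected = None
        del stack[depth:]
        node = Node(group, name, requested, selected, flag, tuple(stack))
        nodes.append(node)
        stack.append(node.module)
    return nodes


def selected_versions(nodes: list[Node]) -> dict[str, str]:
    """Module -> the single version resolved in this configuration (right side of '->')."""
    chosen: dict[str, str] = {}
    for n in nodes:
        if n.selected is not None and chosen.setdefault(n.module, n.selected) != n.selected:
            raise ValueError(f"{n.module}: {chosen[n.module]} vs {n.selected}")
    return chosen


def requesters(nodes: list[Node], module: str) -> list[tuple[str | None, str, str | None]]:
    """Every (requested version, requester module, flag) for `module`; '<root>' = declared directly."""
    return [(n.requested, n.path[-1] if n.path else "<root>", n.flag) for n in nodes if n.module == module]


def conflicts(nodes: list[Node]) -> dict[str, set[str]]:
    """Modules printed with '->': the requested versions that lost conflict resolution."""
    out: dict[str, set[str]] = {}
    for n in nodes:
        if n.requested is not None and n.selected is not None and n.requested != n.selected:
            out.setdefault(n.module, set()).add(n.requested)
    return out


def mixed_groups(nodes: list[Node]) -> dict[str, set[str]]:
    """Groups whose modules resolved to more than one version (e.g. Jetty 9.4.33 next to 9.4.48)."""
    by_group: dict[str, set[str]] = {}
    for module, version in selected_versions(nodes).items():
        by_group.setdefault(module.split(":")[0], set()).add(version)
    return {g: v for g, v in by_group.items() if len(v) > 1}


# Constructed sample, assembled from the trees quoted on this page.
SAMPLE_TREE = r"""compileClasspath - Compile classpath for source set 'main'.
+--- io.netty:netty-handler-proxy:{strictly 4.1.75.Final} -> 4.1.77.Final (c)
+--- io.projectreactor.netty:reactor-netty -> 1.0.19
|    \--- io.projectreactor.netty:reactor-netty-core:1.0.19
|         +--- io.netty:netty-handler:4.1.77.Final
|         |    \--- io.netty:netty-transport:4.1.77.Final
|         |         \--- io.netty:netty-common:4.1.77.Final
|         \--- io.netty:netty-handler-proxy:4.1.77.Final
|              \--- io.netty:netty-transport:4.1.77.Final (*)
+--- org.eclipse.jetty:jetty-servlet:9.4.33.v20201020
|    \--- org.eclipse.jetty:jetty-server:9.4.33.v20201020 -> 9.4.48.v20220622
|         \--- org.eclipse.jetty:jetty-http:9.4.48.v20220622 -> 9.4.33.v20201020
\--- org.seleniumhq.selenium:selenium-server:3.141.59
     \--- org.seleniumhq.selenium:selenium-java:3.141.59 -> 4.1.4
          +--- org.seleniumhq.selenium:selenium-api:4.1.4
          \--- org.seleniumhq.selenium:selenium-chrome-driver:4.1.4
               \--- org.seleniumhq.selenium:selenium-api:4.1.4
"""

if __name__ == "__main__":
    nodes = parse_tree(SAMPLE_TREE)
    for module, losers in sorted(conflicts(nodes).items()):
        print(f"{module}: selected {selected_versions(nodes)[module]}, overriding {sorted(losers)}")
        for requested, who, flag in requesters(nodes, module):
            print(f"    {requested} requested by {who}" + (f" [{flag}]" if flag else ""))
    for group, versions in mixed_groups(nodes).items():
        print(f"WARNING {group} resolved to several versions: {sorted(versions)}")
```

Reading the sample with these helpers: selenium-api is on the classpath at 4.1.4 (the right-hand side always wins), selenium-java's 3.141.59 came from selenium-server and lost to 4.1.4, the 4.1.75.Final request for netty-handler-proxy is a root-level constraint (the "(c)" flag) rather than a transitive dependency, and the second netty-transport line carries "(*)" only because its subtree was already printed, not because a different version was chosen.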

Gradle dependency tree, what does the (*) mean?

I am just wondering what does the (*) mean under the dependency tree for Gradle. I have been searching online and could not find any answers.
+--- org.apache.httpcomponents:httpclient:4.2.6 -> 4.5 (*)
| +--- org.apache.jena:apache-jena-libs:2.12.1
| | +--- org.apache.jena:jena-tdb:1.1.1
| | | +--- org.apache.jena:jena-arq:2.12.1
| | | | +--- org.apache.jena:jena-core:2.12.1
| | | | | +--- org.slf4j:slf4j-api:1.7.6 -> 1.7.10
| | | | | +--- org.apache.jena:jena-iri:1.1.1
| | | | | | +--- org.slf4j:slf4j-api:1.7.6 -> 1.7.10
| | | | | | \--- log4j:log4j:1.2.17
| | | | | +--- xerces:xercesImpl:2.11.0
| | | | | | \--- xml-apis:xml-apis:1.4.01
| | | | | \--- log4j:log4j:1.2.17
| | | | +--- org.apache.httpcomponents:httpclient:4.2.6 -> 4.5 (*)
| | | | +--- com.github.jsonld-java:jsonld-java:0.5.0
| | | | | +--- com.fasterxml.jackson.core:jackson-core:2.3.3 -> 2.5.1
| | | | | +--- com.fasterxml.jackson.core:jackson-databind:2.3.3 -> 2.5.1 (*)
| | | | | \--- org.slf4j:jcl-over-slf4j:1.7.7 -> 1.7.10 (*)
(*) - dependencies omitted (listed previously)
Should be displayed under your dependency tree.
The dependencies of the marked dependency are omitted for readability because they were already listed higher up in the dependency graph output.
Also,
(c) - dependency constraint
(n) - Not resolved
Dependencies with the same coordinates that can occur multiple times in the graph are omitted and indicated by an asterisk(*). Dependencies that had to undergo conflict resolution render the requested and selected version separated by a right arrow character(->).
gradle manual: https://docs.gradle.org/current/userguide/viewing_debugging_dependencies.html

Where can I find the document for `(*)` and `1.7.6 -> 1.7.7` in the output of `gradle dependencies`

For a Gradle project with a simple build.gradle file:
apply plugin: 'java'
repositories.jcenter()
dependencies {
    compile "org.springframework.boot:spring-boot-starter-web:1.1.5.RELEASE"
    compile 'org.slf4j:slf4j-api:1.7.1'
}
When I run gradle dependencies, it will show:
:dependencies
------------------------------------------------------------
Root project
------------------------------------------------------------
archives - Configuration for archive artifacts.
No dependencies
compile - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:1.1.5.RELEASE
| +--- org.springframework.boot:spring-boot-starter:1.1.5.RELEASE
| | +--- org.springframework.boot:spring-boot:1.1.5.RELEASE
| | | +--- org.springframework:spring-core:4.0.6.RELEASE
| | | | \--- commons-logging:commons-logging:1.1.3
| | | \--- org.springframework:spring-context:4.0.6.RELEASE
| | | +--- org.springframework:spring-aop:4.0.6.RELEASE
| | | | +--- aopalliance:aopalliance:1.0
| | | | +--- org.springframework:spring-beans:4.0.6.RELEASE
| | | | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| | | +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | | \--- org.springframework:spring-expression:4.0.6.RELEASE
| | | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | +--- org.springframework.boot:spring-boot-autoconfigure:1.1.5.RELEASE
| | | \--- org.springframework.boot:spring-boot:1.1.5.RELEASE (*)
| | +--- org.springframework.boot:spring-boot-starter-logging:1.1.5.RELEASE
| | | +--- org.slf4j:jcl-over-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | +--- org.slf4j:jul-to-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | +--- org.slf4j:log4j-over-slf4j:1.7.7
| | | | \--- org.slf4j:slf4j-api:1.7.7
| | | \--- ch.qos.logback:logback-classic:1.1.2
| | | +--- ch.qos.logback:logback-core:1.1.2
| | | \--- org.slf4j:slf4j-api:1.7.6 -> 1.7.7
| | +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| | \--- org.yaml:snakeyaml:1.13
| +--- org.springframework.boot:spring-boot-starter-tomcat:1.1.5.RELEASE
| | +--- org.apache.tomcat.embed:tomcat-embed-core:7.0.54
| | +--- org.apache.tomcat.embed:tomcat-embed-el:7.0.54
| | \--- org.apache.tomcat.embed:tomcat-embed-logging-juli:7.0.54
| +--- com.fasterxml.jackson.core:jackson-databind:2.3.3
| | +--- com.fasterxml.jackson.core:jackson-annotations:2.3.0
| | \--- com.fasterxml.jackson.core:jackson-core:2.3.3
| +--- org.hibernate:hibernate-validator:5.0.3.Final
| | +--- javax.validation:validation-api:1.1.0.Final
| | +--- org.jboss.logging:jboss-logging:3.1.1.GA
| | \--- com.fasterxml:classmate:1.0.0
| +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| +--- org.springframework:spring-web:4.0.6.RELEASE
| | +--- org.springframework:spring-aop:4.0.6.RELEASE (*)
| | +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| | +--- org.springframework:spring-context:4.0.6.RELEASE (*)
| | \--- org.springframework:spring-core:4.0.6.RELEASE (*)
| \--- org.springframework:spring-webmvc:4.0.6.RELEASE
| +--- org.springframework:spring-beans:4.0.6.RELEASE (*)
| +--- org.springframework:spring-context:4.0.6.RELEASE (*)
| +--- org.springframework:spring-core:4.0.6.RELEASE (*)
| +--- org.springframework:spring-expression:4.0.6.RELEASE (*)
| \--- org.springframework:spring-web:4.0.6.RELEASE (*)
\--- org.slf4j:slf4j-api:1.7.1 -> 1.7.7
There are two things I'm not very sure about, although I've read some articles:
(*) means this dependency is already present and was downloaded in previous steps
1.7.1 -> 1.7.7 means this dependency is declared as 1.7.1, but Gradle decided to use 1.7.7 after conflict resolution
Not sure if my understanding is correct; how can I find some official document that explains them? I searched the Gradle website, but haven't found it yet.
While not official documentation, I found the following in the Gradle dependency-resolution-reporting.md design doc:
avoid regression of current features:
subtree is omitted (*)
Note, however, that this design doc was changed on April 2 (see change here) as part of the work on the release of v2.5, and this comment was removed from the document.
