How to fix CVE-2019-8457 vulnerability in Spring Boot application, since none of my known dependencies includes SQLite3 in Spring Boot 2.6.6, jdk18-slim docker image
CVE-2019-8457
db5.3:5.3.28+dfsg1-0.8
HIGH
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
use alpine version of container images which mostly does not have high and critical vulnerabilities
Please inspect the dependency tree of your project to check if there is a transitive dependency defined on sqlite3. You may not be using sqlite3 directly in the project dependencies, there is a chance that some other library has defined it as a dependency.
For maven.
mvn dependency:tree
For gradle.
gradle dependencies
Once you find it, use exclusion pattern to exclude the older version of sqlite3 and explicitly declare a dependency of sqlite3 with the fixed version of sqlite3 version.
Related
In my build.gradle , for one of the direct dependency A , "jersey-client" 2.25.1 is transitive dependency. But when I do gradle build it downloads 2.7 version, when I check dependency A pom, it has only 2.25.1 version, how Gradle resolves it to 2.7?
There are versions above 2.7 as well in the artifactory, how only 2.7 is downloaded?
Only dependency A is using jersey-client.
Cleared gradle cache and tried, but same result.
There's probably another dependency in your dependency graph bringing in a later version. Try running
gradle dependencies
And it should show some insight into why it chose the newer version. Gradle has a few strategies allowing you to force a particular version of a dependency or perhaps ignoring transitive dependencies of a particular dependency should you wish to do so
Spring dependency management plugin is overriding jersey 2.25.1 with 2.7,
I have explicitly declared in my build.gradle file to use 2.25.1 by adding the below property.
ext['jersey.version'] = '2.25.1'
I noticed that I cannot create an issue on the spring-batch github and I could not create a topic on the Spring forum so I was redirected here.
I have this in my pom.xml file as explained on Spring.io's Batch tutorial
<dependency>
<groupId>org.springframework.batch</groupId>
<artifactId>spring-batch-core</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
And when I run the mvn dependency-check:check I see these issues
spring-tx-5.0.0.RELEASE.jar
CVE-2018-1199 - upgrade spring framework to latest 4.x
spring-batch-core-4.0.1.RELEASE.jar
CVE-2014-0225 - upgrade spring mvc - added it and latest 4.x
CVE-2015-5211 - upgrade springframework 4.x
CVE-2016-5007 - upgrade springframework 4.x
CVE-2014-3578 - upgrade springframework 4.x
CVE-2014-3625 - upgrade springframework 4.x
I ran mvn dependency:build-classpath -Dmdep.outputFile=cp.txt the offending jars above are located in my classpath. Then ran 'mvn dependency:tree` but did not see the offending jars.
mvn dependency:tree 2>&1 | egrep -i 'batch-core|spring-tx'
I tried googling some of the core CVEs which said to upgrade spring-mvc which I don't even have in my project but I explicitly defined it anyway. My spring version is set to the latest 4.x and even upgrading to 5.x still throws the vulnerability because spring-batch-core's latest version is still vulnerable.
Am I doing something wrong in my pom file?
To start, none of those CVEs apply directly to Spring Batch or the spring-batch-core jar file. They are all related to Spring Framework and Spring MVC. Also, every one of those CVEs has been mitigated in the specified patch versions.
If you have confirmed that your POM is bringing in the correct, non-vunlerable, version of Spring Framework, this is a case of a false positive and you'll need to configure whatever tool you're using to address this. If the artifact you are building as a result of the build process includes a vulnerable version of Spring Framework (or related components), then you do have an issue with your POM. We can help, but we need to see the POM in order to do so.
I am using the following camel packages in my Maven project:
camel-core
camel-jms
camel-jaxb
camel-quartz
camel-bindy
camel-ftp
And when all these are using version 2.8.0 my server starts up fine and the app works ok. But if I update the camel version to anything higher like 2.10.0 then I get the following exception on startup and not sure which of these is causing this issue:
Caused by: org.apache.camel.TypeConverterLoaderException: Failed to load type converters because of: Cannot find any type converter classes from the following packages: [org.apache.camel.component.file.remote]
Any help would be much appreciated?
Maybe another library of your project is using a different version of camel.
You can check the camel dependency tree of your project with this maven command:
mvn dependency:tree -Dverbose -Dincludes=camel-core
In verbose mode, the dependency tree shows dependencies that were omitted for being a duplicate of another, conflicting with another's version and/or scope, and introducing a cycle into the dependency tree.
Here are some reference links:
https://maven.apache.org/plugins/maven-dependency-plugin/examples/filtering-the-dependency-tree.html
https://maven.apache.org/plugins/maven-dependency-plugin/examples/resolving-conflicts-using-the-dependency-tree.html
Recently, I upgraded a Grails project to 2.3.1 from 2.0.1. The project runs fine on my Window's machine, and on my coworker's Mac (pulled via Git). On my Mac, though, I get this error when I try to run-app, after it finishes installing plugins and compiling:
ClassNotFoundException: org.springframework.beans.factory.NoUniqueBeanDefinitionException
The full stack trace is at http://pastebin.com/iEvKBmG5, but that's the crux of the error.
If I run grails in interactive mode, the server starts up, but when I browse to a controller, I just get a white page.
What could be different between my environment on my Mac and the environment on my colleague's that causes this error? Here's what I've tried in order to fix the issue:
Deleting the contents of my ~/.grails folder (as well as less extreme variants clearing particular subfolders)
Deleting the project and pulling it back from git
grails clean
Reinstalling grails 2.3.1 (using gvm, so the commands I ran were gvm uninstall grails 2.3.1, gvm flush archives, gvm install grails 2.3.1)
Cloning the project contents into a different directory
Checking my dependency report to make sure that the version of spring pulled is greater than 3.2.1, in which the NoUniqueBeanDefinitionException class was added. See http://pastebin.com/0AVC0SA0 for full report.
Verifying that the NoUniqueBeanDefinitionException.class file is inside the spring-beans jar, located at ~/.gvm/grails/2.3.1/lib/org.springframework/spring-beans/jars/spring-beans-3.2.4.RELEASE.jar.
grails refresh-dependencies myApplicationDependencies.xml Resulting file at http://pastebin.com/5bG9Vv78.
Manually deleted the 3.1.2 release of spring-beans and other spring jars from my maven repository, since that was being listed in the dependencies. Maven just re-resolves it though.
Switching the dependency resolver to ivy and getting a dependency report. The 3.1.2 version of Spring is listed as "evicted."
Both my colleague and I are running Mac OS X Mavericks and the latest version of Java. Any thoughts welcome.
UPDATE
I've also double-checked to make sure that my project doesn't contain duplicate classes. To do that, I ran grails dev war and used jar scan with the -double flag to search for duplicate classes. None were found.
Again, I am pretty sure the system isn't actually trying to throw a NoUniqueBeanDefinitionException. I think it's just trying to find that class and can't for some reason.
----------------------------------------------
Scanned archives: 2
Errors: 0
Archives with hits: 0
Maybe a problem with some file name upper/lower case. Check all source file names are correctly names (camel case) and there are not to file with the same name but different case
es:
Controllers/MyGreatController.groovy
Controllers/MygreatController.groovy
Failing that, take a look at the output of grails dependency-report. Make sure that the version of Spring that your project is pulling in is above or equal to 3.2.1, since that's the version of Spring where the NoUniqueBeanDefinitionException class was added. That class is in the spring-beans module. Also, make sure that none of your other dependencies are pulling in an older version of spring-beans.
If they are, you can tell Grails to ignore that transitive dependency with the excludes configuration option in BuildConfig.groovy. For example, let's say you're pulling in the activiti-engine jar from the mavenRepo "https://maven.alfresco.com/nexus/content/groups/public/". Change the dependency declaration to exclude spring-beans, and you should be right as rain.
compile("org.activiti:activiti-engine:5.13") {
excludes "spring-beans"
}
See http://grails.org/doc/2.3.1/guide/conf.html#dependencyResolution.
I had a dependency (activiti 5.13) that included and older version of the spring-beans module as a dependency of its own. For some reason, the version was winning out on my Mac, but was getting trumped on other workstations by the newer spring jar. The workaround was to exclude spring-beans from that dependency in my BuildConfig.groovy file.
...
dependencies {
// specify dependencies here under either 'build', 'compile', 'runtime', 'test' or 'provided' scopes eg.
compile("org.activiti:activiti-engine:5.13") {
excludes "spring-beans"
}
// runtime 'mysql:mysql-connector-java:5.1.16'
}
That prevents Grails from transitively resolving that particular dependency of my dependency.
See the information under Disabling transitive dependency resolution at http://grails.org/doc/2.3.1/guide/conf.html#configurationsAndDependencies.
I'm trying to build a complete Spring Framework distribution for version 3.2.4.RELEASE without using maven (just the spring jars) and managed to manually get all jars except for spring-asm.
Spring-asm stops at version 3.1.4. Why is that?
I have older spring distributions up to 3.1.1 (those for which you had a zip file, not forced to use maven) and all have the same spring-asm jar inside, with the same version.
Why is there no spring-asm-3.2.4.RELEASE jar?
Here is from release notes for 3.2
we've eliminated the dedicated spring-asm jar in M2 in favor of including org.springframework.asm classes directly in spring-core