[security] Outdated Vulnerable Dependencies #489
Comments
This was opened due to the Trail of Bits security review.
@pierDipi is this something you might be able to take a look at? I'd like to close all "security" issues.
duglin pushed a commit to duglin/sdk-java that referenced this issue on Dec 8, 2022:
Closes cloudevents#489
Signed-off-by: Doug Davis <[email protected]>
Merged
pierDipi pushed a commit that referenced this issue on Dec 9, 2022:
Closes #489
Signed-off-by: Doug Davis <[email protected]>
Description
Multiple outdated dependencies with publicly known vulnerabilities, including multiple high- and medium-risk vulnerabilities, were identified in the Java SDK. The open-source Snyk tool was used to automatically audit each module. Due to time constraints and ease of remediation, exploitability of these issues within the context of the SDK was not manually reviewed.
A list of Java SDK modules and their vulnerable dependencies is provided below:
Exploit Scenario
Attackers identified vulnerable dependencies by observing the public GitHub repository of the SDK. They can then craft malicious requests (HTTP, event, etc.) that will be processed by SDK APIs to exploit these issues.
Recommendations
Short term, upgrade all outdated third-party dependencies used in the SDK.
Long term, outdated and vulnerable dependencies should be automatically and continuously highlighted as part of the CI/CD pipeline. Alternatively, developers can configure GitHub Actions workflows that warn developers when new security updates are available for dependencies.
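One way to implement the long-term recommendation above for a Maven build like this SDK's, as an added example that is not part of the issue, the Trail of Bits report, or the cloudevents/sdk-java repository: a Dependabot config that opens pull requests for new dependency versions, plus a GitHub Actions workflow that fails the build when a dependency with a known vulnerability is present. The file names, the Java version, the CVSS threshold of 7, the nightly cron schedule and the `SNYK_TOKEN` secret name are assumptions chosen for illustration; the OWASP dependency-check Maven plugin, the `snyk/actions/maven` action and the `actions/*` steps are real and used with their documented inputs.

```yaml
# .github/dependabot.yml  (Dependabot's standard location)
# Opens a pull request whenever a newer version of a Maven dependency is
# published, security updates included, so outdated libraries surface
# without anyone running a scanner by hand.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                 # root pom.xml of the multi-module build
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "security"
---
# .github/workflows/dependency-audit.yml  (file name assumed)
# Fails the build when any module depends on a library with a published
# vulnerability scoring at or above the chosen CVSS threshold. Runs on
# every push and pull request and also nightly, because new advisories
# are published against unchanged code.
name: dependency-audit

on:
  push:
    branches: [ main ]
  pull_request:
  schedule:
    - cron: "0 3 * * *"            # nightly; schedule is an assumption

permissions:
  contents: read

jobs:
  owasp-dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"       # assumed; match the SDK's build JDK
          cache: maven
      # OWASP dependency-check (open source) audits each reactor module
      # against the NVD. failBuildOnCVSS=7 fails on High and Critical
      # findings; the threshold is an assumption, tune it to project policy.
      - name: Audit dependencies
        run: >
          mvn -B org.owasp:dependency-check-maven:check
          -DfailBuildOnCVSS=7
          -Dformat=ALL
      - name: Upload report
        if: always()               # keep the report even when the audit fails
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: "**/target/dependency-check-report.*"

  snyk:
    # Optional second opinion using Snyk, the tool the review used.
    # Needs a SNYK_TOKEN repository secret (secret name assumed).
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --all-projects --severity-threshold=medium
```

Pin the dependency-check plugin version in the root `pom.xml` (or on the command line) rather than letting Maven resolve the latest, so the audit itself is reproducible and not a new unpinned dependency; and keep the scheduled run, since the push and pull-request triggers alone would miss advisories published while the code is idle.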