Security vulnerability issues in version 1.6.0 #393

Open
dkinzer opened this issue Apr 30, 2024 · 6 comments

Comments

dkinzer commented Apr 30, 2024

I have scanned a Hyku docker image built using Fits v1.6.0 for security vulnerabilities. The following issues were reported as coming from this project:

(Note: I tried to address the issues and create a PR, but my knowledge of the Java ecosystem is very limited and I failed to make changes that would not fail the build process.)

[{
  "VulnerabilityID": "CVE-2022-40152",
  "PkgPath": "app/fits/lib/droid/woodstox-core-5.0.3.jar",
  "InstalledVersion": "5.0.3",
  "Status": "fixed",
  "FixedVersion": "6.4.0, 5.4.0"
},
{
  "VulnerabilityID": "CVE-2022-23596",
  "PkgPath": "app/fits/lib/droid/junrar-4.0.0.jar",
  "InstalledVersion": "4.0.0",
  "Status": "fixed",
  "FixedVersion": "7.4.1"
},
{
  "VulnerabilityID": "CVE-2023-2976",
  "PkgPath": "app/fits/lib/jhove/guava-24.1.1-android.jar",
  "InstalledVersion": "24.1.1-android",
  "Status": "fixed",
  "FixedVersion": "32.0.0-android"
},
{
  "VulnerabilityID": "CVE-2023-2976",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "24.1.1-android",
  "Status": "fixed",
  "FixedVersion": "32.0.0-android"
},
{
  "VulnerabilityID": "CVE-2020-8908",
  "PkgPath": "app/fits/lib/jhove/guava-24.1.1-android.jar",
  "InstalledVersion": "24.1.1-android",
  "Status": "fixed",
  "FixedVersion": "32.0.0-android"
},
{
  "VulnerabilityID": "CVE-2020-8908",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "24.1.1-android",
  "Status": "fixed",
  "FixedVersion": "32.0.0-android"
},
{
  "VulnerabilityID": "CVE-2021-23792",
  "PkgPath": "app/fits/lib/jhove/imageio-metadata-3.4.1.jar",
  "InstalledVersion": "3.4.1",
  "Status": "fixed",
  "FixedVersion": "3.7.1"
},
{
  "VulnerabilityID": "CVE-2021-23792",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "3.4.1",
  "Status": "fixed",
  "FixedVersion": "3.7.1"
},
{
  "VulnerabilityID": "CVE-2012-5783",
  "PkgPath": "app/fits/lib/droid/commons-httpclient-3.1.jar",
  "InstalledVersion": "3.1",
  "Status": "fixed",
  "FixedVersion": "4.0"
},
{
  "VulnerabilityID": "CVE-2012-5783",
  "PkgPath": "app/fits/lib/nzmetool/commons-httpclient-3.1.jar",
  "InstalledVersion": "3.1",
  "Status": "fixed",
  "FixedVersion": "4.0"
},
{
  "VulnerabilityID": "CVE-2021-29425",
  "PkgPath": "app/fits/lib/droid/commons-io-2.6.jar",
  "InstalledVersion": "2.6",
  "Status": "fixed",
  "FixedVersion": "2.7"
},
{
  "VulnerabilityID": "CVE-2021-35515",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35516",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35517",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-36090",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2024-25710",
  "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
  "InstalledVersion": "1.19",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2021-35515",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35515",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35516",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35516",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35517",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-35517",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-36090",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2021-36090",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.21"
},
{
  "VulnerabilityID": "CVE-2024-25710",
  "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2024-25710",
  "PkgPath": "app/fits/lib/jhove/jhove-ext-modules-1.26.1.jar",
  "InstalledVersion": "1.20",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2024-25710",
  "PkgPath": "app/fits/lib/tika/commons-compress-1.22.jar",
  "InstalledVersion": "1.22",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2024-26308",
  "PkgPath": "app/fits/lib/tika/commons-compress-1.22.jar",
  "InstalledVersion": "1.22",
  "Status": "fixed",
  "FixedVersion": "1.26.0"
},
{
  "VulnerabilityID": "CVE-2023-42503",
  "PkgPath": "app/fits/lib/tika/commons-compress-1.22.jar",
  "InstalledVersion": "1.22",
  "Status": "fixed",
  "FixedVersion": "1.24.0"
},
{
  "VulnerabilityID": "CVE-2022-46364",
  "PkgPath": "app/fits/lib/droid/cxf-core-3.3.6.jar",
  "InstalledVersion": "3.3.6",
  "Status": "fixed",
  "FixedVersion": "3.4.10, 3.5.5"
},
{
  "VulnerabilityID": "CVE-2022-46363",
  "PkgPath": "app/fits/lib/droid/cxf-core-3.3.6.jar",
  "InstalledVersion": "3.3.6",
  "Status": "fixed",
  "FixedVersion": "3.4.10, 3.5.5"
},
{
  "VulnerabilityID": "CVE-2024-28752",
  "PkgPath": "app/fits/lib/droid/cxf-core-3.3.6.jar",
  "InstalledVersion": "3.3.6",
  "Status": "fixed",
  "FixedVersion": "3.5.8, 3.6.3, 4.0.4"
},
{
  "VulnerabilityID": "CVE-2022-46337",
  "PkgPath": "app/fits/lib/droid/derby-10.13.1.1.jar",
  "InstalledVersion": "10.13.1.1",
  "Status": "fixed",
  "FixedVersion": "10.14.3, 10.15.2.1, 10.16.1.2, 10.17.1.0"
},
{
  "VulnerabilityID": "CVE-2018-1313",
  "PkgPath": "app/fits/lib/droid/derby-10.13.1.1.jar",
  "InstalledVersion": "10.13.1.1",
  "Status": "fixed",
  "FixedVersion": "10.14.2.0"
},
{
  "VulnerabilityID": "CVE-2024-21742",
  "PkgPath": "app/fits/lib/tika/apache-mime4j-core-0.8.4.jar",
  "InstalledVersion": "0.8.4",
  "Status": "fixed",
  "FixedVersion": "0.8.10"
},
{
  "VulnerabilityID": "CVE-2017-12626",
  "PkgPath": "app/fits/lib/nzmetool/poi-3.12.jar",
  "InstalledVersion": "3.12",
  "Status": "fixed",
  "FixedVersion": "3.17"
},
{
  "VulnerabilityID": "CVE-2017-5644",
  "PkgPath": "app/fits/lib/nzmetool/poi-3.12.jar",
  "InstalledVersion": "3.12",
  "Status": "fixed",
  "FixedVersion": "3.15"
},
{
  "VulnerabilityID": "CVE-2019-12415",
  "PkgPath": "app/fits/lib/nzmetool/poi-3.12.jar",
  "InstalledVersion": "3.12",
  "Status": "fixed",
  "FixedVersion": "4.1.1"
},
{
  "VulnerabilityID": "CVE-2023-33201",
  "PkgPath": "app/fits/lib/droid/bcprov-jdk15on-1.68.jar",
  "InstalledVersion": "1.68",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2023-33202",
  "PkgPath": "app/fits/lib/droid/bcprov-jdk15on-1.68.jar",
  "InstalledVersion": "1.68",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2023-33201",
  "PkgPath": "app/fits/lib/tika/bcprov-jdk15on-1.70.jar",
  "InstalledVersion": "1.70",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2023-33202",
  "PkgPath": "app/fits/lib/tika/bcprov-jdk15on-1.70.jar",
  "InstalledVersion": "1.70",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2020-15522",
  "PkgPath": "app/fits/lib/nzmetool/bcprov-jdk16-1.46.jar",
  "InstalledVersion": "1.46",
  "Status": "fixed",
  "FixedVersion": "1.66"
},
{
  "VulnerabilityID": "CVE-2020-26939",
  "PkgPath": "app/fits/lib/nzmetool/bcprov-jdk16-1.46.jar",
  "InstalledVersion": "1.46",
  "Status": "fixed",
  "FixedVersion": "1.61"
},
{
  "VulnerabilityID": "CVE-2023-33202",
  "PkgPath": "app/fits/lib/nzmetool/bcprov-jdk16-1.46.jar",
  "InstalledVersion": "1.46",
  "Status": "fixed",
  "FixedVersion": "1.73"
},
{
  "VulnerabilityID": "CVE-2019-10202",
  "PkgPath": "app/fits/lib/jhove/jackson-mapper-asl-1.9.12.jar",
  "InstalledVersion": "1.9.12",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2019-10172",
  "PkgPath": "app/fits/lib/jhove/jackson-mapper-asl-1.9.12.jar",
  "InstalledVersion": "1.9.12",
  "Status": "affected",
  "FixedVersion": null
},
{
  "VulnerabilityID": "CVE-2022-45688",
  "PkgPath": "app/fits/lib/embarc/embarc-0.2.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20230227"
},
{
  "VulnerabilityID": "CVE-2022-45688",
  "PkgPath": "app/fits/lib/embarc/json-20201115.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20230227"
},
{
  "VulnerabilityID": "CVE-2022-45688",
  "PkgPath": "app/fits/lib/json-20201115.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20230227"
},
{
  "VulnerabilityID": "CVE-2023-5072",
  "PkgPath": "app/fits/lib/embarc/embarc-0.2.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20231013"
},
{
  "VulnerabilityID": "CVE-2023-5072",
  "PkgPath": "app/fits/lib/embarc/json-20201115.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20231013"
},
{
  "VulnerabilityID": "CVE-2023-5072",
  "PkgPath": "app/fits/lib/json-20201115.jar",
  "InstalledVersion": "20201115",
  "Status": "fixed",
  "FixedVersion": "20231013"
},
{
  "VulnerabilityID": "CVE-2022-22965",
  "PkgPath": "app/fits/lib/droid/spring-beans-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.2.20.RELEASE, 5.3.18"
},
{
  "VulnerabilityID": "CVE-2022-22970",
  "PkgPath": "app/fits/lib/droid/spring-beans-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.2.22.RELEASE, 5.3.20"
},
{
  "VulnerabilityID": "CVE-2022-22968",
  "PkgPath": "app/fits/lib/droid/spring-context-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.3.19, 5.2.21"
},
{
  "VulnerabilityID": "CVE-2021-22060",
  "PkgPath": "app/fits/lib/droid/spring-core-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.3.14, 5.2.19"
},
{
  "VulnerabilityID": "CVE-2021-22096",
  "PkgPath": "app/fits/lib/droid/spring-core-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.3.11, 5.2.18"
},
{
  "VulnerabilityID": "CVE-2023-20863",
  "PkgPath": "app/fits/lib/droid/spring-expression-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "6.0.8, 5.3.27, 5.2.24.RELEASE"
},
{
  "VulnerabilityID": "CVE-2022-22950",
  "PkgPath": "app/fits/lib/droid/spring-expression-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "5.3.17, 5.2.20.RELEASE"
},
{
  "VulnerabilityID": "CVE-2023-20861",
  "PkgPath": "app/fits/lib/droid/spring-expression-5.2.5.RELEASE.jar",
  "InstalledVersion": "5.2.5.RELEASE",
  "Status": "fixed",
  "FixedVersion": "6.0.7, 5.3.26, 5.2.23.RELEASE"
},
{
  "VulnerabilityID": "CVE-2012-0881",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.12.0"
},
{
  "VulnerabilityID": "CVE-2013-4002",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.12.0"
},
{
  "VulnerabilityID": "CVE-2009-2625",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.10.0"
},
{
  "VulnerabilityID": "CVE-2020-14338",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.12.0.sp3"
},
{
  "VulnerabilityID": "CVE-2022-23437",
  "PkgPath": "app/fits/lib/jhove/xercesImpl-2.9.1.jar",
  "InstalledVersion": "2.9.1",
  "Status": "fixed",
  "FixedVersion": "2.12.2"
}]
@pwinckles (Contributor)

@dkinzer thanks for the report. All of the jars listed here are in tools that FITS bundles:

  • JHOVE
  • DROID
  • Tika
  • embarc
  • nzmetool

Of those tools, we are only really able to upgrade JHOVE, DROID, and Tika. The snapshot version on the main branch does include more recent versions of JHOVE and Tika, so you could try using that if you wanted. The DROID upgrade is currently blocked waiting for feedback from @awoods and co (see #387).

With regard to embarc and nzmetool, if you are worried about those dependencies, I would recommend simply deleting the tools from your fits.xml and then deleting the tool directories. This will remove them from your install.
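
Sorting a report like the one above into the buckets this reply lays out is easy to script; the following is an added Python example, not FITS project code. It groups findings by the tool directory under app/fits/lib/, using a handful of findings copied from the report as constructed input; how to treat a jar that sits directly in lib/ (such as json-20201115.jar) is an assumption, since the reply does not address it.

```python
"""Added example (not FITS project code): triage a scan report of the shape shown
above by the bundled tool under app/fits/lib/, per the reply's remediation options."""
import json
from collections import defaultdict

UPGRADEABLE = {"jhove", "droid", "tika"}  # tools the reply says can be upgraded
REMOVE_ONLY = {"embarc", "nzmetool"}      # tools whose only remediation is removal

# Constructed sample: a handful of the findings quoted in the issue.
SAMPLE_REPORT = json.dumps([
    {"VulnerabilityID": "CVE-2024-25710", "PkgPath": "app/fits/lib/droid/commons-compress-1.19.jar",
     "InstalledVersion": "1.19", "Status": "fixed", "FixedVersion": "1.26.0"},
    {"VulnerabilityID": "CVE-2024-25710", "PkgPath": "app/fits/lib/jhove/commons-compress-1.20.jar",
     "InstalledVersion": "1.20", "Status": "fixed", "FixedVersion": "1.26.0"},
    {"VulnerabilityID": "CVE-2023-33201", "PkgPath": "app/fits/lib/tika/bcprov-jdk15on-1.70.jar",
     "InstalledVersion": "1.70", "Status": "affected", "FixedVersion": None},
    {"VulnerabilityID": "CVE-2022-45688", "PkgPath": "app/fits/lib/embarc/json-20201115.jar",
     "InstalledVersion": "20201115", "Status": "fixed", "FixedVersion": "20230227"},
    {"VulnerabilityID": "CVE-2022-45688", "PkgPath": "app/fits/lib/json-20201115.jar",
     "InstalledVersion": "20201115", "Status": "fixed", "FixedVersion": "20230227"},
    {"VulnerabilityID": "CVE-2017-12626", "PkgPath": "app/fits/lib/nzmetool/poi-3.12.jar",
     "InstalledVersion": "3.12", "Status": "fixed", "FixedVersion": "3.17"},
])

def tool_of(pkg_path):
    """Tool name from app/fits/lib/<tool>/x.jar; 'fits' for a jar directly in lib/."""
    parts = pkg_path.split("/")
    i = parts.index("lib")
    return parts[i + 1] if len(parts) > i + 2 else "fits"

def triage(report_json):
    """Group findings by tool and attach the remediation the reply offers for that tool."""
    by_tool = defaultdict(list)
    for f in json.loads(report_json):
        by_tool[tool_of(f["PkgPath"])].append((f["VulnerabilityID"], f["FixedVersion"]))
    result = {}
    for tool, findings in by_tool.items():
        if tool in UPGRADEABLE:
            action = "upgrade the bundled tool"
        elif tool in REMOVE_ONLY:
            action = "remove the tool from fits.xml and delete its directory"
        else:  # assumption: a jar outside any tool directory belongs to FITS itself
            action = "review as a FITS core dependency"
        result[tool] = {"action": action, "count": len(findings),
                        "unfixed": sorted(cve for cve, fix in findings if fix is None)}
    return result

if __name__ == "__main__":
    for tool, info in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{tool:9} {info['count']} finding(s), unfixed={info['unfixed']}: {info['action']}")
```

Findings with a null FixedVersion surface in the `unfixed` list, so the tools that must be removed rather than upgraded are visible at a glance.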

dkinzer commented May 7, 2024

Thanks @pwinckles. Unfortunately, I tried building the snapshot and it is also failing. Then I tried building 1.6.0 and it fails to build too. There are two issues. One is that the version of exiftool that it wants to build with no longer exists, and even if you upgrade it to the latest production version (or even an earlier production version that still exists), the tests fail. This is the same issue that I was running into when I was trying to upgrade the various dependencies that you mention in your post to the latest versions.

@pwinckles (Contributor)

@dkinzer Thanks, I'll look into the exiftool issue. Was that the only issue that you experienced when trying to build (besides the tests failing)?

dkinzer commented May 7, 2024

I guess the other issue is that I tried the skip-tests argument to just build the project, and it seems to work, but I can't find where it builds to (assuming I'm looking for an asset named something like fits-1.6.0.zip to appear in a build directory).

@pwinckles (Contributor)

@dkinzer Okay, I created #394 that will update the exiftool version in main.

After you run mvn -DskipTests clean package, the artifact should be available at target/fits-1.6.1-SNAPSHOT.zip.

Let me know if you need further assistance.

dkinzer commented May 9, 2024

Ah. I was missing the "package" argument! Thanks!
