Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.5] Upgrade AWS version for SDKs to 1.12.687 #891

Merged
merged 1 commit into from
Mar 28, 2024

[BUG] Upgrade AWS version for SDKs to 1.12.687 (#884)

c7bacf7
Select commit
Loading
Failed to load commit list.
Merged

[Backport 2.5] Upgrade AWS version for SDKs to 1.12.687 #891

[BUG] Upgrade AWS version for SDKs to 1.12.687 (#884)
c7bacf7
Select commit
Loading
Failed to load commit list.
Mend for GitHub.com / Mend Security Check failed Mar 27, 2024 in 14m 56s

Security Report

10 new vulnerabilities were introduced in this branch.

❌ New vulnerabilities:

CVE Severity CVSS Score Vulnerable Library Suggested Fix Issue
CVE-2023-26136

Path to dependency file: /dashboards-notifications/package.json

Path to vulnerable library: /dashboards-notifications/package.json

Dependency Hierarchy:

-> cypress-6.9.1.tgz (Root Library)

   -> request-2.88.10.tgz

     -> ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

Critical 9.8 tough-cookie-2.5.0.tgz Upgrade to version: tough-cookie - 4.1.3 None
CVE-2022-1471

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.32/e80612549feb5c9191c498de628c1aa80693cf0b/snakeyaml-1.32.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.32/e80612549feb5c9191c498de628c1aa80693cf0b/snakeyaml-1.32.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.32/e80612549feb5c9191c498de628c1aa80693cf0b/snakeyaml-1.32.jar

Dependency Hierarchy:

-> opensearch-2.5.1-SNAPSHOT.jar (Root Library)

   -> opensearch-x-content-2.5.1-SNAPSHOT.jar

     -> ❌ snakeyaml-1.32.jar (Vulnerable Library)

Critical 9.8 snakeyaml-1.32.jar Upgrade to version: org.yaml:snakeyaml:2.0 None
WS-2021-0419

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.7/69d9503ea0a40ee16f0bcdac7e3eaf83d0fa914a/gson-2.8.7.jar

Dependency Hierarchy:

-> ❌ gson-2.8.7.jar (Vulnerable Library)

High 7.7 gson-2.8.7.jar Upgrade to version: com.google.code.gson:gson:2.8.9 #625
CVE-2023-6481

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.9/cdaca0cf922c5791a8efa0063ec714ca974affe3/logback-core-1.2.9.jar

Dependency Hierarchy:

-> ktlint-0.44.0.jar (Root Library)

   -> ktlint-core-0.44.0.jar

     -> logback-classic-1.2.9.jar

       -> ❌ logback-core-1.2.9.jar (Vulnerable Library)

High 7.5 logback-core-1.2.9.jar Upgrade to version: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14 #826
CVE-2023-6378

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.9/7d495522b08a9a66084bf417e70eedf95ef706bc/logback-classic-1.2.9.jar

Dependency Hierarchy:

-> ktlint-0.44.0.jar (Root Library)

   -> ktlint-core-0.44.0.jar

     -> ❌ logback-classic-1.2.9.jar (Vulnerable Library)

High 7.5 logback-classic-1.2.9.jar Upgrade to version: ch.qos.logback:logback-classic:1.3.12,1.4.12 #826
CVE-2023-5072

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20180813/8566b2b0391d9d4479ea225645c6ed47ef17fe41/json-20180813.jar

Dependency Hierarchy:

-> ❌ json-20180813.jar (Vulnerable Library)

High 7.5 json-20180813.jar Upgrade to version: org.json:json:20231013 #664
CVE-2022-45688

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20180813/8566b2b0391d9d4479ea225645c6ed47ef17fe41/json-20180813.jar

Dependency Hierarchy:

-> ❌ json-20180813.jar (Vulnerable Library)

High 7.5 json-20180813.jar Upgrade to version: org.json:json:20230227 #664
CVE-2022-25647

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.7/69d9503ea0a40ee16f0bcdac7e3eaf83d0fa914a/gson-2.8.7.jar

Dependency Hierarchy:

-> ❌ gson-2.8.7.jar (Vulnerable Library)

High 7.5 gson-2.8.7.jar Upgrade to version: com.google.code.gson:gson:gson-parent-2.8.9 #625
CVE-2023-28155

Path to dependency file: /dashboards-notifications/package.json

Path to vulnerable library: /dashboards-notifications/package.json

Dependency Hierarchy:

-> cypress-6.9.1.tgz (Root Library)

   -> ❌ request-2.88.10.tgz (Vulnerable Library)

Medium 6.1 request-2.88.10.tgz Upgrade to version: @cypress/request - 3.0.0 None
CVE-2020-15250

Path to dependency file: /core-spi/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar

Dependency Hierarchy:

-> framework-2.5.1-SNAPSHOT.jar (Root Library)

   -> ❌ junit-4.12.jar (Vulnerable Library)

Medium 5.5 junit-4.12.jar Upgrade to version: junit:junit:4.13.1 None

Base branch total remaining vulnerabilities: 0
Base branch commit: 6f33b566b8d316e343ff95bd3b763d351c7d7c0f


Total libraries scanned: 381

Scan token: ce375c4bdaec472d99e9b1367d9936e9

View more details on Mend for GitHub.com