What happened:
When scanning a WildFly (26.1.3.Final) container which has the xalan custom fork 2.7.1.jbossorg-6, the following vulnerabilities are reported.
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
xalan 2.7.1.jbossorg-6 2.7.2 java-archive GHSA-rc2w-r4jq-7pfx High
xalan 2.7.1.jbossorg-6 2.7.3 java-archive GHSA-9339-86wc-4qgf High
What you expected to happen:
According to the WildFly community, xalan-2.7.1.jbossorg-6 is not affected by either CVE-2014-0107 or CVE-2022-34169. Probably Grype is comparing to NVD, where anything less than 2.7.3 is at fault.
Upon inquiry to the community regarding the latest version with fixes for the identified vulnerabilities, feedback indicated that the reports in Maven Central were false positives. The custom fork, version 2.7.1.jbossorg-6, indeed addresses these vulnerabilities, as evidenced by the following commits.
CVE-2014-0107 - jboss/xalan-j@534f2d3
CVE-2022-34169 - jboss/xalan-j@1e91610
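The mismatch described above comes down to a version comparison: the scanner sees 2.7.1.jbossorg-6 as lower than the fixed-in versions 2.7.2 and 2.7.3, even though the fork carries backports of both fixes. The following is an added illustration, not Grype's own code: a simplified Maven-style version comparison (a stand-in for Maven's ComparableVersion, not a faithful port) that reproduces the match, followed by a triage step that suppresses a finding only when there is documented backport evidence for that exact package version. The findings and the commit references are taken from this report; the allowlist structure and function names are this example's own.

```python
"""Added example: why a vendor-patched fork trips a fixed-in version check,
and a triage step that needs explicit backport evidence to suppress it.
Not Grype's code; the data below is constructed from the bug report."""
import re
from dataclasses import dataclass

SEGMENT_RE = re.compile(r"(\d+|[A-Za-z]+)")


def version_key(version: str):
    """Split a Maven-style version string into comparable tokens.

    Numeric segments compare numerically; alphabetic qualifiers sort below
    any number. That ordering is what makes 2.7.1.jbossorg-6 < 2.7.2 and is
    the behaviour a scanner with no knowledge of the fork reproduces.
    Simplified stand-in for Maven's ComparableVersion (assumption, not a port).
    """
    key = []
    for tok in SEGMENT_RE.findall(version):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        else:
            key.append((0, 0, tok.lower()))
    return key


def is_vulnerable_by_version(installed: str, fixed_in: str) -> bool:
    """Plain 'installed < fixed-in' check, as a scanner would apply it."""
    return version_key(installed) < version_key(fixed_in)


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    fixed_in: str
    vuln: str   # advisory id as reported by the scanner
    cve: str    # CVE the advisory maps to


# Constructed from the scan output quoted in the report.
REPORTED = [
    Finding("xalan", "2.7.1.jbossorg-6", "2.7.2", "GHSA-rc2w-r4jq-7pfx", "CVE-2014-0107"),
    Finding("xalan", "2.7.1.jbossorg-6", "2.7.3", "GHSA-9339-86wc-4qgf", "CVE-2022-34169"),
]

# Backport evidence keyed on (package, exact installed version, CVE).
# The commit references are the ones the reporter cites; the table itself
# is this example's own allowlist format.
BACKPORTS = {
    ("xalan", "2.7.1.jbossorg-6", "CVE-2014-0107"): "jboss/xalan-j@534f2d3",
    ("xalan", "2.7.1.jbossorg-6", "CVE-2022-34169"): "jboss/xalan-j@1e91610",
}


def triage(findings, backports):
    """Return (confirmed, suppressed).

    A finding is suppressed only on an exact (package, version, CVE) match,
    so a different build of the fork without the backport is not silently
    waved through; everything else the version check matched stays confirmed.
    """
    confirmed, suppressed = [], []
    for f in findings:
        if not is_vulnerable_by_version(f.installed, f.fixed_in):
            continue  # version check alone would not have flagged it
        evidence = backports.get((f.package, f.installed, f.cve))
        if evidence:
            suppressed.append((f, evidence))
        else:
            confirmed.append(f)
    return confirmed, suppressed


if __name__ == "__main__":
    confirmed, suppressed = triage(REPORTED, BACKPORTS)
    for f in confirmed:
        print(f"CONFIRMED  {f.package} {f.installed} {f.vuln} ({f.cve})")
    for f, ev in suppressed:
        print(f"SUPPRESSED {f.package} {f.installed} {f.vuln} ({f.cve}) backport: {ev}")
```

Grype's own `.grype.yaml` `ignore` list can express the same per-package suppression (an entry naming the vulnerability plus the package `name`, `version` and `type`), which keeps the exception scoped to this exact fork build rather than to xalan in general; the durable fix is still for the vulnerability data to record the fork's patched version so no local exception is needed.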
Hi @bhreddy83, thanks very much for the report. I'm not super familiar with WildFly. I did a quick search on DockerHub, and there are a lot of images with wildfly in the name. https://hub.docker.com/r/bitnami/wildfly seems like a good candidate, but I don't see a tag called 26.1.3.Final. Would you mind replying with a DockerHub link or similar to an image you believe is affected by this false positive? If the image you're scanning is private, maybe a link to the base image and some Maven links for other things installed?
I think what you're saying is, "I have an image built with FROM bitnami/wildfly:26.1.3 that also adds a JBoss fork of Xalan." Can you confirm this? Can you provide a link to the version of Xalan you used?
I am utilizing the source code from the WildFly repository version 26.1.3.Final, available at https://github.com/wildfly/wildfly/tree/26.1.3.Final, to build WildFly. Notably, in the pom.xml file at line 389, the xalan version is specified as 2.7.1.jbossorg-6.
bhreddy83 changed the title from "False Positive: CVE-2022-34169 xalan-2.7.1.jbossorg-6 in wildfly 26.1.3.Final" to "False Positive: CVE-2022-34169 CVE-2014-0107 xalan-2.7.1.jbossorg-6 in wildfly 26.1.3.Final" on Feb 29, 2024
These are linked to CVE-2014-0107 and CVE-2022-34169.
Environment:
Output of grype version:
Application: grype
Version: 0.70.0
BuildDate: 2023-10-11T00:36:57Z
GitCommit: 7e5df38
GitDescription: v0.70.0
Platform: linux/amd64
GoVersion: go1.21.1
Compiler: gc
Syft Version: v0.93.0
Supported DB Schema: 5
wildfly: 26.1.3.Final