
Dependency on commons-text has vulnerability to CVE-2022-42889 #1990

Closed
krageon opened this issue Oct 17, 2022 · 8 comments
Comments

@krageon
Contributor

krageon commented Oct 17, 2022

Wiremock version

2.34.0

How I'm starting wiremock

I'm not - I'm simply scanning a wiremock image with trivy

A failing test case

You can run trivy image --ignore-unfixed --security-checks vuln wiremock/wiremock, which will among other things output the stated CVE.

What is the issue

Inside of the wiremock jar there is a META-INF folder containing a maven folder. There is a reference there to commons-text (an apache commons library) at version 1.9. I don't know how it gets there, because I cannot find any reference to it inside of the repository or inside of the gradle build dependencies. It's been a long time since I did jar file engineering, so I have only a vague notion that it is for pulling in dependencies at runtime from the internet.

What would I like to see

I'd like the dependency on commons-text to be gone if it is not needed, or to upgrade it to 1.10.0. That version doesn't have the vulnerability by default, which is nice.

Currently I can build a .jar by telling it to exclude 'META-INF/maven/**' inside the shadowJar stage of the build.gradle file. This is probably very bad, and I'm still trying to figure out whether or not this breaks anything horrifically.

If someone could point me at some relevant docs that will explain to me how to upgrade this dependency I have no trouble creating a pull request.
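One way to confirm what a built jar actually bundles, as an added example that is not part of this issue or of the WireMock project: it reads the META-INF/maven/*/pom.properties entries that end up inside a shaded jar and flags any commons-text below 1.10.0. The jar used here is constructed in memory so the check runs offline; point find_bundled_commons_text at the bytes of a real jar to scan it.

```python
import io
import zipfile

# Added example, not WireMock project code: inspect the META-INF/maven/*/pom.properties
# entries a shaded (fat) jar carries and flag commons-text releases below 1.10.0.
VULNERABLE_ARTIFACT = ("org.apache.commons", "commons-text")
FIXED_VERSION = (1, 10, 0)  # first release that disables the CVE-2022-42889 interpolators by default

def parse_version(text):
    """Turn '1.9' or '1.10.0' into a 3-part tuple; non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))  # pad so '1.10' compares equal to '1.10.0'

def parse_pom_properties(blob):
    """Minimal Java .properties reader for the key=value lines Maven writes."""
    props = {}
    for raw in blob.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def find_bundled_commons_text(jar_bytes):
    """Return (entry path, version, is_vulnerable) for every bundled commons-text pom.properties."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(jar.read(name))
                if (props.get("groupId"), props.get("artifactId")) == VULNERABLE_ARTIFACT:
                    version = props.get("version", "0")
                    findings.append((name, version, parse_version(version) < FIXED_VERSION))
    return findings

def build_sample_jar(commons_text_version="1.9"):
    """Constructed stand-in for a shaded jar, so the check runs without the real image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.commons/commons-text/pom.properties",
                     f"#Generated by Maven\ngroupId=org.apache.commons\nartifactId=commons-text\n"
                     f"version={commons_text_version}\n")
        jar.writestr("META-INF/maven/com.github.jknack/handlebars/pom.properties",
                     "groupId=com.github.jknack\nartifactId=handlebars\nversion=4.3.0\n")
    return buf.getvalue()
```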

@krageon
Contributor Author

krageon commented Oct 17, 2022

https://github.com/aquasecurity/trivy

Trivy is found there

@lucasvc
Contributor

lucasvc commented Oct 20, 2022

Handlebars has published a 4.3.1 release fixing the CVE.
So another workaround is to also include the updated version of that library in your project.

@dubonzi

dubonzi commented Oct 21, 2022

Any plans to release a version with this fix? Our security scans are blocking wiremock due to this vulnerability.

@pcgeng

pcgeng commented Oct 24, 2022

Is there a workaround to fix CVE-2022-42889?

@krageon
Contributor Author

krageon commented Oct 24, 2022

Apologies for leaving this open. The latest master does not have this issue, which I would say is the best workaround.

@lucasvc
Contributor

lucasvc commented Oct 24, 2022

@pcgeng

Is there a workaround to fix CVE-2022-42889?

If you can't wait for the next Wiremock release, you can add the Handlebars dependency at version 4.3.1 to your project (see the link for how to add it according to different build systems).

@ravxz

ravxz commented Oct 27, 2022

Any plans for 2.34/2.35 release with this fix?

@lucasvc
Contributor

lucasvc commented Oct 28, 2022

@ravxz It is being asked/informed about in PR #1995.
