
Vulnerable transitive dependency #916

Open
TWiStErRob opened this issue Oct 9, 2022 · 14 comments

Comments

@TWiStErRob
Contributor

Description of the problem: There are vulnerabilities in transitive dependencies because they're not using the latest versions.

Browser and version: N/A

Operating system: N/A

WebDriverManager version: 5.3.0

This report is by Sonatype Lift:
[screenshot of the Sonatype Lift report]

All (except 1) vulnerabilities will be fixed by bumping to latest minor for these.

Please watch (Subscribe button in sidebar) on docker-java/docker-java#1974 and bump whenever they release.

@wszczepaniak

version 5.3.2 is still reported to have a transitive vulnerability from jackson-databind:2.10.3 :(

@TWiStErRob
Contributor Author

@wszczepaniak barking up the wrong tree, see the link in OP.

@wszczepaniak

  1. I've seen the link in the OP.
  2. Seen no activity in there.
  3. Commented here, as depending on something is a decision that can be changed.
  4. I don't see any "barking" in my comment, and I found your answer not very polite. To be honest, I thought open-source threads are not like those on Facebook, but I might be wrong.

@TWiStErRob
Contributor Author

As for 4, it's up to you how you read it; it's just an expression. I meant @bonigarcia can't do much here until it's fixed upstream.

I haven't considered 3 as a solution, but that's a fair point.
It might be a quite fundamental change though, because it's part of the public API.

@bonigarcia
Owner

I believe the latest version of docker-java has bumped bcprov and commons-io. But the docker-java team refuses to bump jackson (see docker-java/docker-java#2037).

@TWiStErRob
Contributor Author

Let's see what's the explanation, but regardless, that's some progress with the other two 👏.

@masoodmd0786

Hi, do we have any update on this?

@bonigarcia
Owner

@masoodmd0786 As you have seen in docker-java/docker-java#1974, no news yet.

@derolk

derolk commented Jan 9, 2024

Sad but happy to see you're working on fixing the issue. Thanks

@christianhujer

I just wanted to report the same, but then found that there already is such an issue open.

In case it helps, here's a list of vulnerabilities from transitive dependencies found in 5.7.0.
As far as I can tell, they're all coming through com.fasterxml.jackson.core:jackson-databind:2.10.3:

  • CVE-2022-42003 7.5 Deserialization of Untrusted Data vulnerability with High severity found
  • Cxced0c06c-935c 5.9 Uncontrolled Resource Consumption vulnerability with Medium severity found
  • CVE-2022-42004 7.5 Deserialization of Untrusted Data vulnerability with High severity found
  • CVE-2021-46877 7.5 Uncontrolled Resource Consumption vulnerability with High severity found
  • CVE-2020-25649 7.5 Improper Restriction of XML External Entity Reference vulnerability with High severity found
  • CVE-2020-36518 7.5 Out-of-bounds Write vulnerability with High severity found
  • CVE-2021-20190 8.1 Deserialization of Untrusted Data vulnerability with High severity found

The criticality is probably low.

The easiest way to suppress the issue is by adding this to my dependencies in Gradle:

    testImplementation("com.fasterxml.jackson.core:jackson-databind:2.16.0")

If folks want to play it safe, they can also do this:

    testImplementation("io.github.bonigarcia:webdrivermanager:5.7.0") {
        exclude(group = "com.fasterxml.jackson.core", module = "jackson-databind")
    }

Hope this helps someone.

@TurboCoder13

Thank you @christianhujer 🙇

Curious if you know whether excluding this dependency will affect how the package functions? 🤔

@sivaprakashspg

sivaprakashspg commented May 23, 2024

Thank you @christianhujer 🙇

Curious if you know whether excluding this dependency will affect how the package functions? 🤔

Was wondering the same! They just won't upgrade #2328

Not sure if this would work, but can we <exclude> Jackson from java-docker and add the latest Jackson dependency in the WebDriverManager pom.xml?

@bonigarcia
Owner

Not sure if this would work, but can we <exclude> Jackson from java-docker and add the latest Jackson dependency in the WebDriverManager pom.xml?

I have just released WebDriverManager 5.9.0, which excludes org.bouncycastle:bcpkix-jdk18on and forces the use of jackson-databind 2.17.1. So I believe this issue should be fixed now.

@bonigarcia
Owner

bonigarcia commented Jun 24, 2024

Sorry, but forcing the use of the latest jackson-databind release does not work. The Docker support in WebDriverManager 5.9.0 seems broken now. See the errors "Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.NoClassDefFoundError: com/fasterxml/jackson/core/util/JacksonFeature" in:

https://github.com/bonigarcia/selenium-jupiter/actions/runs/9647381928/job/26606009989

I am going to release WebDriverManager 5.9.1 without forcing the use of jackson-databind 2.17.1.
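As an added example (not code from this thread or from the WebDriverManager project), the following build.gradle.kts combines the Gradle override suggested earlier with the lesson from the 5.9.0 breakage: the missing class in the stack trace lives in jackson-core, not jackson-databind, so the fix is to align all Jackson artifacts rather than bump one of them. The BOM import and the checkJacksonAlignment task are my additions; the versions 5.7.0 and 2.17.1 are the ones named in the thread.

```kotlin
// Added example, not from the issue thread or the WebDriverManager project.
// build.gradle.kts: replace the vulnerable transitive jackson-databind that
// docker-java pulls in, and keep every Jackson artifact on one version.
// Assumed: Gradle Kotlin DSL with the java plugin; versions 5.7.0 and 2.17.1
// are the ones named in the thread.
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    testImplementation("io.github.bonigarcia:webdrivermanager:5.7.0")

    // Import Jackson's BOM as a platform so jackson-databind, jackson-core and
    // jackson-annotations all resolve to 2.17.1. Bumping jackson-databind on
    // its own leaves jackson-core at the 2.10.x that docker-java requested,
    // which is the mixed classpath behind
    // "NoClassDefFoundError: com/fasterxml/jackson/core/util/JacksonFeature".
    // Excluding jackson-databind instead (the second snippet above) removes it
    // from the classpath entirely; docker-java still needs it at runtime, so
    // that only works if some other dependency supplies a compatible copy.
    testImplementation(platform("com.fasterxml.jackson:jackson-bom:2.17.1"))
}

// Guard task: list the resolved Jackson modules on the test runtime classpath
// and fail the build if they are not all on the same version, so a future
// downgrade or partial bump is caught alongside the dependency scanner.
tasks.register("checkJacksonAlignment") {
    val classpath = configurations.testRuntimeClasspath
    doLast {
        val resolved = classpath.get().resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group.startsWith("com.fasterxml.jackson") }
            .associate { "${it.group}:${it.name}" to it.version }
        resolved.forEach { (module, version) -> println("$module -> $version") }
        check(resolved.values.toSet().size <= 1) {
            "Mismatched Jackson versions on testRuntimeClasspath: $resolved"
        }
    }
}
```

Run `./gradlew checkJacksonAlignment` to see the resolved versions, and `./gradlew dependencyInsight --dependency jackson-databind --configuration testRuntimeClasspath` to see why Gradle chose each one.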
