How to fix these warnings in Spring Boot pom.xml file?

Time:09-13

I am trying to create a Spring Boot project. When I modified some dependencies and used Maven to reload the project, these warnings appeared.

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.7.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.hank</groupId>
    <artifactId>springboot-mall</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>springboot-mall</name>
    <description>springboot-mall</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
            <version>8.0.22</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

warnings

Warning:(20, 3)  Provides transitive vulnerable dependency ch.qos.logback:logback-classic:1.2.3 CVE-2021-42550 6.6 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency ch.qos.logback:logback-core:1.2.3 CVE-2021-42550 6.6 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-beans:5.2.12.RELEASE CVE-2022-22965 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation CVE-2022-22970 5.3 Allocation of Resources Without Limits or Throttling vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-context:5.2.12.RELEASE CVE-2022-22968 5.3 Improper Handling of Case Sensitivity vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-core:5.2.12.RELEASE CVE-2021-22060 4.3 Improper Output Neutralization for Logs vulnerability pending CVSS allocation CVE-2021-22096 4.3 Improper Output Neutralization for Logs vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency com.fasterxml.jackson.core:jackson-databind:2.11.3 Cxced0c06c-935c 5.9 Uncontrolled Resource Consumption vulnerability pending CVSS allocation CVE-2020-36518 7.5 Out-of-bounds Write vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.apache.tomcat.embed:tomcat-embed-core:9.0.41 CVE-2021-25329 7.0 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-25122 7.5 Exposure of Sensitive Information to an Unauthorized Actor vulnerability pending CVSS allocation CVE-2021-33037 5.3 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability pending CVSS allocation CVE-2021-41079 7.5 Improper Input Validation vulnerability pending CVSS allocation CVE-2021-30639 7.5 Improper Handling of Exceptional Conditions vulnerability pending CVSS allocation CVE-2021-30640 6.5 Improper Encoding or Escaping of Output vulnerability pending CVSS allocation CVE-2022-23181 7.0 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.glassfish:jakarta.el:3.0.3 CVE-2021-28170 5.3 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.apache.tomcat.embed:tomcat-embed-websocket:9.0.41 CVE-2021-42340 7.5 Missing Release of Resource after Effective Lifetime vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-web:5.2.12.RELEASE CVE-2016-1000027 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-22118 7.8 Improper Privilege Management vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-webmvc:5.2.12.RELEASE CVE-2016-1000027 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-expression:5.2.12.RELEASE CVE-2022-22950 6.5 Allocation of Resources Without Limits or Throttling vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(29, 3)  Dependency com.h2database:h2:1.4.200 is vulnerable CVE-2018-14335 6.5 Improper Link Resolution Before File Access ('Link Following') vulnerability pending CVSS allocation CVE-2021-42392 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-23463 9.1 Improper Restriction of XML External Entity Reference vulnerability pending CVSS allocation CVE-2022-23221 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(34, 3)  Dependency mysql:mysql-connector-java:8.0.22 is vulnerable CVE-2021-2471 5.9 Improper Restriction of XML External Entity Reference vulnerability with medium severity found CVE-2022-21363 6.6 Improper Input Validation vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(40, 3)  Provides transitive vulnerable dependency net.minidev:json-smart:2.3 CVE-2021-27568 9.1 Improper Check for Unusual or Exceptional Conditions vulnerability pending CVSS allocation CVE-2021-31684 7.5 Out-of-bounds Write vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 

What exactly do these messages mean? It seems to be some security problem, but I don't know how to figure it out. I have tried to google the warnings, but there is no information to refer to.

CodePudding user response:

These messages are telling you that the dependencies you use have some known vulnerabilities, either directly or transitively through other dependencies.

For example, for Spring Boot version 2.3.7.RELEASE you can check the list of known vulnerabilities of this dependency on the Maven repository website.

So you either upgrade the dependency version or check the mitigation of the known vulnerabilities for further details.

CodePudding user response:

Try this one:

<dependency>
  <groupId>org.foo.bar</groupId>
  <artifactId>foo-bar</artifactId>
  <!-- no <version>: the parent's dependencyManagement supplies it -->
</dependency>

rather than

<dependency>
  <groupId>org.foo.bar</groupId>
  <artifactId>foo-bar</artifactId>
  <version>1.3.56</version> <!-- an explicit version overrides the managed one -->
</dependency>
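
Both answers leave the mechanics to the reader: which `<dependency>` element a given warning belongs to (the `(line, column)` prefix is the position of that element; in the pom as pasted, line 29 is the `<dependency>` for h2 and line 34 the one for mysql-connector-java) and whether the fix is to raise a version you pinned, drop the pin so the parent manages it, or move the parent itself. The script below is an added example, not code from the question or from either answer. It parses the IDE's warning lines, ties each finding to the declaring element in the pom, and prints one remediation per finding, worst CVSS score first. The pom and the three warning lines embedded in it are constructed from the question (cut down and re-numbered); the regexes for the warning format and the remediation wording are my assumptions about this scanner's output, not a documented API, and the "override the version property" advice assumes the Spring Boot parent's `<properties>` mechanism.

```python
import re
from dataclasses import dataclass
# Constructed input: a cut-down copy of the pom from the question; the
# (line, column) prefixes in WARNINGS below were re-pointed at this text.
POM = """\
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.7.RELEASE</version>
  </parent>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
    </dependency>
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>8.0.22</version>
    </dependency>
  </dependencies>
</project>
"""
# Three of the IDE warning lines from the question, verbatim apart from the position prefix.
WARNINGS = """\
Warning:(8, 5)  Provides transitive vulnerable dependency org.springframework:spring-beans:5.2.12.RELEASE CVE-2022-22965 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation CVE-2022-22970 5.3 Allocation of Resources Without Limits or Throttling vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
Warning:(12, 5)  Dependency com.h2database:h2:1.4.200 is vulnerable CVE-2021-42392 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2022-23221 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
Warning:(16, 5)  Dependency mysql:mysql-connector-java:8.0.22 is vulnerable CVE-2021-2471 5.9 Improper Restriction of XML External Entity Reference vulnerability with medium severity found CVE-2022-21363 6.6 Improper Input Validation vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
"""

# Warning format as seen in the question (assumed, not documented): a header naming the
# artifact, then one or more advisories, each an id (CVE-... or a vendor id like Cx...), a CVSS score and a title.
HEADER = re.compile(r"^Warning:\((\d+),\s*(\d+)\)\s+"
                    r"(Provides transitive vulnerable dependency|Dependency)\s+"
                    r"([\w.\-]+):([\w.\-]+):([\w.\-]+)")
ADVISORY = re.compile(r"(CVE-\d{4}-\d+|Cx[0-9a-f]+-[0-9a-f]+)\s+(\d+(?:\.\d+)?)\s+(.+?)\s+vulnerability")


@dataclass
class Finding:
    line: int               # pom line the IDE attached the warning to
    coordinate: str         # groupId:artifactId:version as reported
    transitive: bool        # pulled in by something you declared, not declared itself
    advisories: list        # [(id, cvss, title), ...]
    declared_via: str = ""  # artifactId of the <dependency> element on `line`
    explicit_version: bool = False  # does that element pin a <version>?
    @property
    def max_score(self) -> float:
        return max(score for _, score, _ in self.advisories)


def parse_warnings(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if not m:
            continue  # some other IDE warning; ignore
        line, _col, kind, group, artifact, version = m.groups()
        advisories = [(i, float(s), t) for i, s, t in ADVISORY.findall(raw)]
        findings.append(Finding(int(line), f"{group}:{artifact}:{version}",
                                kind.startswith("Provides"), advisories))
    return findings


def declaration_at(pom_lines: list, line: int) -> tuple:
    # (artifactId, pins_version) for the <dependency> element starting on 1-based `line`.
    if not 1 <= line <= len(pom_lines) or "<dependency>" not in pom_lines[line - 1]:
        raise ValueError(f"no <dependency> element starts on pom line {line}")
    end = next(i for i in range(line - 1, len(pom_lines)) if "</dependency>" in pom_lines[i])
    block = "\n".join(pom_lines[line - 1:end + 1])
    artifact = re.search(r"<artifactId>\s*([^<]+?)\s*</artifactId>", block).group(1)
    return artifact, "<version>" in block


def remediation(f: Finding) -> str:
    if f.transitive:
        return (f"{f.coordinate} arrives through {f.declared_via}; the parent BOM picks its "
                "version, so upgrade spring-boot-starter-parent or override the version property")
    if f.explicit_version:
        return f"{f.declared_via} pins <version>: raise it to a fixed release, or drop the element"
    return f"{f.declared_via} takes its version from the parent BOM: upgrade the parent or override the property"


def triage(pom_text: str, warnings_text: str) -> list:
    pom_lines = pom_text.splitlines()
    findings = parse_warnings(warnings_text)
    for f in findings:
        f.declared_via, f.explicit_version = declaration_at(pom_lines, f.line)
    return sorted(findings, key=lambda f: f.max_score, reverse=True)


if __name__ == "__main__":
    for f in triage(POM, WARNINGS):
        print(f"[{f.max_score}] line {f.line} {f.coordinate} "
              f"({', '.join(i for i, _, _ in f.advisories)})\n    fix: {remediation(f)}")
```

For the transitive findings, `mvn dependency:tree -Dincludes=org.springframework:spring-beans` shows the path from your starter to the flagged artifact, so you can confirm the attribution before changing the parent version; for a direct finding without a `<version>` (h2 here) the reported version is the one the parent BOM chose, which is why the fix is in the parent or its properties rather than in the `<dependency>` element.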