netty-codec sonatype IQ report - security-high vulnerability


Jeyanthi B, Oct 1, 2019, 4:19:13 AM, to ne...@googlegroups.com

Hi Team,


I am using the jar org.hyperledger.fabric-sdk-java : fabric-sdk-java : 1.4.4 as a direct dependency in a Maven project module. I get a Security-High vulnerability, as shown below, when I execute Sonatype CLM/IQ analysis (CVE-2019-12402, CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518). fabric-sdk-java has transitive dependencies on netty jars, which led to these security vulnerabilities. I can't exclude the transitive dependencies in pom.xml, since my functionality to connect to the network/ledger will break.

For example: CVE-2019-12402 is reported because netty uses the commons-compress 1.18 jar. It must be commons-compress 1.19. I added exclusions for 1.18 and tried to override with 1.19 in my project pom file, but had no luck due to the multiple transitive dependencies of netty. I have checked the latest release 4.1.42.Final at https://netty.io/news/2019/09/25/4-1-42-Final.html but don't see any security fix. How do I fix it? Can I expect a fix in the next release? Please advise.



Error log from Sonatype CLM:


Sonatype CLM reports policy failing due to

[ERROR] Policy(Security-High) [

[ERROR] Component(displayName=org.hyperledger.fabric-sdk-java : fabric-sdk-java : jar : jar-with-dependencies : 1.4.4, hash=d0167d0f2d971bf88d2c) [

[ERROR] Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-12402 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-12402 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-12402 with status 'Open', not 'Not Applicable'., on condition 0] ]]

[ERROR] Sonatype CLM reports policy failing due to

[ERROR] Policy(Security-High) [

[ERROR] Component(displayName=io.netty : netty-codec-http2 : 4.1.30.Final, hash=2da92f518409904954d3) [

[ERROR] Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-9512 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-9512 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-9512 with status 'Open', not 'Not Applicable'., on condition 0] ]]

[ERROR] Sonatype CLM reports policy failing due to

[ERROR] Policy(Security-High) [

[ERROR] Component(displayName=io.netty : netty-codec-http2 : 4.1.30.Final, hash=2da92f518409904954d3) [

[ERROR] Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-9514 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-9514 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-9514 with status 'Open', not 'Not Applicable'., on condition 0] ]]

[ERROR] Sonatype CLM reports policy failing due to

[ERROR] Policy(Security-High) [

[ERROR] Component(displayName=io.netty : netty-codec-http2 : 4.1.30.Final, hash=2da92f518409904954d3) [

[ERROR] Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-9515 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-9515 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-9515 with status 'Open', not 'Not Applicable'., on condition 0] ]]

[ERROR] Sonatype CLM reports policy failing due to

[ERROR] Policy(Security-High) [

[ERROR] Component(displayName=io.netty : netty-common : 4.1.30.Final, hash=5dca0c34d8f38af51a23) [

[ERROR] Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-9518 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-9518 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-9518 with status 'Open', not 'Not Applicable'., on condition 0] ]]


Stackoverflow: https://stackoverflow.com/questions/58095943/how-to-fix-netty4-1-41-final-or-hyperledger-fabri-sdk-java-1-4-4-maven-jars-s



Thanks,

Jeyanthi

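One way to pin a transitive version for every path that pulls it in, instead of adding per-dependency exclusions as the post tried, is Maven's `<dependencyManagement>`, which also governs versions declared by transitive POMs; this is an added example, not code from the original post or from the fabric-sdk-java or netty projects. The versions are the ones the post names; the project coordinates are placeholders, and whether 1.19 clears the reported finding is for the IQ re-scan to confirm.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the post): a minimal consumer pom that forces
     one version of commons-compress and of every io.netty artifact for the
     whole module, whichever transitive path would otherwise pull them in.
     Versions are those the post cites: commons-compress 1.18 -> 1.19 and
     netty 4.1.30.Final -> 4.1.42.Final (the netty bump only keeps the netty
     artifacts aligned; the post notes that release lists no security fix). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the consuming project -->
  <groupId>example.placeholder</groupId>
  <artifactId>ledger-client</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <properties>
    <netty.version>4.1.42.Final</netty.version>
    <commons-compress.version>1.19</commons-compress.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version wins over any version a transitive POM
           declares, so no <exclusions> are needed on fabric-sdk-java. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>${commons-compress.version}</version>
      </dependency>
      <!-- netty-bom manages all io.netty artifacts at once, so
           netty-codec-http2 and netty-common cannot drift apart. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the direct dependency from the post, unchanged -->
    <dependency>
      <groupId>org.hyperledger.fabric-sdk-java</groupId>
      <artifactId>fabric-sdk-java</artifactId>
      <version>1.4.4</version>
    </dependency>
  </dependencies>
  <!-- Check the result before re-scanning:
       mvn dependency:tree -Dincludes=org.apache.commons:commons-compress -->
</project>
```

The IQ report names the component as `jar : jar-with-dependencies : 1.4.4`; a managed version only affects artifacts Maven resolves, not classes bundled inside a fat jar, so the plain jar must be the direct dependency for the pin to take effect.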