Vulnerabilities from dependencies jetty-setuid-java 1.0.4

Minh Giang Tran
Jun 29, 2023, 12:20:32 PM
to dropwizard-user

Hi,

We are currently using Dropwizard 2.0.x for our project. During the process of scanning the Docker image built from our project, we have discovered several vulnerabilities in the dependencies, including jetty-setuid-java 1.0.4 (CVE-2017-7658 and CVE-2017-7657).

Unfortunately, jetty-setuid-java 1.0.4 is the latest version available, and even the latest version of Dropwizard still relies on it.

In light of this situation, I would like to inquire about the best course of action for excluding these vulnerabilities. Please find the details of the jetty-setuid-java 1.0.4 vulnerability information at the following link:

https://mvnrepository.com/artifact/org.eclipse.jetty.toolchain.setuid/jetty-setuid-java/1.0.4

Thank you for your assistance.

Jochen Schalanda
Jun 29, 2023, 4:02:53 PM
to dropwizard-user
Hi,

Not a single one of the listed vulnerabilities is for org.eclipse.jetty.toolchain.setuid:jetty-setuid-java:1.0.4. They are all for older versions of Jetty itself, for which there are updated versions of Dropwizard 2.1.x, 3.x, and 4.x.

If your security scanner is flagging this, you should switch to another provider for these kinds of things.

Please also note that Dropwizard 2.0.x is EOL since January 31, 2023 and will not receive any updates anymore.

Best regards,
Jochen
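A way to settle this for your own build, as an added example that is not part of the thread and not Dropwizard's or Jetty's code: the two CVEs named above are HTTP request handling bugs in the Jetty server itself, fixed in Jetty 9.2.25, 9.3.24 and 9.4.11, so the thing to check is the version of the org.eclipse.jetty artifacts actually on the classpath, not the version of jetty-setuid-java (group org.eclipse.jetty.toolchain.setuid, a separate project). The script below parses `mvn dependency:tree` output and reports exactly that. The sample tree embedded in it is constructed, and the Dropwizard and Jetty versions in it are illustrative, not a claim about what any release ships.

```python
"""Check whether the Jetty actually on the classpath is inside the ranges
affected by CVE-2017-7657 / CVE-2017-7658, instead of trusting a scanner's
package-name match.  Reads `mvn dependency:tree` output (a file path as the
first argument, otherwise the constructed sample below)."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Both CVEs were fixed in the Jetty releases of June 2018: 9.2.25, 9.3.24, 9.4.11.
# Earlier 9.x patch levels and anything before 9.2 are affected.
JETTY_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 2): (9, 2, 25),
    (9, 3): (9, 3, 24),
    (9, 4): (9, 4, 11),
}
JETTY_GROUP = "org.eclipse.jetty"  # every module of a Jetty release carries the release version
SETUID_GROUP = "org.eclipse.jetty.toolchain.setuid"  # separate project; the CVEs are not about it

# Constructed sample of `mvn dependency:tree` output.  The Dropwizard and
# Jetty versions are illustrative, not a statement of what any release ships.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.0:tree (default-cli) @ demo-service ---
[INFO] io.example:demo-service:jar:1.0.0
[INFO] +- io.dropwizard:dropwizard-core:jar:2.1.7:compile
[INFO] |  \\- io.dropwizard:dropwizard-jetty:jar:2.1.7:compile
[INFO] |     +- org.eclipse.jetty:jetty-server:jar:9.4.51.v20230217:compile
[INFO] |     |  \\- org.eclipse.jetty:jetty-http:jar:9.4.51.v20230217:compile
[INFO] |     \\- org.eclipse.jetty.toolchain.setuid:jetty-setuid-java:jar:1.0.4:compile
[INFO] \\- org.eclipse.jetty:jetty-servlets:jar:9.4.51.v20230217:compile
[INFO] BUILD SUCCESS
"""


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every coordinate line in the tree."""
    deps: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        coords = line[len("[INFO]"):].lstrip(" |+\\-")  # drop the tree-drawing prefix
        parts = coords.split(":")
        # g:a:type:version (root) | g:a:type:version:scope | g:a:type:classifier:version:scope
        if len(parts) < 4 or any(" " in p for p in parts):
            continue  # plugin banner, BUILD SUCCESS, separators, etc.
        version = parts[3] if len(parts) == 4 else parts[-2]
        deps.append((parts[0], parts[1], version))
    return deps


def numeric_prefix(version: str) -> Optional[Tuple[int, int, int]]:
    """'9.4.51.v20230217' -> (9, 4, 51); None when there is no numeric x.y.z prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def jetty_affected(version: str) -> Optional[bool]:
    """True if a Jetty version is inside the affected ranges, False if not, None if undecidable."""
    nums = numeric_prefix(version)
    if nums is None:
        return None
    line = nums[:2]
    if line < (9, 2):
        return True  # the advisory covers "9.2.x and older"
    fixed = JETTY_FIXED.get(line)
    if fixed is None:
        return False  # 10.x and later are outside the advisory's ranges
    return nums < fixed


def triage(tree_text: str) -> dict:
    """Summarise the Jetty versions present and whether each is affected.  Setuid
    artifacts are listed separately so it is visible that they were present but
    deliberately not compared against these CVEs."""
    deps = parse_tree(tree_text)
    jetty_versions = sorted({v for g, _, v in deps if g == JETTY_GROUP})
    return {
        "jetty_versions": jetty_versions,
        "affected": {v: jetty_affected(v) for v in jetty_versions},
        "setuid_artifacts": [(a, v) for g, a, v in deps if g == SETUID_GROUP],
    }


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_TREE
    report = triage(text)
    for jetty in report["jetty_versions"]:
        verdict = report["affected"][jetty]
        label = "AFFECTED" if verdict else ("not affected" if verdict is False else "unknown")
        print(f"Jetty {jetty}: {label} by CVE-2017-7657 / CVE-2017-7658")
    for artifact, ver in report["setuid_artifacts"]:
        print(f"{artifact} {ver}: not a Jetty server module, not compared against these CVEs")
```

Run it against the real tree with `mvn dependency:tree > tree.txt` and then the script (saved as, say, triage.py) with `tree.txt` as its argument. If it reports the Jetty version as not affected, the scanner finding is a name-based false positive, and that reasoning is what belongs next to any ignore rule you add for it; it does not change the point above that 2.0.x is EOL and should be upgraded.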

Minh Giang Tran
Jun 29, 2023, 10:45:55 PM
to dropwizard-user
Hi,

I understand, but even when I try Dropwizard 2.1.7, 3.0.0 or 4.0.1, it seems org.eclipse.jetty.toolchain.setuid:jetty-setuid-java:1.0.4 is still in the dependencies.

I checked https://mvnrepository.com/artifact/io.dropwizard/dropwizard-core/2.1.7 and it seems there are no vulnerabilities from version 2.1.7.

But jetty-setuid-java:1.0.4 is still there, so I just worry that the vulnerabilities are still in the Dropwizard package. Or am I wrong?

I'm using grype to check the vulnerabilities in the image, FYI.

Jochen Schalanda
Jul 4, 2023, 6:28:22 PM
to dropwizard-user
Hi,

> But jetty-setuid-java:1.0.4 is still there, so I just worry that the vulnerabilities are still in the Dropwizard package. Or am I wrong?

That’s correct, the dependency on jetty-setuid-java 1.0.4 is still there but this was never an issue to begin with.


Cheers,
Jochen
