CVE Vulnerabilities


Quentin Reul

Feb 23, 2022, 4:37:19 AM
to semanticturkey-user
Hi team,

While creating a docker image for the latest release, we identified several critical vulnerabilities impacting the latest Semantic Turkey release (see attached screenshot). Is this something that you are planning to address in the near future?

We look forward to hearing from you.

Kind regards,

Quentin Reul

Screen Shot 2022-02-22 at 8.09.37 PM.png

Armando Stellato

Feb 23, 2022, 8:51:36 PM
to semantict...@googlegroups.com

Dear Quentin,

Looks like the first and last one can be addressed, and indeed we will do so for the next release.

About all the others (which in the end are like one, connected to the Netty server): this depends on the Karaf container, and we just moved to the latest version for 10.2.1.

When we are close to releasing 11.0 (ETA start of May), we might consider updating to a new Karaf, if it is available with an update for the Netty server.

Kind Regards,

Armando

P.S.: I've approved your msg explicitly since you are not registered to the group. Since it's not the first time you write here, can I ask you to register to the group? As you can see, it's not intensely populated with msgs (VocBench's group is more frequented, though still acceptable).


Manuel Fiorelli

Mar 7, 2022, 12:17:29 PM
to semantict...@googlegroups.com, quentin...@gmail.com
Hi Quentin,

We worked on these vulnerabilities, and we believe we have fixed them all. Can you please use the SNAPSHOT build and the modified Dockerfile available at this link (https://uniroma2-my.sharepoint.com/:u:/g/personal/armando_stellato_uniroma2_eu/EcsZdXvrJ1pHg2GbSMd7iKUBvWdcSlsK7iXZKrnbw2i0qg?e=JRto8t) to do the build and repeat the scan, to confirm that we did indeed fix the vulnerabilities?

Regards,
Manuel
--
Manuel Fiorelli

hugovanv...@gmail.com

Oct 12, 2022, 10:40:19 AM
to semanticturkey-user
Hi all,

I recently made a new build of Semantic Turkey with tag version 11.2 and built a Docker image with that. My CVE scanner (Trivy) reports 9 "critical" and 35 "high" vulnerabilities. A lot of them are org.springframework dependencies. I've added the report (json) to this message.

I've tried to fix some vulnerabilities by adding newer versions of the dependencies to the pom, but unfortunately wasn't able to make a successful build.

Could you please tell me if you plan to solve these vulnerabilities? Or if they maybe should be regarded as 'false positives'?

Kind regards,

Hugo
On Monday, March 7, 2022 at 18:17:29 UTC+1, Manuel Fiorelli wrote:
trivy-results-st11-2.json

Armando Stellato

Oct 18, 2022, 4:49:00 PM
to semantict...@googlegroups.com

Dear Hugo,

Apologies for the late reply.

The short answer is: we have already checked all possible (remaining) CVEs which, as you can see, mostly relate to Spring. These do not apply for various reasons: e.g. they apply only if some class is being used, or they apply only when the JVM is 9+ (but VB3 strictly requires 8.x.y), etc.

The reason for them being vetted but still present is that it's not always possible (or it is extremely difficult) for us to move to a newer version. One of the dependencies of Semantic Turkey is on Spring DM, which is the module "marrying" Spring with OSGi. Unfortunately, the two frameworks eventually "divorced", and since Spring 4.0, Spring DM is no longer supported. For the future, we will surely bring some heavy reworking to the core infrastructure of Semantic Turkey, trying to maintain the superficial form (e.g. so that the services keep their syntax, annotations, etc.) while adopting a different way to implement the dynamic part related to extension points, plugins, etc.

In the meanwhile, we guarantee that Semantic Turkey (and thus VB and SV) are safe (at least, to the best of known vulnerabilities :-) ).

Kind Regards,

Armando

P.S.: Trivy has a nice readable export. It would possibly be better to use that one, as not everybody uses Trivy for dependency and vulnerability checking.
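Hugo's message (a Trivy JSON report with "critical" and "high" counts, mostly in org.springframework packages) and Armando's reply (findings vetted as not applicable because of runtime conditions such as a Java 8-only JVM) describe the same triage step from two sides. The script below is an added example for this thread, not code from the Semantic Turkey project or from any of the posters: it reads a Trivy JSON report, counts findings by severity and by Maven groupId, subtracts the findings that have a recorded justification, and renders that vetted list in `.trivyignore` form so the reasoning travels with the suppression. The field names follow Trivy's JSON output (`Results[].Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the report contents, package versions and CVE identifiers are constructed placeholders, not real findings.

```python
"""Triage a Trivy JSON report: count findings by severity and Maven group,
then subtract findings vetted as not applicable, keeping the written
justification next to each suppression.

Added example for this thread; not Semantic Turkey project code. The report
below is a constructed sample shaped like Trivy's JSON output for a jar scan;
its CVE identifiers and versions are placeholders.
"""
import json
from collections import Counter, defaultdict

# Constructed sample report (placeholder identifiers, not real findings).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/semantic-turkey:placeholder",
    "Results": [
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-0001",
                 "PkgName": "org.springframework:spring-core",
                 "InstalledVersion": "3.x-placeholder",
                 "FixedVersion": "5.x-placeholder",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-0002",
                 "PkgName": "org.springframework:spring-web",
                 "InstalledVersion": "3.x-placeholder",
                 "FixedVersion": "5.x-placeholder",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-0003",
                 "PkgName": "io.netty:netty-codec",
                 "InstalledVersion": "4.x-placeholder",
                 "FixedVersion": "4.y-placeholder",
                 "Severity": "HIGH"},
            ],
        }
    ],
})

# Vetted suppressions: each entry records *why* the finding does not apply to
# this deployment, so the decision can be re-checked when the runtime changes
# (a suppression that assumes Java 8 must be revisited on a JVM upgrade).
VETTED = {
    "CVE-PLACEHOLDER-0001": "exploit path requires JVM 9+; image runs Java 8 only",
}


def iter_findings(report_json):
    """Yield every vulnerability record in a Trivy JSON report."""
    report = json.loads(report_json)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def group_id(pkg_name):
    """Maven coordinates are 'groupId:artifactId'; return the groupId."""
    return pkg_name.split(":", 1)[0]


def triage(report_json, vetted):
    """Summarise a report: severity counts before and after vetting, counts
    per Maven group, and the suppressed findings with their justification."""
    raw, remaining = Counter(), Counter()
    by_group = defaultdict(Counter)
    suppressed = []
    for vuln in iter_findings(report_json):
        sev = vuln["Severity"]
        raw[sev] += 1
        by_group[group_id(vuln["PkgName"])][sev] += 1
        reason = vetted.get(vuln["VulnerabilityID"])
        if reason:
            suppressed.append((vuln["VulnerabilityID"], vuln["PkgName"], reason))
        else:
            remaining[sev] += 1
    return {
        "raw": dict(raw),
        "remaining": dict(remaining),
        "by_group": {g: dict(c) for g, c in by_group.items()},
        "suppressed": suppressed,
    }


def trivyignore_lines(vetted):
    """Render the vetted list one ID per line, as Trivy reads a .trivyignore
    file, with the justification kept as a '#' comment above each ID."""
    lines = []
    for cve, reason in sorted(vetted.items()):
        lines.append(f"# {reason}")
        lines.append(cve)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT, VETTED)
    print("raw:", summary["raw"])
    print("remaining after vetting:", summary["remaining"])
    print("per group:", summary["by_group"])
    for cve, pkg, reason in summary["suppressed"]:
        print(f"suppressed {cve} ({pkg}): {reason}")
    print(trivyignore_lines(VETTED), end="")
```

Run it against a real report with `trivy image --format json -o report.json <image>` and replace `SAMPLE_REPORT` with the file contents; the per-group table makes it obvious when most of the remaining findings sit in one framework (as with Spring here), and the `.trivyignore` rendering keeps the "why" beside each suppressed ID instead of in someone's memory.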