
CVE-2021-4279 in json-patch-1.13.jar #1867

Closed
dmitry-weirdo opened this issue Jan 5, 2023 · 2 comments

Comments

@dmitry-weirdo

dmitry-weirdo commented Jan 5, 2023

The dependency check is now failing with the following CVE on a json-patch dependency from swagger-parser.

```
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] json-patch-1.13.jar: CVE-2021-4279(9.8)
```

The dependency tree looks like this:

```
+- io.swagger.parser.v3:swagger-parser:jar:2.1.7:compile
|  +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.7:compile
|  |  +- io.swagger:swagger-core:jar:1.6.8:compile
|  |  |  +- io.swagger:swagger-models:jar:1.6.8:compile
|  |  |  |  \- io.swagger:swagger-annotations:jar:1.6.8:compile
|  |  |  \- javax.validation:validation-api:jar:2.0.1.Final:compile
|  |  +- io.swagger:swagger-parser:jar:1.0.63:compile
|  |  +- io.swagger:swagger-compat-spec-parser:jar:1.0.63:compile
|  |  |  +- com.github.java-json-tools:json-schema-validator:jar:2.2.14:compile
|  |  |  |  +- com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:compile
|  |  |  |  +- com.github.java-json-tools:json-schema-core:jar:1.2.14:compile
|  |  |  |  |  +- com.github.java-json-tools:uri-template:jar:0.10:compile
|  |  |  |  |  \- org.mozilla:rhino:jar:1.7.7.2:compile
|  |  |  |  +- com.sun.mail:mailapi:jar:1.6.2:compile
|  |  |  |  \- com.googlecode.libphonenumber:libphonenumber:jar:8.11.1:compile
|  |  |  \- com.github.java-json-tools:json-patch:jar:1.13:compile
|  |  |     +- com.github.java-json-tools:msg-simple:jar:1.2:compile
|  |  |     |  \- com.github.java-json-tools:btf:jar:1.3:compile
|  |  |     \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
```

I know this is not the swagger-parser itself, but probably we have to update it to the newer json-patch version.
This version of json-patch is pretty old (27.May.2020), and no newer versions are available :(

So probably swagger-parser should be switched to another, more up-to-date library — see java-json-tools/json-patch#86.

@swiss-chris

Looks to me like an error in the dependency check. The vulnerability is in a different repo, as you said elsewhere. See also here: jeremylong/DependencyCheck#5212

@frantuma
Member

Closing as false positive in external tool.
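For a project that hits this same report, the defender-side follow-up to the maintainer's conclusion is a Dependency-Check suppression scoped to exactly this finding rather than a blanket ignore of the CVE. The file below is an added example, not something from the issue or from the swagger-parser project; the file name `suppressions.xml` and the regex form of the package URL are assumptions, while the CVE id, the Maven coordinates and the issue references come from the thread above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the issue): suppress only the one false-positive match
     discussed in this thread, so that any future finding on json-patch still surfaces. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2021-4279 was matched against com.github.java-json-tools:json-patch,
      but the vulnerable code lives in a different project (see swagger-parser issue #1867 and
      jeremylong/DependencyCheck#5212). Re-review this entry whenever json-patch or
      swagger-parser is upgraded.
    ]]></notes>
    <!-- Constrain the suppression to the Maven artifact from the dependency tree, any version. -->
    <packageUrl regex="true">^pkg:maven/com\.github\.java-json-tools/json-patch@.*$</packageUrl>
    <!-- Suppress this CVE only; other CVEs matched to the same jar are still reported. -->
    <cve>CVE-2021-4279</cve>
  </suppress>
</suppressions>
```

Point the scanner at the file through the dependency-check Maven plugin's `suppressionFiles` configuration. Pairing `packageUrl` with `cve` is what keeps the suppression narrow: a suppression keyed on the CVE alone would also hide a real match of that id elsewhere in the tree. Note that the suppression resolves only the scanner noise; the thread's other observation, that json-patch 1.13 has had no release since May 2020, remains an open supply-chain concern that a suppression does not address.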
