Tags: maven, security, dependency-management, jackson-databind, maven-dependency

Addressing critical vulnerabilities in Maven dependencies


I'm working on a Java Jersey application. In my pom.xml file, I've included certain Maven dependencies that have critical vulnerabilities. Even after upgrading to the latest versions, some of these dependencies still exhibit critical vulnerabilities.

I'm utilizing the open-source OWASP dependency tool to scan for vulnerabilities in my dependencies. The specific dependencies I'm concerned about are:

  1. cassandra-driver-extras-3.11.4.jar
  2. jackson-databind-2.15.2.jar
  3. json-20230618.jar
  4. spark-core_2.13-3.4.1.jar
  5. spring-boot-starter-parent 3.1.2
  6. org.apache.kerby:kerb-server:1.0.1 (I'm unable to determine its source of download)

I'm wondering if these dependencies indeed have critical vulnerabilities. If they do, could you please advise on how to address this issue?

I would appreciate any recommendations for alternative open-source tools that can check for dependency vulnerabilities.

I have upgraded the dependencies to the latest versions, but the scan still shows critical vulnerabilities.


Solution

  • The output of the OWASP dependency check tool (like any other similar tool) must be examined carefully because it can contain false positives (very common with the OWASP tool) and "disputed" vulnerabilities.

    I have created the following POM containing exactly the dependencies you have listed plus the latest version of the OWASP dependency-check-maven plugin:

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
    
        <name>Test App</name>
        <groupId>test</groupId>
        <artifactId>testApp</artifactId>
        <version>1.0.0-SNAPSHOT</version>
        <packaging>jar</packaging>
    
        <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>3.1.2</version>
            <relativePath />
        </parent>
    
        <dependencies>
            <dependency>
                <groupId>com.datastax.cassandra</groupId>
                <artifactId>cassandra-driver-extras</artifactId>
                <version>3.11.4</version>
            </dependency>
            <dependency>
                <groupId>com.fasterxml.jackson.core</groupId>
                <artifactId>jackson-databind</artifactId>
                <version>2.15.2</version>
            </dependency>
            <dependency>
                <groupId>org.json</groupId>
                <artifactId>json</artifactId>
                <version>20230618</version>
            </dependency>
            <dependency>
                <groupId>org.apache.spark</groupId>
                <artifactId>spark-core_2.13</artifactId>
                <version>3.4.1</version>
            </dependency>
            <dependency>
                <groupId>org.apache.kerby</groupId>
                <artifactId>kerb-server</artifactId>
                <version>1.0.1</version>
            </dependency>
        </dependencies>
    
        <build>
            <plugins>
                <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>8.4.0</version>
                    <executions>
                        <execution>
                            <goals>
                                <goal>check</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </project>
    

    Then I executed mvn verify on it. The resulting vulnerability report says:

    Vulnerable Dependencies: 25
    Vulnerabilities Found: 56
    

    Let's examine only the vulnerabilities of the first 3 libraries you listed:

    1. cassandra-driver-extras-3.11.4.jar: it's a false positive because the tool reports the CVEs of Apache Cassandra which is another software.
    2. jackson-databind-2.15.2.jar: it's the latest version and it has just one CVE labeled as "disputed". It's up to you to decide if it can be ignored.
    3. json-20230618.jar: it's a false positive because the report says that "versions up to (excluding) 20230227" are vulnerable but your version is newer.

    And so on.

    With the same POM, plus a dummy main class, I generated a Docker image with:

    mvn spring-boot:build-image -Dspring-boot.build-image.imageName=myapp
    

    then I checked it with trivy (another tool for vulnerability scanning). With trivy false positives are rare and, in fact, the three analyzed above do not appear; however, the report still lists a lot of CVEs:

    Total: 42 (UNKNOWN: 0, LOW: 4, MEDIUM: 27, HIGH: 10, CRITICAL: 1)
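The answer above leaves the practical step implicit: once a finding has been triaged as a false positive or an accepted disputed CVE, it should be suppressed in a reviewable file rather than by lowering the scan threshold, so that `mvn verify` keeps failing on anything new. The following `suppressions.xml` is an added example, not part of the original answer or of the OWASP project's own documentation. It uses the suppression-file format of dependency-check (`<packageUrl>`, `<cpe>`, `<cve>`, `<until>`, `<notes>`). It assumes that the Cassandra false positive in the report is a match against the Apache Cassandra server CPE `cpe:/a:apache:cassandra`, and `CVE-YYYY-NNNNN` is a placeholder to be replaced with the disputed jackson-databind CVE ID shown in your own report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml (added example): placed next to pom.xml and referenced
     from the dependency-check-maven plugin configuration. Every entry carries
     a <notes> explanation so the exception can be audited later. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- False positive: the DataStax Java driver is matched against the CPE of
         the Apache Cassandra server (assumed CPE, check your report). The
         suppression is pinned to this artifact via its Package URL and removes
         the whole CPE match instead of listing individual CVEs, so that new
         server-side Cassandra CVEs do not re-trigger the failure. -->
    <suppress>
        <notes><![CDATA[
        cassandra-driver-extras is a client library; CVEs filed against the
        Apache Cassandra server do not apply to it.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra-driver-extras@.*$</packageUrl>
        <cpe>cpe:/a:apache:cassandra</cpe>
    </suppress>

    <!-- Disputed finding on jackson-databind: suppress only the single CVE
         named in the report, pin it to this artifact, and give the suppression
         an expiry date so the decision is revisited instead of forgotten.
         CVE-YYYY-NNNNN is a placeholder for the ID from your report. -->
    <suppress until="2024-06-30Z">
        <notes><![CDATA[
        Disputed by the maintainers; risk accepted after review. Re-evaluate
        against the current jackson-databind release when this expires.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
        <cve>CVE-YYYY-NNNNN</cve>
    </suppress>

</suppressions>
```

To wire it into the POM above, add a `<configuration>` element to the `dependency-check-maven` plugin with `<suppressionFiles><suppressionFile>suppressions.xml</suppressionFile></suppressionFiles>` and, for example, `<failBuildOnCVSS>7</failBuildOnCVSS>`. With that in place `mvn verify` still fails on any unsuppressed HIGH or CRITICAL finding, while the triaged ones are documented in version control next to the code. Keep suppressions as narrow as possible (one artifact, one CPE or CVE); a suppression without a `<packageUrl>` would silence the same CVE for every dependency in the build.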