SNOW-1732054: CVE-2024-47554 is marking affecting this package due to using a version of Apache Commons IO below version 2.14.0 #1913
As per GHSA-78wr-2p64-hpwj, this package is using version 2.11.0 of Apache Commons IO -- https://github.com/snowflakedb/snowflake-jdbc/blob/master/thin_public_pom.xml#L42
I believe a simple update to the latest version should address this, https://commons.apache.org/proper/commons-io/changes-report.html#a2.17.0, if not at least to version 2.14.0.
In addition, I think that Apache Commons Text, https://github.com/snowflakedb/snowflake-jdbc/blob/master/parent-pom.xml#L19, which is on version 1.10.0, could also use the update, as its io version is also 2.11.0: https://github.com/apache/commons-text/blob/rel/commons-text-1.10.0/pom.xml#L108
Comments
Thanks for the heads up @HappyZombies. Just a few things to note here. The CVE's status is currently "awaiting analysis". The initial information says the potential issue is with the So while we could probably just upgrade those libraries, I'm not sure it's really necessary at this point. Would you agree with that assessment?
Besides being a likely false positive hit for snowflake-jdbc, I don't really get why the linked advisory is classified at 8.7 High (which then of course Sonatype and other scanners pick up as High); it looks like other companies classify differently:
Hopefully the advisory can get adjusted sometime, but as my colleague mentioned, we don't rely on the vulnerable class.
Thank you all for replying! So I started this issue because I noticed that a few days ago, the protobuf package was updated (#1910) due to the following CVE https://nvd.nist.gov/vuln/detail/CVE-2024-7254 (which, btw, is still in Awaiting Analysis -- but I'm guessing it was merged/updated since the affected issue is more widespread). But anyway, I think I see now how/why this is more than likely a false positive, since the CVE is mentioning a specific file and version, and the fact that it's there is probably tripping these scanners (such as Sonatype) -- even if the method is not being used directly by this package. In addition, I also find it interesting how different sites are ranking these vulnerabilities... weird. So while I think it wouldn't hurt to update these anyway, I'm OK with just waiting to see how this plays out. Thanks!
PR is merged and will be part of the next release cycle.
Released in version 3.20.0.
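The thread turns on a version check: scanners flag snowflake-jdbc because its POMs declare commons-io 2.11.0 (directly, and again transitively via commons-text 1.10.0), below the 2.14.0 the advisory names. The Python script below is an added example, not code from the snowflake-jdbc project; it reproduces that check over a constructed POM fragment modelled on the declarations quoted in the issue, resolving a Maven property placeholder and following the transitive route through commons-text, where the transitive lookup table is an assumption standing in for `mvn dependency:tree` output.

```python
import re
import xml.etree.ElementTree as ET

# Version the advisory names as fixed; anything declared below it is what scanners
# key on, regardless of whether the vulnerable class is ever used (the thread's point).
FIXED_VERSION = "2.14.0"
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed lookup of the commons-io version pulled in transitively by the library
# named in the thread; a real check would take this from `mvn dependency:tree`.
TRANSITIVE_COMMONS_IO = {("org.apache.commons", "commons-text", "1.10.0"): "2.11.0"}

# Constructed POM fragment modelled on the declarations quoted in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><commons.io.version>2.11.0</commons.io.version></properties>
  <dependencies>
    <dependency><groupId>commons-io</groupId><artifactId>commons-io</artifactId>
      <version>${commons.io.version}</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId>
      <version>1.10.0</version></dependency>
  </dependencies>
</project>"""

def version_key(v):
    """Numeric tuple so 2.11.0 < 2.14.0 < 2.17.0 (plain string compare gets this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def resolve(value, props):
    """Expand ${property} references from the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def find_vulnerable_commons_io(pom_xml):
    """Return (dependency coordinate, commons-io version) pairs below FIXED_VERSION."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        if (group, artifact) == ("commons-io", "commons-io"):
            io_version = version  # declared directly
        else:
            io_version = TRANSITIVE_COMMONS_IO.get((group, artifact, version))
        if io_version and version_key(io_version) < version_key(FIXED_VERSION):
            findings.append((f"{group}:{artifact}:{version}", io_version))
    return findings

if __name__ == "__main__":
    for coordinate, io_version in find_vulnerable_commons_io(SAMPLE_POM):
        print(f"{coordinate} -> commons-io {io_version} (< {FIXED_VERSION})")
```

Bumping only the direct commons-io property leaves the commons-text route flagged, which is why the issue asks about updating both.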