From 46c6d06c0ad20d32552d4163262b3bc1dd9d4dd4 Mon Sep 17 00:00:00 2001 From: Juho Leinonen Date: Wed, 28 Jun 2023 10:44:35 +0300 Subject: [PATCH 1/9] AE-1893: Suppress a false positive jackson-databind vulnerability - The whole issue itself is bogus, go read for fun https://github.com/FasterXML/jackson-databind/issues/3972 --- etp-backend/nvd_suppressions.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/etp-backend/nvd_suppressions.xml b/etp-backend/nvd_suppressions.xml index d97cef7ef..2c03f8a93 100644 --- a/etp-backend/nvd_suppressions.xml +++ b/etp-backend/nvd_suppressions.xml @@ -41,4 +41,13 @@ ^pkg:maven/org\.apache\.axis/axis@.*$ CVE-2007-2353 + + + + + ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ + CVE-2023-35116 + From 709706bf42751cfb0ab7b592b8039f2646e8d5a4 Mon Sep 17 00:00:00 2001 From: Juho Leinonen Date: Wed, 28 Jun 2023 10:45:42 +0300 Subject: [PATCH 2/9] AE-1893: Update buddy dependencies and add buddy-core as direct dependency - Removes vulnerable version of jackson-dataformat-cbor --- etp-backend/deps.edn | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn index 539aea503..13096b316 100644 --- a/etp-backend/deps.edn +++ b/etp-backend/deps.edn @@ -30,8 +30,9 @@ metosin/spec-tools {:mvn/version "0.10.1"} webjure/jeesql {:mvn/version "0.4.7"} clj-http/clj-http {:mvn/version "3.10.0"} - buddy/buddy-sign {:mvn/version "3.3.0"} - buddy/buddy-hashers {:mvn/version "1.7.0"} + buddy/buddy-core {:mvn/version "1.11.423"} + buddy/buddy-sign {:mvn/version "3.5.346"} + buddy/buddy-hashers {:mvn/version "2.0.162"} org.apache.poi/poi {:mvn/version "4.1.2"} org.apache.poi/poi-ooxml {:mvn/version "4.1.2"} org.apache.pdfbox/pdfbox {:mvn/version "2.0.28"} From 730e4f8c8eba5ce09f1f2f7f1454167a4fc86194 Mon Sep 17 00:00:00 2001 
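Review bot: The new suppress entry for CVE-2023-35116 records its rationale only in the commit message, and the same applies to the commons-discovery (CVE-2022-0869) entry in patch 7 and the opensaml (CVE-2017-16853) entry in patch 9; the entry itself is what the next person auditing nvd_suppressions.xml will read, so the reason belongs there. Dependency-check's suppress element accepts a `<notes>` child and an `until="YYYY-MM-DD"` attribute, so each entry could carry something like `<notes>AE-1893: disputed upstream, see jackson-databind issue 3972</notes>` and an expiry date that forces a re-review instead of suppressing the finding forever. The element tags are not visible in this rendering of the patch, so if a `<notes>` element is already present the point reduces to adding the expiry. The `packageUrl` regex ending in `@.*$` matches every version of the artifact, which is acceptable for a CVE-specific false positive but should be a deliberate choice rather than the default.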
From: Juho Leinonen Date: Wed, 28 Jun 2023 12:33:07 +0300 Subject: [PATCH 3/9] AE-1893: Update ring-core - Removes transient dependency to vulnerable version of commons-fileupload --- etp-backend/deps.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn index 13096b316..1147ebc1e 100644 --- a/etp-backend/deps.edn +++ b/etp-backend/deps.edn @@ -12,7 +12,7 @@ org.clojure/java.jdbc {:mvn/version "0.7.11"} org.clojure/data.csv {:mvn/version "1.0.0"} http-kit/http-kit {:mvn/version "2.4.0-alpha6"} - ring/ring-core {:mvn/version "1.8.0"} + ring/ring-core {:mvn/version "1.10.0"} javax.servlet/servlet-api {:mvn/version "2.5"} org.clojure/tools.logging {:mvn/version "1.0.0"} prismatic/schema {:mvn/version "1.1.12"} From fbebc14a11a9ca675d0bc6b717dec91069a24b13 Mon Sep 17 00:00:00 2001 From: Juho Leinonen Date: Wed, 28 Jun 2023 14:39:38 +0300 Subject: [PATCH 4/9] AE-1893: Update apache-poi - Fixes multiple vulnerabilities - New version of poi needed for some reason the explicit configuration of WorkBookFactory provider - Configured to use XSSFWorkbookFactory so the workbooks are xlsx format as before - Without this configured creation of xlsx file failed only in uberjar build --- etp-backend/deps.edn | 4 ++-- etp-backend/src/main/clj/solita/common/xlsx.clj | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn index 1147ebc1e..d0d67bc8a 100644 --- a/etp-backend/deps.edn +++ b/etp-backend/deps.edn @@ -33,8 +33,8 @@ buddy/buddy-core {:mvn/version "1.11.423"} buddy/buddy-sign {:mvn/version "3.5.346"} buddy/buddy-hashers {:mvn/version "2.0.162"} - org.apache.poi/poi {:mvn/version "4.1.2"} - org.apache.poi/poi-ooxml {:mvn/version "4.1.2"} + org.apache.poi/poi {:mvn/version "5.2.3"} + org.apache.poi/poi-ooxml {:mvn/version "5.2.3"} org.apache.pdfbox/pdfbox {:mvn/version "2.0.28"} puumerkki/puumerkki {:mvn/version "0.9.2" :exclusions [ring/ring 
diff --git a/etp-backend/src/main/clj/solita/common/xlsx.clj b/etp-backend/src/main/clj/solita/common/xlsx.clj index e05fbc059..6291777fd 100644 --- a/etp-backend/src/main/clj/solita/common/xlsx.clj +++ b/etp-backend/src/main/clj/solita/common/xlsx.clj @@ -3,11 +3,12 @@ [clojure.java.io :as io]) (:import (org.apache.poi.ss.usermodel WorkbookFactory HorizontalAlignment) (org.apache.poi.ss.util CellAddress) - (org.apache.poi.xssf.usermodel XSSFWorkbook XSSFFormulaEvaluator))) + (org.apache.poi.xssf.usermodel XSSFWorkbook XSSFWorkbookFactory XSSFFormulaEvaluator))) ;; ;; Workbook, loading, saving ;; +(WorkbookFactory/addProvider (XSSFWorkbookFactory.)) (defn create-xlsx [] (WorkbookFactory/create (boolean true))) @@ -52,7 +53,7 @@ (if (str/blank? v) nil v))) (defn row-and-column-idx [address] - (let [cell-address (CellAddress. address)] + (let [cell-address (CellAddress. ^String address)] {:row-idx (.getRow cell-address) :col-idx (.getColumn cell-address)})) From d6ca7aba1e897b0db4ca90cf94197dcd0a0885f2 Mon Sep 17 00:00:00 2001 From: Juho Leinonen Date: Wed, 28 Jun 2023 15:19:43 +0300 Subject: [PATCH 5/9] AE-1893: Exclude batik dependencies from openhtmltopdf-svg-support and depend directly to newer versions - Newer versions contain a bunch of fixes to known vulnerabilities --- etp-backend/deps.edn | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn index d0d67bc8a..a3a01b26f 100644 --- a/etp-backend/deps.edn +++ b/etp-backend/deps.edn 
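Review bot: `(WorkbookFactory/addProvider (XSSFWorkbookFactory.))` is a top-level side effect that runs on every load of the namespace, so a REPL reload registers the provider a second time; as far as I recall POI keeps providers in a list rather than a set, which makes the duplicate harmless but undocumented. The commit message says workbook creation failed only in the uberjar build, which points at the likely root cause: POI 5 discovers `XSSFWorkbookFactory` through a `META-INF/services` provider file, and uberjar tooling that overwrites instead of merging service files silently drops that registration, so fixing the build's service-file merging would remove the need for the manual call and would also protect any other ServiceLoader-based library in the jar. If the manual registration stays, give it a why-comment tied to what was observed, e.g. `;; Explicit registration: the uberjar build drops POI's META-INF/services entry, so auto-discovery fails there`. The `^String` type hint on `CellAddress.` is fine as is.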
@@ -52,9 +52,19 @@ commonmark-hiccup/commonmark-hiccup {:mvn/version "0.2.0"} com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"} - com.openhtmltopdf/openhtmltopdf-svg-support {:mvn/version "1.0.10"} com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"} + ;; Contains vulnerable version of batik-* libraries, exclude those + ;; and add direct dependency to newer versions + com.openhtmltopdf/openhtmltopdf-svg-support + {:mvn/version "1.0.10" + :exclusions [org.apache.xmlgraphics/batik-transcoder + org.apache.xmlgraphics/batik-codec + org.apache.xmlgraphics/batik-ext]} + org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.16"} + org.apache.xmlgraphics/batik-codec {:mvn/version "1.16"} + org.apache.xmlgraphics/batik-ext {:mvn/version "1.16"} + ;; Non-alpha version does not support xml namespaces org.clojure/data.xml {:mvn/version "0.2.0-alpha6"} camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.1"} From 7157c4184a909c158571cd1ce7538b78a45248d9 Mon Sep 17 00:00:00 2001 From: Juho Leinonen Date: Wed, 28 Jun 2023 15:27:16 +0300 Subject: [PATCH 6/9] AE-1893: Update logback, fixes a vulnerability --- etp-backend/deps.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn index a3a01b26f..d0b58339a 100644 --- a/etp-backend/deps.edn +++ b/etp-backend/deps.edn @@ -2,7 +2,7 @@ "src/main/sql" "src/main/resources"] :deps {org.clojure/clojure {:mvn/version "1.10.1"} - ch.qos.logback/logback-classic {:mvn/version "1.2.3"} + ch.qos.logback/logback-classic {:mvn/version "1.4.8"} org.slf4j/log4j-over-slf4j {:mvn/version "1.7.30"} flathead/flathead {:mvn/version "0.0.4"} integrant/integrant {:mvn/version "0.8.0"} From 5dc454140eedb302a152ad3664d9e2576444bb54 Mon Sep 17 00:00:00 2001 From: Juho Leinonen Date: Wed, 28 Jun 2023 16:08:10 +0300 Subject: [PATCH 7/9] AE-1893: Suppress a false positive vulnerability --- etp-backend/nvd_suppressions.xml | 9 +++++++++ 1 file changed, 9 insertions(+) 
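Review bot: The exclusion list names only batik-transcoder, batik-codec and batik-ext, but batik-transcoder itself pulls in further batik-* artifacts and xmlgraphics-commons, so the comment's claim that the vulnerable batik versions are gone holds only if the resolved tree actually lands every batik-* artifact on 1.16. With the direct 1.16 dependency that is probably the outcome, but it should be confirmed with `clojure -Stree` after the change, and the verified result is worth stating in the comment, e.g. `;; verified with -Stree: all batik-* and xmlgraphics-commons resolve to the 1.16 line`. Batik 1.16 also expects a matching xmlgraphics-commons release, and a mismatch with the version reached through openhtmltopdf would surface only at runtime in SVG rendering, so the PDF export path deserves a smoke test before this is merged.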
diff --git a/etp-backend/nvd_suppressions.xml b/etp-backend/nvd_suppressions.xml index 2c03f8a93..d13f724d3 100644 --- a/etp-backend/nvd_suppressions.xml +++ b/etp-backend/nvd_suppressions.xml @@ -50,4 +50,13 @@ ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ CVE-2023-35116 + + + + + ^pkg:maven/commons\-discovery/commons\-discovery@.*$ + CVE-2022-0869 + From d278e31c97ce25031ef54fc2a4a08b4faafaa3dc Mon Sep 17 00:00:00 2001 From: Juho Leinonen Date: Wed, 28 Jun 2023 16:08:33 +0300 Subject: [PATCH 8/9] AE-1893: Update clj-http, fixes a vulnerability in transitive dependency --- etp-backend/deps.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn index d0b58339a..41e5634da 100644 --- a/etp-backend/deps.edn +++ b/etp-backend/deps.edn @@ -29,7 +29,7 @@ ;; https://github.com/metosin/reitit/issues/355 metosin/spec-tools {:mvn/version "0.10.1"} webjure/jeesql {:mvn/version "0.4.7"} - clj-http/clj-http {:mvn/version "3.10.0"} + clj-http/clj-http {:mvn/version "3.12.3"} buddy/buddy-core {:mvn/version "1.11.423"} buddy/buddy-sign {:mvn/version "3.5.346"} buddy/buddy-hashers {:mvn/version "2.0.162"} From e0ec40ac098f921fe7eb53e2f5f5067706b911e6 Mon Sep 17 00:00:00 2001 From: Juho Leinonen Date: Thu, 29 Jun 2023 10:40:58 +0300 Subject: [PATCH 9/9] AE-1893: Suppress opensaml vulnerability, it was for opensaml c++ implementation --- etp-backend/nvd_suppressions.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/etp-backend/nvd_suppressions.xml b/etp-backend/nvd_suppressions.xml index d13f724d3..267b6cf62 100644 --- a/etp-backend/nvd_suppressions.xml +++ b/etp-backend/nvd_suppressions.xml @@ -59,4 +59,13 @@ ^pkg:maven/commons\-discovery/commons\-discovery@.*$ CVE-2022-0869 + + + + + ^pkg:maven/org\.opensaml/opensaml@.*$ + CVE-2017-16853 +