[BUILD-1079] Dismiss CVE mismatches about sleepycat:je:18.3.12 Created: 22/May/23  Updated: 26/May/23  Resolved: 22/May/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Team: Foundation
Work Started:
Approved:
Yes

Description

We received a report compiled against Magnolia 6.2.33 listing CVEs that allegedly affect the third-party Oracle NoSQL Database Server (com.sleepycat:je:18.3.12).

This library comes in transitively via:

[INFO] +- info.magnolia.solr:magnolia-content-indexer:jar:6.1.4:compile
[INFO] |  +- edu.uci.ics:crawler4j:jar:4.4.1-magnolia:compile
[INFO] |  \- com.sleepycat:je:jar:18.3.12:compile

The mismatch happens because com.sleepycat:je:18.3.12 is erroneously matched to cpe:2.3:a:oracle:nosql_database:::::::: which actually concerns later versions of Oracle NoSQL db (not used by Magnolia).

All the CVEs mentioned in the report actually affect other third-party libraries, or versions of them, none of which is shipped with Magnolia: either the library is absent entirely, or the version shipped with Magnolia 6.2.33 is newer than the vulnerable range.
The Oracle NoSQL db version pulled in by the Magnolia Solr module has no third-party dependencies of its own.

CVE                                                 Affects                          Magnolia 6.2.33 ships with
https://nvd.nist.gov/vuln/detail/CVE-2018-1000873   Fasterxml before 2.9.7           Fasterxml 2.13.5
https://nvd.nist.gov/vuln/detail/CVE-2018-1320      Apache Thrift                    no such library
https://nvd.nist.gov/vuln/detail/CVE-2020-11612     ZlibDecoders                     no such library
https://nvd.nist.gov/vuln/detail/CVE-2021-22883     Node.js                          no such library
https://nvd.nist.gov/vuln/detail/CVE-2021-22884     Node.js                          no such library
https://nvd.nist.gov/vuln/detail/CVE-2021-23840     OpenSSL                          no such library
https://nvd.nist.gov/vuln/detail/CVE-2019-10219     Hibernate-Validator              no such library
https://nvd.nist.gov/vuln/detail/CVE-2021-21409     Netty before 4.1.61              Netty 4.1.86
https://nvd.nist.gov/vuln/detail/CVE-2021-21290     Netty before 4.1.59              Netty 4.1.86
https://nvd.nist.gov/vuln/detail/CVE-2020-13956     Apache HttpClient before 4.5.13  HttpClient 4.5.14
https://nvd.nist.gov/vuln/detail/CVE-2020-8908      Guava before 30.0                Guava 31.1
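The verdict for each row of the table, re-derived in Python as an added example (not code from the ticket or from Magnolia): a finding is dismissed either because the library is not shipped at all, or because the shipped version is not below the first fixed version the CVE names. The rows are copied from the table above; versions are compared numerically, since a plain string comparison would wrongly flag Fasterxml 2.13.5 as older than 2.9.7.

```python
# Added example (not from the ticket): re-derive the verdict for each row of
# the triage table. A finding is a false positive when the library is not
# shipped at all, or when the shipped version is not below the first fixed
# version the CVE names ("before X").
import re


def parse_version(version):
    """'4.1.86' -> (4, 1, 86): compare numerically, since as strings
    '2.13.5' < '2.9.7' and Fasterxml would wrongly look vulnerable."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(shipped, fixed_in):
    """True when the shipped version lies in the 'before fixed_in' range."""
    return parse_version(shipped) < parse_version(fixed_in)


# Rows copied from the ticket: (CVE, library, first fixed version, shipped version).
# None means the CVE row names no version bound / Magnolia ships no such library.
TRIAGE_TABLE = [
    ("CVE-2018-1000873", "Fasterxml", "2.9.7", "2.13.5"),
    ("CVE-2018-1320", "Apache Thrift", None, None),
    ("CVE-2020-11612", "ZlibDecoders", None, None),
    ("CVE-2021-22883", "Node.js", None, None),
    ("CVE-2021-22884", "Node.js", None, None),
    ("CVE-2021-23840", "OpenSSL", None, None),
    ("CVE-2019-10219", "Hibernate-Validator", None, None),
    ("CVE-2021-21409", "Netty", "4.1.61", "4.1.86"),
    ("CVE-2021-21290", "Netty", "4.1.59", "4.1.86"),
    ("CVE-2020-13956", "Apache HttpClient", "4.5.13", "4.5.14"),
    ("CVE-2020-8908", "Guava", "30.0", "31.1"),
]


def triage(rows):
    """Map each CVE to 'not shipped', 'not affected', 'affected' or 'unknown range'."""
    verdicts = {}
    for cve, library, fixed_in, shipped in rows:
        if shipped is None:
            verdicts[cve] = "not shipped"
        elif fixed_in is None:
            # Library is shipped but the CVE gives no version bound: review by hand.
            verdicts[cve] = "unknown range"
        elif is_affected(shipped, fixed_in):
            verdicts[cve] = "affected"
        else:
            verdicts[cve] = "not affected"
    return verdicts


if __name__ == "__main__":
    for cve, verdict in triage(TRIAGE_TABLE).items():
        print(f"{cve}: {verdict}")
```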

Generated at Sun Feb 11 23:47:56 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.