CVEDetect opened a new pull request, #19: URL: https://github.com/apache/openwebbeans-meecrowave/pull/19
Hi,

In **/meecrowave-maven-plugin**, there is a dependency **org.apache.commons:commons-compress:1.18** that calls the risk method.

[CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402)

The scope of this CVE affected version is **[1.15,1.19)**

After further analysis, in this project, the main API called is **org.apache.commons.compress.archivers.zip.NioZipEncoding: encode(java.lang.String)Ljava.nio.ByteBuffer**

Risk method repair link: [GitHub](https://github.com/apache/commons-compress/commit/4ad5d80a6272e007f64a6ac66829ca189a8093b9)

**CVE Bug Invocation Path--**

**Path Length : 5**

```
CVE Bug Invocation Path :
org.apache.meecrowave.maven.MeecrowaveBundleMojo: execute()V .m2/repository/org/apache/maven/maven-model-builder/3.6.3/maven-model-builder-3.6.3.jar
org.apache.meecrowave.maven.MeecrowaveBundleMojo: tarGz(org.apache.commons.compress.archivers.tar.TarArchiveOutputStream,java.io.File,java.nio.file.Path)V .m2/repository/org/apache/maven/maven-model-builder/3.6.3/maven-model-builder-3.6.3.jar
org.apache.commons.compress.archivers.tar.TarArchiveOutputStream: putArchiveEntry(org.apache.commons.compress.archivers.ArchiveEntry)V .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.tar.TarArchiveOutputStream: handleLongName(org.apache.commons.compress.archivers.tar.TarArchiveEntry,java.lang.String,java.util.Map,java.lang.String,byte,java.lang.String)Z /ho.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.NioZipEncoding: encode(java.lang.String)Ljava.nio.ByteBuffer;
```

[CVE-2021-36090](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090)

The scope of this CVE affected version is **[0,1.31)**

After further analysis, in this project, the main API called is **org.apache.commons.compress.archivers.zip.AsiExtraField: parseFromLocalFileData(byte[],int,int)V**

Risk method repair link: [GitHub](https://github.com/apache/commons-compress/commit/ef5d70b625000e38404194aaab311b771c44efda)

**CVE Bug Invocation Path--**

**Path Length : 8**

```
CVE Bug Invocation Path :
org.apache.meecrowave.maven.MeecrowaveBundleMojo: execute()V .m2/repository/org/apache/maven/maven-model-builder/3.6.3/maven-model-builder-3.6.3.jar
org.apache.meecrowave.maven.MeecrowaveBundleMojo: zip(org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream,java.io.File,java.nio.file.Path)V .m2/repository/org/apache/maven/maven-model-builder/3.6.3/maven-model-builder-3.6.3.jar
org.apache.commons.compress.archivers.jar.JarArchiveOutputStream: putArchiveEntry(org.apache.commons.compress.archivers.ArchiveEntry)V .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.ZipArchiveEntry: addAsFirstExtraField(org.apache.commons.compress.archivers.zip.ZipExtraField)V /.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.ZipArchiveEntry: setExtra()V .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.ZipArchiveEntry: setExtra(byte[])V .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.ExtraFieldUtils: parse(byte[],boolean,org.apache.commons.compress.archivers.zip.ExtraFieldUtils$UnparseableExtraField)[Lorg.apache.commons.compress.archivers.zip.ZipExtraField; .m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
org.apache.commons.compress.archivers.zip.AsiExtraField: parseFromLocalFileData(byte[],int,int)V
```

**Dependency tree--**

```
[INFO] org.apache.meecrowave:meecrowave-maven-plugin:maven-plugin:1.2.16-SNAPSHOT
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.6.3:compile
[INFO] |  +- org.apache.maven:maven-model:jar:3.6.3:compile
[INFO] |  +- org.apache.maven:maven-artifact:jar:3.6.3:compile
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.4:compile
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:3.2.1:compile
[INFO] |  \- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[INFO] +- org.apache.maven:maven-core:jar:3.6.3:compile
[INFO] |  +- org.apache.maven:maven-settings:jar:3.6.3:compile
[INFO] |  +- org.apache.maven:maven-settings-builder:jar:3.6.3:compile
[INFO] |  |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO] |  |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] |  +- org.apache.maven:maven-builder-support:jar:3.6.3:compile
[INFO] |  +- org.apache.maven:maven-repository-metadata:jar:3.6.3:compile
[INFO] |  +- org.apache.maven:maven-model-builder:jar:3.6.3:compile
[INFO] |  +- org.apache.maven:maven-resolver-provider:jar:3.6.3:compile
[INFO] |  +- org.apache.maven.resolver:maven-resolver-impl:jar:1.4.1:compile
[INFO] |  +- org.apache.maven.resolver:maven-resolver-api:jar:1.4.1:compile
[INFO] |  +- org.apache.maven.resolver:maven-resolver-spi:jar:1.4.1:compile
[INFO] |  +- org.apache.maven.resolver:maven-resolver-util:jar:1.4.1:compile
[INFO] |  +- org.apache.maven.shared:maven-shared-utils:jar:3.2.1:compile
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.4:compile
[INFO] |  +- com.google.inject:guice:jar:no_aop:4.2.1:compile
[INFO] |  |  +- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  \- com.google.guava:guava:jar:25.1-android:compile
[INFO] |  |     +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |     +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile
[INFO] |  |     +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] |  |     +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  |     \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] |  +- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] +- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.3:compile
[INFO] +- org.apache.maven.shared:maven-dependency-tree:jar:3.0.1:compile
[INFO] |  \- org.eclipse.aether:aether-util:jar:0.9.0.M2:compile
[INFO] +- org.apache.meecrowave:meecrowave-core:jar:1.2.16-SNAPSHOT:compile
[INFO] |  +- org.apache.meecrowave:meecrowave-specs-api:jar:1.2.16-SNAPSHOT:compile
[INFO] |  +- org.apache.tomcat:tomcat-jaspic-api:jar:9.0.70:compile
[INFO] |  +- org.apache.xbean:xbean-finder-shaded:jar:4.20:compile
[INFO] |  +- org.apache.xbean:xbean-asm9-shaded:jar:4.20:compile
[INFO] |  +- org.apache.xbean:xbean-reflect:jar:4.20:compile
[INFO] |  +- org.apache.openwebbeans:openwebbeans-spi:jar:2.0.27:compile
[INFO] |  +- org.apache.openwebbeans:openwebbeans-web:jar:2.0.27:compile
[INFO] |  |  +- org.apache.openwebbeans:openwebbeans-impl:jar:2.0.27:compile
[INFO] |  |  \- org.apache.openwebbeans:openwebbeans-el22:jar:2.0.27:compile
[INFO] |  +- org.apache.tomcat:tomcat-catalina:jar:9.0.70:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-juli:jar:9.0.70:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-api:jar:9.0.70:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jni:jar:9.0.70:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-coyote:jar:9.0.70:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-util:jar:9.0.70:compile
[INFO] |  |  \- org.apache.tomcat:tomcat-util-scan:jar:9.0.70:compile
[INFO] |  +- org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.5.5:compile
[INFO] |  |  +- org.apache.cxf:cxf-core:jar:3.5.5:compile
[INFO] |  |  +- org.apache.cxf:cxf-rt-transports-http:jar:3.5.5:compile
[INFO] |  |  \- org.apache.cxf:cxf-rt-security:jar:3.5.5:compile
[INFO] |  +- org.apache.cxf:cxf-integration-cdi:jar:3.5.5:compile
[INFO] |  +- org.apache.cxf:cxf-rt-rs-client:jar:3.5.5:compile
[INFO] |  +- org.apache.johnzon:johnzon-jsonb:jar:1.2.19:compile
[INFO] |  |  \- org.apache.johnzon:johnzon-mapper:jar:1.2.19:compile
[INFO] |  |     \- org.apache.johnzon:johnzon-core:jar:1.2.19:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.19.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.19.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-jul:jar:2.19.0:compile
[INFO] +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] +- org.apache.maven.plugin-testing:maven-plugin-testing-harness:jar:3.3.0:test
[INFO] |  \- commons-io:commons-io:jar:2.2:compile
[INFO] +- org.codehaus.plexus:plexus-archiver:jar:4.2.3:test
[INFO] |  +- org.codehaus.plexus:plexus-io:jar:3.2.0:test
[INFO] |  +- org.iq80.snappy:snappy:jar:0.4:test
[INFO] |  \- org.tukaani:xz:jar:1.8:test
[INFO] +- org.apache.maven:maven-compat:jar:3.6.3:test
[INFO] |  +- org.codehaus.plexus:plexus-interpolation:jar:1.25:compile
[INFO] |  \- org.apache.maven.wagon:wagon-provider-api:jar:3.3.4:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.apache.tomee:ziplock:jar:7.0.3:test
[INFO] \- org.slf4j:slf4j-simple:jar:1.7.32:test
[INFO]    \- org.slf4j:slf4j-api:jar:1.7.32:compile
```

**_Suggested solutions:_** Update dependency version

Thank you very much.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
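As an added example (not part of this PR or of the meecrowave project), a small Python check that parses `mvn dependency:tree` output and flags any coordinate whose version falls inside the affected ranges quoted in the report above. The sample tree lines are constructed, and the version ordering is simplified to numeric components, so qualifiers such as `-SNAPSHOT` are ignored.

```python
import re

ADVISORIES = {  # affected ranges as quoted in the report above, Maven range notation
    "CVE-2019-12402": ("org.apache.commons:commons-compress", "[1.15,1.19)"),
    "CVE-2021-36090": ("org.apache.commons:commons-compress", "[0,1.31)"),
}

# Constructed sample in the shape `mvn dependency:tree` prints (not the full tree above).
SAMPLE_TREE = """\
[INFO] org.apache.meecrowave:meecrowave-maven-plugin:maven-plugin:1.2.16-SNAPSHOT
[INFO] +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] |  \\- commons-io:commons-io:jar:2.2:compile
"""

SCOPES = {"compile", "test", "provided", "runtime", "system"}
_LINE = re.compile(r"^\[INFO\]\s+[|+\\\-\s]*([\w.\-]+(?::[\w.\-]+)+)\s*$")


def version_key(version):
    # Simplified ordering: numeric components only, zero-padded; qualifiers are ignored.
    nums = [int(t) for t in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (4 - len(nums)))


def in_range(version, spec):
    """True if version lies inside a Maven range such as [1.15,1.19) or [0,1.31)."""
    low_incl, high_incl = spec[0] == "[", spec[-1] == "]"
    low, high = (s.strip() for s in spec[1:-1].split(","))
    v = version_key(version)
    if low and (v < version_key(low) or (v == version_key(low) and not low_incl)):
        return False
    if high and (v > version_key(high) or (v == version_key(high) and not high_incl)):
        return False
    return True


def parse_tree(text):
    """Yield (groupId:artifactId, version) for every coordinate line of the tree output."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            parts = m.group(1).split(":")  # group:artifact:type[:classifier]:version[:scope]
            version = parts[-2] if parts[-1] in SCOPES else parts[-1]
            yield f"{parts[0]}:{parts[1]}", version


def find_affected(tree_text, advisories=ADVISORIES):
    """Return (CVE, coordinate, version) for each dependency inside an advisory's range."""
    hits = []
    for ga, version in parse_tree(tree_text):
        for cve, (target, spec) in advisories.items():
            if ga == target and in_range(version, spec):
                hits.append((cve, ga, version))
    return hits
```

Run it over the saved output of `mvn dependency:tree` to confirm the plugin's commons-compress version is outside both ranges after the bump.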