Hi Team,

I am using the jar org.hyperledger.fabric-sdk-java : fabric-sdk-java : 1.4.4 as a direct dependency in a Maven project module. I am getting a Security-High vulnerability, as shown below, when I execute Sonatype CLM/IQ analysis (CVE-2019-12402, CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518). fabric-sdk-java has transitive dependencies on netty jars, which led to these security vulnerabilities. I can't exclude the transitive dependencies in pom.xml, since my functionality to connect to the network/ledger will break.

For example: *CVE-2019-12402* is reported because netty uses the commons-compress 1.18 jar. It must be commons-compress 1.19. I added exclusions for 1.18 and tried to override it with 1.19 in my project pom file, but no luck due to the multiple transitive dependencies of netty. I have verified the latest release, 4.1.42.Final, at https://netty.io/news/2019/09/25/4-1-42-Final.html, but I don't see any security fix. How do I fix it? Can I expect a fix in the next release? Please advise.

*Error log from Sonatype CLM:*

[ERROR] Sonatype CLM reports policy failing due to
[ERROR] Policy(Security-High) [
[ERROR]   Component(displayName=org.hyperledger.fabric-sdk-java : fabric-sdk-java : jar : jar-with-dependencies : 1.4.4, hash=d0167d0f2d971bf88d2c) [
[ERROR]     Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-12402 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-12402 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-12402 with status 'Open', not 'Not Applicable'., on condition 0] ]]

[ERROR] Sonatype CLM reports policy failing due to
[ERROR] Policy(Security-High) [
[ERROR]   Component(displayName=io.netty : netty-codec-http2 : 4.1.30.Final, hash=2da92f518409904954d3) [
[ERROR]     Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-9512 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-9512 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-9512 with status 'Open', not 'Not Applicable'., on condition 0] ]]

[ERROR] Sonatype CLM reports policy failing due to
[ERROR] Policy(Security-High) [
[ERROR]   Component(displayName=io.netty : netty-codec-http2 : 4.1.30.Final, hash=2da92f518409904954d3) [
[ERROR]     Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-9514 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-9514 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-9514 with status 'Open', not 'Not Applicable'., on condition 0] ]]

[ERROR] Sonatype CLM reports policy failing due to
[ERROR] Policy(Security-High) [
[ERROR]   Component(displayName=io.netty : netty-codec-http2 : 4.1.30.Final, hash=2da92f518409904954d3) [
[ERROR]     Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-9515 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-9515 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-9515 with status 'Open', not 'Not Applicable'., on condition 0] ]]

[ERROR] Sonatype CLM reports policy failing due to
[ERROR] Policy(Security-High) [
[ERROR]   Component(displayName=io.netty : netty-common : 4.1.30.Final, hash=5dca0c34d8f38af51a23) [
[ERROR]     Constraint(High risk CVSS score) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2019-9518 with severity 7.5., on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2019-9518 with severity 7.5., on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2019-9518 with status 'Open', not 'Not Applicable'., on condition 0] ]]

Stackoverflow: https://stackoverflow.com/questions/58095943/how-to-fix-netty4-1-41-final-or-hyperledger-fabri-sdk-java-1-4-4-maven-jars-s

Thanks,
Jeyanthi

--
You received this message because you are subscribed to the Google Groups "Netty discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/netty/CAETAENs-9wYZ%3DZp6dV%2BRfCfu7hnaq3p2OktvpKOeQ56A0c7LVw%40mail.gmail.com.
