sonatype-lift[bot] commented on a change in pull request #7190: URL: https://github.com/apache/skywalking/pull/7190#discussion_r662318685
########## File path: test/plugin/scenarios/sentinel-scenario/pom.xml ########## @@ -0,0 +1,121 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ Licensed to the Apache Software Foundation (ASF) under one or more + ~ contributor license agreements. See the NOTICE file distributed with + ~ this work for additional information regarding copyright ownership. + ~ The ASF licenses this file to You under the Apache License, Version 2.0 + ~ (the "License"); you may not use this file except in compliance with + ~ the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + ~ + --> +<project xmlns="http://maven.apache.org/POM/4.0.0"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd";> + + <groupId>org.apache.skywalking.apm.testcase</groupId> + <artifactId>sentinel-scenario</artifactId> + <version>1.0.0</version> + <packaging>jar</packaging> + + <modelVersion>4.0.0</modelVersion> + + <properties> + <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + <test.framework.version>1.7.2</test.framework.version> + <spring-boot-version>2.1.18.RELEASE</spring-boot-version> + </properties> + + <name>skywalking-sentinel-scenario</name> + + <dependencyManagement> + <dependencies> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-dependencies</artifactId> + <version>${spring-boot-version}</version> + <type>pom</type> + <scope>import</scope> + </dependency> + </dependencies> + </dependencyManagement> + + <dependencies> + <dependency> Review comment: *Critical OSS Vulnerability:* ### pkg:maven/com.fasterxml.jackson.core/[email protected] 16 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:maven/org.springframework.boot/[email protected] <!-- Lift_Details --> <details> <summary><b>CRITICAL Vulnerabilities (16)</b></summary> <ul> *** <details> <summary>CVE-2020-36187</summary> > #### [CVE-2020-36187] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36179</summary> > #### [CVE-2020-36179] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36184</summary> > #### [CVE-2020-36184] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36188</summary> > #### [CVE-2020-36188] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-35491</summary> > #### [CVE-2020-35491] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-35728</summary> > #### [CVE-2020-35728] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2021-20190</summary> > #### [CVE-2021-20190] A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the i... > A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36183</summary> > #### [CVE-2020-36183] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36181</summary> > #### [CVE-2020-36181] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36182</summary> > #### [CVE-2020-36182] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36185</summary> > #### [CVE-2020-36185] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36186</summary> > #### [CVE-2020-36186] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36189</summary> > #### [CVE-2020-36189] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-36180</summary> > #### [CVE-2020-36180] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-35490</summary> > #### [CVE-2020-35490] FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction betwee... > FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. > > **CVSS Score:** 8.1 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2020-25649</summary> > #### [CVE-2020-25649] A flaw was found in FasterXML Jackson Databind, where it did not have entity exp... > A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. > > **CVSS Score:** 7.5 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N </details> *** </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift) with `help` or `ignore`) ########## File path: test/plugin/scenarios/sentinel-scenario/pom.xml ########## @@ -0,0 +1,121 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ Licensed to the Apache Software Foundation (ASF) under one or more + ~ contributor license agreements. See the NOTICE file distributed with + ~ this work for additional information regarding copyright ownership. + ~ The ASF licenses this file to You under the Apache License, Version 2.0 + ~ (the "License"); you may not use this file except in compliance with + ~ the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + ~ + --> +<project xmlns="http://maven.apache.org/POM/4.0.0"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd";> + + <groupId>org.apache.skywalking.apm.testcase</groupId> + <artifactId>sentinel-scenario</artifactId> + <version>1.0.0</version> + <packaging>jar</packaging> + + <modelVersion>4.0.0</modelVersion> + + <properties> + <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> + <test.framework.version>1.7.2</test.framework.version> + <spring-boot-version>2.1.18.RELEASE</spring-boot-version> + </properties> + + <name>skywalking-sentinel-scenario</name> + + <dependencyManagement> + <dependencies> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-dependencies</artifactId> + <version>${spring-boot-version}</version> + <type>pom</type> + <scope>import</scope> + </dependency> + </dependencies> + </dependencyManagement> + + <dependencies> + <dependency> Review comment: *Critical OSS Vulnerability:* ### pkg:maven/org.apache.tomcat.embed/[email protected] 5 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:maven/org.springframework.boot/[email protected] <!-- Lift_Details --> <details> <summary><b>CRITICAL Vulnerabilities (5)</b></summary> <ul> *** <details> <summary>CVE-2020-17527</summary> > #### [CVE-2020-17527] While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to ... > While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. > > **CVSS Score:** 7.5 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N </details> *** <details> <summary>CVE-2021-25122</summary> > #### [CVE-2021-25122] When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1... > When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. > > **CVSS Score:** 7.5 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N </details> *** <details> <summary>CVE-2021-24122</summary> > #### [CVE-2021-24122] When serving resources from a network location using the NTFS file system, Apach... > When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. > > **CVSS Score:** 7.5 > > **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N </details> *** <details> <summary>CVE-2020-9484</summary> > #### [CVE-2020-9484] When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.... > When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. > > **CVSS Score:** 7 > > **CVSS Vector:** CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H </details> *** <details> <summary>CVE-2021-25329</summary> > #### [CVE-2021-25329] The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to ... > The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. > > **CVSS Score:** 7 > > **CVSS Vector:** CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H </details> *** </ul> </details> (at-me [in a reply](https://help.sonatype.com/lift) with `help` or `ignore`) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
