[jbosstools-issues] [JBoss JIRA] (JBDS-4631) First analysis and actions for CVE vulnerabilities

Jeff MAURY (JIRA) issues at jboss.org
Thu Dec 21 12:00:00 EST 2017


    [ https://issues.jboss.org/browse/JBDS-4631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507914#comment-13507914 ] 

Jeff MAURY commented on JBDS-4631:
----------------------------------

*jbosstools-openshift*
Run with 
{code:bash}
mvn clean package org.owasp:dependency-check-maven:3.0.2:check
{code}

Against the jbosstools-openshift repo
Only HIGH CVEs are analyzed


||Plugin||Dependency||Comment||Action||
|org.jboss.tools.openshift.cdk.server|com.fasterxml.jackson.core.jackson-core-2.6.2.v20161117-2150.jar|Need update to Jackson 2.7.4 but not in Orbit| |
| |com.google.javascript-0.0.20160315.v20161124-1903.jar|CVE mentioned com.google.gapps so I think this is a false positive| |
| |org.glassfish.jersey.core.jersey-client-2.22.1.v20161103-1916.jar|CVE mentioned a problem in Oracle Client so I think this is a false positive| |
| |org.apache.batik.css-1.8.0.v20170214-1941.jar|Need update to Batik 1.9 but not in Orbit| |
| |org.eclipse.linuxtools.docker.editor-1.0.0.201710132200.jar|CVE mentioned Docker 1.0.0 so I think this is a false positive| |
| |org.eclipse.swt.win32.win32.x86-3.106.0.v20170608-0516.jar: swt-webkit-win32-4757.dll|CVE mentioned vulnerability in WebKit which is not included -> false positive| |
| |org.jboss.ide.eclipse.as.classpath.core-3.5.2.v20171114-2016.jar: cdi-api.jar|CVE mentioned Seam 2.X but cdi-api does not include Seam -> false positive| |
| |org.eclipse.wst.jsdt.chromium.debug.core-0.5.300.v201705091354.jar|CVE mentioned Chromium but it is not included -> false positive| |

*jbosstools-base*
The report did not show additional dependencies
*jbosstools-server*
The report did not show additional dependencies


> First analysis and actions for CVE vulnerabilities
> --------------------------------------------------
>
>                 Key: JBDS-4631
>                 URL: https://issues.jboss.org/browse/JBDS-4631
>             Project: Red Hat JBoss Developer Studio (devstudio)
>          Issue Type: Bug
>          Components: 3rd-party-dependencies
>    Affects Versions: 11.1.0.GA
>            Reporter: Jeff MAURY
>            Assignee: Jeff MAURY
>             Fix For: 11.2.0.AM3
>
>         Attachments: jbosstools-base-common-dependency-check-report.html, jbosstools-base-foundation-dependency-check-report.html, jbosstools-base-runtime-dependency-check-report.html, jbosstools-base-stacks-dependency-check-report.html, jbosstools-base-usage-dependency-check-report.html, jbosstools-openshift-dependency-check-report.html
>
>




--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
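As an added example (not code from this JIRA thread or from the jbosstools project), the following Python script does the "only HIGH CVEs are analyzed" filtering described in the comment above over a dependency-check report, drops CVE ids that have already been triaged as false positives, and renders what is left in the same JIRA wiki-table shape used in the comment. It assumes the report was produced in dependency-check's JSON format (the attachments on this issue are the HTML reports) with the field names `dependencies[].fileName`, `vulnerabilities[].name`, `severity` and `cvssScore` (or a `cvssv3`/`cvssv2` object with `baseScore` in newer schema versions); those names and the embedded sample report are assumptions, and the sample's CVE ids are placeholders, not real CVEs.

```python
import json
from collections import defaultdict

# Constructed sample of a dependency-check JSON report. The file names mirror
# the ones triaged in the comment above; the CVE ids are placeholders (not real
# CVEs) and the scores are invented for the example.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "com.fasterxml.jackson.core.jackson-core-2.6.2.v20161117-2150.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "High", "cvssScore": 7.5},
                {"name": "CVE-0000-0002", "severity": "Medium", "cvssScore": 5.0},
            ],
        },
        {
            # Nested artifacts are reported as "outer.jar: inner.dll".
            "fileName": "org.eclipse.swt.win32.win32.x86-3.106.0.v20170608-0516.jar: swt-webkit-win32-4757.dll",
            "vulnerabilities": [
                {"name": "CVE-0000-0003", "severity": "High", "cvssScore": 9.3},
            ],
        },
        {
            # Newer report schemas carry a cvssv3 object instead of a flat cvssScore.
            "fileName": "org.apache.batik.css-1.8.0.v20170214-1941.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0004", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}},
            ],
        },
        {
            "fileName": "org.eclipse.linuxtools.docker.editor-1.0.0.201710132200.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0005", "severity": "Low", "cvssScore": 2.1},
            ],
        },
    ],
})

HIGH_THRESHOLD = 7.0  # CVSS base score at which dependency-check labels a finding High


def cvss_score(vuln):
    """Best-effort CVSS base score across report schema versions."""
    if "cvssScore" in vuln:
        return float(vuln["cvssScore"])
    for key in ("cvssv3", "cvssv2"):
        block = vuln.get(key) or {}
        if "baseScore" in block:
            return float(block["baseScore"])
    return 0.0


def is_high(vuln):
    """A finding counts as High if the report says so or its score crosses the threshold."""
    severity = str(vuln.get("severity", "")).upper()
    return severity in ("HIGH", "CRITICAL") or cvss_score(vuln) >= HIGH_THRESHOLD


def high_findings(report_text, false_positives=frozenset()):
    """Map each dependency to its High CVE ids, dropping ids already triaged as false positives.

    Returns {fileName: [cve, ...]} with the CVE lists sorted for stable output.
    """
    report = json.loads(report_text)
    found = defaultdict(list)
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            if vuln["name"] in false_positives or not is_high(vuln):
                continue
            found[dep["fileName"]].append(vuln["name"])
    return {name: sorted(cves) for name, cves in found.items()}


def format_table(findings):
    """Render findings in the JIRA wiki-table shape used in the comment above."""
    rows = ["||Dependency||High CVEs||Action||"]
    for name in sorted(findings):
        rows.append("|%s|%s| |" % (name, ", ".join(findings[name])))
    return "\n".join(rows)


if __name__ == "__main__":
    # CVE-0000-0003 stands in for the WebKit finding triaged as a false positive above.
    triaged = frozenset({"CVE-0000-0003"})
    print(format_table(high_findings(SAMPLE_REPORT, triaged)))
```

The `false_positives` set is only a stand-in for the triage record: once a finding such as the WebKit or Seam one has been judged a false positive, the durable place for that decision is a dependency-check suppression file, so the next scan of the same repository does not raise it again.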