Expected - pom.xml should contain OWASP dependency check plugin
```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>6.0.1</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```
OWASP check output:
```
One or more dependencies were identified with known vulnerabilities in LODE:

commons-beanutils-1.9.3.jar (pkg:maven/commons-beanutils/[email protected], cpe:2.3:a:apache:commons_beanutils:1.9.3:*:*:*:*:*:*:*) : CVE-2014-0114, CVE-2019-10086
commons-io-2.4.jar (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*) : CVE-2021-29425
guava-18.0.jar (pkg:maven/com.google.guava/[email protected], cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
guice-4.0-beta.jar/META-INF/maven/com.google.guava/guava/pom.xml (pkg:maven/com.google.guava/[email protected], cpe:2.3:a:google:guava:11.0.1:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
httpclient-4.2.3.jar (pkg:maven/org.apache.httpcomponents/[email protected], cpe:2.3:a:apache:httpclient:4.2.3:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2015-5262, CVE-2020-13956
httpclient-cache-4.2.5.jar (pkg:maven/org.apache.httpcomponents/[email protected], cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2020-13956
jackson-databind-2.3.3.jar (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.3.3:*:*:*:*:*:*:*) : CVE-2017-7525, CVE-2018-7489, CVE-2020-35490, CVE-2020-35491, CVE-2020-36518, CVE-2022-42003, CVE-2022-42004
jena-core-2.10.1.jar (pkg:maven/org.apache.jena/[email protected], cpe:2.3:a:apache:jena:2.10.1:*:*:*:*:*:*:*) : CVE-2021-39239, CVE-2022-28890
jena-iri-0.9.6.jar (pkg:maven/org.apache.jena/[email protected], cpe:2.3:a:apache:jena:0.9.6:*:*:*:*:*:*:*) : CVE-2021-39239, CVE-2022-28890
jquery.js (pkg:javascript/[email protected]) : CVE-2011-4969, CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023
log4j-1.2.17.jar (pkg:maven/log4j/[email protected], cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9493, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
org.apache.commons.io-2.4.jar (pkg:maven/org.apache.directory.studio/[email protected], cpe:2.3:a:apache:commons_io:2.4:*:*:*:*:*:*:*, cpe:2.3:a:apache:directory_studio:2.4:*:*:*:*:*:*:*) : CVE-2021-29425
owlapi-distribution-4.0.2.jar (pkg:maven/net.sourceforge.owlapi/[email protected], cpe:2.3:a:apache:commons-httpclient:4.0.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_io:4.0.2:*:*:*:*:*:*:*, cpe:2.3:a:binary_project:binary:4.0.2:*:*:*:*:*:*:*) : CVE-2012-6153
owlapi-distribution-4.0.2.jar: httpclient-4.2.5.jar (pkg:maven/org.apache.httpcomponents/[email protected], cpe:2.3:a:apache:httpclient:4.2.5:*:*:*:*:*:*:*) : CVE-2014-3577, CVE-2015-5262, CVE-2020-13956
owlapi-distribution-4.0.2.jar: xz-1.5.jar (cpe:2.3:a:tukaani:xz:1.5:*:*:*:*:*:*:*) : CVE-2015-4035
xercesImpl-2.11.0.jar (pkg:maven/xerces/[email protected], cpe:2.3:a:apache:xerces2_java:2.11.0:*:*:*:*:*:*:*) : CVE-2012-0881, CVE-2013-4002, CVE-2017-10355, CVE-2022-23437
```
@luigi-asprino @alessandro-russo do you think we can do something about this?