From e03a9d24f27708a1ff52547ce08680226390f154 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sun, 27 Oct 2024 20:04:50 +0000
Subject: [PATCH 1/5] fix: todolist-goof/Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN9-FREETYPE-1019584
- https://snyk.io/vuln/SNYK-DEBIAN9-INETUTILS-564742
- https://snyk.io/vuln/SNYK-DEBIAN9-SQLITE3-307593
- https://snyk.io/vuln/SNYK-DEBIAN9-WGET-300458
- https://snyk.io/vuln/SNYK-DEBIAN9-GLIBC-356506
---
todolist-goof/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/todolist-goof/Dockerfile b/todolist-goof/Dockerfile
index 3d4c4fdfda..b8cdb36b88 100644
--- a/todolist-goof/Dockerfile
+++ b/todolist-goof/Dockerfile
@@ -10,7 +10,7 @@ COPY todolist-web-common todolist-web-common COPY todolist-web-struts todolist-web-struts RUN --mount=target=$HOME/.m2,type=cache mvn install
-FROM tomcat:8.5.21
+FROM tomcat:8.5.100
 RUN mkdir /tmp/extracted_files COPY web.xml /usr/local/tomcat/conf/web.xml

From 37634a58a6e2ce5539221af418398f23b3992fb4 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sun, 27 Oct 2024 20:06:55 +0000
Subject: [PATCH 2/5] fix: todolist-goof/Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UBUNTU2204-EXPAT-7885369
- https://snyk.io/vuln/SNYK-UBUNTU2204-EXPAT-7885572
- https://snyk.io/vuln/SNYK-UBUNTU2204-KRB5-7413877
- https://snyk.io/vuln/SNYK-UBUNTU2204-KRB5-7413877
- https://snyk.io/vuln/SNYK-UBUNTU2204-WGET-7266700
---
todolist-goof/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/todolist-goof/Dockerfile b/todolist-goof/Dockerfile
index b8cdb36b88..928577a7de 100644
--- a/todolist-goof/Dockerfile
+++ b/todolist-goof/Dockerfile
@@ -10,7 +10,7 @@ COPY todolist-web-common todolist-web-common COPY todolist-web-struts todolist-web-struts RUN --mount=target=$HOME/.m2,type=cache mvn install
-FROM tomcat:8.5.100
+FROM tomcat:9.0.95-jdk8-corretto-al2
 RUN mkdir /tmp/extracted_files COPY web.xml /usr/local/tomcat/conf/web.xml

From e6327ccf0217dcaa2ab4cffe3a2d9689ca242919 Mon Sep 17 00:00:00 2001
From: MimiDas-Snyk
Date: Thu, 31 Oct 2024 13:36:36 -0400
Subject: [PATCH 3/5] Create main.yml

---
.github/workflows/main.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 .github/workflows/main.yml

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000000..b56803c8f0
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,11 @@
+name: Example workflow for Maven using Snyk
+on: push
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/maven@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

From e8af2d90bdb8adf31b9b78386291fab7ee5ba69a Mon Sep 17 00:00:00 2001
From: MimiDas-Snyk
Date: Thu, 31 Oct 2024 13:38:22 -0400
Subject: [PATCH 4/5] Update README.md

---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9e47442aab..6620af47ec 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 ## Java Goof
-This is a collection of Java demo apps that are vulnerable in different ways.
+This is a collection of Java demo apps that are vulnerable in different ways..
 It's divided into modules, each one having its own README:
 * [Todolist Goof](todolist-goof/README.md)
 * [Log4Shell Goof](log4shell-goof/README.md)
-* [Quickstart for running both Todolist with Log4Shell in Kubernetes](README-K8S.md)
\ No newline at end of file
+* [Quickstart for running both Todolist with Log4Shell in Kubernetes](README-K8S.md)

From 897c5103cc06d6684780627daec1175e7590a8b3 Mon Sep 17 00:00:00 2001
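Review bot: The new `FROM tomcat:9.0.95-jdk8-corretto-al2` line is a major Tomcat upgrade and, judging by the tag suffix, a switch to a different base OS, not the patch-level bump the preceding commit made. Tomcat 9 targets a newer Servlet API than the 8.5 line, so the webapp built by the `mvn install` stage above should be deployed and smoke-tested on the new runtime before this merges. The advisories in the message describe the old image's Ubuntu packages; the replacement image ships its own package set, so re-scan the built image rather than treating the list as closed. The tag is also mutable, so pinning the digest as well, e.g. `FROM tomcat:9.0.95-jdk8-corretto-al2@sha256:<image digest>`, keeps the base reproducible and lets the scanner report against exactly what is deployed.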
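Review bot: Both `uses:` lines reference a moving branch (`actions/checkout@master` and `snyk/actions/maven@master`), so the job executes whatever those default branches contain at run time, with `SNYK_TOKEN` present in its environment; pin each to a release tag or, better, a full commit SHA, e.g. `- uses: actions/checkout@<pinned commit SHA>` and `uses: snyk/actions/maven@<pinned commit SHA>`, and let Dependabot or Renovate keep the pins current. The workflow also declares no `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope; a scan-only job needs nothing beyond a top-level `permissions:` with `contents: read`. If the intent is to gate on findings, note that the Snyk step is the last in the job and nothing here consumes its output, so a failing scan only surfaces as a red run.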
From: snyk-bot
Date: Fri, 15 Nov 2024 17:47:18 +0000
Subject: [PATCH 5/5] fix: todolist-goof/todolist-web-struts/pom.xml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720
---
todolist-goof/todolist-web-struts/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/todolist-goof/todolist-web-struts/pom.xml b/todolist-goof/todolist-web-struts/pom.xml
index e58874f827..f64788a41d 100644
--- a/todolist-goof/todolist-web-struts/pom.xml
+++ b/todolist-goof/todolist-web-struts/pom.xml
@@ -27,7 +27,7 @@ org.apache.logging.log4j log4j-core
- 2.7
+ 2.12.2
 org.apache.logging.log4j