Skip to content
This repository has been archived by the owner on Oct 29, 2024. It is now read-only.

CVEs in the execution path imported by dependencies #337

Open
CleWang opened this issue Mar 1, 2020 · 0 comments
Open

CVEs in the execution path imported by dependencies #337

CleWang opened this issue Mar 1, 2020 · 0 comments

Comments

@CleWang
Copy link

CleWang commented Mar 1, 2020

Your project are using some dependencies with CVEs. I found the buggy methods of the CVEs are in the program execution path of your project, which makes your project at risk. I suggest a version update to increase the security of your project. Details are listed below:

  • Vulnerable Dependency: org.apache.httpcomponents : httpclient : 4.3

  • Call Chain to Buggy Methods:

    • Some files in your project call the library method org.apache.http.impl.client.HttpClientBuilder.build(), which can reach the buggy method of CVE-2013-4366.

      • Files in your project:
        src/main/java/com/uber/jenkins/phabricator/conduit/ConduitAPIClient.java
      • One of the possible call chain:
      org.apache.http.impl.client.HttpClientBuilder.build() [buggy method]

  • Update suggestion: version 4.5.11
    4.5.11 is a safe version without CVEs. From 4.3 to 4.5.11, 2 of the APIs (called by 3 times in your project) were modified.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@CleWang