Vignesh Gupta
Reputation: 21
What to do when Owasp dependency finds vulnerabilities
I want to ask, that what to do when Owasp dependency-check finds vulnerabilities.
I've recently deployed to a project and I'm a fresher, so I don't know what to do.
I've got a list of dependency those are vulnerabilities so how to find the stable one so that I can update that.
Here is the error.
One or more dependencies were identified with known vulnerabilities in <Project-name>:
commons-beanutils-1.9.4.jar (pkg:maven/commons-beanutils/[email protected], cpe:2.3:a:apache:commons_beanutils:1.9.4:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:1.9.4:*:*:*:*:*:*:*) : CVE-2021-37533
commons-cli-1.4.jar (pkg:maven/commons-cli/[email protected], cpe:2.3:a:apache:commons_net:1.4:*:*:*:*:*:*:*) : CVE-2021-37533
commons-codec-1.11.jar (pkg:maven/commons-codec/[email protected], cpe:2.3:a:apache:commons_net:1.11:*:*:*:*:*:*:*) : CVE-2021-37533
commons-codec-1.15.jar (pkg:maven/commons-codec/[email protected], cpe:2.3:a:apache:commons_net:1.15:*:*:*:*:*:*:*) : CVE-2021-37533
commons-collections-3.2.2.jar (pkg:maven/commons-collections/[email protected], cpe:2.3:a:apache:commons_collections:3.2.2:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:3.2.2:*:*:*:*:*:*:*) : CVE-2021-37533
commons-fileupload-1.4.jar (pkg:maven/commons-fileupload/[email protected], cpe:2.3:a:apache:commons_fileupload:1.4:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:1.4:*:*:*:*:*:*:*) : CVE-2021-37533
commons-io-2.6.jar (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_net:2.6:*:*:*:*:*:*:*) : CVE-2021-37533
commons-io-2.7.jar (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_io:2.7:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:2.7:*:*:*:*:*:*:*) : CVE-2021-37533
commons-lang-2.4.jar (pkg:maven/commons-lang/[email protected], cpe:2.3:a:apache:commons_net:2.4:*:*:*:*:*:*:*) : CVE-2021-37533
commons-logging-1.2.jar (pkg:maven/commons-logging/[email protected], cpe:2.3:a:apache:commons_net:1.2:*:*:*:*:*:*:*) : CVE-2021-37533
commons-text-1.7.jar (pkg:maven/org.apache.commons/[email protected], cpe:2.3:a:apache:commons_net:1.7:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_text:1.7:*:*:*:*:*:*:*) : CVE-2021-37533, CVE-2022-42889
jackson-databind-2.11.4.jar (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.11.4:*:*:*:*:*:*:*) : CVE-2022-42003, CVE-2022-42004
lang-tag-1.4.4.jar (pkg:maven/com.nimbusds/[email protected], cpe:2.3:a:nim-lang:nim-lang:1.4.4:*:*:*:*:*:*:*, cpe:2.3:a:tag_project:tag:1.4.4:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
logstash-logback-encoder-5.3.jar/META-INF/maven/commons-lang/commons-lang/pom.xml (pkg:maven/commons-lang/[email protected], cpe:2.3:a:apache:commons_net:2.6:*:*:*:*:*:*:*) : CVE-2021-37533
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-buffer/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-codec-dns/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-codec-http/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-codec-socks/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-codec/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-common/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-handler-proxy/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-handler/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-resolver-dns-classes-macos/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-resolver-dns-native-macos/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-resolver-dns/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-resolver/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-transport-native-epoll/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
micrometer-registry-statsd-1.8.1.jar/META-INF/maven/io.netty/netty-transport/pom.xml (pkg:maven/io.netty/[email protected], cpe:2.3:a:netty:netty:4.1.70:*:*:*:*:*:*:*) : CVE-2021-43797, CVE-2022-24823
postgresql-42.2.18.jar (pkg:maven/org.postgresql/[email protected], cpe:2.3:a:postgresql:postgresql:42.2.18:*:*:*:*:*:*:*, cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.2.18:*:*:*:*:*:*:*) : CVE-2022-31197, CVE-2022-41946
scala-library-2.13.4.jar (pkg:maven/org.scala-lang/[email protected], cpe:2.3:a:scala-lang:scala:2.13.4:*:*:*:*:*:*:*) : CVE-2022-36944
scala-reflect-2.13.2.jar (pkg:maven/org.scala-lang/[email protected], cpe:2.3:a:scala-lang:scala:2.13.2:*:*:*:*:*:*:*) : CVE-2022-36944
snakeyaml-1.27.jar (pkg:maven/org.yaml/[email protected], cpe:2.3:a:snakeyaml_project:snakeyaml:1.27:*:*:*:*:*:*:*, cpe:2.3:a:yaml_project:yaml:1.27:*:*:*:*:*:*:*) : CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854
spring-security-config-5.4.9.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.4.9:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-core-5.4.9.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.4.9:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-crypto-5.4.9.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.4.9:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-web-5.4.9.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.4.9:*:*:*:*:*:*:*) : CVE-2018-1258
tomcat-embed-core-9.0.54.jar (pkg:maven/org.apache.tomcat.embed/[email protected], cpe:2.3:a:apache:tomcat:9.0.54:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.54:*:*:*:*:*:*:*) : CVE-2021-43980, CVE-2022-34305, CVE-2022-42252
tomcat-embed-websocket-9.0.55.jar (pkg:maven/org.apache.tomcat.embed/[email protected], cpe:2.3:a:apache:tomcat:9.0.55:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.55:*:*:*:*:*:*:*) : CVE-2021-43980, CVE-2022-34305, CVE-2022-42252
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml (pkg:maven/com.fasterxml.jackson.core/[email protected], cpe:2.3:a:fasterxml:jackson-databind:2.12.3:*:*:*:*:*:*:*) : CVE-2022-42003, CVE-2022-42004
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/commons-io/commons-io/pom.xml (pkg:maven/commons-io/[email protected], cpe:2.3:a:apache:commons_io:2.9.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:2.9.0:*:*:*:*:*:*:*) : CVE-2021-37533
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.apache.commons/commons-lang3/pom.xml (pkg:maven/org.apache.commons/[email protected], cpe:2.3:a:apache:commons_net:3.8.1:*:*:*:*:*:*:*) : CVE-2021-37533
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.apache.commons/commons-text/pom.xml (pkg:maven/org.apache.commons/[email protected], cpe:2.3:a:apache:commons_net:1.6:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_text:1.6:*:*:*:*:*:*:*) : CVE-2021-37533, CVE-2022-42889
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty.http2/http2-common/pom.xml (pkg:maven/org.eclipse.jetty.http2/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty.http2/http2-server/pom.xml (pkg:maven/org.eclipse.jetty.http2/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty_http_server:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-alpn-client/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-alpn-conscrypt-client/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-alpn-conscrypt-server/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-alpn-server/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-client/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-continuation/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-servlets/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util-ajax/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-webapp/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
wiremock-jre8-standalone-2.28.1.jar/META-INF/maven/org.eclipse.jetty/jetty-xml/pom.xml (pkg:maven/org.eclipse.jetty/[email protected], cpe:2.3:a:eclipse:jetty:9.4.41:20210516:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.41:20210516:*:*:*:*:*:*) : CVE-2022-2047, CVE-2022-2048
See the dependency-check report for more details.
Help will be highly appreciated.
Thanks
I'm expecting any suggestion for the next step
Upvotes: 2
Views: 1157
Answers (1)
Adrian B.
Reputation: 1570
We don't have sufficient context for this, so I'm going to assume we're talking about Maven and it's dependency check plugin.
Any dependency found to be problematic. Use Mvn Repo to identify newer (not vulnerable) libs. I've added as an example the scala lib, and you can see a column with known vulnerabilities for it. pick one that is not vulnerable and update your pom.xml file with it. If you notive that Maven does not update the dependency based on whatever version you supply, it could be that you're getting a transitive dependency from somewhere else that's overriding you. to discover it, you can use mvn dependency:tree in a command line to see from where each version is resolved. And, if there's no other option, look into using dependencyManagement in your pom.xml to impose a specific version.
There is also the case that there is no vulnerability-free version available, in which case, you should either replace the library, or, if it's an acceptable risk, look into using suppression files (see example 7 in the plugin link above) for that particular CVE.
nvd.nist.gov is a very good site where you can find details about each individual CVE. You can find the CVE number at the end of each finding in your report. Search for it on this website and it should tell you if there is any special remediation to be done or even how to reproduce to find out if you're vulnerable.
Upvotes: 3
Related Questions
- Disable modules in owasp dependency-check maven plugin
- OWASP dependency-check maven vs command line not same results
- OWASP Dependency check : Adding modelVersion version to dependency check report
- dependency-check for application code
- Solving Maven dependency convergence issues
- dependency-check-maven - suppression not working
- Resolving dependency conflicts in maven
- Suppress OWASP findings for JAR in certain dependency
- What's the reliability of OWASP's dependency-check-maven?
- OWASP Dependency Check determines wrong artifacts