Sabarivasan

Reputation: 83

Addressing critical vulnerabilities in Maven dependencies

I'm working on a Java Jersey application. In my pom.xml file, I've included certain Maven dependencies that have critical vulnerabilities. Even after upgrading to the latest versions, some of these dependencies still exhibit critical vulnerabilities.

I'm utilizing the open-source OWASP dependency tool to scan for vulnerabilities in my dependencies. The specific dependencies I'm concerned about are:

  1. cassandra-driver-extras-3.11.4.jar
  2. jackson-databind-2.15.2.jar
  3. json-20230618.jar
  4. spark-core_2.13-3.4.1.jar
  5. spring-boot-starter-parent 3.1.2
  6. org.apache.kerby:kerb-server:1.0.1 (I'm unable to determine its source of download)

I'm wondering if these dependencies indeed have critical vulnerabilities. If they do, could you please advise on how to address this issue?

I would appreciate any recommendations for alternative open-source tools that can check for dependency vulnerabilities.

I have upgraded the dependencies to the latest version, but the scan still shows critical vulnerabilities.

Upvotes: 8

Views: 10917

Answers (3)

Sanjay Bharwani

Reputation: 4809

How to address vulnerabilities? It differs case by case, but below is what we prefer / used.

  • Go through the vulnerability report.
  • Critical ones are to be handled for sure. In most cases the third party will already have released a fixed version for the vulnerability, so just update the version (mostly this will be a patch version, so it is very safe to use and should be backward compatible).
  • Follow these steps for all dependencies.

I will share a quick example. We were using SpringBoot 3.3.0

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.3.0</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>

And when we integrated the OWASP plugin, the report showed vulnerability CVE-2024-38820 in the jars below.

  1. spring-core-6.1.8.jar
  2. spring-web-6.1.8.jar
  3. spring-webmvc-6.1.8.jar

Before SpringBoot upgrade

A quick Google search leads to the Spring release-specific page: https://spring.io/security/cve-2024-38820 We then looked at the Spring Boot release notes, identified that they had released patch version 3.3.5, and simply updated pom.xml:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.3.5</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>

And we have 6 fewer vulnerabilities.

  • If the vulnerability is not yet fixed by the third-party library, then we can add suppressions. The approach we prefer is to use "suppress until" instead of a plain "suppress".

For example, the suppression entry below in suppressions.xml suppresses the vulnerability CVE-2024-47535 until 30th March 2025. This acts as a reminder to revisit it, as the build will start failing after this date.

<suppress until="2025-03-30Z">
    <notes><![CDATA[ file name: netty-common-4.1.114.Final.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty-common@.*$</packageUrl>
    <vulnerabilityName>CVE-2024-47535</vulnerabilityName>
</suppress>

The suppression file can be defined in the OWASP plugin configuration (in pom.xml if Maven is used):

<configuration>
    <suppressionFile>config/dependency-check/suppressions.xml</suppressionFile>
</configuration>

Upvotes: 1
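One way to make sure the "until" reminders are not forgotten, as an added example that is neither from the answer above nor from the dependency-check project: a small Python check that parses a suppressions.xml and classifies each entry as permanent, active, expiring within a warning window, or already expired. The sample file is constructed from the entry shown above, and the xsd namespace on the root element is an assumption; the check works with or without it.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed sample modelled on the suppression entry in the answer above;
# not a real project's suppressions.xml. The namespace is assumed.
SAMPLE_SUPPRESSIONS = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2025-03-30Z">
    <notes><![CDATA[ file name: netty-common-4.1.114.Final.jar ]]></notes>
    <packageUrl regex="true">^pkg:maven/io\\.netty/netty-common@.*$</packageUrl>
    <vulnerabilityName>CVE-2024-47535</vulnerabilityName>
  </suppress>
  <suppress>
    <notes><![CDATA[ false positive: CPE of Apache Cassandra matched the driver ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\\.datastax\\.cassandra/cassandra-driver-extras@.*$</packageUrl>
    <cpe>cpe:/a:apache:cassandra</cpe>
  </suppress>
</suppressions>
"""

def _local(tag):
    """Strip an XML namespace prefix so tags match with or without the xsd namespace."""
    return tag.rsplit("}", 1)[-1]

def audit_suppressions(xml_text, today, warn_days=30):
    """Classify every <suppress> entry as permanent, active, expiring or expired."""
    results = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != "suppress":
            continue
        # What the entry suppresses: CVE names and/or CPE matches.
        targets = [c.text.strip() for c in node
                   if _local(c.tag) in ("vulnerabilityName", "cve", "cpe") and c.text]
        until = node.get("until")
        if until is None:
            status = "permanent"
        else:
            # 'until' is an xs:date such as 2025-03-30Z; keep the calendar date only.
            expiry = date.fromisoformat(until[:10])
            if expiry < today:
                status = "expired"
            elif expiry - today <= timedelta(days=warn_days):
                status = "expiring"
            else:
                status = "active"
        results.append({"targets": targets, "until": until, "status": status})
    return results

if __name__ == "__main__":
    for entry in audit_suppressions(SAMPLE_SUPPRESSIONS, date.today()):
        print(f"{entry['status']:10} {entry['until'] or '-':12} {', '.join(entry['targets'])}")
```

Run it against your real suppressions.xml in CI and fail the job on any "expired" entry, so the reminder fires before the dependency-check build itself starts failing.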

Daud Malik

Reputation: 71

If you have the pom.xml file, you can easily check it on the Vulert playground. It will list all vulnerabilities caused by the dependencies in the pom.xml.

Upvotes: 1

Pino

Reputation: 9333

The output of the OWASP dependency check tool (like any other similar tool) must be examined carefully because it can contain false positives (very common with the OWASP tool) and "disputed" vulnerabilities.

I have created the following POM containing exactly the dependencies you have listed plus the latest version of the OWASP dependency-check-maven plugin:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <name>Test App</name>
    <groupId>test</groupId>
    <artifactId>testApp</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <packaging>jar</packaging>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.2</version>
        <relativePath />
    </parent>

    <dependencies>
        <dependency>
            <groupId>com.datastax.cassandra</groupId>
            <artifactId>cassandra-driver-extras</artifactId>
            <version>3.11.4</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.15.2</version>
        </dependency>
        <dependency>
            <groupId>org.json</groupId>
            <artifactId>json</artifactId>
            <version>20230618</version>
        </dependency>
        <dependency>
            <groupId>org.apache.spark</groupId>
            <artifactId>spark-core_2.13</artifactId>
            <version>3.4.1</version>
        </dependency>
        <dependency>
            <groupId>org.apache.kerby</groupId>
            <artifactId>kerb-server</artifactId>
            <version>1.0.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>8.4.0</version>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

Then I executed mvn verify on it. The resulting vulnerability report says:

Vulnerable Dependencies: 25
Vulnerabilities Found: 56

Let's examine only the vulnerabilities of the first 3 libraries you listed:

  1. cassandra-driver-extras-3.11.4.jar: it's a false positive because the tool reports the CVEs of Apache Cassandra which is another software.
  2. jackson-databind-2.15.2.jar: it's the latest version and it has just one CVE labeled as "disputed". It's up to you to decide if it can be ignored.
  3. json-20230618.jar: it's a false positive because the report says that "versions up to (excluding) 20230227" are vulnerable but your version is newer.

And so on.

With the same POM, plus a dummy main class, I generated a Docker image with:

mvn spring-boot:build-image -Dspring-boot.build-image.imageName=myapp

Then I checked it with trivy (another tool for vulnerability scanning). With trivy, false positives are rare and, in fact, the three analyzed above do not appear; however, the report still lists a lot of CVEs:

Total: 42 (UNKNOWN: 0, LOW: 4, MEDIUM: 27, HIGH: 10, CRITICAL: 1)

Upvotes: 6
