fix(security): vulnerabilities found in corda-4-8-all-in-one #2064

zondervancalvez · 2022-06-01T08:10:53Z

List of vulnerabilities found in corda-4-8-all-in-one image during Azure Container scan.

VULNERABILITY ID	PACKAGE NAME	SEVERITY
CVE-2021-36159	apk-tools	CRITICAL
CVE-2021-30139	apk-tools	HIGH
CVE-2022-28391	busybox	CRITICAL
CVE-2021-28831	busybox	HIGH
CVE-2021-42378	busybox	HIGH
CVE-2018-15756	org.springframework:spring-core	HIGH
CVE-2022-22970	org.springframework:spring-core	HIGH
CVE-2022-22965	org.springframework:spring-webmvc	CRITICAL
CVE-2020-5398	org.springframework:spring-webmvc	HIGH
CVE-2017-18640	org.yaml:snakeyaml	HIGH
CVE-2017-18640	org.yaml:snakeyaml	HIGH
CVE-2017-18640	org.yaml:snakeyaml	HIGH
CVE-2017-18640	org.yaml:snakeyaml	HIGH

Depends on #2621

petermetz · 2022-06-02T17:02:07Z

P4 because the Corda AIO images are not meant to be used in production.

charellesandig · 2022-10-05T06:18:31Z

Hi Peter! I'd like to work on this ticket, thank you.

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

aldousalvarez · 2023-09-01T07:55:59Z

Hello @jagpreetsinghsasan I am also currently helping on this one.

github-actions · 2023-09-01T08:00:19Z

This PR/issue depends on:

build(corda-all-in-one-obligation): fix image build error - unable to select packages #2621
By Dependent Issues (🤖). Happy coding!

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto · 2023-09-21T07:28:56Z

The vulnerability issues found on the Trivy scan had to do with the Corda jar files. I'll raise a ticket to corda giving them the list of vulnerabilities we have found so they can fix it. Will update this ticket with the issue ticket raised to corda once I have it.

petermetz · 2023-11-07T16:29:47Z

@adrianbatuto Could you please make the issue title unique (CVE ID or IDs of the most severe vulnerabilities is my go-to in these cases - while keeping in mind the maximum length for the commit linter at the same time)

petermetz · 2024-07-12T14:56:52Z

We've retired the corda v4.8 AIO image. Also, we'll pause fixes of CVEs in test tools as they are not getting deployed into production.

petermetz added bug Something isn't working good-first-issue Good for newcomers dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities good-first-issue-300-advanced P4 Priority 4: Low Corda labels Jun 2, 2022

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 4, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

deb8296

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 4, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

cdf80b5

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 4, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

321e8f4

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 4, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

1716bf5

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 5, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

18bc3f4

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 5, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

d91c8af

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 5, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

44f24f2

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 9, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

1d69d1d

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 9, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

ddce0ea

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 10, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

530f4a2

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 10, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

80df843

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 10, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

34dab2f

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 11, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

7654adf

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 12, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

1042a2e

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 12, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

08392da

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 12, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

8570b1f

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 16, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

461f6d7

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 16, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

54cace8

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 16, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

3e73e84

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 16, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

be02640

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

charellesandig added a commit to charellesandig/cactus that referenced this issue Jan 16, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one Fixes hy…

5fa8091

…perledger-cacti#2064 Signed-off-by: charelle <[email protected]>

petermetz assigned adrianbatuto Aug 31, 2023

jagpreetsinghsasan moved this from Todo to In Progress in Cacti_Scrum_Project_v2_Release Sep 1, 2023

jagpreetsinghsasan assigned aldousalvarez Sep 1, 2023

github-actions bot added the dependent label Sep 1, 2023

jagpreetsinghsasan moved this from In Progress to Blocked in Cacti_Scrum_Project_v2_Release Sep 6, 2023

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 8, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

50ed251

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 8, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

53e6773

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

jagpreetsinghsasan moved this from Blocked to In Progress in Cacti_Scrum_Project_v2_Release Sep 8, 2023

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 8, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

65d8f99

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 8, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

b853f63

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto mentioned this issue Sep 8, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one adrianbatuto/cacti#3

Draft

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 8, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

8fa8f0c

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 11, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

473e586

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 11, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

cee3bbf

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 12, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

83dea59

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto added a commit to adrianbatuto/cacti that referenced this issue Sep 13, 2023

fix(security): vulnerabilities found in corda-4-8-all-in-one

5d84257

Fixes hyperledger-cacti#2064 Signed-off-by: adrianbatuto <[email protected]>

adrianbatuto moved this from In Progress to Blocked in Cacti_Scrum_Project_v2_Release Oct 4, 2023

jagpreetsinghsasan unassigned aldousalvarez and adrianbatuto May 9, 2024

petermetz modified the milestones: v2.0.0-rc.0, v2.0.0-rc.2 Jun 27, 2024

petermetz modified the milestones: v2.0.0-rc.2, v2.0.0-rc.3 Jul 5, 2024

petermetz closed this as not planned Won't fix, can't repro, duplicate, stale Jul 12, 2024

github-project-automation bot moved this from Blocked to Done in Cacti_Scrum_Project_v2_Release Jul 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(security): vulnerabilities found in corda-4-8-all-in-one #2064

fix(security): vulnerabilities found in corda-4-8-all-in-one #2064

zondervancalvez commented Jun 1, 2022 •

edited by jagpreetsinghsasan

Loading

petermetz commented Jun 2, 2022

charellesandig commented Oct 5, 2022

aldousalvarez commented Sep 1, 2023

github-actions bot commented Sep 1, 2023

adrianbatuto commented Sep 21, 2023

petermetz commented Nov 7, 2023

petermetz commented Jul 12, 2024

fix(security): vulnerabilities found in corda-4-8-all-in-one #2064

fix(security): vulnerabilities found in corda-4-8-all-in-one #2064

Comments

zondervancalvez commented Jun 1, 2022 • edited by jagpreetsinghsasan Loading

petermetz commented Jun 2, 2022

charellesandig commented Oct 5, 2022

aldousalvarez commented Sep 1, 2023

github-actions bot commented Sep 1, 2023

adrianbatuto commented Sep 21, 2023

petermetz commented Nov 7, 2023

petermetz commented Jul 12, 2024

zondervancalvez commented Jun 1, 2022 •

edited by jagpreetsinghsasan

Loading