luisillobret2 / spring-petclinic Goto Github PK

View Code? Open in Web Editor NEW

This project forked from spring-projects/spring-petclinic

0.0 0.0 0.0 7.23 MB

A sample Spring-based application

License: Apache License 2.0

Java 27.03% CSS 64.90% HTML 5.35% Dockerfile 0.24% SCSS 2.47%

spring-petclinic's Introduction

Spring PetClinic Sample Application

Understanding the Spring Petclinic application with a few diagrams

See the presentation here

Running petclinic locally

Petclinic is a Spring Boot application built using Maven or Gradle. You can build a jar file and run it from the command line (it should work just as well with Java 17 or newer):

git clone https://github.com/spring-projects/spring-petclinic.git
cd spring-petclinic
./mvnw package
java -jar target/*.jar

You can then access petclinic at http://localhost:8080/

Or you can run it from Maven directly using the Spring Boot Maven plugin. If you do this, it will pick up changes that you make in the project immediately (changes to Java source files require a compile as well - most people use an IDE for this):

./mvnw spring-boot:run

NOTE: Windows users should set git config core.autocrlf true to avoid format assertions failing the build (use --global to set that flag globally).

NOTE: If you prefer to use Gradle, you can build the app using ./gradlew build and look for the jar file in build/libs.

Building a Container

There is no Dockerfile in this project. You can build a container image (if you have a docker daemon) using the Spring Boot build plugin:

./mvnw spring-boot:build-image

In case you find a bug/suggested improvement for Spring Petclinic

Our issue tracker is available here

Database configuration

In its default configuration, Petclinic uses an in-memory database (H2) which gets populated at startup with data. The h2 console is exposed at http://localhost:8080/h2-console, and it is possible to inspect the content of the database using the jdbc:h2:mem:testdb url.

A similar setup is provided for MySQL and PostgreSQL if a persistent database configuration is needed. Note that whenever the database type changes, the app needs to run with a different profile: spring.profiles.active=mysql for MySQL or spring.profiles.active=postgres for PostgreSQL.

You can start MySQL or PostgreSQL locally with whatever installer works for your OS or use docker:

docker run -e MYSQL_USER=petclinic -e MYSQL_PASSWORD=petclinic -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=petclinic -p 3306:3306 mysql:8.0

docker run -e POSTGRES_USER=petclinic -e POSTGRES_PASSWORD=petclinic -e POSTGRES_DB=petclinic -p 5432:5432 postgres:15.2

Further documentation is provided for MySQL and for PostgreSQL.

Compiling the CSS

There is a petclinic.css in src/main/resources/static/resources/css. It was generated from the petclinic.scss source, combined with the Bootstrap library. If you make changes to the scss, or upgrade Bootstrap, you will need to re-compile the CSS resources using the Maven profile "css", i.e. ./mvnw package -P css. There is no build profile for Gradle to compile the CSS.

Working with Petclinic in your IDE

Prerequisites

The following items should be installed in your system:

Java 17 or newer (full JDK, not a JRE).
git command line tool
Your preferred IDE
- Eclipse with the m2e plugin. Note: when m2e is available, there is an m2 icon in Help -> About dialog. If m2e is not there, follow the install process here
- Spring Tools Suite (STS)
- IntelliJ IDEA
- VS Code

Steps:

On the command line run:

git clone https://github.com/spring-projects/spring-petclinic.git

Inside Eclipse or STS:
```
File -> Import -> Maven -> Existing Maven project
```
Then either build on the command line ./mvnw generate-resources or use the Eclipse launcher (right click on project and Run As -> Maven install) to generate the css. Run the application main method by right-clicking on it and choosing Run As -> Java Application.
Inside IntelliJ IDEA In the main menu, choose File -> Open and select the Petclinic pom.xml. Click on the Open button.

CSS files are generated from the Maven build. You can build them on the command line ./mvnw generate-resources or right-click on the spring-petclinic project then Maven -> Generates sources and Update Folders.

A run configuration named PetClinicApplication should have been created for you if you're using a recent Ultimate version. Otherwise, run the application by right-clicking on the PetClinicApplication main class and choosing Run 'PetClinicApplication'.
Navigate to Petclinic

Visit http://localhost:8080 in your browser.

Looking for something in particular?

Spring Boot Configuration	Class or Java property files
The Main Class	PetClinicApplication
Properties Files	application.properties
Caching	CacheConfiguration

Interesting Spring Petclinic branches and forks

The Spring Petclinic "main" branch in the spring-projects GitHub org is the "canonical" implementation based on Spring Boot and Thymeleaf. There are quite a few forks in the GitHub org spring-petclinic. If you are interested in using a different technology stack to implement the Pet Clinic, please join the community there.

Interaction with other open source projects

One of the best parts about working on the Spring Petclinic application is that we have the opportunity to work in direct contact with many Open Source projects. We found bugs/suggested improvements on various topics such as Spring, Spring Data, Bean Validation and even Eclipse! In many cases, they've been fixed/implemented in just a few days. Here is a list of them:

Name	Issue
Spring JDBC: simplify usage of NamedParameterJdbcTemplate	SPR-10256 and SPR-10257
Bean Validation / Hibernate Validator: simplify Maven dependencies and backward compatibility	HV-790 and HV-792
Spring Data: provide more flexibility when working with JPQL queries	DATAJPA-292

Contributing

The issue tracker is the preferred channel for bug reports, features requests and submitting pull requests.

For pull requests, editor preferences are available in the editor config for easy use in common text editors. Read more and download plugins at https://editorconfig.org. If you have not previously done so, please fill out and submit the Contributor License Agreement.

License

The Spring PetClinic sample application is released under version 2.0 of the Apache License.

spring-petclinic's People

Contributors

spring-petclinic's Issues

spring-boot-devtools-3.0.4.jar: 2 vulnerabilities (highest severity is: 8.7) - autoclosed

Vulnerable Library - spring-boot-devtools-3.0.4.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.0.4/spring-boot-3.0.4.jar

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-boot-devtools version)	Remediation Possible**	Reachability
CVE-2023-20883	High	8.7	Not Defined	0.1%	spring-boot-autoconfigure-3.0.4.jar	Transitive	3.0.7	✅
CVE-2023-34055	High	7.1	Not Defined	0.0%	spring-boot-3.0.4.jar	Transitive	3.0.13	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-20883

Vulnerable Library - spring-boot-autoconfigure-3.0.4.jar

Spring Boot AutoConfigure

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/3.0.4/spring-boot-autoconfigure-3.0.4.jar

Dependency Hierarchy:

spring-boot-devtools-3.0.4.jar (Root Library)
- ❌ spring-boot-autoconfigure-3.0.4.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Publish Date: 2023-05-26

URL: CVE-2023-20883

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 3.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-34055

Vulnerable Library - spring-boot-3.0.4.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.0.4/spring-boot-3.0.4.jar

Dependency Hierarchy:

spring-boot-devtools-3.0.4.jar (Root Library)
- ❌ spring-boot-3.0.4.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Vulnerability Details

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

the application uses Spring MVC or Spring WebFlux
org.springframework.boot:spring-boot-actuator is on the classpath

Publish Date: 2023-11-28

URL: CVE-2023-34055

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (7.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-34055

Release Date: 2023-11-28

Fix Resolution (org.springframework.boot:spring-boot): 3.0.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 3.0.13

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

Dockerfile - Ensure that a user for the container has been created

Violation detected in /Dockerfile:[1-13]

📃 File Type: dockerfile

⛔ Details - Ensure that a user for the container has been created

spring-boot-starter-thymeleaf-3.0.4.jar: 1 vulnerabilities (highest severity is: 7.7) unreachable

Vulnerable Library - spring-boot-starter-thymeleaf-3.0.4.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.thymeleaf/thymeleaf/3.1.1.RELEASE/374a129dfa5e7d7f1a46eacc4d49e594ca0cf26f/thymeleaf-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/3.1.1.RELEASE/thymeleaf-3.1.1.RELEASE.jar

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-boot-starter-thymeleaf version)	Remediation Possible**	Reachability
CVE-2023-38286	High	7.7	Not Defined	0.1%	thymeleaf-3.1.1.RELEASE.jar	Transitive	N/A*	❌	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-38286

Vulnerable Library - thymeleaf-3.1.1.RELEASE.jar

Library home page: https://www.thymeleaf.org

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-thymeleaf-3.0.4.jar (Root Library)
- thymeleaf-spring6-3.1.1.RELEASE.jar
  - ❌ thymeleaf-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

Publish Date: 2023-07-14

URL: CVE-2023-38286

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (7.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7gj7-224w-vpr3

Release Date: 2023-07-14

Fix Resolution: de.codecentric:spring-boot-admin-server:3.1.2;rg.thymeleaf:thymeleaf:3.1.2.RELEASE

spring-boot-starter-actuator-3.0.4.jar: 7 vulnerabilities (highest severity is: 9.3) reachable

Vulnerable Library - spring-boot-starter-actuator-3.0.4.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/6.0.6/2006ee0e1be8380f05c29deb52a97d3a1e6812d7/spring-expression-6.0.6.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.6/spring-expression-6.0.6.jar

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-boot-starter-actuator version)	Remediation Possible**	Reachability
CVE-2023-20863	High	7.1	Not Defined	0.3%	spring-expression-6.0.6.jar	Transitive	3.0.7	✅	Reachable
CVE-2023-20861	High	7.1	Not Defined	0.1%	spring-expression-6.0.6.jar	Transitive	3.0.5	✅	Reachable
CVE-2023-34055	Medium	6.9	Not Defined	0.0%	spring-boot-3.0.4.jar	Transitive	3.0.13	✅	Reachable
CVE-2023-20873	Critical	9.3	Not Defined	0.70000005%	spring-boot-actuator-autoconfigure-3.0.4.jar	Transitive	3.0.7	✅	Unreachable
CVE-2023-20883	High	8.7	Not Defined	0.1%	spring-boot-autoconfigure-3.0.4.jar	Transitive	3.0.7	✅	Unreachable
CVE-2022-1471	High	8.7	Not Defined	2.1%	snakeyaml-1.33.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-6378	High	8.2	Not Defined	0.0%	logback-classic-1.4.5.jar	Transitive	3.0.7	✅	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-20863

Vulnerable Library - spring-expression-6.0.6.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - spring-boot-3.0.4.jar
    - spring-context-6.0.6.jar
      - ❌ spring-expression-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
    -> org.springframework.context.event.EventListenerMethodProcessor (Extension)
    ...
      -> org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
       -> org.springframework.expression.spel.standard.SpelExpression (Extension)
        -> ❌ org.springframework.expression.spel.SpelMessage (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 4 Score Details (7.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 6.0.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-20861

Vulnerable Library - spring-expression-6.0.6.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - spring-boot-3.0.4.jar
    - spring-context-6.0.6.jar
      - ❌ spring-expression-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.context.annotation.ComponentScan (Extension)
    -> org.springframework.context.support.AbstractApplicationContext (Extension)
    ...
      -> org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
       -> org.springframework.expression.spel.standard.InternalSpelExpressionParser (Extension)
        -> ❌ org.springframework.expression.spel.ast.OperatorMatches (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (7.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 6.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2023-34055

Vulnerable Library - spring-boot-3.0.4.jar

Spring Boot

Library home page: https://spring.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/3.0.4/spring-boot-3.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.0.4/27e5fceb2faf8ec399df70a2ff4e626a3423ae35/spring-boot-3.0.4.jar

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - ❌ spring-boot-3.0.4.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.SpringApplication (Extension)
   -> org.springframework.boot.SpringApplicationBannerPrinter (Extension)
    -> org.springframework.boot.SpringBootBanner (Extension)
     -> ❌ org.springframework.boot.ansi.AnsiOutput (Vulnerable Component)

Vulnerability Details

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

the application uses Spring MVC or Spring WebFlux
org.springframework.boot:spring-boot-actuator is on the classpath

Publish Date: 2023-11-28

URL: CVE-2023-34055

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (6.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-34055

Release Date: 2023-11-28

Fix Resolution (org.springframework.boot:spring-boot): 3.0.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.0.13

In order to enable automatic remediation, please create workflow rules

CVE-2023-20873

Vulnerable Library - spring-boot-actuator-autoconfigure-3.0.4.jar

Spring Boot Actuator AutoConfigure

Library home page: https://spring.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-actuator-autoconfigure/3.0.4/spring-boot-actuator-autoconfigure-3.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-actuator-autoconfigure/3.0.4/9ec4171920a6f1f825a221a0622e2333ea9d4ba8/spring-boot-actuator-autoconfigure-3.0.4.jar

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- ❌ spring-boot-actuator-autoconfigure-3.0.4.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.

Publish Date: 2023-04-20

URL: CVE-2023-20873

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

CVSS 4 Score Details (9.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20873

Release Date: 2023-04-20

Fix Resolution (org.springframework.boot:spring-boot-actuator-autoconfigure): 3.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-20883

Vulnerable Library - spring-boot-autoconfigure-3.0.4.jar

Spring Boot AutoConfigure

Library home page: https://spring.io

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/3.0.4/7eb11bff0f965807f1088da20bc169bff27d284/spring-boot-autoconfigure-3.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/3.0.4/spring-boot-autoconfigure-3.0.4.jar

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - ❌ spring-boot-autoconfigure-3.0.4.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Publish Date: 2023-05-26

URL: CVE-2023-20883

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 3.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2022-1471

Vulnerable Library - snakeyaml-1.33.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - ❌ snakeyaml-1.33.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.1%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

CVE-2023-6378

Vulnerable Library - logback-classic-1.4.5.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.4.5/28e7dc0b208d6c3f15beefd73976e064b4ecfa9b/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - spring-boot-starter-logging-3.0.4.jar
    - ❌ logback-classic-1.4.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (8.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution (ch.qos.logback:logback-classic): 1.4.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.0.7

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

License Policy Violation detected in hibernate-core-6.1.7.Final.jar

Library - hibernate-core-6.1.7.Final.jar

Hibernate's core ORM functionality

Library home page: https://hibernate.org

Path to dependency file: /pom.xml

Path to library: /home/wss-scanner/.m2/repository/org/hibernate/orm/hibernate-core/6.1.7.Final/hibernate-core-6.1.7.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.hibernate.orm/hibernate-core/6.1.7.Final/343f47b34c96fe9c44bf9b219a7b3c5d6d2fc90e/hibernate-core-6.1.7.Final.jar

Dependency Hierarchy:

spring-boot-starter-data-jpa-3.0.4.jar (Root Library)
- ❌ hibernate-core-6.1.7.Final.jar (Library containing License Policy Violation)

Found in base branch: main

📃 License Details

LGPL 2.1
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/9cec02c3-f4b0-45b5-b43f-85fbb1af4798

⛔ License Policy Violation - Block GPL

spring-boot-starter-web-3.0.4.jar: 18 vulnerabilities (highest severity is: 8.7) reachable

Vulnerable Library - spring-boot-starter-web-3.0.4.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.6/2916961032e54aaeb534a290530b7b69e297bfcc/spring-web-6.0.6.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.6/spring-web-6.0.6.jar

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-boot-starter-web version)	Remediation Possible**	Reachability
CVE-2024-22259	High	8.6	Not Defined	0.1%	spring-web-6.0.6.jar	Transitive	3.1.10	✅	Reachable
CVE-2024-22243	High	8.6	Not Defined	0.1%	spring-web-6.0.6.jar	Transitive	3.1.9	✅	Reachable
CVE-2023-34053	Medium	6.9	Not Defined	0.0%	spring-web-6.0.6.jar	Transitive	3.0.13	✅	Reachable
CVE-2023-28708	Medium	5.3	Not Defined	0.1%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.5	✅	Reachable
CVE-2024-24549	High	8.7	Not Defined	0.0%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅	Unreachable
CVE-2024-23672	High	8.7	Not Defined	0.0%	tomcat-embed-websocket-10.1.5.jar	Transitive	3.0.7	✅	Unreachable
CVE-2023-46589	High	8.7	Not Defined	0.5%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅	Unreachable
CVE-2023-28709	High	8.7	Not Defined	0.70000005%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅	Unreachable
CVE-2023-20860	High	8.7	Not Defined	0.1%	spring-webmvc-6.0.6.jar	Transitive	3.0.5	✅	Unreachable
CVE-2023-45648	Medium	6.9	Not Defined	0.2%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅	Unreachable
CVE-2023-44487	Medium	6.9	High	81.6%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅	Unreachable
CVE-2023-42795	Medium	6.9	Not Defined	1.0%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅	Unreachable
CVE-2023-41080	Medium	5.3	Not Defined	0.5%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅	Unreachable
CVE-2024-38816	High	8.7	Not Defined	0.0%	spring-webmvc-6.0.6.jar	Transitive	3.2.10	✅
CVE-2024-34750	High	8.7	Not Defined	0.0%	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅
CVE-2024-22262	High	8.6	Not Defined	0.1%	spring-web-6.0.6.jar	Transitive	3.1.11	✅
CVE-2024-38809	Medium	6.9	Not Defined		spring-web-6.0.6.jar	Transitive	3.2.0	✅
CVE-2024-38286	Medium	5.5	Not Defined		tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-22259

Vulnerable Library - spring-web-6.0.6.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-json-3.0.4.jar
  - ❌ spring-web-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.web.util.UriComponentsBuilder (Application)
  -> org.springframework.web.util.WebUtils (Extension)
   -> org.springframework.web.context.request.ServletRequestAttributes (Extension)
    -> org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
    ...
      -> org.springframework.context.annotation.AnnotationConfigUtils (Extension)
       -> org.springframework.boot.SpringApplication (Extension)
        -> ❌ org.springframework.samples.petclinic.PetClinicApplication (Vulnerable Component)

Vulnerability Details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-03-16

URL: CVE-2024-22259

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22259

Release Date: 2024-03-16

Fix Resolution (org.springframework:spring-web): 6.0.18

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.10

In order to enable automatic remediation, please create workflow rules

CVE-2024-22243

Vulnerable Library - spring-web-6.0.6.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-json-3.0.4.jar
  - ❌ spring-web-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.web.util.UriComponentsBuilder (Application)
  -> org.springframework.web.util.WebUtils (Extension)
   -> org.springframework.web.context.request.ServletRequestAttributes (Extension)
    -> org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
    ...
      -> org.springframework.context.annotation.AnnotationConfigUtils (Extension)
       -> org.springframework.boot.SpringApplication (Extension)
        -> ❌ org.springframework.samples.petclinic.PetClinicApplication (Vulnerable Component)

Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.

Publish Date: 2024-02-23

URL: CVE-2024-22243

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22243

Release Date: 2024-02-23

Fix Resolution (org.springframework:spring-web): 6.0.17

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.9

In order to enable automatic remediation, please create workflow rules

CVE-2023-34053

Vulnerable Library - spring-web-6.0.6.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-json-3.0.4.jar
  - ❌ spring-web-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.http.server.reactive.DefaultServerHttpRequestBuilder (Application)
  -> org.springframework.http.server.reactive.ServerHttpRequest (Extension)
   -> org.springframework.http.server.reactive.HttpHandler (Extension)
    -> org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
    ...
      -> org.springframework.context.annotation.AnnotationConfigUtils (Extension)
       -> org.springframework.boot.SpringApplication (Extension)
        -> ❌ org.springframework.samples.petclinic.PetClinicApplication (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

the application uses Spring MVC or Spring WebFlux
io.micrometer:micrometer-core is on the classpath
an ObservationRegistry is configured in the application to record observations

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

Publish Date: 2023-11-28

URL: CVE-2023-34053

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (6.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-34053

Release Date: 2023-11-28

Fix Resolution (org.springframework:spring-web): 6.0.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.13

In order to enable automatic remediation, please create workflow rules

CVE-2023-28708

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

jakarta.servlet.ServletContextEvent (Application)
  -> jakarta.servlet.ServletContextListener (Extension)
   -> org.springframework.boot.web.servlet.ServletListenerRegistrationBean (Extension)
    -> org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
    ...
      -> org.springframework.context.annotation.AnnotationConfigUtils (Extension)
       -> org.springframework.boot.SpringApplication (Extension)
        -> ❌ org.springframework.samples.petclinic.PetClinicApplication (Vulnerable Component)

Vulnerability Details

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Publish Date: 2023-03-22

URL: CVE-2023-28708

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

Release Date: 2023-03-22

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2024-24549

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Publish Date: 2024-03-13

URL: CVE-2024-24549

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg

Release Date: 2024-03-13

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2024-23672

Vulnerable Library - tomcat-embed-websocket-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.5/14529cbd593571dc9029272ddc9166b5ef113fc2/tomcat-embed-websocket-10.1.5.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/10.1.5/tomcat-embed-websocket-10.1.5.jar

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-websocket-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Publish Date: 2024-03-13

URL: CVE-2024-23672

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-03-13

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-websocket): 10.1.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-46589

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Publish Date: 2023-11-28

URL: CVE-2023-46589

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2023-11-28

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.16

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-28709

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Publish Date: 2023-05-22

URL: CVE-2023-28709

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

Release Date: 2023-05-22

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.9

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-20860

Vulnerable Library - spring-webmvc-6.0.6.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/6.0.6/spring-webmvc-6.0.6.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.0.6/302580efc981ad6797a85814ea0996e2149bb420/spring-webmvc-6.0.6.jar

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- ❌ spring-webmvc-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution (org.springframework:spring-webmvc): 6.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.5

In order to enable automatic remediation, please create workflow rules

CVE-2023-45648

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially
crafted, invalid trailer header could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

Publish Date: 2023-10-10

URL: CVE-2023-45648

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 4 Score Details (6.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-45648

Release Date: 2023-10-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-44487

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

Threat Assessment

Exploit Maturity: High

EPSS: 81.6%

CVSS 4 Score Details (6.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-42795

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could
cause Tomcat to skip some parts of the recycling process leading to
information leaking from the current request/response to the next.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

Publish Date: 2023-10-10

URL: CVE-2023-42795

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.0%

CVSS 4 Score Details (6.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42795

Release Date: 2023-10-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2023-41080

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.

The vulnerability is limited to the ROOT (default) web application.

Publish Date: 2023-08-25

URL: CVE-2023-41080

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

CVSS 4 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f

Release Date: 2023-08-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2024-38816

Vulnerable Library - spring-webmvc-6.0.6.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- ❌ spring-webmvc-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

the web application uses RouterFunctions to serve static resources
resource handling is explicitly configured with a FileSystemResource location

However, malicious requests are blocked and rejected when any of the following is true:

the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use
the application runs on Tomcat or Jetty

Publish Date: 2024-09-13

URL: CVE-2024-38816

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38816

Release Date: 2024-09-13

Fix Resolution (org.springframework:spring-webmvc): 6.1.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.10

In order to enable automatic remediation, please create workflow rules

CVE-2024-34750

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-tomcat-3.0.4.jar
  - ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Vulnerability Details

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Publish Date: 2024-07-03

URL: CVE-2024-34750

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (8.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l

Release Date: 2024-07-03

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.25

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

In order to enable automatic remediation, please create workflow rules

CVE-2024-22262

Vulnerable Library - spring-web-6.0.6.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-json-3.0.4.jar
  - ❌ spring-web-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Vulnerability Details

This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-04-16

URL: CVE-2024-22262

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22262

Release Date: 2024-04-16

Fix Resolution (org.springframework:spring-web): 6.0.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.11

In order to enable automatic remediation, please create workflow rules

CVE-2024-38809

Vulnerable Library - spring-web-6.0.6.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Dependency Hierarchy:

spring-boot-starter-web-3.0.4.jar (Root Library)
- spring-boot-starter-json-3.0.4.jar
  - ❌ spring-web-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Vulnerability Details

Spring Framework is vulnerable DoS via conditional HTTP request. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to Denial of Service attack. All versions before 5.3.38, 6.0.23 and 6.1.12 are affected.

Publish Date: 2024-09-24

URL: CVE-2024-38809

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 4 Score Details (6.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38809

Release Date: 2024-06-20

Fix Resolution (org.springframework:spring-web): 6.0.23

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.0

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

postgresql-42.5.4.jar: 1 vulnerabilities (highest severity is: 10.0) unreachable

Vulnerable Library - postgresql-42.5.4.jar

PostgreSQL JDBC Driver Postgresql

Library home page: https://jdbc.postgresql.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/postgresql/postgresql/42.5.4/postgresql-42.5.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.postgresql/postgresql/42.5.4/15015a54f15e340a9a8a6a2c5457429cb1176b8/postgresql-42.5.4.jar

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (postgresql version)	Remediation Possible**	Reachability
CVE-2024-1597	Critical	10.0	Not Defined	0.1%	postgresql-42.5.4.jar	Direct	42.5.5	✅	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-1597

Vulnerable Library - postgresql-42.5.4.jar

PostgreSQL JDBC Driver Postgresql

Library home page: https://jdbc.postgresql.org/

Path to dependency file: /pom.xml

Dependency Hierarchy:

❌ postgresql-42.5.4.jar (Vulnerable Library)

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.

Publish Date: 2024-02-19

URL: CVE-2024-1597

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (10.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-1597

Release Date: 2024-02-19

Fix Resolution: 42.5.5

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

[NEUTRAL] Update dependency com.gitlab.haynes:libsass-maven-plugin to v0.3.1
[NEUTRAL] Update spring boot to v3.3.4 (org.springframework.boot:spring-boot-starter-parent, org.springframework.boot)
🔐 Create all pending approval PRs at once 🔐

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

Update eclipse-temurin Docker tag to v21
Update mcr.microsoft.com/vscode/devcontainers/java Docker tag to v1
Update mysql Docker tag to v9
Update postgres Docker tag to v16
🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

docker-compose

docker-compose.yml

mysql 8.0

postgres 15.2

dockerfile

.devcontainer/Dockerfile

mcr.microsoft.com/vscode/devcontainers/java 0-17-bullseye

Dockerfile

docker/dockerfile 1

eclipse-temurin 17-jdk-jammy

github-actions

.github/workflows/build.yaml

actions/checkout v2

actions/setup-java v1

actions/cache v1

actions/cache v1

.github/workflows/maven-build.yml

actions/checkout v3

actions/setup-java v2

.github/workflows/sonarqube.yml

SonarSource/sonarqube-scan-action 7295e71c9583053f5bf40e9d4068a0c974603ec8

gradle

settings.gradle

build.gradle

org.springframework.boot 3.0.4

io.spring.dependency-management 1.1.0

org.graalvm.buildtools.native 0.9.20

org.webjars.npm:bootstrap 5.2.3

org.webjars.npm:font-awesome 4.7.0

gradle-wrapper

gradle/wrapper/gradle-wrapper.properties

gradle 7.6.1

maven

pom.xml

org.springframework.boot:spring-boot-starter-parent 3.0.4

org.webjars.npm:bootstrap 5.2.3

org.webjars.npm:font-awesome 4.7.0

io.spring.javaformat:spring-javaformat-maven-plugin 0.0.38

org.apache.maven.plugins:maven-checkstyle-plugin 3.2.1

com.puppycrawl.tools:checkstyle 10.8.1

io.spring.nohttp:nohttp-checkstyle 0.0.11

org.jacoco:jacoco-maven-plugin 0.8.8

org.webjars.npm:bootstrap 5.2.3

com.gitlab.haynes:libsass-maven-plugin 0.2.29

maven-wrapper

.mvn/wrapper/maven-wrapper.properties

maven 3.8.7

maven-wrapper 3.1.1

License Policy Violation detected in hibernate-commons-annotations-6.0.6.Final.jar

Library - hibernate-commons-annotations-6.0.6.Final.jar

Common reflection code used in support of annotation processing

Library home page: http://hibernate.org

Path to dependency file: /build.gradle

Path to library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.hibernate.common/hibernate-commons-annotations/6.0.6.Final/77a5f94b56d49508e0ee334751db5b78e5ccd50c/hibernate-commons-annotations-6.0.6.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/common/hibernate-commons-annotations/6.0.6.Final/hibernate-commons-annotations-6.0.6.Final.jar

Dependency Hierarchy:

spring-boot-starter-data-jpa-3.0.4.jar (Root Library)
- hibernate-core-6.1.7.Final.jar
  - ❌ hibernate-commons-annotations-6.0.6.Final.jar (Library containing License Policy Violation)

Found in base branch: main

📃 License Details

LGPL 2.1
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/9cec02c3-f4b0-45b5-b43f-85fbb1af4798

⛔ License Policy Violation - Block GPL

h2-2.1.214.jar: 1 vulnerabilities (highest severity is: 8.6) unreachable

Vulnerable Library - h2-2.1.214.jar

H2 Database Engine

Library home page: https://h2database.com

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.h2database/h2/2.1.214/d5c2005c9e3279201e12d4776c948578b16bf8b2/h2-2.1.214.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/2.1.214/h2-2.1.214.jar

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (h2 version)	Remediation Possible**	Reachability
CVE-2022-45868	High	8.6	Not Defined	0.0%	h2-2.1.214.jar	Direct	2.2.220	✅	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-45868

Vulnerable Library - h2-2.1.214.jar

H2 Database Engine

Library home page: https://h2database.com

Path to dependency file: /build.gradle

Dependency Hierarchy:

❌ h2-2.1.214.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

Publish Date: 2022-11-23

URL: CVE-2022-45868

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (8.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-22wj-vf5f-wrvj

Release Date: 2022-11-23

Fix Resolution: 2.2.220

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

License Policy Violation detected in jakarta.transaction-api-2.0.1.jar

Library - jakarta.transaction-api-2.0.1.jar

Jakarta Transactions

Library home page: https://github.com/eclipse-ee4j

Path to dependency file: /build.gradle

Path to library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/jakarta.transaction/jakarta.transaction-api/2.0.1/51a520e3fae406abb84e2e1148e6746ce3f80a1a/jakarta.transaction-api-2.0.1.jar,/home/wss-scanner/.m2/repository/jakarta/transaction/jakarta.transaction-api/2.0.1/jakarta.transaction-api-2.0.1.jar

Dependency Hierarchy:

spring-boot-starter-data-jpa-3.0.4.jar (Root Library)
- hibernate-core-6.1.7.Final.jar
  - ❌ jakarta.transaction-api-2.0.1.jar (Library containing License Policy Violation)

Found in base branch: main

📃 License Details

Eclipse 2.0
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/9941c477-e78f-4c89-a4cb-783c6f7cb3f6

GPL 2.0 Classpath
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/493e2b39-3aad-4c39-9220-50f83cb66b5e

⛔ License Policy Violation - Block GPL

spring-boot-dependencies-3.0.4.pom: 1 vulnerabilities (highest severity is: 8.2) unreachable

Vulnerable Library - spring-boot-dependencies-3.0.4.pom

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.8/7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f/json-smart-2.4.8.jar

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-boot-dependencies version)	Remediation Possible**	Reachability
CVE-2023-1370	High	8.2	Not Defined	0.1%	json-smart-2.4.8.jar	Transitive	N/A*	❌	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-1370

Vulnerable Library - json-smart-2.4.8.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: https://urielch.github.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.8/7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f/json-smart-2.4.8.jar

Dependency Hierarchy:

spring-boot-dependencies-3.0.4.pom (Root Library)
- ❌ json-smart-2.4.8.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Json-smart is a performance focused, JSON processor lib.

When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.

It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Publish Date: 2023-03-13

URL: CVE-2023-1370

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.2)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Release Date: 2023-03-22

Fix Resolution: net.minidev:json-smart:2.4.9

License Policy Violation detected in mysql-connector-j-8.0.32.jar

Library - mysql-connector-j-8.0.32.jar

JDBC Type 4 driver for MySQL.

Library home page: https://www.oracle.com/

Path to dependency file: /build.gradle

Path to library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.mysql/mysql-connector-j/8.0.32/41ec3f8cdaccf6c46a47d7cd628eeb59a926d9d4/mysql-connector-j-8.0.32.jar,/home/wss-scanner/.m2/repository/com/mysql/mysql-connector-j/8.0.32/mysql-connector-j-8.0.32.jar

Dependency Hierarchy:

❌ mysql-connector-j-8.0.32.jar (Library containing License Policy Violation)

Found in base branch: main

📃 License Details

GPL 2.0 FOSS
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/25c85e30-22e7-4a99-a005-ff5825e264e8

⛔ License Policy Violation - Block GPL

maven-build.yml - Ensure top-level permissions are not set to write-all

Violation detected in /.github/workflows/maven-build.yml:[0-1]

📃 File Type: github_actions

⛔ Details - Ensure top-level permissions are not set to write-all

mysql-connector-j-8.0.32.jar: 1 vulnerabilities (highest severity is: 9.0) unreachable

Vulnerable Library - mysql-connector-j-8.0.32.jar

JDBC Type 4 driver for MySQL.

Library home page: https://www.oracle.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.mysql/mysql-connector-j/8.0.32/41ec3f8cdaccf6c46a47d7cd628eeb59a926d9d4/mysql-connector-j-8.0.32.jar,/home/wss-scanner/.m2/repository/com/mysql/mysql-connector-j/8.0.32/mysql-connector-j-8.0.32.jar

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (mysql-connector-j version)	Remediation Possible**	Reachability
CVE-2023-22102	Critical	9.0	Not Defined	0.1%	mysql-connector-j-8.0.32.jar	Direct	8.2.0	✅	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-22102

Vulnerable Library - mysql-connector-j-8.0.32.jar

JDBC Type 4 driver for MySQL.

Library home page: https://www.oracle.com/

Path to dependency file: /build.gradle

Dependency Hierarchy:

❌ mysql-connector-j-8.0.32.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Publish Date: 2023-10-17

URL: CVE-2023-22102

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (9.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: N/A
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-22102

Release Date: 2023-10-17

Fix Resolution: 8.2.0

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

License Policy Violation detected in logback-core-1.4.5.jar

Library - logback-core-1.4.5.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.4.5/e9bb2ea70f84401314da4300343b0a246c8954da/logback-core-1.4.5.jar

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - spring-boot-starter-logging-3.0.4.jar
    - logback-classic-1.4.5.jar
      - ❌ logback-core-1.4.5.jar (Library containing License Policy Violation)

Found in base branch: main

📃 License Details

Eclipse 1.0
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/b9e4c56e-814e-4af2-8c30-59c383db4920

LGPL 2.1
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/9cec02c3-f4b0-45b5-b43f-85fbb1af4798

⛔ License Policy Violation - Block GPL

spring-boot-starter-test-3.0.4.jar: 2 vulnerabilities (highest severity is: 6.3)

Vulnerable Library - spring-boot-starter-test-3.0.4.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.7.0/f9d7d9659f2694e61142046ff8a216c047f263e8/json-path-2.7.0.jar

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-boot-starter-test version)	Remediation Possible**	Reachability
CVE-2023-51074	Medium	6.3	Not Defined	0.0%	json-path-2.7.0.jar	Transitive	3.1.9	✅	Unreachable
CVE-2024-31573	Medium	6.3	Not Defined		xmlunit-core-2.9.1.jar	Transitive	N/A*	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-51074

Vulnerable Library - json-path-2.7.0.jar

Java port of Stefan Goessner JsonPath.

Library home page: https://github.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.7.0/f9d7d9659f2694e61142046ff8a216c047f263e8/json-path-2.7.0.jar

Dependency Hierarchy:

spring-boot-starter-test-3.0.4.jar (Root Library)
- ❌ json-path-2.7.0.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

Publish Date: 2023-12-27

URL: CVE-2023-51074

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (6.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-51074

Release Date: 2023-12-27

Fix Resolution (com.jayway.jsonpath:json-path): 2.9.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.1.9

In order to enable automatic remediation, please create workflow rules

CVE-2024-31573

Vulnerable Library - xmlunit-core-2.9.1.jar

XMLUnit for Java

Library home page: https://www.xmlunit.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.xmlunit/xmlunit-core/2.9.1/e5833662d9a1279a37da3ef6f62a1da29fcd68c4/xmlunit-core-2.9.1.jar

Dependency Hierarchy:

spring-boot-starter-test-3.0.4.jar (Root Library)
- ❌ xmlunit-core-2.9.1.jar (Vulnerable Library)

Found in HEAD commit: 91b014d1f41bab3e303efcbb708f31d39ed89e84

Found in base branch: main

Vulnerability Details

When performing XSLT transformations XMLUnit for Java before 2.10.0 did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.

Publish Date: 2024-04-05

URL: CVE-2024-31573

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 4 Score Details (6.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: N/A
Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-chfm-68vv-pvw5

Release Date: 2024-04-05

Fix Resolution: org.xmlunit:xmlunit-core:2.10.0

In order to enable automatic remediation for this issue, please create workflow rules

build.yaml - Ensure top-level permissions are not set to write-all

Violation detected in /.github/workflows/build.yaml:[0-1]

📃 File Type: github_actions

⛔ Details - Ensure top-level permissions are not set to write-all

License Policy Violation detected in logback-classic-1.4.5.jar

Library - logback-classic-1.4.5.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /build.gradle

Path to library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.4.5/28e7dc0b208d6c3f15beefd73976e064b4ecfa9b/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - spring-boot-starter-logging-3.0.4.jar
    - ❌ logback-classic-1.4.5.jar (Library containing License Policy Violation)

Found in base branch: main

📃 License Details

Eclipse 1.0
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/b9e4c56e-814e-4af2-8c30-59c383db4920

LGPL 2.1
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/9cec02c3-f4b0-45b5-b43f-85fbb1af4798

⛔ License Policy Violation - Block GPL

Dockerfile - Ensure that HEALTHCHECK instructions have been added to container images

Violation detected in /Dockerfile:[1-13]

📃 File Type: dockerfile

⛔ Details - Ensure that HEALTHCHECK instructions have been added to container images

License Policy Violation detected in jakarta.annotation-api-2.1.1.jar

Library - jakarta.annotation-api-2.1.1.jar

Jakarta Annotations API

Library home page: https://www.eclipse.org

Path to dependency file: /build.gradle

Path to library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/jakarta.annotation/jakarta.annotation-api/2.1.1/48b9bda22b091b1f48b13af03fe36db3be6e1ae3/jakarta.annotation-api-2.1.1.jar,/home/wss-scanner/.m2/repository/jakarta/annotation/jakarta.annotation-api/2.1.1/jakarta.annotation-api-2.1.1.jar

Dependency Hierarchy:

spring-boot-starter-actuator-3.0.4.jar (Root Library)
- spring-boot-starter-3.0.4.jar
  - ❌ jakarta.annotation-api-2.1.1.jar (Library containing License Policy Violation)

Found in base branch: main

📃 License Details

Eclipse 2.0
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/9941c477-e78f-4c89-a4cb-783c6f7cb3f6

GPL 2.0 Classpath
License Reference File: https://index.mend.io/gri/app/reader/resource/content/asString/493e2b39-3aad-4c39-9220-50f83cb66b5e

⛔ License Policy Violation - Block GPL