corda/.snyk

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
  SNYK-JAVA-COMGOOGLEGUAVA-1015415:
    - '*':
        reason: >-
          Guava's Files.createTempDir() is used during integration tests only.
          Users of Corda are advised not to use Guava's Files.createTempDir()
          when building applications on Corda.
        expires: 2023-09-01T11:38:11.478Z
        created: 2022-12-29T11:38:11.489Z
  SNYK-JAVA-COMH2DATABASE-31685:
    - '*':
        reason: >-
          H2 console is not enabled for any of the applications we are running.
          When it comes to DB connectivity parameters, we do not allow changing
          them as they are supplied by Corda Node configuration file.
        expires: 2023-09-01T11:39:26.763Z
        created: 2022-12-29T11:39:26.775Z
  SNYK-JAVA-COMH2DATABASE-2331071:
    - '*':
        reason: >-
          H2 console is not enabled for any of the applications we are running.
          When it comes to DB connectivity parameters, we do not allow changing
          them as they are supplied by Corda Node configuration file.
        expires: 2023-09-01T11:41:05.707Z
        created: 2022-12-29T11:41:05.723Z
  SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044:
    - '*':
        reason: >-
          The vulnerability in okhttp's error handling is only exploitable in
          services that receive and parse HTTP requests. Corda does not receive
          HTTP requests and thus is not exposed to this issue.
        expires: 2023-09-01T11:42:55.546Z
        created: 2022-12-29T11:42:55.556Z
  SNYK-JAVA-IONETTY-1042268:
    - '*':
        reason: >-
          Corda does not rely on hostname verification in the P2P protocol to
          identify a host, so is not impacted by this vulnerability. Corda uses
          its own SSL identity check logic for the network model. Corda
          validates based on the full X500 subject name and the fact that P2P
          links use mutually authenticated TLS with the same trust roots. For
          RPC SSL client connections Artemis is used which calls into netty. The
          default value for verifyHost is true for Artemis client connectors so
          verification of the host name in netty does occur.
        expires: 2023-09-01T11:45:42.976Z
        created: 2022-12-29T11:45:42.981Z
  SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385:
    - '*':
        reason: >-
          This is a build time vulnerability. It relates to the inability to
          lock dependencies for Kotlin Multiplatform Gradle Projects. At build
          time for Corda we do not use Multiplatform Gradle Projects so are not
          affected by this vulnerability. In addition as it is a build time
          vulnerability released artifacts are not affected.
        expires: 2023-09-01T11:52:35.855Z
        created: 2022-12-29T11:52:35.870Z
  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
    - '*':
        reason: >-
          This vulnerability relates to information exposure via creation of
          temporary files (via Kotlin functions) with insecure permissions.
          Corda does not use any of the vulnerable functions so is not
          susceptible to this vulnerability.
        expires: 2023-09-01T13:39:03.244Z
        created: 2022-12-29T13:39:03.262Z
  SNYK-JAVA-ORGLIQUIBASE-2419059:
    - '*':
        reason: >-
          This component is used to upgrade the node database schema either at
          node startup or via the database migration tool. The XML input for the
          database migration is generated by Corda from either R3 supplied XML
          files included in corda.jar or those XML files written by the CorDapp
          author included in a CorDapp that is installed in the node CorDapps
          directory. Contract CorDapps received over the network are not a
          source of XML files for this generation step. An attacker trying to
          exploit this vulnerability would need access to the server with the
          XML input files, and specifically the access and ability to change JAR
          files on the file system that make up the Corda installation.
        expires: 2023-09-01T13:42:11.552Z
        created: 2022-12-29T13:42:11.570Z
  SNYK-JAVA-COMH2DATABASE-2348247:
    - '*':
        reason: >-
          H2 console is not enabled for any of the applications we are running.
          When it comes to DB connectivity parameters, we do not allow changing
          them as they are supplied by Corda Node configuration file.
        expires: 2023-09-01T11:36:39.068Z
        created: 2022-12-29T11:36:39.089Z
  SNYK-JAVA-COMH2DATABASE-1769238:
    - '*':
        reason: >-
          H2 is not invoked by Corda unless the node deployment configures an H2
          database. This is not a supported configuration in Production and so
          this vulnerability should be irrelevant except during development on
          Corda. Corda itself does not store XML data within the database so
          Corda is not susceptible to this vulnerability. If CorDapp developers
          store XML data to the database they need to ascertain themselves that
          they are not susceptible.
        expires: 2023-09-01T11:40:29.871Z
        created: 2022-12-29T11:40:29.896Z
  SNYK-JAVA-ORGYAML-3152153:
    - '*':
        reason: >-
          There is a transitive dependency on snakeyaml from the third party
          components jackson-dataformat-yaml and liquibase-core. The
          jackson-dataformat-yaml component does not use the snakeyaml
          databinding layer. For Liquibase we use xml in the changelog files
          not yaml. So given this Corda is not susceptible to this
          vulnerability. Cordapp authors should exercise their own judgment if
          using this library directly in their cordapp.
        expires: 2023-09-01T11:35:04.385Z
        created: 2023-01-04T11:35:04.414Z
  SNYK-JAVA-COMH2DATABASE-3146851:
    - '*':
        reason: >-
          Corda does not make use of the H2 web admin console, so is not
          susceptible to this reported vulnerability.
        expires: 2023-09-01T11:45:11.295Z
        created: 2023-01-04T11:45:11.322Z
  SNYK-JAVA-ORGBOUNCYCASTLE-2841508:
    - '*':
        reason: >-
          This vulnerability relates to weak key-hash message authentication
          code due to an error within the BKS version 1 keystore files. Corda
          does not use BKS-V1 for its keystore files so is not susceptible to
          this vulnerability.
        expires: 2023-09-01T11:32:38.120Z
        created: 2022-09-21T11:32:38.125Z
  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:
    - '*':
        reason: >-
          Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required
          for this vulnerability. In addition Corda does not use Jackson for
          deserialization except in the optional shell which we recommend using
          standalone. The Corda node itself is not exposed. Corda does however
          provide mappings of Corda types to allow CorDapps to use Jackson, and
          CorDapps using Jackson should make their own assessment. This
          vulnerability relates to deeply nested untyped Object or Array values
          (3000 levels deep). Only CorDapps with these types at this level of
          nesting are potentially susceptible.
        expires: 2023-09-01T12:04:40.180Z
        created: 2023-02-09T12:04:40.209Z
  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
    - '*':
        reason: >-
          Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required
          for this vulnerability. In addition Corda does not use Jackson for
          deserialization except in the optional shell which we recommend using
          standalone. The Corda node itself is not exposed. Corda does however
          provide mappings of Corda types to allow CorDapps to use Jackson, and
          CorDapps using Jackson should make their own assessment. This
          vulnerability relates to deeply nested untyped Object or Array values
          (3000 levels deep). Only CorDapps with these types at this level of
          nesting are potentially susceptible.
        expires: 2023-09-01T12:05:03.931Z
        created: 2023-02-09T12:05:03.962Z
  SNYK-JAVA-ORGYAML-2806360:
    - '*':
        reason: >-
          Snakeyaml is being used by Jackson and Liquibase. Corda does not use
          Jackson except in the optional shell which we recommend using
          standalone. The Corda node itself is not exposed. Corda does however
          provide mappings of Corda types to allow CorDapps to use Jackson, and
          CorDapps using Jackson should make their own assessment. Liquibase is
          used to apply the database migration changes. XML files are used here
          to define the changes not YAML and therefore the Corda node itself is
          not exposed to this DOS vulnerability.
        expires: 2023-09-01T13:40:55.262Z
        created: 2022-09-21T13:40:55.279Z
  SNYK-JAVA-ORGYAML-3016891:
    - '*':
        reason: >-
          Snakeyaml is being used by Jackson and Liquibase. Corda does not use
          Jackson for deserialization except in the optional shell which we
          recommend using standalone. The Corda node itself is not exposed.
          Corda does however provide mappings of Corda types to allow CorDapps
          to use Jackson, and CorDapps using Jackson should make their own
          assessment. Liquibase is used to apply the database migration changes.
          XML files are used here to define the changes not YAML and therefore
          the Corda node itself is not exposed to this deserialisation
          vulnerability.
        expires: 2023-09-01T16:37:28.911Z
        created: 2023-02-06T16:37:28.933Z
  SNYK-JAVA-ORGYAML-3016888:
    - '*':
        reason: >-
          Snakeyaml is being used by Jackson and Liquibase. Corda does not use
          Jackson for deserialization except in the optional shell which we
          recommend using standalone. The Corda node itself is not exposed.
          Corda does however provide mappings of Corda types to allow CorDapps
          to use Jackson, and CorDapps using Jackson should make their own
          assessment. Liquibase is used to apply the database migration changes.
          XML files are used here to define the changes not YAML and therefore
          the Corda node itself is not exposed to this deserialisation
          vulnerability.
        expires: 2023-09-01T13:39:49.450Z
        created: 2022-09-21T13:39:49.470Z
  SNYK-JAVA-ORGYAML-3016889:
    - '*':
        reason: >-
          Snakeyaml is being used by Jackson and Liquibase. Corda does not use
          Jackson for deserialization except in the optional shell which we
          recommend using standalone. The Corda node itself is not exposed.
          Corda does however provide mappings of Corda types to allow CorDapps
          to use Jackson, and CorDapps using Jackson should make their own
          assessment. Liquibase is used to apply the database migration changes.
          XML files are used here to define the changes not YAML and therefore
          the Corda node itself is not exposed to this deserialisation
          vulnerability.
        expires: 2023-09-01T16:35:13.840Z
        created: 2023-02-06T16:35:13.875Z
  SNYK-JAVA-ORGYAML-3113851:
    - '*':
        reason: >-
          Snakeyaml is being used by Jackson and Liquibase. Corda does not use
          Jackson for deserialization except in the optional shell which we
          recommend using standalone. The Corda node itself is not exposed.
          Corda does however provide mappings of Corda types to allow CorDapps
          to use Jackson, and CorDapps using Jackson should make their own
          assessment. Liquibase is used to apply the database migration changes.
          XML files are used here to define the changes not YAML and therefore
          the Corda node itself is not exposed to this deserialisation
          vulnerability.
        expires: 2024-04-01T00:00:00.000Z
        created: 2022-11-29T14:55:03.623Z
patch: {}