2022-12-29 11:50:07 +00:00
|
|
|
|
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
|
|
|
|
|
|
version: v1.25.0
|
|
|
|
|
|
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
|
|
|
|
|
|
ignore:
|
|
|
|
|
|
SNYK-JAVA-COMGOOGLEGUAVA-1015415:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Guava’s Files.createTempDir() is used during integration tests only.
|
|
|
|
|
|
Users of Corda are advised not to use Guava’s Files.createTempDir()
|
|
|
|
|
|
when building applications on Corda.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T11:38:11.478Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T11:38:11.489Z
|
|
|
|
|
|
SNYK-JAVA-COMH2DATABASE-31685:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
H2 console is not enabled for any of the applications we are running.
|
|
|
|
|
|
|
|
|
|
|
|
When it comes to DB connectivity parameters, we do not allow changing
|
|
|
|
|
|
them as they are supplied by Corda Node configuration file.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T11:39:26.763Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T11:39:26.775Z
|
|
|
|
|
|
SNYK-JAVA-COMH2DATABASE-2331071:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
H2 console is not enabled for any of the applications we are running.
|
|
|
|
|
|
|
|
|
|
|
|
When it comes to DB connectivity parameters, we do not allow changing
|
|
|
|
|
|
them as they are supplied by Corda Node configuration file.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T11:41:05.707Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T11:41:05.723Z
|
|
|
|
|
|
SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
The vulnerability in okhttp’s error handling is only exploitable in
|
|
|
|
|
|
services that receive and parse HTTP requests. Corda does not receive
|
|
|
|
|
|
HTTP requests and thus is not exposed to this issue.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T11:42:55.546Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T11:42:55.556Z
|
|
|
|
|
|
SNYK-JAVA-IONETTY-1042268:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Corda does not rely on hostname verification in the P2P protocol to
|
|
|
|
|
|
identify a host, so is not impacted by this vulnerability. Corda uses
|
|
|
|
|
|
its own SSL identity check logic for the network model. Corda
|
|
|
|
|
|
validates based on the full X500 subject name and the fact that P2P
|
|
|
|
|
|
links use mutually authenticated TLS with the same trust roots. For
|
|
|
|
|
|
RPC SSL client connections Artemis is used which calls into netty. The
|
|
|
|
|
|
default value for verifyHost is true for Artemis client connectors so
|
|
|
|
|
|
verification of the host name in netty does occur.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T11:45:42.976Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T11:45:42.981Z
|
|
|
|
|
|
SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
This is a build time vulnerability. It relates to the inability to
|
|
|
|
|
|
lock dependencies for Kotlin Multiplatform Gradle Projects. At build
|
|
|
|
|
|
time for Corda we do not use Multiplatform Gradle Projects so are not
|
|
|
|
|
|
affected by this vulnerability. In addition as it is a build time
|
|
|
|
|
|
vulnerability released artifacts are not affected.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T11:52:35.855Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T11:52:35.870Z
|
|
|
|
|
|
SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
This vulnerability relates to information exposure via creation of
|
|
|
|
|
|
temporary files (via Kotlin functions) with insecure permissions.
|
|
|
|
|
|
Corda does not use any of the vulnerable functions so it not
|
|
|
|
|
|
susceptible to this vulnerability.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T13:39:03.244Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T13:39:03.262Z
|
|
|
|
|
|
SNYK-JAVA-ORGYAML-3016888:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Snakeyaml is being used by Jackson and liquidbase. Corda does not use
|
|
|
|
|
|
Jackson for deserialization except in the optional shell which we
|
|
|
|
|
|
recommend using standalone. The Corda node itself is not exposed.
|
|
|
|
|
|
Corda does however provide mappings of Corda types to allow CorDapps
|
|
|
|
|
|
to use Jackson, and CorDapps using Jackson should make their own
|
|
|
|
|
|
assessment. Liquibase is used to apply the database migration changes.
|
|
|
|
|
|
XML files are used here to define the changes not YAML and therefore
|
|
|
|
|
|
the Corda node itself is not exposed to this deserialisation
|
|
|
|
|
|
vulnerability.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T13:39:49.450Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T13:39:49.470Z
|
|
|
|
|
|
SNYK-JAVA-ORGYAML-2806360:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Snakeyaml is being used by Jackson and liquidbase. Corda does not use
|
|
|
|
|
|
Jackson except in the optional shell which we recommend using
|
|
|
|
|
|
standalone. The Corda node itself is not exposed. Corda does however
|
|
|
|
|
|
provide mappings of Corda types to allow CorDapps to use Jackson, and
|
|
|
|
|
|
CorDapps using Jackson should make their own assessment. Liquibase is
|
|
|
|
|
|
used to apply the database migration changes. XML files are used here
|
|
|
|
|
|
to define the changes not YAML and therefore the Corda node itself is
|
|
|
|
|
|
not exposed to this DOS vulnerability.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T13:40:55.262Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T13:40:55.279Z
|
|
|
|
|
|
SNYK-JAVA-ORGLIQUIBASE-2419059:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
This component is used to upgrade the node database schema either at
|
|
|
|
|
|
node startup or via the database migration tool. The XML input for the
|
|
|
|
|
|
database migration is generated by Corda from either R3 supplied XML
|
|
|
|
|
|
files included in corda.jar or those XML files written by the CorDapp
|
|
|
|
|
|
author included in a CorDapp that is installed in the node CorDapps
|
|
|
|
|
|
directory. Contract CorDapps received over the network are not a
|
|
|
|
|
|
source of XML files for this generation step. An attacker trying to
|
|
|
|
|
|
exploit this vulnerability would need access to the server with the
|
|
|
|
|
|
XML input files, and specifically the access and ability to change JAR
|
|
|
|
|
|
files on the file system that make up the Corda installation.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-21T13:42:11.552Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T13:42:11.570Z
|
|
|
|
|
|
SNYK-JAVA-ORGYAML-3113851:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Snakeyaml is being used by Jackson and liquidbase. Corda does not use
|
|
|
|
|
|
Jackson for deserialization except in the optional shell which we
|
|
|
|
|
|
recommend using standalone. The Corda node itself is not exposed.
|
|
|
|
|
|
Corda does however provide mappings of Corda types to allow CorDapps
|
|
|
|
|
|
to use Jackson, and CorDapps using Jackson should make their own
|
|
|
|
|
|
assessment. Liquibase is used to apply the database migration changes.
|
|
|
|
|
|
XML files are used here to define the changes not YAML and therefore
|
|
|
|
|
|
the Corda node itself is not exposed to this deserialisation
|
|
|
|
|
|
vulnerability.
|
|
|
|
|
|
expires: 2024-04-30T00:00:00.000Z
|
|
|
|
|
|
created: 2022-12-29T14:55:03.623Z
|
|
|
|
|
|
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Corda does not use Jackson for deserialization except in the optional
|
|
|
|
|
|
shell which we recommend using standalone. The Corda node itself is
|
|
|
|
|
|
not exposed. Corda does however provide mappings of Corda types to
|
|
|
|
|
|
allow CorDapps to use Jackson, and CorDapps using Jackson should make
|
|
|
|
|
|
their own assessment. This vulnerability relates to deeply nested
|
|
|
|
|
|
untyped Object or Array values (3000 levels deep). Only CorDapps with
|
|
|
|
|
|
these types at this level of nesting are potentially susceptible.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-12T16:50:57.921Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T16:50:57.943Z
|
|
|
|
|
|
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Corda does not use Jackson for deserialization except in the optional
|
|
|
|
|
|
shell which we recommend using standalone. The Corda node itself is
|
|
|
|
|
|
not exposed. Corda does however provide mappings of Corda types to
|
|
|
|
|
|
allow CorDapps to use Jackson, and CorDapps using Jackson should make
|
|
|
|
|
|
their own assessment. This vulnerability relates to deeply nested
|
|
|
|
|
|
untyped Object or Array values (3000 levels deep). Only CorDapps with
|
|
|
|
|
|
these types at this level of nesting are potentially susceptible.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-12T16:52:30.722Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T16:52:30.747Z
|
|
|
|
|
|
SNYK-JAVA-ORGYAML-3016891:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Snakeyaml is being used by Jackson and liquidbase. Corda does not use
|
|
|
|
|
|
Jackson for deserialization except in the optional shell which we
|
|
|
|
|
|
recommend using standalone. The Corda node itself is not exposed.
|
|
|
|
|
|
Corda does however provide mappings of Corda types to allow CorDapps
|
|
|
|
|
|
to use Jackson, and CorDapps using Jackson should make their own
|
|
|
|
|
|
assessment. Liquibase is used to apply the database migration changes.
|
|
|
|
|
|
XML files are used here to define the changes not YAML and therefore
|
|
|
|
|
|
the Corda node itself is not exposed to this deserialisation
|
2023-05-30 18:08:43 +00:00
|
|
|
|
vulnerability.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-12T17:00:51.957Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T17:00:51.970Z
|
|
|
|
|
|
SNYK-JAVA-ORGYAML-3016889:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Snakeyaml is being used by Jackson and liquidbase. Corda does not use
|
|
|
|
|
|
Jackson for deserialization except in the optional shell which we
|
|
|
|
|
|
recommend using standalone. The Corda node itself is not exposed.
|
|
|
|
|
|
Corda does however provide mappings of Corda types to allow CorDapps
|
|
|
|
|
|
to use Jackson, and CorDapps using Jackson should make their own
|
|
|
|
|
|
assessment. Liquibase is used to apply the database migration changes.
|
|
|
|
|
|
XML files are used here to define the changes not YAML and therefore
|
|
|
|
|
|
the Corda node itself is not exposed to this deserialisation
|
|
|
|
|
|
vulnerability.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-12T17:02:02.538Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T17:02:02.564Z
|
|
|
|
|
|
SNYK-JAVA-COMH2DATABASE-2348247:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
H2 console is not enabled for any of the applications we are running.
|
2023-07-13 09:53:30 +00:00
|
|
|
|
When it comes to DB connectivity parameters, we do not allow changing
|
2022-12-29 11:50:07 +00:00
|
|
|
|
them as they are supplied by Corda Node configuration file.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-28T11:36:39.068Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T11:36:39.089Z
|
|
|
|
|
|
SNYK-JAVA-COMH2DATABASE-1769238:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
H2 is not invoked by Corda unless the node deployment configures an H2
|
|
|
|
|
|
database. This is not a supported configuration in Production and so
|
|
|
|
|
|
this vulnerability should be irrelevant except during development on
|
|
|
|
|
|
Corda. Corda itself does not store XML data within the database so
|
|
|
|
|
|
Corda is not susceptible to this vulnerability. If CorDapp developers
|
|
|
|
|
|
store XML data to the database they need to ascertain themselves that
|
|
|
|
|
|
they are not susceptible.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-28T11:40:29.871Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
created: 2022-12-29T11:40:29.896Z
|
2023-01-04 11:56:03 +00:00
|
|
|
|
SNYK-JAVA-ORGYAML-3152153:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
There is a transitive dependency on snakeyaml from the third party
|
|
|
|
|
|
components jackson-dataformat-yaml and liquidbase-core. The
|
|
|
|
|
|
jackson-dataformat-yaml component does not use the snakeyaml
|
|
|
|
|
|
databinding layer. For liquidbase we use xml in the changelog files
|
|
|
|
|
|
not yaml. So given this Corda is not susceptible to this
|
|
|
|
|
|
vulnerability.Cordapp authors should exercise their own judgment if
|
|
|
|
|
|
using this library directly in their cordapp.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-03T11:35:04.385Z
|
2023-01-04 11:56:03 +00:00
|
|
|
|
created: 2023-01-04T11:35:04.414Z
|
|
|
|
|
|
SNYK-JAVA-IONETTY-3167773:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Corda does not use Netty HTTP (and does not use HTTP in the P2P
|
|
|
|
|
|
protocol) . This is a transitive dependency of Netty comms library,
|
|
|
|
|
|
but it is not used in Corda, which uses a custom binary protocol
|
|
|
|
|
|
secured by mutually authenticated TLS. The vulnerability relating to
|
|
|
|
|
|
HTTP Response splitting is not exposed.
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-03T11:40:51.456Z
|
2023-01-04 11:56:03 +00:00
|
|
|
|
created: 2023-01-04T11:40:51.467Z
|
|
|
|
|
|
SNYK-JAVA-COMH2DATABASE-3146851:
|
|
|
|
|
|
- '*':
|
|
|
|
|
|
reason: >-
|
|
|
|
|
|
Corda does not make use of the H2 web admin console, so it not
|
|
|
|
|
|
susceptible to this reported vulnerability
|
2023-06-07 08:58:41 +00:00
|
|
|
|
expires: 2023-07-03T11:45:11.295Z
|
2023-01-04 11:56:03 +00:00
|
|
|
|
created: 2023-01-04T11:45:11.322Z
|
2022-12-29 11:50:07 +00:00
|
|
|
|
patch: {}
|
