From 6e066309808e065ae98cbfead063bce2de51df2c Mon Sep 17 00:00:00 2001 From: Chris Cochrane Date: Thu, 18 May 2023 11:25:46 +0100 Subject: [PATCH 1/4] Upgraded sshd-common compile-time dependency --- testing/node-driver/build.gradle | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/testing/node-driver/build.gradle b/testing/node-driver/build.gradle index f958ea9a9a..772813c41b 100644 --- a/testing/node-driver/build.gradle +++ b/testing/node-driver/build.gradle @@ -27,8 +27,7 @@ sourceSets { dependencies { compile project(':test-utils') - compile group: 'org.apache.sshd', name: 'sshd-common', version: '2.3.0' -// integrationTestRuntime group: 'org.apache.sshd', name: 'sshd-common', version: '2.3.0' + compile group: 'org.apache.sshd', name: 'sshd-common', version: '2.9.2' // Integration test helpers testCompile "org.assertj:assertj-core:$assertj_version" From 9af77719d0ca10550632a405684c839a4a7e2d03 Mon Sep 17 00:00:00 2001 From: nargas-ritu Date: Tue, 30 May 2023 11:54:05 +0100 Subject: [PATCH 2/4] NOTICK: Corda OS 4.9.7 waivers --- .snyk | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 0000000000..1d07fa8b7b --- /dev/null +++ b/.snyk 
@@ -0,0 +1,134 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +# ignores vulnerabilities until expiry date; change duration by modifying expiry date +ignore: + SNYK-JAVA-COMGOOGLEGUAVA-1015415: + - '*': + reason: >- + Guava’s Files.createTempDir() is used during integration tests only. + Users of Corda are advised not to use Guava’s Files.createTempDir() + when building applications on Corda. + expires: 2023-09-01T11:38:11.478Z + created: 2022-12-29T11:38:11.489Z + SNYK-JAVA-COMH2DATABASE-31685: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. + + When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:39:26.763Z + created: 2022-12-29T11:39:26.775Z + SNYK-JAVA-COMH2DATABASE-2331071: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. + + When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:41:05.707Z + created: 2022-12-29T11:41:05.723Z + SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044: + - '*': + reason: >- + The vulnerability in okhttp’s error handling is only exploitable in + services that receive and parse HTTP requests. Corda does not receive + HTTP requests and thus is not exposed to this issue. + expires: 2023-09-01T11:42:55.546Z + created: 2022-12-29T11:42:55.556Z + SNYK-JAVA-IONETTY-1042268: + - '*': + reason: >- + Corda does not rely on hostname verification in the P2P protocol to + identify a host, so is not impacted by this vulnerability. Corda uses + its own SSL identity check logic for the network model. Corda + validates based on the full X500 subject name and the fact that P2P + links use mutually authenticated TLS with the same trust roots. For + RPC SSL client connections Artemis is used which calls into netty. 
The + default value for verifyHost is true for Artemis client connectors so + verification of the host name in netty does occur. + expires: 2023-09-01T11:45:42.976Z + created: 2022-12-29T11:45:42.981Z + SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385: + - '*': + reason: >- + This is a build time vulnerability. It relates to the inability to + lock dependencies for Kotlin Multiplatform Gradle Projects. At build + time for Corda we do not use Multiplatform Gradle Projects so are not + affected by this vulnerability. In addition as it is a build time + vulnerability released artifacts are not affected. + expires: 2023-09-01T11:52:35.855Z + created: 2022-12-29T11:52:35.870Z + SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744: + - '*': + reason: >- + This vulnerability relates to information exposure via creation of + temporary files (via Kotlin functions) with insecure permissions. + Corda does not use any of the vulnerable functions so it not + susceptible to this vulnerability. + expires: 2023-09-01T13:39:03.244Z + created: 2022-12-29T13:39:03.262Z + SNYK-JAVA-ORGLIQUIBASE-2419059: + - '*': + reason: >- + This component is used to upgrade the node database schema either at + node startup or via the database migration tool. The XML input for the + database migration is generated by Corda from either R3 supplied XML + files included in corda.jar or those XML files written by the CorDapp + author included in a CorDapp that is installed in the node CorDapps + directory. Contract CorDapps received over the network are not a + source of XML files for this generation step. An attacker trying to + exploit this vulnerability would need access to the server with the + XML input files, and specifically the access and ability to change JAR + files on the file system that make up the Corda installation. + expires: 2023-09-01T13:42:11.552Z + created: 2022-12-29T13:42:11.570Z + SNYK-JAVA-COMH2DATABASE-2348247: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. 
+ When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:36:39.068Z + created: 2022-12-29T11:36:39.089Z + SNYK-JAVA-COMH2DATABASE-1769238: + - '*': + reason: >- + H2 is not invoked by Corda unless the node deployment configures an H2 + database. This is not a supported configuration in Production and so + this vulnerability should be irrelevant except during development on + Corda. Corda itself does not store XML data within the database so + Corda is not susceptible to this vulnerability. If CorDapp developers + store XML data to the database they need to ascertain themselves that + they are not susceptible. + expires: 2023-09-01T11:40:29.871Z + created: 2022-12-29T11:40:29.896Z + SNYK-JAVA-ORGYAML-3152153: + - '*': + reason: >- + There is a transitive dependency on snakeyaml from the third party + components jackson-dataformat-yaml and liquidbase-core. The + jackson-dataformat-yaml component does not use the snakeyaml + databinding layer. For liquidbase we use xml in the changelog files + not yaml. So given this Corda is not susceptible to this + vulnerability.Cordapp authors should exercise their own judgment if + using this library directly in their cordapp. + expires: 2023-09-01T11:35:04.385Z + created: 2023-01-04T11:35:04.414Z + SNYK-JAVA-COMH2DATABASE-3146851: + - '*': + reason: >- + Corda does not make use of the H2 web admin console, so it not + susceptible to this reported vulnerability + expires: 2023-09-01T11:45:11.295Z + created: 2023-01-04T11:45:11.322Z + SNYK-JAVA-ORGBOUNCYCASTLE-2841508: + - '*': + reason: >- + This vulnerability relates to weak key-hash message authentication + code due to an error within the BKS version 1 keystore files. Corda + does not use BKS-V1 for its keystore files so is not susceptible to + this vulnerability. + expires: 2023-09-01T11:32:38.120Z + created: 2022-09-21T11:32:38.125Z +patch: {} 
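Review bot: in PATCH 1/4, testing/node-driver/build.gradle, the bumped sshd-common coordinate is still a literal version string on the `compile` configuration, while the neighbouring `testCompile "org.assertj:assertj-core:$assertj_version"` line takes its version from a project property. Consider pinning it the same way (a version property such as a hypothetical `sshd_version` in the root build) so the SSH library is declared once, and check `./gradlew :testing:node-driver:dependencies --configuration compileClasspath` to confirm that only one org.apache.sshd version resolves. The subject line calls this a compile-time dependency, but Gradle's `compile` configuration is exported to every consumer of node-driver, so a second sshd version anywhere on a consumer's classpath would be picked silently by conflict resolution. Dropping the stale commented-out `integrationTestRuntime` line is fine.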
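Review bot: every ignore in the new .snyk uses the `'*'` path selector, which suppresses the finding on every dependency path, including paths that do not exist yet, while most of the reasons are path-specific (snakeyaml "via jackson-dataformat-yaml and liquidbase-core", H2 only when a node is configured with H2, Guava only in integration tests). Where the reason names the path, scope the ignore with Snyk's dependency-path selector (`'parent@version > child@version'` form) instead of `'*'`, so a new transitive route to the same library is reported rather than waived. Two smaller points on the same hunk: the SNYK-JAVA-IONETTY-1042268 reason rests on the default value of Artemis `verifyHost`, and that default depends on the Artemis release, so state the version the claim was checked against (or set `verifyHost` explicitly on the RPC client connector so the waiver does not depend on a library default); and the SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 reason says Corda does not use "any of the vulnerable functions" without naming them, which makes the claim impossible to re-verify at the next expiry. Typos that ship into the policy file: "liquidbase-core" (liquibase-core), "so it not susceptible" twice (missing "is"), and "vulnerability.Cordapp" (missing space).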
From c64ad75ee37a1350f781eaf724877fa274ab9b1f Mon Sep 17 00:00:00 2001 From: nargas-ritu Date: Tue, 30 May 2023 19:08:43 +0100 Subject: [PATCH 3/4] ENT-9108: Corda OS 4.9.7 remaining waivers --- .snyk | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/.snyk b/.snyk index 1d07fa8b7b..2b9605267a 100644 --- a/.snyk +++ b/.snyk 
@@ -131,4 +131,101 @@ ignore: this vulnerability. expires: 2023-09-01T11:32:38.120Z created: 2022-09-21T11:32:38.125Z +SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424: + - '*': + reason: >- + Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required + for this vulnerability. In addition Corda does not use Jackson for + deserialization except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. This + vulnerability relates to deeply nested untyped Object or Array values + (3000 levels deep). Only CorDapps with these types at this level of + nesting are potentially susceptible. + expires: 2023-09-01T12:04:40.180Z + created: 2023-02-09T12:04:40.209Z + SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426: + - '*': + reason: >- + Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required + for this vulnerability. In addition Corda does not use Jackson for + deserialization except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. This + vulnerability relates to deeply nested untyped Object or Array values + (3000 levels deep). Only CorDapps with these types at this level of + nesting are potentially susceptible. + expires: 2023-09-01T12:05:03.931Z + created: 2023-02-09T12:05:03.962Z + SNYK-JAVA-ORGYAML-2806360: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. 
Liquibase is + used to apply the database migration changes. XML files are used here + to define the changes not YAML and therefore the Corda node itself is + not exposed to this DOS vulnerability. + expires: 2023-09-01T13:40:55.262Z + created: 2022-09-21T13:40:55.279Z + SNYK-JAVA-ORGYAML-3016891: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T16:37:28.911Z + created: 2023-02-06T16:37:28.933Z + SNYK-JAVA-ORGYAML-3016888: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T13:39:49.450Z + created: 2022-09-21T13:39:49.470Z + SNYK-JAVA-ORGYAML-3016889: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. 
+ Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T16:35:13.840Z + created: 2023-02-06T16:35:13.875Z + SNYK-JAVA-ORGYAML-3113851: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2024-04-01T00:00:00.000Z + created: 2022-11-29T14:55:03.623Z patch: {} From 25e7d2fdfd9a527eec8a39128ec632d8a4e33155 Mon Sep 17 00:00:00 2001 From: Connel McGovern <100574906+mcgovc@users.noreply.github.com> Date: Wed, 7 Jun 2023 09:58:41 +0100 Subject: [PATCH 4/4] ES-562: Updating .snyk YAML expiry & updating modules to scan on Snyk nightly (#7391) * ES-562: Updating .snyk YAML expiry & updating modules to scan on Snyk nightly --- .../nightly-regression/JenkinsfileSnykScan | 2 +- .ci/dev/regression/Jenkinsfile | 2 +- .github/workflows/check-pr-title.yml | 2 +- .snyk | 38 +++++++++---------- 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.ci/dev/nightly-regression/JenkinsfileSnykScan b/.ci/dev/nightly-regression/JenkinsfileSnykScan index 564bb516a9..6c0f81d698 100644 --- a/.ci/dev/nightly-regression/JenkinsfileSnykScan +++ b/.ci/dev/nightly-regression/JenkinsfileSnykScan 
@@ -3,5 +3,5 @@ cordaSnykScanPipeline ( snykTokenId: 'c4-os-snyk-api-token-secret', // specify the Gradle submodules to scan and monitor on snyk Server - modulesToScan: ['node', 'capsule', 'bridge', 'bridgecapsule'] + modulesToScan: ['node', 'capsule'] ) diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile index 02dc1a403d..4bab8e416c 100644 --- a/.ci/dev/regression/Jenkinsfile +++ b/.ci/dev/regression/Jenkinsfile @@ -92,7 +92,7 @@ pipeline { steps { script { // Invoke Snyk for each Gradle sub project we wish to scan - def modulesToScan = ['node', 'capsule', 'bridge', 'bridgecapsule'] + def modulesToScan = ['node', 'capsule'] modulesToScan.each { module -> snykSecurityScan("${env.SNYK_API_KEY}", "--sub-project=$module --configuration-matching='^runtimeClasspath\$' --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'") } diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml index 544a41c54c..96a9d7d8f5 100644 --- a/.github/workflows/check-pr-title.yml +++ b/.github/workflows/check-pr-title.yml @@ -9,6 +9,6 @@ jobs: steps: - uses: morrisoncole/pr-lint-action@v1.6.1 with: - title-regex: '^((CORDA|AG|EG|ENT|INFRA|NAAS)-\d+|NOTICK)(.*)' + title-regex: '^((CORDA|AG|EG|ENT|INFRA|NAAS|ES)-\d+|NOTICK)(.*)' on-failed-regex-comment: "PR title failed to match regex -> `%regex%`" repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.snyk b/.snyk index 5b57de995d..3970c56889 100755 --- a/.snyk +++ b/.snyk @@ -8,7 +8,7 @@ ignore: Guava’s Files.createTempDir() is used during integration tests only. Users of Corda are advised not to use Guava’s Files.createTempDir() when building applications on Corda. - expires: 2023-03-21T11:38:11.478Z + expires: 2023-07-21T11:38:11.478Z created: 2022-12-29T11:38:11.489Z SNYK-JAVA-COMH2DATABASE-31685: - '*': 
@@ -17,7 +17,7 @@ ignore: When it comes to DB connectivity parameters, we do not allow changing them as they are supplied by Corda Node configuration file. - expires: 2023-03-21T11:39:26.763Z + expires: 2023-07-21T11:39:26.763Z created: 2022-12-29T11:39:26.775Z SNYK-JAVA-COMH2DATABASE-2331071: - '*': @@ -26,7 +26,7 @@ ignore: When it comes to DB connectivity parameters, we do not allow changing them as they are supplied by Corda Node configuration file. - expires: 2023-03-21T11:41:05.707Z + expires: 2023-07-21T11:41:05.707Z created: 2022-12-29T11:41:05.723Z SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044: - '*': @@ -34,7 +34,7 @@ ignore: The vulnerability in okhttp’s error handling is only exploitable in services that receive and parse HTTP requests. Corda does not receive HTTP requests and thus is not exposed to this issue. - expires: 2023-03-21T11:42:55.546Z + expires: 2023-07-21T11:42:55.546Z created: 2022-12-29T11:42:55.556Z SNYK-JAVA-IONETTY-1042268: - '*': @@ -47,7 +47,7 @@ ignore: RPC SSL client connections Artemis is used which calls into netty. The default value for verifyHost is true for Artemis client connectors so verification of the host name in netty does occur. - expires: 2023-03-21T11:45:42.976Z + expires: 2023-07-21T11:45:42.976Z created: 2022-12-29T11:45:42.981Z SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385: - '*': @@ -57,7 +57,7 @@ ignore: time for Corda we do not use Multiplatform Gradle Projects so are not affected by this vulnerability. In addition as it is a build time vulnerability released artifacts are not affected. - expires: 2023-03-21T11:52:35.855Z + expires: 2023-07-21T11:52:35.855Z created: 2022-12-29T11:52:35.870Z SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744: - '*': 
@@ -66,7 +66,7 @@ ignore: temporary files (via Kotlin functions) with insecure permissions. Corda does not use any of the vulnerable functions so it not susceptible to this vulnerability. - expires: 2023-03-21T13:39:03.244Z + expires: 2023-07-21T13:39:03.244Z created: 2022-12-29T13:39:03.262Z SNYK-JAVA-ORGYAML-3016888: - '*': @@ -80,7 +80,7 @@ ignore: XML files are used here to define the changes not YAML and therefore the Corda node itself is not exposed to this deserialisation vulnerability. - expires: 2023-03-21T13:39:49.450Z + expires: 2023-07-21T13:39:49.450Z created: 2022-12-29T13:39:49.470Z SNYK-JAVA-ORGYAML-2806360: - '*': @@ -93,7 +93,7 @@ ignore: used to apply the database migration changes. XML files are used here to define the changes not YAML and therefore the Corda node itself is not exposed to this DOS vulnerability. - expires: 2023-03-21T13:40:55.262Z + expires: 2023-07-21T13:40:55.262Z created: 2022-12-29T13:40:55.279Z SNYK-JAVA-ORGLIQUIBASE-2419059: - '*': @@ -108,7 +108,7 @@ ignore: exploit this vulnerability would need access to the server with the XML input files, and specifically the access and ability to change JAR files on the file system that make up the Corda installation. - expires: 2023-03-21T13:42:11.552Z + expires: 2023-07-21T13:42:11.552Z created: 2022-12-29T13:42:11.570Z SNYK-JAVA-ORGYAML-3113851: - '*': @@ -134,7 +134,7 @@ ignore: their own assessment. This vulnerability relates to deeply nested untyped Object or Array values (3000 levels deep). Only CorDapps with these types at this level of nesting are potentially susceptible. - expires: 2023-03-12T16:50:57.921Z + expires: 2023-07-12T16:50:57.921Z created: 2022-12-29T16:50:57.943Z SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424: - '*': 
@@ -146,7 +146,7 @@ ignore: their own assessment. This vulnerability relates to deeply nested untyped Object or Array values (3000 levels deep). Only CorDapps with these types at this level of nesting are potentially susceptible. - expires: 2023-03-12T16:52:30.722Z + expires: 2023-07-12T16:52:30.722Z created: 2022-12-29T16:52:30.747Z SNYK-JAVA-ORGYAML-3016891: - '*': @@ -160,7 +160,7 @@ ignore: XML files are used here to define the changes not YAML and therefore the Corda node itself is not exposed to this deserialisation vulnerability. - expires: 2023-03-12T17:00:51.957Z + expires: 2023-07-12T17:00:51.957Z created: 2022-12-29T17:00:51.970Z SNYK-JAVA-ORGYAML-3016889: - '*': @@ -174,7 +174,7 @@ ignore: XML files are used here to define the changes not YAML and therefore the Corda node itself is not exposed to this deserialisation vulnerability. - expires: 2023-03-12T17:02:02.538Z + expires: 2023-07-12T17:02:02.538Z created: 2022-12-29T17:02:02.564Z SNYK-JAVA-COMH2DATABASE-2348247: - '*': @@ -182,7 +182,7 @@ ignore: H2 console is not enabled for any of the applications we are running. When it comes to DB connectivity parameters, we do not allow changing them as they are supplied by Corda Node configuration file. - expires: 2023-03-28T11:36:39.068Z + expires: 2023-07-28T11:36:39.068Z created: 2022-12-29T11:36:39.089Z SNYK-JAVA-COMH2DATABASE-1769238: - '*': @@ -194,7 +194,7 @@ ignore: Corda is not susceptible to this vulnerability. If CorDapp developers store XML data to the database they need to ascertain themselves that they are not susceptible. - expires: 2023-03-28T11:40:29.871Z + expires: 2023-07-28T11:40:29.871Z created: 2022-12-29T11:40:29.896Z SNYK-JAVA-ORGYAML-3152153: - '*': 
@@ -206,7 +206,7 @@ ignore: not yaml. So given this Corda is not susceptible to this vulnerability.Cordapp authors should exercise their own judgment if using this library directly in their cordapp. - expires: 2023-03-03T11:35:04.385Z + expires: 2023-07-03T11:35:04.385Z created: 2023-01-04T11:35:04.414Z SNYK-JAVA-IONETTY-3167773: - '*': @@ -216,13 +216,13 @@ ignore: but it is not used in Corda, which uses a custom binary protocol secured by mutually authenticated TLS. The vulnerability relating to HTTP Response splitting is not exposed. - expires: 2023-03-03T11:40:51.456Z + expires: 2023-07-03T11:40:51.456Z created: 2023-01-04T11:40:51.467Z SNYK-JAVA-COMH2DATABASE-3146851: - '*': reason: >- Corda does not make use of the H2 web admin console, so it not susceptible to this reported vulnerability - expires: 2023-03-03T11:45:11.295Z + expires: 2023-07-03T11:45:11.295Z created: 2023-01-04T11:45:11.322Z patch: {}
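Review bot: in PATCH 3/4, the first added key `+SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:` appears at column 0, whereas every sibling entry (including `+  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:` immediately below it) is indented two spaces under `ignore:`. As written it is either a top-level key rather than an ignore, or a YAML parse error once the indented entries that follow are read under it; either way none of the six new waivers would take effect. Indent it to match the others and validate the file with the Snyk CLI before merging. Also in this hunk: SNYK-JAVA-ORGYAML-3113851 expires 2024-04-01 while the other five new entries expire 2023-09-01, and the five snakeyaml reasons are near-identical copies, so a single fixed wording (with the "liquidbase" typo corrected) would be easier to keep in sync when they are renewed.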
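Review bot: the `modulesToScan` hunks in .ci/dev/nightly-regression/JenkinsfileSnykScan and .ci/dev/regression/Jenkinsfile drop `bridge` and `bridgecapsule` from the Snyk scan, but the commit message only says the modules were "updated" and gives no reason. If those sub-projects do not exist in this repository, say so in the message; if they do, this silently removes vulnerability coverage for them. Note also that the regression scan uses `--configuration-matching='^runtimeClasspath\$'` on `node` and `capsule` only, so the sshd-common bump in testing/node-driver (PATCH 1/4) is not something these scans will observe.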
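Review bot: the .snyk hunks in PATCH 4/4 are diffed against `index 5b57de995d` with mode `100755`, but PATCH 3/4 leaves the file at `2b9605267a`, mode `100644`, with the snakeyaml and Jackson entries appended at the end and all expiries set to 2023-09-01. This patch's base instead has those entries interleaved earlier in the file, contains SNYK-JAVA-IONETTY-3167773 (absent from patches 2 and 3), and carries 2023-03 expiries that are moved to 2023-07. The series therefore does not apply in order; rebase PATCH 4/4 onto the result of PATCH 3/4 so `git am` succeeds and so there is one agreed expiry per entry rather than two competing dates. Two follow-ups: a YAML policy file does not need the executable bit (`chmod -x .snyk`), and pushing expiries to July 2023 in a change dated 7 June leaves under a month before the nightly scan fails again, so tie each expiry to a tracked ticket and choose a date that leaves time to remediate rather than re-waive.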