From 9af77719d0ca10550632a405684c839a4a7e2d03 Mon Sep 17 00:00:00 2001 From: nargas-ritu Date: Tue, 30 May 2023 11:54:05 +0100 Subject: [PATCH] NOTICK: Corda OS 4.9.7 waivers --- .snyk | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 0000000000..1d07fa8b7b --- /dev/null +++ b/.snyk 
@@ -0,0 +1,134 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +# ignores vulnerabilities until expiry date; change duration by modifying expiry date +ignore: + SNYK-JAVA-COMGOOGLEGUAVA-1015415: + - '*': + reason: >- + Guava’s Files.createTempDir() is used during integration tests only. + Users of Corda are advised not to use Guava’s Files.createTempDir() + when building applications on Corda. + expires: 2023-09-01T11:38:11.478Z + created: 2022-12-29T11:38:11.489Z + SNYK-JAVA-COMH2DATABASE-31685: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. + + When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:39:26.763Z + created: 2022-12-29T11:39:26.775Z + SNYK-JAVA-COMH2DATABASE-2331071: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. + + When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:41:05.707Z + created: 2022-12-29T11:41:05.723Z + SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044: + - '*': + reason: >- + The vulnerability in okhttp’s error handling is only exploitable in + services that receive and parse HTTP requests. Corda does not receive + HTTP requests and thus is not exposed to this issue. + expires: 2023-09-01T11:42:55.546Z + created: 2022-12-29T11:42:55.556Z + SNYK-JAVA-IONETTY-1042268: + - '*': + reason: >- + Corda does not rely on hostname verification in the P2P protocol to + identify a host, so is not impacted by this vulnerability. Corda uses + its own SSL identity check logic for the network model. Corda + validates based on the full X500 subject name and the fact that P2P + links use mutually authenticated TLS with the same trust roots. For + RPC SSL client connections Artemis is used which calls into netty. 
The + default value for verifyHost is true for Artemis client connectors so + verification of the host name in netty does occur. + expires: 2023-09-01T11:45:42.976Z + created: 2022-12-29T11:45:42.981Z + SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385: + - '*': + reason: >- + This is a build time vulnerability. It relates to the inability to + lock dependencies for Kotlin Multiplatform Gradle Projects. At build + time for Corda we do not use Multiplatform Gradle Projects so are not + affected by this vulnerability. In addition as it is a build time + vulnerability released artifacts are not affected. + expires: 2023-09-01T11:52:35.855Z + created: 2022-12-29T11:52:35.870Z + SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744: + - '*': + reason: >- + This vulnerability relates to information exposure via creation of + temporary files (via Kotlin functions) with insecure permissions. + Corda does not use any of the vulnerable functions so it not + susceptible to this vulnerability. + expires: 2023-09-01T13:39:03.244Z + created: 2022-12-29T13:39:03.262Z + SNYK-JAVA-ORGLIQUIBASE-2419059: + - '*': + reason: >- + This component is used to upgrade the node database schema either at + node startup or via the database migration tool. The XML input for the + database migration is generated by Corda from either R3 supplied XML + files included in corda.jar or those XML files written by the CorDapp + author included in a CorDapp that is installed in the node CorDapps + directory. Contract CorDapps received over the network are not a + source of XML files for this generation step. An attacker trying to + exploit this vulnerability would need access to the server with the + XML input files, and specifically the access and ability to change JAR + files on the file system that make up the Corda installation. + expires: 2023-09-01T13:42:11.552Z + created: 2022-12-29T13:42:11.570Z + SNYK-JAVA-COMH2DATABASE-2348247: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. 
+ When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:36:39.068Z + created: 2022-12-29T11:36:39.089Z + SNYK-JAVA-COMH2DATABASE-1769238: + - '*': + reason: >- + H2 is not invoked by Corda unless the node deployment configures an H2 + database. This is not a supported configuration in Production and so + this vulnerability should be irrelevant except during development on + Corda. Corda itself does not store XML data within the database so + Corda is not susceptible to this vulnerability. If CorDapp developers + store XML data to the database they need to ascertain themselves that + they are not susceptible. + expires: 2023-09-01T11:40:29.871Z + created: 2022-12-29T11:40:29.896Z + SNYK-JAVA-ORGYAML-3152153: + - '*': + reason: >- + There is a transitive dependency on snakeyaml from the third party + components jackson-dataformat-yaml and liquidbase-core. The + jackson-dataformat-yaml component does not use the snakeyaml + databinding layer. For liquidbase we use xml in the changelog files + not yaml. So given this Corda is not susceptible to this + vulnerability.Cordapp authors should exercise their own judgment if + using this library directly in their cordapp. + expires: 2023-09-01T11:35:04.385Z + created: 2023-01-04T11:35:04.414Z + SNYK-JAVA-COMH2DATABASE-3146851: + - '*': + reason: >- + Corda does not make use of the H2 web admin console, so it not + susceptible to this reported vulnerability + expires: 2023-09-01T11:45:11.295Z + created: 2023-01-04T11:45:11.322Z + SNYK-JAVA-ORGBOUNCYCASTLE-2841508: + - '*': + reason: >- + This vulnerability relates to weak key-hash message authentication + code due to an error within the BKS version 1 keystore files. Corda + does not use BKS-V1 for its keystore files so is not susceptible to + this vulnerability. + expires: 2023-09-01T11:32:38.120Z + created: 2022-09-21T11:32:38.125Z +patch: {}
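Review bot: every entry in this `.snyk` file ignores the finding on the `'*'` path, but most of the reasons given are path-specific (for SNYK-JAVA-ORGYAML-3152153 the argument is that jackson-dataformat-yaml does not use the snakeyaml databinding layer and that liquibase changelogs are XML, not YAML), so a new dependency path that pulls the same library into a different code path would be silenced by the same waiver without anyone re-reading the justification; consider scoping each ignore to the dependency paths Snyk actually reported instead of the wildcard, or at least stating in the reason that the waiver was assessed for the current paths only. Two smaller points on the same hunk: the reason text for SNYK-JAVA-ORGYAML-3152153 spells the component `liquidbase-core` (the key above it is `SNYK-JAVA-ORGLIQUIBASE`, so `liquibase-core` is meant) and runs `vulnerability.Cordapp` together without a space, and the SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 and SNYK-JAVA-COMH2DATABASE-3146851 reasons both read `so it not susceptible` (missing `is`). Finally, every `expires` value is 2023-09-01 while the `created` stamps are from 2022-12-29, 2023-01-04 and 2022-09-21 and the patch itself is dated 30 May 2023, so these waivers lapse about three months after they land on this branch; if they are being ported from another release line, the expiry dates should be reviewed rather than copied, and the H2 entries (SNYK-JAVA-COMH2DATABASE-31685, -2331071, -2348247) could carry the same "H2 is not a supported production configuration" statement that the -1769238 entry already makes, since that is the stronger argument.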