From 6e066309808e065ae98cbfead063bce2de51df2c Mon Sep 17 00:00:00 2001 From: Chris Cochrane Date: Thu, 18 May 2023 11:25:46 +0100 Subject: [PATCH 1/3] Upgraded sshd-common compile-time dependency --- testing/node-driver/build.gradle | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/testing/node-driver/build.gradle b/testing/node-driver/build.gradle index f958ea9a9a..772813c41b 100644 --- a/testing/node-driver/build.gradle +++ b/testing/node-driver/build.gradle @@ -27,8 +27,7 @@ sourceSets { dependencies { compile project(':test-utils') - compile group: 'org.apache.sshd', name: 'sshd-common', version: '2.3.0' -// integrationTestRuntime group: 'org.apache.sshd', name: 'sshd-common', version: '2.3.0' + compile group: 'org.apache.sshd', name: 'sshd-common', version: '2.9.2' // Integration test helpers testCompile "org.assertj:assertj-core:$assertj_version" From 9af77719d0ca10550632a405684c839a4a7e2d03 Mon Sep 17 00:00:00 2001 From: nargas-ritu Date: Tue, 30 May 2023 11:54:05 +0100 Subject: [PATCH 2/3] NOTICK: Corda OS 4.9.7 waivers --- .snyk | 134 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 0000000000..1d07fa8b7b --- /dev/null +++ b/.snyk 
@@ -0,0 +1,134 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +# ignores vulnerabilities until expiry date; change duration by modifying expiry date +ignore: + SNYK-JAVA-COMGOOGLEGUAVA-1015415: + - '*': + reason: >- + Guava’s Files.createTempDir() is used during integration tests only. + Users of Corda are advised not to use Guava’s Files.createTempDir() + when building applications on Corda. + expires: 2023-09-01T11:38:11.478Z + created: 2022-12-29T11:38:11.489Z + SNYK-JAVA-COMH2DATABASE-31685: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. + + When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:39:26.763Z + created: 2022-12-29T11:39:26.775Z + SNYK-JAVA-COMH2DATABASE-2331071: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. + + When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:41:05.707Z + created: 2022-12-29T11:41:05.723Z + SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044: + - '*': + reason: >- + The vulnerability in okhttp’s error handling is only exploitable in + services that receive and parse HTTP requests. Corda does not receive + HTTP requests and thus is not exposed to this issue. + expires: 2023-09-01T11:42:55.546Z + created: 2022-12-29T11:42:55.556Z + SNYK-JAVA-IONETTY-1042268: + - '*': + reason: >- + Corda does not rely on hostname verification in the P2P protocol to + identify a host, so is not impacted by this vulnerability. Corda uses + its own SSL identity check logic for the network model. Corda + validates based on the full X500 subject name and the fact that P2P + links use mutually authenticated TLS with the same trust roots. For + RPC SSL client connections Artemis is used which calls into netty. 
The + default value for verifyHost is true for Artemis client connectors so + verification of the host name in netty does occur. + expires: 2023-09-01T11:45:42.976Z + created: 2022-12-29T11:45:42.981Z + SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385: + - '*': + reason: >- + This is a build time vulnerability. It relates to the inability to + lock dependencies for Kotlin Multiplatform Gradle Projects. At build + time for Corda we do not use Multiplatform Gradle Projects so are not + affected by this vulnerability. In addition as it is a build time + vulnerability released artifacts are not affected. + expires: 2023-09-01T11:52:35.855Z + created: 2022-12-29T11:52:35.870Z + SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744: + - '*': + reason: >- + This vulnerability relates to information exposure via creation of + temporary files (via Kotlin functions) with insecure permissions. + Corda does not use any of the vulnerable functions so it not + susceptible to this vulnerability. + expires: 2023-09-01T13:39:03.244Z + created: 2022-12-29T13:39:03.262Z + SNYK-JAVA-ORGLIQUIBASE-2419059: + - '*': + reason: >- + This component is used to upgrade the node database schema either at + node startup or via the database migration tool. The XML input for the + database migration is generated by Corda from either R3 supplied XML + files included in corda.jar or those XML files written by the CorDapp + author included in a CorDapp that is installed in the node CorDapps + directory. Contract CorDapps received over the network are not a + source of XML files for this generation step. An attacker trying to + exploit this vulnerability would need access to the server with the + XML input files, and specifically the access and ability to change JAR + files on the file system that make up the Corda installation. + expires: 2023-09-01T13:42:11.552Z + created: 2022-12-29T13:42:11.570Z + SNYK-JAVA-COMH2DATABASE-2348247: + - '*': + reason: >- + H2 console is not enabled for any of the applications we are running. 
+ When it comes to DB connectivity parameters, we do not allow changing + them as they are supplied by Corda Node configuration file. + expires: 2023-09-01T11:36:39.068Z + created: 2022-12-29T11:36:39.089Z + SNYK-JAVA-COMH2DATABASE-1769238: + - '*': + reason: >- + H2 is not invoked by Corda unless the node deployment configures an H2 + database. This is not a supported configuration in Production and so + this vulnerability should be irrelevant except during development on + Corda. Corda itself does not store XML data within the database so + Corda is not susceptible to this vulnerability. If CorDapp developers + store XML data to the database they need to ascertain themselves that + they are not susceptible. + expires: 2023-09-01T11:40:29.871Z + created: 2022-12-29T11:40:29.896Z + SNYK-JAVA-ORGYAML-3152153: + - '*': + reason: >- + There is a transitive dependency on snakeyaml from the third party + components jackson-dataformat-yaml and liquidbase-core. The + jackson-dataformat-yaml component does not use the snakeyaml + databinding layer. For liquidbase we use xml in the changelog files + not yaml. So given this Corda is not susceptible to this + vulnerability.Cordapp authors should exercise their own judgment if + using this library directly in their cordapp. + expires: 2023-09-01T11:35:04.385Z + created: 2023-01-04T11:35:04.414Z + SNYK-JAVA-COMH2DATABASE-3146851: + - '*': + reason: >- + Corda does not make use of the H2 web admin console, so it not + susceptible to this reported vulnerability + expires: 2023-09-01T11:45:11.295Z + created: 2023-01-04T11:45:11.322Z + SNYK-JAVA-ORGBOUNCYCASTLE-2841508: + - '*': + reason: >- + This vulnerability relates to weak key-hash message authentication + code due to an error within the BKS version 1 keystore files. Corda + does not use BKS-V1 for its keystore files so is not susceptible to + this vulnerability. + expires: 2023-09-01T11:32:38.120Z + created: 2022-09-21T11:32:38.125Z +patch: {} 
From c64ad75ee37a1350f781eaf724877fa274ab9b1f Mon Sep 17 00:00:00 2001 From: nargas-ritu Date: Tue, 30 May 2023 19:08:43 +0100 Subject: [PATCH 3/3] ENT-9108: Corda OS 4.9.7 remaining waivers --- .snyk | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/.snyk b/.snyk index 1d07fa8b7b..2b9605267a 100644 --- a/.snyk +++ b/.snyk 
@@ -131,4 +131,101 @@ ignore: this vulnerability. expires: 2023-09-01T11:32:38.120Z created: 2022-09-21T11:32:38.125Z +SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424: + - '*': + reason: >- + Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required + for this vulnerability. In addition Corda does not use Jackson for + deserialization except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. This + vulnerability relates to deeply nested untyped Object or Array values + (3000 levels deep). Only CorDapps with these types at this level of + nesting are potentially susceptible. + expires: 2023-09-01T12:04:40.180Z + created: 2023-02-09T12:04:40.209Z + SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426: + - '*': + reason: >- + Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required + for this vulnerability. In addition Corda does not use Jackson for + deserialization except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. This + vulnerability relates to deeply nested untyped Object or Array values + (3000 levels deep). Only CorDapps with these types at this level of + nesting are potentially susceptible. + expires: 2023-09-01T12:05:03.931Z + created: 2023-02-09T12:05:03.962Z + SNYK-JAVA-ORGYAML-2806360: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. 
Liquibase is + used to apply the database migration changes. XML files are used here + to define the changes not YAML and therefore the Corda node itself is + not exposed to this DOS vulnerability. + expires: 2023-09-01T13:40:55.262Z + created: 2022-09-21T13:40:55.279Z + SNYK-JAVA-ORGYAML-3016891: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T16:37:28.911Z + created: 2023-02-06T16:37:28.933Z + SNYK-JAVA-ORGYAML-3016888: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T13:39:49.450Z + created: 2022-09-21T13:39:49.470Z + SNYK-JAVA-ORGYAML-3016889: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. 
+ Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T16:35:13.840Z + created: 2023-02-06T16:35:13.875Z + SNYK-JAVA-ORGYAML-3113851: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2024-04-01T00:00:00.000Z + created: 2022-11-29T14:55:03.623Z patch: {}
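Review bot: in the `build.gradle` hunk the upgraded line `compile group: 'org.apache.sshd', name: 'sshd-common', version: '2.9.2'` hard-codes the version, while the neighbouring `testCompile "org.assertj:assertj-core:$assertj_version"` reads its version from a Gradle property; consider hoisting `2.9.2` into a project-level property (a name such as `sshd_version` is only a suggestion) so every sshd artifact in the build moves together and the next bump is a one-line change. The commit message says only that the dependency was upgraded; since this series also lands a set of Snyk waivers, a sentence on why 2.3.0 is being left behind would let a reviewer tie the upgrade to the risk it closes. Removing the commented-out `integrationTestRuntime` line is fine.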
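Review bot: in the new `.snyk` file, several `reason` strings have wording defects that will be read by auditors: `liquidbase-core` and `For liquidbase we use xml` in SNYK-JAVA-ORGYAML-3152153 should read Liquibase, `vulnerability.Cordapp` is missing a space, and `so it not susceptible` (SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 and SNYK-JAVA-COMH2DATABASE-3146851) should read `so it is not susceptible`. More substantively, every entry uses the path wildcard `'*'` and nearly all expire on 2023-09-01, so the whole waiver set lapses on one day; since these are risk-acceptance records, each reason should state the condition under which the waiver stops holding (the H2 entries rest on the console staying disabled and the database parameters staying fixed by node configuration, the snakeyaml entry on Liquibase changelogs staying XML), so the next review can verify the justification rather than re-accept it wholesale.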
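Review bot: in the second `.snyk` hunk the first added key `+SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:` sits at column 0, while every other ignore id (including the `SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:` entry immediately after it) is indented two spaces under `ignore:`; as written it becomes a top-level YAML key rather than a child of `ignore:`, so Snyk will not apply that waiver and may reject the policy file. Indent it to match its siblings. Also, the five SNYK-JAVA-ORGYAML entries repeat the same `Snakeyaml is being used by Jackson and liquidbase.` text (Liquibase misspelled each time), and SNYK-JAVA-ORGYAML-3113851 expires on 2024-04-01 while every other entry expires 2023-09-01; if the longer expiry is intentional, the reason should say why.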