reporting vulnerabilities in dependencies

I am looking to integrate this library into my application that I scan with trivy. Trivy has reported some vulns with the jetty libraries that are included. I’m on Javalin 4.6.3.

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+--------------------------------+------------------+----------+-------------------+--------------------------+--------------------------------------+
|            LIBRARY             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |      FIXED VERSION       |                TITLE                 |
+--------------------------------+------------------+----------+-------------------+--------------------------+--------------------------------------+
| org.eclipse.jetty:jetty-http   | CVE-2022-2047    | LOW      | 9.4.46.v20220331  | 11.0.10, 10.0.10, 9.4.47 | Invalid URI parsing may produce      |
| (ipsummarizer.jar)             |                  |          |                   |                          | invalid HttpURI.authority            |
|                                |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2022-2047 |
+--------------------------------+------------------+----------+                   +--------------------------+--------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2022-2191    | HIGH     |                   | 11.0.10, 10.0.10         | SslConnection does not release       |
| (ipsummarizer.jar)             |                  |          |                   |                          | pooled ByteBuffers in case of errors |
|                                |                  |          |                   |                          | -->avd.aquasec.com/nvd/cve-2022-2191 |
+--------------------------------+------------------+----------+-------------------+--------------------------+--------------------------------------+
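The table above reports one fixed version per Jetty release line (11.0.x, 10.0.x, 9.4.x), and for CVE-2022-2191 it lists no 9.4.x fix at all. The triage step a practitioner wants is therefore "which upgrade stays on my current line, and which findings have no fix on that line". The script below does that over a Trivy JSON report. It is an added example, not code from the issue, Javalin or Trivy; the field names follow the `Results[].Vulnerabilities[]` layout of `trivy -f json`, and the sample report is constructed from the table above. The `.v20220331` suffix on the Jetty version is a build tag and is dropped before comparison; the threshold name `fail_on` is the example's own parameter.

```python
"""Triage a Trivy JSON report: for each finding, pick the smallest fix on the
installed dependency's major.minor line, or flag that the advisory offers no
fix on that line. Added example, not Trivy's or Javalin's code."""
import json
from typing import List, Optional, Tuple

# Trivy's severity names, ranked so a threshold gate can compare them.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample modelled on `trivy -f json` output, populated from the
# table in the issue (Javalin 4.6.3 bundling Jetty 9.4.46.v20220331).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "ipsummarizer.jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-2047",
             "PkgName": "org.eclipse.jetty:jetty-http",
             "InstalledVersion": "9.4.46.v20220331",
             "FixedVersion": "11.0.10, 10.0.10, 9.4.47",
             "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2022-2191",
             "PkgName": "org.eclipse.jetty:jetty-server",
             "InstalledVersion": "9.4.46.v20220331",
             "FixedVersion": "11.0.10, 10.0.10",
             "Severity": "HIGH"},
        ],
    }]
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Leading numeric components only. Jetty's '.v20220331' date tag is a
    build marker, not an ordering key between patch releases, so it is dropped."""
    parts = []
    for piece in v.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def same_line_fix(installed: str, fixed: List[str]) -> Optional[str]:
    """Fixed version on the installed major.minor line, if the advisory has one.
    Trivy lists one fixed version per maintained release line."""
    inst = parse_version(installed)
    candidates = [f for f in fixed
                  if parse_version(f)[:2] == inst[:2] and parse_version(f) > inst]
    return min(candidates, key=parse_version) if candidates else None


def triage(report_json: str, fail_on: str = "HIGH") -> dict:
    """Return per-finding actions and whether the build gate should fail."""
    report = json.loads(report_json)
    actions, gate_failed = [], False
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []):
            fixed = [f.strip() for f in (v.get("FixedVersion") or "").split(",") if f.strip()]
            fix = same_line_fix(v["InstalledVersion"], fixed)
            if fix:
                action = f"upgrade {v['PkgName']} to {fix}"
            elif fixed:
                # No fix on this line: either a major upgrade is needed, or the
                # advisory does not cover this line; check it before suppressing.
                action = (f"no fix on the {v['InstalledVersion']} line; fixes only in "
                          f"{', '.join(fixed)}: plan a major upgrade or verify the "
                          f"advisory actually applies to this line before suppressing")
            else:
                action = "no fix published; track the advisory"
            actions.append({"id": v["VulnerabilityID"], "severity": v["Severity"],
                            "action": action})
            if SEVERITY_RANK[v["Severity"]] >= SEVERITY_RANK[fail_on]:
                gate_failed = True
    return {"actions": actions, "gate_failed": gate_failed}


if __name__ == "__main__":
    out = triage(SAMPLE_REPORT)
    for a in out["actions"]:
        print(f"{a['id']} [{a['severity']}]: {a['action']}")
    print("gate:", "FAIL" if out["gate_failed"] else "PASS")
```

On the sample, CVE-2022-2047 resolves to "upgrade to 9.4.47" and CVE-2022-2191 is flagged as having no 9.4.x fix, which is the distinction that decides whether a same-line bump is enough or whether the advisory's applicability to the 9.4 line has to be checked against the advisory text itself; the script only reads what Trivy reports, it does not decide that question.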

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

Playace commented, Jul 11, 2022 (1 reaction)

tipsy commented, Jul 8, 2022 (1 reaction)

Yes, it usually takes a few hours. mvnrepository is actually not the official page, https://search.maven.org is. You can find the artifact here: https://search.maven.org/artifact/io.javalin/javalin/4.6.4/jar, but it’s also not searchable there yet.

Top Results From Across the Web

  • Vulnerabilities in Dependencies: What You Need to Know
    You want to collect as much information as possible from different sources about potential vulnerabilities. This includes, e.g., all vulnerabilities reported as ...
  • OWASP Dependency-Check
    Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's ...
  • 13 tools for checking the security risk of open-source ...
    It also provides tools that scan for dependencies and find vulnerabilities using public vulnerability databases such as the NIST National Vulnerability ...
  • What are Vulnerable Dependencies?
    When a security vulnerability is found in a third-party dependency, and a new version with a fix is released, it is the responsibility...
  • Auditing package dependencies for security vulnerabilities
    The npm audit command submits a description of the dependencies configured in your package to your default registry and asks for a report...