
Address vulns #1415

Open
metametadata opened this issue Oct 11, 2024 · 1 comment

Comments

@metametadata (Contributor)

cdxgen is installed via npm install -g @cyclonedx/[email protected]

Vulns detected by Grype:

NAME                                                  INSTALLED                FIXED-IN  TYPE          VULNERABILITY        SEVERITY
commons-io                                            2.7                      2.14.0    java-archive  GHSA-78wr-2p64-hpwj  High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/commons-io.commons-io-2.7.jar
org.eclipse.platform.org.eclipse.equinox.app          1.7.100                            java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.app-1.7.100.jar
org.eclipse.platform.org.eclipse.equinox.common       3.19.100                           java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.common-3.19.100.jar
org.eclipse.platform.org.eclipse.equinox.preferences  3.11.100                           java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.preferences-3.11.100.jar
org.eclipse.platform.org.eclipse.equinox.registry     3.12.100                           java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.registry-3.12.100.jar
protobuf-java                                         3.21.7                   3.25.5    java-archive  GHSA-735f-pc8j-v9w8  High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/com.google.protobuf.protobuf-java-3.21.7.jar
protobuf-java                                         3.21.7                             java-archive  CVE-2024-7254        Unknown
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/com.google.protobuf.protobuf-java-3.21.7.jar

The paths after * are the locations of the reported vulns.

metametadata changed the title from "Address vulns detected in the binary" to "Address vulns" on Oct 11, 2024

@prabhu (Contributor) commented Oct 12, 2024
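A small triage helper for the report above, added here as an example and not part of cdxgen, atom or this issue: it parses Grype's table output (the rows embedded below are copied from the report, a subset of them), attaches each `*` path line to its finding, and groups findings by vulnerability id together with whether Grype knows a fixed version and which npm package under node_modules bundles the affected jar. The node_modules layout assumption and the function names are mine.

```python
import re
from collections import defaultdict

# Grype table output, copied from the issue above (a subset of the reported rows).
GRYPE_OUTPUT = """\
NAME                                                  INSTALLED                FIXED-IN  TYPE          VULNERABILITY        SEVERITY
commons-io                                            2.7                      2.14.0    java-archive  GHSA-78wr-2p64-hpwj  High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/commons-io.commons-io-2.7.jar
org.eclipse.platform.org.eclipse.equinox.app          1.7.100                            java-archive  CVE-2021-41033       High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/org.eclipse.platform.org.eclipse.equinox.app-1.7.100.jar
protobuf-java                                         3.21.7                   3.25.5    java-archive  GHSA-735f-pc8j-v9w8  High
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/com.google.protobuf.protobuf-java-3.21.7.jar
protobuf-java                                         3.21.7                             java-archive  CVE-2024-7254        Unknown
  * usr/lib/node_modules/@cyclonedx/cdxgen/node_modules/@appthreat/atom/plugins/lib/com.google.protobuf.protobuf-java-3.21.7.jar
"""
FIELDS = ("name", "installed", "fixed_in", "type", "vulnerability", "severity")

def parse_grype_table(text):
    """Parse Grype's default table output; '* path' lines attach to the preceding row."""
    findings = []
    for line in text.splitlines()[1:]:  # skip the header row
        if line.lstrip().startswith("* "):
            findings[-1]["paths"].append(line.strip()[2:])
            continue
        cols = re.split(r"\s{2,}", line.strip())  # Grype pads columns with 2+ spaces
        if len(cols) == len(FIELDS) - 1:  # FIXED-IN was blank, so its column collapsed
            cols.insert(2, "")
        findings.append(dict(zip(FIELDS, cols), paths=[]))
    return findings

def bundling_package(path):
    """Innermost npm package that ships the artifact (assumes the usual .../node_modules/<pkg>/... layout)."""
    hits = re.findall(r"node_modules/((?:@[^/]+/)?[^/]+)", path)
    return hits[-1] if hits else None

def triage(findings):
    """Per vulnerability id: affected artifacts, which npm package bundles them, whether a fix version is known."""
    out = defaultdict(lambda: {"artifacts": [], "bundled_by": set(), "fix_available": False})
    for f in findings:
        row = out[f["vulnerability"]]
        row["artifacts"].append(f"{f['name']}@{f['installed']}")
        row["bundled_by"].update(bundling_package(p) for p in f["paths"])
        row["fix_available"] |= bool(f["fixed_in"])
    return dict(out)

if __name__ == "__main__":
    for vuln, row in triage(parse_grype_table(GRYPE_OUTPUT)).items():
        print(vuln, row)
```

The `bundled_by` field is what tells you where to file the report: every jar here sits under `@appthreat/atom`, not under cdxgen's own code.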

Probably must be filed under the atom or chen repo. Needs triaging, since I doubt many of the CVEs reported, especially the eclipse ones, are even valid.
