Vulnerabilities in Gradle 5.1.1

Hi Team,

I am using Gradle 5.1.1 to compile my Spring Boot applications in a Docker container.
I am using JFrog Artifactory to store all the artifacts. It runs a JFrog artifact scan, which is causing the issue.
Gradle 5.1.1 comes with commons-collections-3.2.2.jar in the lib folder and bcprov-jdk15on-1.60.jar in the lib/plugin folder. These JARs are causing the JFrog Xray issue.
These are the vulnerabilities that are causing my build to fail.

Expected Behavior

XRAY scan should pass

Current Behavior

XRAY scan is failing with the vulnerabilities attached

Context

Can you please let me know

  1. Is there any way we can upgrade these 2 JARs in gradle-5.1.1?
  2. I have tried directly replacing the JARs with the upgraded versions, but then it is not able to compile my code.

Please let me know, as this issue is a blocker.

JARs in which the vulnerabilities are fixed (versions below):

bcprov-jdk15on-1.61.jar
commons-collections4-4.2.jar

Can you please let us know how we can update the pre-existing JARs in the Gradle package, i.e. gradle-5.1.1-all.zip?

NOTE: I want the JARs to be updated in the Gradle package inside the lib folder.

ERRORLOGS

            "cglclouddev/clouddev-docker-registry-intake/drone-plugin-cgl-cxo-gradle/ef693a0/sha256__84b78ffa37872242bac49f5cc08e184c8678d32358b83a1f9e5a35be363c621d.tar.gz/usr/local/gradle/lib/commons-collections-3.2.2.jar"
        ],
        "issue_type": "security",
        "provider": "JFrog",
        "severity": "High",
        "summary": "The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library."
    },
    {
        "created": "2017-11-19T00:00:00.124Z",
        "cves": [
            {
                "cve": "CVE-2016-4369",
                "cvss_v2": "6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "cwe": [
                    "CWE-284"
                ]
            }
        ],
        "description": "HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.",
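The kind of check this issue is asking for, as an added example that is not part of the original issue and is not Gradle's own tooling: a POSIX shell script that inventories the jars bundled under a Gradle distribution's lib directory (lib/plugins included) and fails when a named artifact is older than the version in which a finding was fixed, which is the same question Xray is answering against the image. The fixture it builds is constructed (empty files named like the two jars above), the Gradle home /usr/local/gradle in the usage comment is taken from the log path and is an assumption about the reader's layout, and the "<artifact>-<version>.jar" naming it parses is an assumption that holds for the two jars named in the issue.

```shell
#!/bin/sh
# Added example, not part of the original issue or of Gradle itself.
# Audits the jars bundled under <gradle_home>/lib (including lib/plugins)
# and fails when a named artifact is older than a required minimum version.

# Print "<artifact> <version> <path>" for every jar below <gradle_home>/lib.
# Jar file names are assumed to follow "<artifact>-<version>.jar".
list_gradle_jars() {
    gradle_home=$1
    find "$gradle_home/lib" -name '*.jar' | while read -r jar; do
        base=$(basename "$jar" .jar)
        # The version is whatever follows the last hyphen that precedes a digit,
        # so hyphenated artifact ids such as bcprov-jdk15on are kept intact.
        version=$(printf '%s\n' "$base" | sed -n 's/.*-\([0-9][0-9A-Za-z.]*\)$/\1/p')
        artifact=${base%-"$version"}
        printf '%s %s %s\n' "$artifact" "$version" "$jar"
    done
}

# Return 0 when dotted version $1 is strictly lower than $2 (numeric compare
# per component, missing components count as 0; "3.2.2" < "4.2", "1.60" < "1.61").
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i; next }
        {
            if (NF > n) n = NF
            for (i = 1; i <= n; i++) {
                x = (i in a) ? a[i] + 0 : 0
                y = (i <= NF) ? $i + 0 : 0
                if (x < y) exit 0
                if (x > y) exit 1
            }
            exit 1
        }'
}

# Usage: check_min_version <gradle_home> <artifact> <min_version>
# Prints each offending jar path and returns 1 if any copy of <artifact>
# is older than <min_version>; returns 0 otherwise.
check_min_version() {
    gradle_home=$1 artifact=$2 min=$3
    offenders=$(list_gradle_jars "$gradle_home" | while read -r name ver path; do
        [ "$name" = "$artifact" ] || continue
        if version_lt "$ver" "$min"; then
            printf '%s\n' "$path"
        fi
    done)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed fixture mimicking the layout the issue describes (empty files
# standing in for the real jars); prints the directory it created.
make_fixture() {
    dir=${TMPDIR:-/tmp}/gradle-audit.$$
    mkdir -p "$dir/lib/plugins"
    : > "$dir/lib/commons-collections-3.2.2.jar"
    : > "$dir/lib/plugins/bcprov-jdk15on-1.60.jar"
    printf '%s\n' "$dir"
}

# Example invocation (the Gradle home path is an assumption):
#   sh gradle-lib-audit.sh /usr/local/gradle bcprov-jdk15on 1.61
if [ $# -eq 3 ]; then
    check_min_version "$1" "$2" "$3"
fi
```

The script compares versions only within one artifact name on purpose: commons-collections4 (Maven coordinates org.apache.commons:commons-collections4, Java package org.apache.commons.collections4) is a different artifact from commons-collections 3.x (commons-collections:commons-collections, package org.apache.commons.collections), not a newer release of it, so a check that treated 4.2 as "the fixed version of 3.2.2" would report the wrong thing, and a jar swapped in under the old name would not satisfy code compiled against the old package.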

Hi Team,

Please let me know if you need any other help here.