
Create maven_dep_tree.txt #35

Open
bandarisantosh wants to merge 1 commit into main from bandarisantosh-patch-28

Conversation

@bandarisantosh
Owner

No description provided.

| | \- org.springframework:spring-jcl:jar:5.3.29:compile
| +- org.springframework:spring-test:jar:5.3.29:test
| \- org.xmlunit:xmlunit-core:jar:2.9.1:test
+- org.json:json:jar:20230227:compile


High severity vulnerability introduced by a package you're using:
Line 130 lists a dependency (org.json:json) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.json:json are vulnerable to a denial of service (DoS) attack.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 20231013 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

@private-semgrep-app

Legal Risk

The following dependencies were released under a license that is currently prohibited by your organization. Merging is blocked until this is resolved.

Recommendation

Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses; however, the general recommendation is to avoid using a dependency under such a license.

  • Apache-2.0
  • BSD-2-Clause
  • BSD-3-Clause
  • EPL-1.0
  • EPL-2.0
  • LGPL-2.1
  • LGPL-2.1-or-later
  • MIT
  • MIT-0
  • MPL-1.1
  • WTFPL
  • non-standard

| | \- io.netty:netty-resolver:jar:4.1.94.Final:compile
| +- io.netty:netty-common:jar:4.1.94.Final:compile
| +- io.netty:netty-buffer:jar:4.1.94.Final:compile
| +- io.netty:netty-handler:jar:4.1.94.Final:compile


High severity issue identified in one of your dependencies:
Line 83 lists a dependency (io.netty:netty-handler) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 4.1.118.Final at maven_dep_tree.txt.


Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| +- io.netty:netty-codec:jar:4.1.94.Final:compile
| +- io.netty:netty-transport:jar:4.1.94.Final:compile
| | \- io.netty:netty-resolver:jar:4.1.94.Final:compile
| +- io.netty:netty-common:jar:4.1.94.Final:compile


Medium severity issue identified in one of your dependencies:
Line 81 lists a dependency (io.netty:netty-common) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 4.1.115.Final at maven_dep_tree.txt.


| | | \- io.netty:netty-codec-dns:jar:4.1.94.Final:compile
| | +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.94.Final:compile
| | | \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.94.Final:compile
| | \- io.projectreactor.netty:reactor-netty-core:jar:1.0.34:compile


High severity issue identified in one of your dependencies:
Line 160 lists a dependency (io.projectreactor.netty:reactor-netty-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.0.39 at maven_dep_tree.txt.


| | \- io.projectreactor.netty:reactor-netty-core:jar:1.0.34:compile
| | \- io.netty:netty-handler-proxy:jar:4.1.94.Final:compile
| | \- io.netty:netty-codec-socks:jar:4.1.94.Final:compile
| \- org.springframework:spring-webflux:jar:5.3.29:compile


High severity issue identified in one of your dependencies:
Line 163 lists a dependency (org.springframework:spring-webflux) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.13 at maven_dep_tree.txt.


| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile
| | \- org.springframework:spring-beans:jar:5.3.22:compile
| \- org.springframework:spring-webmvc:jar:5.3.29:compile


High severity issue identified in one of your dependencies:
Line 23 lists a dependency (org.springframework:spring-webmvc) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.14 at maven_dep_tree.txt.


| | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.14:compile
| | | +- ch.qos.logback:logback-classic:jar:1.2.12:compile
| | | | \- ch.qos.logback:logback-core:jar:1.2.12:compile


High severity issue identified in one of your dependencies:
Line 9 lists a dependency (ch.qos.logback:logback-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.


| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile


Medium severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known Medium severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat are vulnerable to Improper Input Validation. The vulnerability in Apache Tomcat involves a Denial of Service due to improper input validation in HTTP/2 requests, where if the request surpasses configured header limits, the corresponding HTTP/2 stream remains unreset until after all headers have been processed.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.86 at maven_dep_tree.txt.


| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile


High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.34 at maven_dep_tree.txt.


| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile


High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.32 at maven_dep_tree.txt.


| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile


High severity issue identified in one of your dependencies:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 9.0.98 at maven_dep_tree.txt.


| | +- org.springframework.boot:spring-boot:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.14:compile
| | | +- ch.qos.logback:logback-classic:jar:1.2.12:compile


High severity issue identified in one of your dependencies:
Line 8 lists a dependency (ch.qos.logback:logback-classic) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.


| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile


High severity issue identified in one of your dependencies:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 9.0.106 at maven_dep_tree.txt.


| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile


Critical severity vulnerability may affect your project—review required:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-catalina are vulnerable to Deserialization of Untrusted Data / Path Equivalence. This can lead to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

References: GHSA, CVE

To resolve this comment:
Check if you have enabled write for the default servlet (disabled by default) and have support for partial PUT (enabled by default).
In addition to these conditions, a malicious user is able to view security sensitive files and/or inject content into files if:
1. a target URL for security sensitive uploads is a sub-directory of a target URL for public uploads.
2. the attacker knows the names of security sensitive files being uploaded.
3. the security sensitive files are also being uploaded via partial PUT.

A malicious user is able to perform remote code execution if:
1. the application is using Tomcat's file based session persistence with the default storage location.
2. the application includes a library that may be leveraged in a deserialization attack.

  • If you're affected, upgrade this dependency to at least version 9.0.99 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile


High severity vulnerability may affect your project—review required:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core, org.apache.tomcat:tomcat-catalina, and org.apache.tomcat:tomcat-embed-core are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. Apache Tomcat is susceptible to a TOCTOU race condition vulnerability. This occurs when running on a case insensitive file system with the default servlet write enabled, potentially allowing attackers to exploit misconfiguration or race conditions if the system property sun.io.useCanonCaches is not correctly set. Specific mitigations are necessary based on the Java version used, and failure to implement these could lead to unauthorized file writes or other security risks.

References: GHSA, CVE

To resolve this comment:
Check if you run Tomcat on Windows and you do not explicitly set the system property sun.io.useCanonCaches to false (see advisory for more detailed mitigation).

  • If you're affected, upgrade this dependency to at least version 9.0.98 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]

| +- software.amazon.awssdk:apache-client:jar:2.17.97:runtime
| \- software.amazon.awssdk:netty-nio-client:jar:2.17.97:runtime
| +- io.netty:netty-codec-http:jar:4.1.94.Final:compile
| +- io.netty:netty-codec-http2:jar:4.1.94.Final:compile


High severity vulnerability introduced by a package you're using:
Line 77 lists a dependency (io.netty:netty-codec-http2) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of io.netty:netty-codec-http2 are vulnerable to Uncontrolled Resource Consumption. The vulnerability arises when a client issues frequent RST frames, potentially leading to server overload and facilitating a DDoS attack by imposing a significant load on the remote system.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 4.1.100.Final at maven_dep_tree.txt.


| | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.14:compile
| | | +- ch.qos.logback:logback-classic:jar:1.2.12:compile
| | | | \- ch.qos.logback:logback-core:jar:1.2.12:compile


High severity issue identified in one of your dependencies:
Line 9 lists a dependency (ch.qos.logback:logback-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.


+- com.amazonaws:aws-java-sdk-secretsmanager:jar:1.12.173:compile
| +- com.amazonaws:aws-java-sdk-core:jar:1.12.173:compile
| | +- commons-logging:commons-logging:jar:1.1.3:compile
| | +- software.amazon.ion:ion-java:jar:1.0.2:compile


High severity issue identified in one of your dependencies:
Line 98 lists a dependency (software.amazon.ion:ion-java) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency as soon as a patched version is available.


| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile


High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.33 at maven_dep_tree.txt.


| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile


Critical severity vulnerability may affect your project—review required:
Line 21 lists a dependency (org.springframework:spring-web) with a known Critical severity vulnerability.

ℹ️ Why this matters

org.springframework:spring-web versions before 6.0.0 are vulnerable to Deserialization Of Untrusted Data. The readRemoteInvocation method in HttpInvokerServiceExporter.class doesn't properly validate untrusted objects prior to deserialization. An attacker can exploit this by sending malicious requests with crafted objects, leading to arbitrary code execution on the vulnerable system.

References: GHSA, CVE

To resolve this comment:
Check if you rely on Java deserialization for untrusted data.

  • If you're affected, upgrade this dependency to at least version 6.0.0 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile


High severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-coyote are vulnerable to Improper Handling of Exceptional Conditions / Uncontrolled Resource Consumption.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.90 at maven_dep_tree.txt.


+- com.finfare:cache:jar:0.0.2-SNAPSHOT:compile
+- org.springframework.boot:spring-boot-starter-web:jar:2.7.14:compile
| +- org.springframework.boot:spring-boot-starter:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot:jar:2.7.14:compile


High severity issue identified in one of your dependencies:
Line 5 lists a dependency (org.springframework.boot:spring-boot) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 3.3.11 at maven_dep_tree.txt.


+- org.springframework.boot:spring-boot-starter-test:jar:2.7.14:test
| +- org.springframework.boot:spring-boot-test:jar:2.7.14:test
| +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.14:test
| +- com.jayway.jsonpath:json-path:jar:2.7.0:test


Medium severity issue identified in one of your dependencies:
Line 105 lists a dependency (com.jayway.jsonpath:json-path) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 2.9.0 at maven_dep_tree.txt.


+- org.springframework.boot:spring-boot-starter-security:jar:2.7.14:compile
| +- org.springframework:spring-aop:jar:5.3.29:compile
| +- org.springframework.security:spring-security-config:jar:5.7.10:compile
| | \- org.springframework.security:spring-security-core:jar:5.7.10:compile


High severity issue identified in one of your dependencies:
Line 202 lists a dependency (org.springframework.security:spring-security-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.12 at maven_dep_tree.txt.


| +- org.springframework:spring-aop:jar:5.3.29:compile
| +- org.springframework.security:spring-security-config:jar:5.7.10:compile
| | \- org.springframework.security:spring-security-core:jar:5.7.10:compile
| \- org.springframework.security:spring-security-web:jar:5.7.10:compile


Critical severity issue identified in one of your dependencies:
Line 203 lists a dependency (org.springframework.security:spring-security-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.13 at maven_dep_tree.txt.


| | \- io.projectreactor.netty:reactor-netty-core:jar:1.0.34:compile
| | \- io.netty:netty-handler-proxy:jar:4.1.94.Final:compile
| | \- io.netty:netty-codec-socks:jar:4.1.94.Final:compile
| \- org.springframework:spring-webflux:jar:5.3.29:compile

High severity issue identified in one of your dependencies:
Line 163 lists a dependency (org.springframework:spring-webflux) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.14 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

+- org.apache.commons:commons-csv:jar:1.8:compile
+- org.springframework.boot:spring-boot-starter-webflux:jar:2.7.14:compile
| +- org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.7.14:compile
| | \- io.projectreactor.netty:reactor-netty-http:jar:1.0.34:compile

High severity issue identified in one of your dependencies:
Line 155 lists a dependency (io.projectreactor.netty:reactor-netty-http) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.0.39 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile

High severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat:tomcat-catalina are vulnerable to Improper Input Validation / Inconsistent Interpretation Of HTTP Requests ('HTTP Request/Response Smuggling'). The vulnerability arises from the improper parsing of HTTP trailer headers, leading to the potential treatment of a single request as multiple requests, thereby enabling request smuggling, particularly when operating behind a reverse proxy.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.83 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

+- org.springframework.boot:spring-boot-starter-security:jar:2.7.14:compile
| +- org.springframework:spring-aop:jar:5.3.29:compile
| +- org.springframework.security:spring-security-config:jar:5.7.10:compile
| | \- org.springframework.security:spring-security-core:jar:5.7.10:compile

High severity issue identified in one of your dependencies:
Line 202 lists a dependency (org.springframework.security:spring-security-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.12 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile

High severity issue identified in one of your dependencies:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 9.0.106 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile

Critical severity vulnerability may affect your project—review required:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-catalina are vulnerable to Deserialization of Untrusted Data / Path Equivalence. This can lead to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

References: GHSA, CVE

To resolve this comment:
Check if you have enabled write for the default servlet (disabled by default) and have support for partial PUT (enabled by default).
In addition to these conditions, a malicious user is able to view security-sensitive files and/or inject content into files if:
1. a target URL for security-sensitive uploads is a sub-directory of a target URL for public uploads;
2. the attacker knows the names of the security-sensitive files being uploaded;
3. the security-sensitive files are also being uploaded via partial PUT.

A malicious user is able to perform remote code execution if:
1. the application is using Tomcat's file-based session persistence with the default storage location;
2. the application includes a library that may be leveraged in a deserialization attack.

  • If you're affected, upgrade this dependency to at least version 9.0.99 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile

High severity vulnerability may affect your project—review required:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core, org.apache.tomcat:tomcat-catalina, and org.apache.tomcat:tomcat-embed-core are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. Apache Tomcat is susceptible to a TOCTOU race condition vulnerability. This occurs when running on a case insensitive file system with the default servlet write enabled, potentially allowing attackers to exploit misconfiguration or race conditions if the system property sun.io.useCanonCaches is not correctly set. Specific mitigations are necessary based on the Java version used, and failure to implement these could lead to unauthorized file writes or other security risks.

References: GHSA, CVE

To resolve this comment:
Check if you run Tomcat on Windows and you do not explicitly set the system property sun.io.useCanonCaches to false (see advisory for more detailed mitigation).

  • If you're affected, upgrade this dependency to at least version 9.0.98 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile

Medium severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known Medium severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat are vulnerable to Improper Input Validation. The vulnerability in Apache Tomcat involves a Denial of Service due to improper input validation in HTTP/2 requests, where if the request surpasses configured header limits, the corresponding HTTP/2 stream remains unreset until after all headers have been processed.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.86 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

+- com.finfare:cache:jar:0.0.2-SNAPSHOT:compile
+- org.springframework.boot:spring-boot-starter-web:jar:2.7.14:compile
| +- org.springframework.boot:spring-boot-starter:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot:jar:2.7.14:compile

High severity issue identified in one of your dependencies:
Line 5 lists a dependency (org.springframework.boot:spring-boot) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 3.3.11 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile
| | \- org.springframework:spring-beans:jar:5.3.22:compile
| \- org.springframework:spring-webmvc:jar:5.3.29:compile

High severity issue identified in one of your dependencies:
Line 23 lists a dependency (org.springframework:spring-webmvc) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.14 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- io.github.openfeign.form:feign-form-spring:jar:3.8.0:compile
| | \- io.github.openfeign.form:feign-form:jar:3.8.0:compile
| +- org.springframework.cloud:spring-cloud-commons:jar:3.1.3:compile
| | \- org.springframework.security:spring-security-crypto:jar:5.7.10:compile

High severity issue identified in one of your dependencies:
Line 174 lists a dependency (org.springframework.security:spring-security-crypto) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.16 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.14:compile
| | | +- ch.qos.logback:logback-classic:jar:1.2.12:compile
| | | | \- ch.qos.logback:logback-core:jar:1.2.12:compile

High severity issue identified in one of your dependencies:
Line 9 lists a dependency (ch.qos.logback:logback-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.32 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

+- com.amazonaws:aws-java-sdk-secretsmanager:jar:1.12.173:compile
| +- com.amazonaws:aws-java-sdk-core:jar:1.12.173:compile
| | +- commons-logging:commons-logging:jar:1.1.3:compile
| | +- software.amazon.ion:ion-java:jar:1.0.2:compile

High severity issue identified in one of your dependencies:
Line 98 lists a dependency (software.amazon.ion:ion-java) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency as soon as a patched version is available.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile

High severity issue identified in one of your dependencies:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 9.0.98 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | | \- io.netty:netty-codec-dns:jar:4.1.94.Final:compile
| | +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.94.Final:compile
| | | \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.94.Final:compile
| | \- io.projectreactor.netty:reactor-netty-core:jar:1.0.34:compile

High severity issue identified in one of your dependencies:
Line 160 lists a dependency (io.projectreactor.netty:reactor-netty-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.0.39 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.34 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

+- org.springframework.boot:spring-boot-starter-test:jar:2.7.14:test
| +- org.springframework.boot:spring-boot-test:jar:2.7.14:test
| +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.14:test
| +- com.jayway.jsonpath:json-path:jar:2.7.0:test

Medium severity issue identified in one of your dependencies:
Line 105 lists a dependency (com.jayway.jsonpath:json-path) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 2.9.0 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile

Critical severity vulnerability may affect your project—review required:
Line 21 lists a dependency (org.springframework:spring-web) with a known Critical severity vulnerability.

ℹ️ Why this matters

org.springframework:spring-web versions before 6.0.0 are vulnerable to Deserialization Of Untrusted Data. The readRemoteInvocation method in HttpInvokerServiceExporter.class doesn't properly validate untrusted objects prior to deserialization. An attacker can exploit this by sending malicious requests with crafted objects, leading to arbitrary code execution on the vulnerable system.

References: GHSA, CVE

To resolve this comment:
Check if you rely on Java deserialization for untrusted data.

  • If you're affected, upgrade this dependency to at least version 6.0.0 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.33 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| +- software.amazon.awssdk:apache-client:jar:2.17.97:runtime
| \- software.amazon.awssdk:netty-nio-client:jar:2.17.97:runtime
| +- io.netty:netty-codec-http:jar:4.1.94.Final:compile
| +- io.netty:netty-codec-http2:jar:4.1.94.Final:compile

High severity vulnerability introduced by a package you're using:
Line 77 lists a dependency (io.netty:netty-codec-http2) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of io.netty:netty-codec-http2 are vulnerable to Uncontrolled Resource Consumption. The vulnerability arises when a client issues frequent RST frames, potentially leading to server overload and facilitating a DDoS attack by imposing a significant load on the remote system.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 4.1.100.Final at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.
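The netty-codec-http2 finding describes the HTTP/2 Rapid Reset pattern: a client opens a stream and immediately cancels it with RST_STREAM, so the server does the work of starting each request while the client's stream count never reaches the concurrency limit. The defence class is to count RST_STREAM frames per connection over a sliding window and close connections that exceed a threshold; Netty's fix in 4.1.100.Final takes this approach with a configurable per-window RST limit. The example below is an added illustration of that limiter, not Netty's code and not part of this PR; the thresholds (200 frames per 30 seconds) and both frame traces are constructed assumptions.

```python
"""Sliding-window RST_STREAM rate limit, per connection.

Added illustration of the mitigation class for HTTP/2 Rapid Reset. Not Netty's
implementation; threshold values and the frame traces below are constructed.
"""
from collections import deque

HEADERS = 0x1      # HTTP/2 frame type: HEADERS (opens a stream)
RST_STREAM = 0x3   # HTTP/2 frame type: RST_STREAM (cancels a stream)


class RstRateLimiter:
    """Trip when more than max_rst RST_STREAM frames arrive inside any
    window_seconds-long sliding window on one connection."""

    def __init__(self, max_rst: int = 200, window_seconds: float = 30.0):
        self.max_rst = max_rst
        self.window = window_seconds
        self._times = deque()  # arrival times of RST_STREAM frames still in window
        self.tripped = False

    def observe(self, frame_type: int, now: float) -> bool:
        """Record one inbound frame. Returns False once the connection should
        be closed (GOAWAY + close in a real server); True to keep serving."""
        if self.tripped:
            return False
        if frame_type != RST_STREAM:
            return True
        self._times.append(now)
        # Drop RSTs that have aged out of the window before counting
        while self._times and now - self._times[0] > self.window:
            self._times.popleft()
        if len(self._times) > self.max_rst:
            self.tripped = True
            return False
        return True


def replay(frames, limiter: RstRateLimiter):
    """Feed (frame_type, timestamp) pairs in order; return the index of the
    frame that tripped the limiter, or None if the connection survives."""
    for i, (ftype, ts) in enumerate(frames):
        if not limiter.observe(ftype, ts):
            return i
    return None


def benign_trace():
    """Constructed: 50 requests over 25 s, every tenth one cancelled by the client."""
    frames = []
    for n in range(50):
        t = n * 0.5
        frames.append((HEADERS, t))
        if n % 10 == 0:
            frames.append((RST_STREAM, t + 0.01))
    return frames


def rapid_reset_trace():
    """Constructed: 1000 HEADERS/RST_STREAM pairs inside one second."""
    frames = []
    for n in range(1000):
        t = n * 0.001
        frames.append((HEADERS, t))
        frames.append((RST_STREAM, t + 0.0005))
    return frames


if __name__ == "__main__":
    print("benign client tripped at:", replay(benign_trace(), RstRateLimiter()))
    print("rapid reset tripped at:", replay(rapid_reset_trace(), RstRateLimiter()))
```

The limiter is deliberately per connection rather than global: a single abusive connection is closed without affecting others, and a legitimate client cancelling a handful of streams (the benign trace) stays well under the threshold. Tune `max_rst` against real traffic before deploying, since gRPC and browser clients do reset streams in normal operation.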

| | \- io.projectreactor.netty:reactor-netty-core:jar:1.0.34:compile
| | \- io.netty:netty-handler-proxy:jar:4.1.94.Final:compile
| | \- io.netty:netty-codec-socks:jar:4.1.94.Final:compile
| \- org.springframework:spring-webflux:jar:5.3.29:compile

High severity issue identified in one of your dependencies:
Line 163 lists a dependency (org.springframework:spring-webflux) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.14 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile

High severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-coyote are vulnerable to Improper Handling of Exceptional Conditions / Uncontrolled Resource Consumption.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.90 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- org.springframework.boot:spring-boot:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.14:compile
| | | +- ch.qos.logback:logback-classic:jar:1.2.12:compile

High severity issue identified in one of your dependencies:
Line 8 lists a dependency (ch.qos.logback:logback-classic) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- io.netty:netty-resolver:jar:4.1.94.Final:compile
| +- io.netty:netty-common:jar:4.1.94.Final:compile
| +- io.netty:netty-buffer:jar:4.1.94.Final:compile
| +- io.netty:netty-handler:jar:4.1.94.Final:compile

High severity issue identified in one of your dependencies:
Line 83 lists a dependency (io.netty:netty-handler) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 4.1.118.Final at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

@private-semgrep-app
Legal Risk

The following dependencies were released under a license that is currently prohibited by your organization. Merging is blocked until this is resolved.

Recommendation

Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses; however, the general recommendation is to avoid using a dependency under such a license.

0BSD

AFL-2.1

Apache-2.0

BSD-2-Clause

BSD-3-Clause

BlueOak-1.0.0

CC-BY-3.0

CC-BY-4.0

CC0-1.0

EPL-1.0

EPL-2.0

GPL-2.0

ISC

LGPL-2.1

LGPL-2.1-or-later

MIT


This comment was truncated because it was too long

| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile

High severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat:tomcat-catalina are vulnerable to Improper Input Validation / Inconsistent Interpretation Of Http Requests ('Http Request/Response Smuggling'). The vulnerability arises from the improper parsing of HTTP trailer headers, leading to the potential treatment of a single request as multiple requests, thereby enabling request smuggling, particularly when operating behind a reverse proxy.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.83 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile
| | \- org.springframework:spring-beans:jar:5.3.22:compile
| \- org.springframework:spring-webmvc:jar:5.3.29:compile

High severity issue identified in one of your dependencies:
Line 23 lists a dependency (org.springframework:spring-webmvc) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

1 participant