Dublin HOLMES Security/Vulnerability Report
- Amy Zwarico
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
Repository | Group | Impact Analysis | Action |
|---|---|---|---|
holmes-common | com.fasterxml.jackson.core | False Positive Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization. holmes-common does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by msb-java-sdk. Also, the MSB team has declared this to be a false positive. | |
holmes-common | commons-codec | The dependency is introduced by org.apache.httpcomponents:httpclient:4.5.3 and is indispensable at the moment. The only solution is to replace the component with another. To fix it will cause a lot of changes in our code and bring unforeseeable problems. It may not be the best time to fix this at the moment because we're already at the RCx milestone. | Fix it in the E Release. |
holmes-engine-management | com.fasterxml.jackson.core | False Positive Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization. holmes-engine-management does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by dropwizard-core. To solve the problem, we have to replace the framework of Holmes or wait for updates from Dropwizard. From Homles perspective, we don't use Jackson for JSON data processing. So this is not a big deal for Holmes. | Need to update Dropwizard to check whether its new version has solved this problem. Otherwise, we have to switch to another framework. |
holmes-engine-management | commons-codec | Introduced by org.drools:drools-core:6.5.0.Final which is the core component of the engine management module. Will try to remove it and check whether this will cause any impact on existing funcs. If the answer is negative, we will remove it. Otherwise, we have to wait until the E Release to do further research on this. | |
holmes-rule-management | com.fasterxml.jackson.core | False Positive Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization. holmes-rule-management does not use ObjectMapper for serialization/deserialization of JSON objects. Instead, Holmes uses GSON to avoid the vulnerability issues. The reason this is detected is that jackson-databind is introduced indirectly by dropwizard-core. To solve the problem, we have to replace the framework of Holmes or wait for updates from Dropwizard. From Homles perspective, we don't use Jackson for JSON data processing. So this is not a big deal for Holmes. | Need to update Dropwizard to check whether its new version has solved this problem. Otherwise, we have to switch to another framework. |
holmes-rule-management | commons-codec | The dependency is introduced by org.apache.httpcomponents:httpclient:4.5.6 and is indispensable at the moment. The only solution is to replace the component with another. To fix it will cause a lot of changes in our code and bring unforeseeable problems. It may not be the best time to fix this at the moment because we're already at the RCx milestone. | Fix it in the E Release. |