Camel 3.1: dependency vulnerability in camel-main/headersmap


Camel 3.1: dependency vulnerability in camel-main/headersmap

Remco Schoen
Hi,

Not sure if this is the correct place for this, but I'll post it anyway.

Our vulnerability scanner found a dependency vulnerability in camel-main, and more specifically in camel-headersmap:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Alog4j&cpe_version=cpe%3A%2F%3Aapache%3Alog4j%3A2.5

|    +--- org.apache.camel:camel-main:3.1.0
|    |    +--- org.apache.camel:camel-api:3.1.0 (*)
|    |    +--- org.apache.camel:camel-base:3.1.0 (*)
|    |    +--- org.apache.camel:camel-core-engine:3.1.0 (*)
|    |    +--- org.apache.camel:camel-management-api:3.1.0 (*)
|    |    +--- org.apache.camel:camel-support:3.1.0 (*)
|    |    +--- org.apache.camel:camel-util:3.1.0 (*)
|    |    +--- org.apache.camel:camel-caffeine-lrucache:3.1.0
|    |    |    +--- org.apache.camel:camel-support:3.1.0 (*)
|    |    |    \--- com.github.ben-manes.caffeine:caffeine:2.8.1
|    |    \--- org.apache.camel:camel-headersmap:3.1.0
|    |         +--- org.apache.camel:camel-support:3.1.0 (*)
|    |         \--- com.cedarsoftware:java-util:1.40.0
|    |              \--- org.apache.logging.log4j:log4j-api:2.5

The resolved dependency is log4j-api, not log4j, which is what the vulnerability is about.

I also registered an issue with the project that has the dependency.

Kind regards,

Remco Schoen

Re: Camel 3.1: dependency vulnerability in camel-main/headersmap

Andrea Cosentino-3
Hello Remco,

This is the dependency tree of camel-headersmap in the current master; I don't
see any log4j-api:2.5

[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ camel-headersmap ---
[INFO] org.apache.camel:camel-headersmap:jar:3.2.0-SNAPSHOT
[INFO] +- org.apache.camel:camel-support:jar:3.2.0-SNAPSHOT:compile
[INFO] |  +- org.apache.camel:camel-api:jar:3.2.0-SNAPSHOT:compile
[INFO] |  +- org.apache.camel:camel-management-api:jar:3.2.0-SNAPSHOT:compile
[INFO] |  +- org.apache.camel:camel-util:jar:3.2.0-SNAPSHOT:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- com.cedarsoftware:java-util:jar:1.40.0:compile
[INFO] +- org.apache.camel:camel-test:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-core-engine:jar:3.2.0-SNAPSHOT:test
[INFO] |  |  \- org.apache.camel:camel-base:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-management:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-core-languages:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-bean:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-browse:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-caffeine-lrucache:jar:3.2.0-SNAPSHOT:test
[INFO] |  |  \- com.github.ben-manes.caffeine:caffeine:jar:2.8.1:test
[INFO] |  +- org.apache.camel:camel-controlbus:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-dataformat:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-dataset:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-direct:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-directvm:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-file:jar:3.2.0-SNAPSHOT:test
[INFO] |  |  +- org.apache.camel:camel-cluster:jar:3.2.0-SNAPSHOT:test
[INFO] |  |  \- org.apache.camel:camel-core-catalog:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-language:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-log:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-ref:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-rest:jar:3.2.0-SNAPSHOT:test
[INFO] |  |  \- org.apache.camel:camel-tooling-model:jar:3.2.0-SNAPSHOT:test
[INFO] |  |     \- org.apache.camel:camel-util-json:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-saga:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-scheduler:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-seda:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-stub:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-timer:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-validator:jar:3.2.0-SNAPSHOT:test
[INFO] |  |  \- org.apache.camel:camel-xml-jaxp:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-vm:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-xpath:jar:3.2.0-SNAPSHOT:test
[INFO] |  +- org.apache.camel:camel-xslt:jar:3.2.0-SNAPSHOT:test
[INFO] |  \- org.assertj:assertj-core:jar:3.15.0:test
[INFO] +- org.apache.camel:camel-mock:jar:3.2.0-SNAPSHOT:test
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:test
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.13.1:test
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.13.1:test
[INFO] \- junit:junit:jar:4.13:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test

On Thu, 2 Apr 2020 at 17:53, Remco Schoen <[hidden email]> wrote:

Re: Camel 3.1: dependency vulnerability in camel-main/headersmap

Remco Schoen
Hi Andrea,

Could it be that it is overruled by the test dependencies?
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:test
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.13.1:test

I already see an exclusion for log4j-core as well:

        <dependency>
            <groupId>com.cedarsoftware</groupId>
            <artifactId>java-util</artifactId>
            <version>${java-util-version}</version>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.logging.log4j</groupId>
                    <artifactId>log4j-core</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

Kind regards,

Remco

On 2 Apr 2020, at 18:13, Andrea Cosentino <[hidden email]> wrote:

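The two questions in this thread (through which direct dependency does the flagged log4j artifact arrive, and is it only a test-scoped dependency?) are exactly what a scanner report usually leaves out. The script below is an added example, not code from the Apache Camel project or from any of the posters. It parses the text produced by `gradle dependencies` (the `+---`/`\---` layout in the first post) and by `mvn dependency:tree` (the `[INFO] +-` layout in Andrea's reply), reports every node of a given groupId with the chain of dependencies it is reached through and its Maven scope, and filters out test-scoped hits that never reach the shipped classpath. The sample trees are trimmed copies of the output quoted in the thread; the functions, names and the assumption that one tree level is 5 columns in Gradle and 3 in Maven output are mine.

```python
"""Trace a flagged artifact through Gradle or Maven dependency-tree output.

Added example for this thread; not code from Apache Camel or the posters.
"""
import re
from dataclasses import dataclass, field

# Gradle:  "|    +--- group:artifact:version (*)"   one tree level = 5 columns
_GRADLE_NODE = re.compile(r"^((?:[| ]    )*)[+\\]--- (.*)$")
# Maven:   "[INFO] |  +- group:artifact:type:version:scope"   one level = 3 columns
_MAVEN_NODE = re.compile(r"^((?:[| ]  )*)[+\\]- (.*)$")


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    scope: str                                  # Maven scope; "" for Gradle output
    path: list = field(default_factory=list)    # ancestors, direct dependency first

    @property
    def direct(self):
        """The project's own dependency the artifact arrives through: the place
        where a Maven <exclusion> (as in the java-util one quoted above) goes."""
        return self.path[0] if self.path else f"{self.group}:{self.artifact}:{self.version}"


def _coords(label, maven):
    """Split a node label into (group, artifact, version, scope)."""
    label = label.replace(" (*)", "").strip()
    if "->" in label:                            # Gradle conflict resolution "g:a:1.0 -> 1.2"
        requested, resolved = (s.strip() for s in label.split("->", 1))
        parts = requested.split(":")[:2] + [resolved]
    else:
        parts = label.split(":")
    group, artifact = parts[0], parts[1]
    if maven:                                    # group:artifact:type[:classifier]:version:scope
        return group, artifact, parts[-2], parts[-1]
    return group, artifact, (parts[2] if len(parts) > 2 else ""), ""


def find_artifacts(tree_text, group_prefix):
    """Return a Finding for every node whose groupId starts with group_prefix."""
    findings, stack = [], {}                     # stack: depth -> "group:artifact:version"
    for raw in tree_text.splitlines():
        maven = raw.startswith("[INFO]")
        line = raw[len("[INFO] "):] if maven else raw
        match = (_MAVEN_NODE if maven else _GRADLE_NODE).match(line)
        if not match:                            # project root line or configuration header
            stack.clear()
            continue
        depth = len(match.group(1)) // (3 if maven else 5)
        group, artifact, version, scope = _coords(match.group(2), maven)
        for d in [d for d in stack if d >= depth]:   # leave the previous subtree
            del stack[d]
        path = [stack[d] for d in sorted(stack)]
        stack[depth] = f"{group}:{artifact}:{version}"
        if group.startswith(group_prefix):
            findings.append(Finding(group, artifact, version, scope, path))
    return findings


def runtime_findings(tree_text, group_prefix):
    """Hits that can reach the shipped application. Maven test-scoped entries are
    dropped because they are neither packaged nor on the runtime classpath."""
    return [f for f in find_artifacts(tree_text, group_prefix) if f.scope != "test"]


def describe(finding):
    """One report line: scope, then the chain from direct dependency to the hit."""
    chain = finding.path + [f"{finding.group}:{finding.artifact}:{finding.version}"]
    return f"[{finding.scope or 'resolved'}] " + " > ".join(chain)


# Sample input: trimmed copy of the Gradle tree from the first post.
GRADLE_TREE = r"""
|    +--- org.apache.camel:camel-main:3.1.0
|    |    +--- org.apache.camel:camel-api:3.1.0 (*)
|    |    +--- org.apache.camel:camel-caffeine-lrucache:3.1.0
|    |    |    +--- org.apache.camel:camel-support:3.1.0 (*)
|    |    |    \--- com.github.ben-manes.caffeine:caffeine:2.8.1
|    |    \--- org.apache.camel:camel-headersmap:3.1.0
|    |         +--- org.apache.camel:camel-support:3.1.0 (*)
|    |         \--- com.cedarsoftware:java-util:1.40.0
|    |              \--- org.apache.logging.log4j:log4j-api:2.5
"""

# Sample input: trimmed copy of the Maven tree from Andrea's reply.
MAVEN_TREE = r"""
[INFO] org.apache.camel:camel-headersmap:jar:3.2.0-SNAPSHOT
[INFO] +- org.apache.camel:camel-support:jar:3.2.0-SNAPSHOT:compile
[INFO] |  +- org.apache.camel:camel-api:jar:3.2.0-SNAPSHOT:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- com.cedarsoftware:java-util:jar:1.40.0:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.13.1:test
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.13.1:test
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.13.1:test
[INFO] \- junit:junit:jar:4.13:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

if __name__ == "__main__":
    for name, tree in (("camel-main 3.1.0 (gradle)", GRADLE_TREE),
                       ("camel-headersmap master (maven)", MAVEN_TREE)):
        print(name)
        for f in find_artifacts(tree, "org.apache.logging.log4j"):
            print("  " + describe(f))
        hits = runtime_findings(tree, "org.apache.logging.log4j")
        print("  runtime exposure via:", ", ".join(f.direct for f in hits) or "none")
```

Run against the first tree it reports log4j-api:2.5 reached through camel-main > camel-headersmap > java-util with no scope information (Gradle's tree does not carry one), so the hit counts as runtime exposure until an exclusion or upgrade removes it; against the master tree every log4j entry is test-scoped and the runtime list is empty, which is the answer to the question about test dependencies overruling the transitive one.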

Re: Camel 3.1: dependency vulnerability in camel-main/headersmap

Andrea Cosentino-3
I'll verify :-)

On Thu, 2 Apr 2020 at 18:26, Remco Schoen <[hidden email]> wrote:

Re: Camel 3.1: dependency vulnerability in camel-main/headersmap

Claus Ibsen-2
Hi

I have excluded all the logging dependencies, and we are only using
the fast case-insensitive map, which doesn't use any logging, so there are
no problems.

On Thu, Apr 2, 2020 at 6:55 PM Andrea Cosentino <[hidden email]> wrote:

--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2