Widely distributed vulnerabilities

[benjsmi]

Name	Found in Code	CVEs	Due Date	Status
json-20180813.jar	This is scattered throughout the https://github.com/hyperledger/fabric-chaincode-java repository as a dependency. The one being reported on is a direct dependency from here https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/build.gradle, but would suggest looking at search results because it is smattered throughout the example projects as well: https://github.com/search?q=repo%3Ahyperledger%2Ffabric-chaincode-java%2020180813&type=code	https://nvd.nist.gov/vuln/detail/CVE-2022-45688	Aug 21, 2023	Needs Update
junit-4.12.jar	fabric-chaincode-java includes jUnit v4.12 directly at https://github.com/hyperledger/fabric-chaincode-java/blob/main/build.gradle#L54. Also referenced here: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/src/contracts/fabric-ledger-api/build.gradle#L22. And here: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle. Also, fabric-chaincode-java refers to system-rules v1.17.0 here: https://github.com/hyperledger/fabric-chaincode-java/blob/main/build.gradle#L52, which refers to junit-dep v4.9 as shown in https://mvnrepository.com/artifact/com.github.stefanbirkner/system-rules/1.17.0, and junit-dep v4.9 has migrated to junit v4.11 as per https://mvnrepository.com/artifact/junit/junit-dep/4.11	https://nvd.nist.gov/vuln/detail/CVE-2020-15250	Oct 20, 2023	Partially addressed by #309... https://github.com/hyperledger/fabric-chaincode-java/blob/main/build.gradle#L54 still shows v4.12 as a testCompile dependency... not sure why
logback-classic-1.2.0.jar, logback-core-1.2.0.jar	This is included in the examples as well as the poms for several of the integration tests. Note that logback-classic v1.2.0 imports logback-core v1.2.0 at https://mvnrepository.com/artifact/ch.qos.logback/logback-classic/1.2.0. Here's the locations: fabric-chaincode-java/examples/fabric-contract-example-maven/pom.xml Line 18 in 40126d0 <logback.version>1.2.0</logback.version> , fabric-chaincode-java/fabric-chaincode-integration-test/src/contracts/bare-maven/pom.xml Line 18 in 40126d0 <logback.version>1.2.0</logback.version> , fabric-chaincode-java/fabric-chaincode-integration-test/src/contracts/wrapper-maven/pom.xml Line 18 in 40126d0 <logback.version>1.2.0</logback.version>	https://nvd.nist.gov/vuln/detail/CVE-2021-42550	Aug 20, 2023	A lot has improved with many of the examples. One remains (https://github.com/hyperledger/fabric-chaincode-java/blob/main/examples/fabric-contract-example-maven/pom.xml#L18). #315 fixed it in the examples. This is now resolved ✅
protobuf-java-3.19.4.jar	Check this entire repository for protobuf-java v3.19.4. The search results can be seen here: https://github.com/search?q=repo%3Ahyperledger%2Ffabric-chaincode-java%20protobuf-java&type=code. Examples include fabric-chaincode-java/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle Line 26 in 3b5b2cb implementation group: 'com.google.protobuf', name: 'protobuf-java', version: '3.4.0' and fabric-chaincode-java/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/build.gradle Line 26 in 3b5b2cb implementation group: 'com.google.protobuf', name: 'protobuf-java', version: '3.4.0' .	https://nvd.nist.gov/vuln/detail/CVE-2022-3509, https://nvd.nist.gov/vuln/detail/CVE-2022-3171, https://nvd.nist.gov/vuln/detail/CVE-2022-3510	Oct 20, 2023	The instance of protobuf-java-util at https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L55 has been addressed, but unfortunately, the vulnerability is about protobuf-java, not protobuf-java-util. However, the instances at https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle and https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/build.gradle have had protobuf-java completely removed, which is great work. This appears to be the only instance left in the project. Oddly, Mend scanning is still picking another one up, but I can't find it.
grpc-protobuf-1.45.4.jar, grpc-protobuf-1.46.0	One is included in fabric-chaincode-shim: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L55. Also got one in https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L44, which pulls in fabric-protos v0.2.0, which includes grpc-protobuf v1.45.1 as per https://mvnrepository.com/artifact/org.hyperledger.fabric/fabric-protos/0.2.0.	https://nvd.nist.gov/vuln/detail/CVE-2023-32731	Sep 8, 2023	Needs Update

[bestbeforetoday]

It is certainly good to keep test dependencies up-to-date but we don't ship them so I care much less about vulnerabilities there. The focus of vulnerability scanning should be on the published packages in Maven Central.

[benjsmi]

That's fair/legit. I would say though that this issue in particular has a lot of vulnerabilities in the examples and similar things that end up being used by customers/developers -- sometimes they even take the examples and push them into production environments. I know that's stupid and not fair, but that's what happens.

Also, do you have a list of the code repos that end up pushing packages into Maven Central? I ask because the scanning tool we use (Mend) is focused on source code scanning. Therefore, it will only pick these things up if we point it at the repositories that are used to build those packages.

[benjsmi]

Created a PR to address the remaining logback and json issues -- both of which are/were in the examples and such: #315

[benjsmi]

What's the deal with https://github.com/hyperledger/fabric-chaincode-java/blob/main/build.gradle#L54 -- JUnit v4.12 as a testCompileOnly dependency. Is this strictly required?

[bestbeforetoday]

What's the deal with https://github.com/hyperledger/fabric-chaincode-java/blob/main/build.gradle#L54 -- JUnit v4.12 as a testCompileOnly dependency. Is this strictly required?

I would be very happy for somebody to remove that and ensure all unit tests are using JUnit 5 natively.

[benjsmi]

@bestbeforetoday -- will you please review #316 and #317. This seems like some low-hanging fruit that we can easily fix. I've got some more PRs coming down the pike. Hopefully you'll just be able to review and merge. Thanks!

[bestbeforetoday]

I think all of these vulnerabilities have been addressed in the latest release version.