.snyk
executable file
·261 lines (261 loc) · 13.8 KB
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
  SNYK-JAVA-IONETTY-1042268:
    - '*':
        reason: >-
          Corda does not rely on hostname verification in the P2P protocol to
          identify a host, so is not impacted by this vulnerability. Corda uses
          its own SSL identity check logic for the network model. Corda
          validates based on the full X500 subject name and the fact that P2P
          links use mutually authenticated TLS with the same trust roots. For
          RPC SSL client connections Artemis is used, which calls into Netty.
          The default value for verifyHost is true for Artemis client
          connectors, so verification of the host name in Netty does occur.
        expires: 2023-03-21T11:45:42.976Z
        created: 2022-12-13T11:45:42.981Z
  SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385:
    - '*':
        reason: >-
          This is a build-time vulnerability. It relates to the inability to
          lock dependencies for Kotlin Multiplatform Gradle projects. At build
          time Corda does not use Multiplatform Gradle projects, so it is not
          affected by this vulnerability. In addition, as it is a build-time
          vulnerability, released artifacts are not affected.
        expires: 2023-03-21T11:52:35.855Z
        created: 2022-12-13T11:52:35.870Z
  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
    - '*':
        reason: >-
          This vulnerability relates to information exposure via creation of
          temporary files (via Kotlin functions) with insecure permissions.
          Corda does not use any of the vulnerable functions, so it is not
          susceptible to this vulnerability.
        expires: 2023-03-21T13:39:03.244Z
        created: 2022-12-13T13:39:03.262Z
  SNYK-JAVA-ORGYAML-3016888:
    - '*':
        reason: >-
          SnakeYAML is used by Jackson and Liquibase. Corda does not use
          Jackson for deserialization except in the optional shell, which we
          recommend using standalone. The Corda node itself is not exposed.
          Corda does however provide mappings of Corda types to allow CorDapps
          to use Jackson, and CorDapps using Jackson should make their own
          assessment. Liquibase is used to apply the database migration changes.
          XML files are used here to define the changes, not YAML, and therefore
          the Corda node itself is not exposed to this deserialisation
          vulnerability.
        expires: 2023-03-21T13:39:49.450Z
        created: 2022-12-13T13:39:49.470Z
  SNYK-JAVA-ORGYAML-2806360:
    - '*':
        reason: >-
          SnakeYAML is used by Jackson and Liquibase. Corda does not use
          Jackson except in the optional shell, which we recommend using
          standalone. The Corda node itself is not exposed. Corda does however
          provide mappings of Corda types to allow CorDapps to use Jackson, and
          CorDapps using Jackson should make their own assessment. Liquibase is
          used to apply the database migration changes. XML files are used here
          to define the changes, not YAML, and therefore the Corda node itself is
          not exposed to this DoS vulnerability.
        expires: 2023-03-21T13:40:55.262Z
        created: 2022-12-13T13:40:55.279Z
  SNYK-JAVA-ORGLIQUIBASE-2419059:
    - '*':
        reason: >-
          This component is used to upgrade the node database schema either at
          node startup or via the database migration tool. The XML input for the
          database migration is generated by Corda from either R3-supplied XML
          files included in corda.jar or XML files written by the CorDapp
          author and included in a CorDapp that is installed in the node's
          cordapps directory. Contract CorDapps received over the network are
          not a source of XML files for this generation step. An attacker trying
          to exploit this vulnerability would need access to the server with the
          XML input files, and specifically the access and ability to change JAR
          files on the file system that make up the Corda installation.
        expires: 2023-03-21T13:42:11.552Z
        created: 2022-12-13T13:42:11.570Z
  SNYK-JAVA-ORGYAML-3113851:
    - '*':
        reason: >-
          SnakeYAML is used by Jackson and Liquibase. Corda does not use
          Jackson for deserialization except in the optional shell, which we
          recommend using standalone. The Corda node itself is not exposed.
          Corda does however provide mappings of Corda types to allow CorDapps
          to use Jackson, and CorDapps using Jackson should make their own
          assessment. Liquibase is used to apply the database migration changes.
          XML files are used here to define the changes, not YAML, and therefore
          the Corda node itself is not exposed to this deserialisation
          vulnerability.
        expires: 2024-04-30T00:00:00.000Z
        created: 2022-12-13T14:55:03.623Z
  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
    - '*':
        reason: >-
          Corda does not use Jackson for deserialization except in the optional
          shell, which we recommend using standalone. The Corda node itself is
          not exposed. Corda does however provide mappings of Corda types to
          allow CorDapps to use Jackson, and CorDapps using Jackson should make
          their own assessment. This vulnerability relates to deeply nested
          untyped Object or Array values (3000 levels deep). Only CorDapps with
          these types at this level of nesting are potentially susceptible.
        expires: 2023-03-12T16:50:57.921Z
        created: 2022-12-13T16:50:57.943Z
  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:
    - '*':
        reason: >-
          Corda does not use Jackson for deserialization except in the optional
          shell, which we recommend using standalone. The Corda node itself is
          not exposed. Corda does however provide mappings of Corda types to
          allow CorDapps to use Jackson, and CorDapps using Jackson should make
          their own assessment. This vulnerability relates to deeply nested
          untyped Object or Array values (3000 levels deep). Only CorDapps with
          these types at this level of nesting are potentially susceptible.
        expires: 2023-03-12T16:52:30.722Z
        created: 2022-12-13T16:52:30.747Z
  SNYK-JAVA-ORGYAML-3016891:
    - '*':
        reason: >-
          SnakeYAML is used by Jackson and Liquibase. Corda does not use
          Jackson for deserialization except in the optional shell, which we
          recommend using standalone. The Corda node itself is not exposed.
          Corda does however provide mappings of Corda types to allow CorDapps
          to use Jackson, and CorDapps using Jackson should make their own
          assessment. Liquibase is used to apply the database migration changes.
          XML files are used here to define the changes, not YAML, and therefore
          the Corda node itself is not exposed to this deserialisation
          vulnerability.
        expires: 2023-03-12T17:00:51.957Z
        created: 2022-12-13T17:00:51.970Z
  SNYK-JAVA-ORGYAML-3016889:
    - '*':
        reason: >-
          SnakeYAML is used by Jackson and Liquibase. Corda does not use
          Jackson for deserialization except in the optional shell, which we
          recommend using standalone. The Corda node itself is not exposed.
          Corda does however provide mappings of Corda types to allow CorDapps
          to use Jackson, and CorDapps using Jackson should make their own
          assessment. Liquibase is used to apply the database migration changes.
          XML files are used here to define the changes, not YAML, and therefore
          the Corda node itself is not exposed to this deserialisation
          vulnerability.
        expires: 2023-03-12T17:02:02.538Z
        created: 2022-12-13T17:02:02.564Z
  SNYK-JAVA-IONETTY-473694:
    - '*':
        reason: >-
          Corda does not use Netty HTTP (and does not use HTTP in the P2P
          protocol). This is a transitive dependency of the Netty comms library,
          but it is not used in Corda, which uses a custom binary protocol
          secured by mutually authenticated TLS. The vulnerability relating to
          HTTP request smuggling is not exposed.
        expires: 2023-03-28T11:16:29.187Z
        created: 2022-12-29T11:16:29.207Z
  SNYK-JAVA-IONETTY-3167773:
    - '*':
        reason: >-
          Corda does not use Netty HTTP (and does not use HTTP in the P2P
          protocol). This is a transitive dependency of the Netty comms library,
          but it is not used in Corda, which uses a custom binary protocol
          secured by mutually authenticated TLS. The vulnerability relating to
          HTTP response splitting is not exposed.
        expires: 2023-03-03T12:12:52.060Z
        created: 2023-01-04T12:12:52.066Z
  SNYK-JAVA-ORGYAML-3152153:
    - '*':
        reason: >-
          There is a transitive dependency on SnakeYAML from the third-party
          components jackson-dataformat-yaml and liquibase-core. The
          jackson-dataformat-yaml component does not use the SnakeYAML
          databinding layer. For Liquibase we use XML in the changelog files,
          not YAML. Given this, Corda is not susceptible to this vulnerability.
          CorDapp authors should exercise their own judgment if using this
          library directly in their CorDapp.
        expires: 2023-03-03T12:13:26.559Z
        created: 2023-01-04T12:13:26.593Z
  SNYK-JAVA-ORGAPACHECOMMONS-3043138:
    - '*':
        reason: >-
          This vulnerability relates to the interpolation of configuration
          properties performed by commons-text. This allows configuration
          properties to be dynamically evaluated and expanded. The set of
          default interpolators included with commons-text includes ones that
          could execute code and contact remote servers. In Corda, Apache
          commons-text 1.9 is used by Apache commons-configuration 2.8,
          which is used by Apache Artemis 2.19.1. We do not use configuration
          files with Artemis. In addition, commons-configuration 2.8 already
          handles this vulnerability in that it removes from the default list of
          interpolators in commons-text those interpolators that can execute
          code or access a remote server. For these reasons Corda is not
          susceptible to this vulnerability.
        expires: 2023-03-03T13:59:15.928Z
        created: 2023-01-04T13:59:15.940Z
  SNYK-JAVA-ORGAPACHESSHD-1316688:
    - '*':
        reason: >-
          Corda does not use the SFTP or port forwarding functionality of
          sshd-core, so is not susceptible to this vulnerability.
        expires: 2023-03-03T14:01:05.220Z
        created: 2023-01-04T14:01:05.238Z
  SNYK-JAVA-ORGCODEHAUSGROOVY-30076:
    - '*':
        reason: >-
          Apache Groovy is used as part of Corda's in-built shell. The Groovy
          package's MethodClosure class uses the standard Java serialization
          mechanism, and is vulnerable to arbitrary code execution and Denial of
          Service (DoS) attacks. However, native Java serialisation is
          explicitly disabled in Corda, and is not used in any capacity. This
          vulnerability is therefore not exposed and does not pose a risk to
          Corda.
        expires: 2023-03-03T14:02:48.486Z
        created: 2023-01-04T14:02:48.525Z
  SNYK-JAVA-ORGCODEHAUSGROOVY-31510:
    - '*':
        reason: >-
          Apache Groovy is used as part of Corda's in-built shell. The Groovy
          package's MethodClosure class uses the standard Java serialization
          mechanism, and is vulnerable to arbitrary code execution and Denial of
          Service (DoS) attacks. However, native Java serialisation is
          explicitly disabled in Corda, and is not used in any capacity. This
          vulnerability is therefore not exposed and does not pose a risk to
          Corda.
        expires: 2023-03-03T14:04:25.500Z
        created: 2023-01-04T14:04:25.530Z
  SNYK-JAVA-ORGAPACHECOMMONS-2944970:
    - '*':
        reason: >-
          The Corda shell is not susceptible to this vulnerability. This is
          because the Corda shell does not use the Artemis server component,
          which is the component using commons-configuration2. The Corda shell
          uses the Artemis client. We aim to remove the Artemis server component
          from the shell in a future release.
        expires: 2023-03-08T12:05:43.872Z
        created: 2023-01-09T12:05:43.910Z
  SNYK-JAVA-ORGAPACHESSHD-3121053:
    - '*':
        reason: >-
          When the Corda shell is run embedded in the Corda node, the Corda node
          is not susceptible to this vulnerability because Java-based
          deserialisation is disabled within the node. In addition, the class
          with the vulnerability, SimpleGeneratorHostKeyProvider, is not called
          in the shell or any of the transitive dependencies. For these reasons
          the Corda shell is not susceptible to this vulnerability.
        expires: 2023-03-08T12:02:56.296Z
        created: 2023-01-09T12:02:56.319Z
  SNYK-JAVA-CHQOSLOGBACK-1726923:
    - '*':
        reason: >-
          The Corda shell uses log4j, not logback, for its logging
          implementation, so is not susceptible to this vulnerability.
        expires: 2023-03-08T12:07:30.325Z
        created: 2023-01-09T12:07:30.362Z
  SNYK-JAVA-ORGAPACHECOMMONS-559327:
    - '*':
        reason: >-
          The Corda shell does not perform any database access via JDBC (or any
          other means) and does not use any database connection pooling, so is
          not susceptible to this vulnerability.
        expires: 2023-03-08T12:08:51.553Z
        created: 2023-01-09T12:08:51.571Z
patch: {}
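Every entry above ignores its finding for every dependency path (`'*'`) and, per the header comment, only until its `expires` timestamp, after which the issue reappears in scans; most of the expiries here sit about three months after `created`. The script below is an added example, not part of the Corda repository and not Snyk's tooling: it reads the `ignore:` section of a policy in this shape and flags ignores that have already lapsed or are about to, entries with no recorded reason, entries with no expiry at all, and wildcard paths, so a reviewer can see which suppressions need re-justifying. The parser is a hand-written one for the YAML subset that `.snyk` files use (two-space indents, `- '<path>':` items, folded `>-` reasons), not a general YAML parser, so no PyYAML dependency is needed. The embedded sample is constructed: two entries copied in shape from the policy above, plus a hypothetical `SNYK-JAVA-EXAMPLE-0` entry that has neither a reason nor an expiry.

```python
"""Audit the ignore rules in a Snyk .snyk policy (added example, not Corda or Snyk code)."""
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: first two entries follow the policy above;
# SNYK-JAVA-EXAMPLE-0 is a hypothetical entry with no reason and no expiry.
SAMPLE_POLICY = """\
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
ignore:
  SNYK-JAVA-IONETTY-1042268:
    - '*':
        reason: >-
          Corda does not rely on hostname verification in the P2P protocol to
          identify a host, so is not impacted by this vulnerability.
        expires: 2023-03-21T11:45:42.976Z
        created: 2022-12-13T11:45:42.981Z
  SNYK-JAVA-ORGYAML-3113851:
    - '*':
        reason: >-
          SnakeYAML is used by Jackson and Liquibase.
        expires: 2024-04-30T00:00:00.000Z
        created: 2022-12-13T14:55:03.623Z
  SNYK-JAVA-EXAMPLE-0:
    - 'src/main/**':
        created: 2024-01-01T00:00:00.000Z
patch: {}
"""


def parse_timestamp(value):
    """Parse the UTC timestamps .snyk writes (e.g. 2023-03-21T11:45:42.976Z)."""
    if value is None or isinstance(value, datetime):
        return value
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value.strip("'\""), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_snyk_ignores(text):
    """Return {vuln_id: [{"path", "reason", "expires", "created"}, ...]} from `ignore:`.

    Line-oriented parser for the YAML subset .snyk uses: IDs at indent 2,
    `- '<path>':` at indent 4, keys at indent 8, folded `>-` text at indent 10.
    """
    ignores, current_id, entry, reason_lines, in_ignore = {}, None, None, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if reason_lines is not None:  # inside a folded reason block
            if indent >= 10:
                reason_lines.append(line)
                continue
            entry["reason"] = " ".join(reason_lines)  # `>-` joins lines with spaces
            reason_lines = None
        if indent == 0:
            in_ignore = line == "ignore:"
            continue
        if not in_ignore:
            continue
        if indent == 2 and line.endswith(":"):
            current_id = line[:-1]
            ignores.setdefault(current_id, [])
        elif indent == 4 and line.startswith("- "):
            entry = {"path": line[2:].rstrip(":").strip("'\""), "reason": None,
                     "expires": None, "created": None}
            ignores[current_id].append(entry)
        elif indent == 8 and entry is not None:
            key, _, value = line.partition(":")
            if key == "reason" and value.strip() in (">-", ">", "|", "|-"):
                reason_lines = []
            else:
                entry[key] = value.strip().strip("'\"") or None
    if reason_lines is not None:
        entry["reason"] = " ".join(reason_lines)
    return ignores


def audit_ignores(ignores, now=None, warn_within_days=30):
    """Flag ignore rules a reviewer should question. `now` may be an ISO string."""
    now = parse_timestamp(now) or datetime.now(timezone.utc)
    findings = []

    def flag(vuln_id, path, check, detail):
        findings.append({"id": vuln_id, "path": path, "check": check, "detail": detail})

    for vuln_id, entries in ignores.items():
        for e in entries:
            expires, created = parse_timestamp(e["expires"]), parse_timestamp(e["created"])
            if not e["reason"]:
                flag(vuln_id, e["path"], "missing-reason", "no justification recorded")
            if e["path"] == "*":
                flag(vuln_id, e["path"], "wildcard-path", "ignored on every dependency path")
            if expires is None:
                flag(vuln_id, e["path"], "no-expiry", "ignore never lapses")
            elif expires <= now:
                flag(vuln_id, e["path"], "expired", f"lapsed {expires:%Y-%m-%d}; will resurface in scans")
            elif expires - now <= timedelta(days=warn_within_days):
                flag(vuln_id, e["path"], "expiring-soon", f"lapses {expires:%Y-%m-%d}")
            if expires and created and expires <= created:
                flag(vuln_id, e["path"], "expires-before-created", "timestamps are inconsistent")
    return findings


if __name__ == "__main__":
    policy = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for f in audit_ignores(parse_snyk_ignores(policy)):
        print(f"{f['check']:<24}{f['id']} [{f['path']}] {f['detail']}")
```

Run it with the path to a real `.snyk` file as the only argument (or with no argument to audit the embedded sample). Against the policy above it reports every entry as `wildcard-path`, and, from the day after each `expires`, as `expired`: that is the moment the suppressed finding comes back, so the check is worth running in CI before a scan rather than after one fails.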