Giter Club home page Giter Club logo

money-transfer-project-template-java's Introduction

Money transfer project: Java

Learn how the pieces of a Temporal application work together. Follow the Run your first app tutorial to learn more about Temporal Workflows.

Note: This project uses Snipsync comment wrappers to automatically keep code snippets up to date within our documentation.

Building, cleaning, and other tasks

build:
    mvn clean install -Dorg.slf4j.simpleLogger.defaultLogLevel=info 2>/dev/null

clean:
    mvn clean -q -Dmaven.logging.level=0

worker:
    mvn compile exec:java -Dexec.mainClass="moneytransferapp.MoneyTransferWorker" -Dorg.slf4j.simpleLogger.defaultLogLevel=warn

run:
    mvn compile exec:java -Dexec.mainClass="moneytransferapp.TransferApp" -Dorg.slf4j.simpleLogger.defaultLogLevel=warn

serve:
    `command -v temporal` server start-dev --log-level=never &

stop-server:
    pkill temporal

money-transfer-project-template-java's People

Contributors

alexshtin avatar efortuna avatar fairlydurable avatar feedmeapples avatar flossypurse avatar maddymanu avatar spikhalskiy avatar tomwheeler avatar tsurdilo avatar vkoby avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

werewolf17 tsurdilo irondaeil lamplification spikhalskiy woonyung89 akkapongk alexrogalskiy udite5 kopipeng atlozada gujarats deftonelx librasoldier vangliana deploymental philipz vanducvo spancer isabella232 bmarchuk-stratio efortuna roopa-bhavana-bommisetty-db teckpro sjpark-dev ramith khoalan

money-transfer-project-template-java's Issues

temporal-sdk-1.3.1.jar: 5 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - temporal-sdk-1.3.1.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.12.5/725e364cc71b80e60fa450bd06d75cdea7fb2d59/jackson-core-2.12.5.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-41269 High 9.8 cron-utils-9.1.5.jar Transitive 1.5.0
WS-2021-0419 High 7.7 gson-2.8.8.jar Transitive 1.5.0
CVE-2020-36518 High 7.5 jackson-databind-2.12.5.jar Transitive 1.4.0
WS-2021-0616 Medium 5.9 multiple Transitive 1.4.0
CVE-2021-22569 Medium 5.5 protobuf-java-3.17.3.jar Transitive 1.6.0

Details

CVE-2021-41269

Vulnerable Library - cron-utils-9.1.5.jar

A Java library to parse, migrate and validate crons as well as describe them in human readable language

Library home page: http://cron-parser.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.cronutils/cron-utils/9.1.5/f8e751f72522f3a650dc0513bf8c3defa5ad89a5/cron-utils-9.1.5.jar

Dependency Hierarchy:

  • temporal-sdk-1.3.1.jar (Root Library)
    • cron-utils-9.1.5.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds known.

Publish Date: 2021-11-15

URL: CVE-2021-41269

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p9m8-27x8-rg87

Release Date: 2021-11-15

Fix Resolution (com.cronutils:cron-utils): 9.1.6

Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.5.0

⛑️ Automatic Remediation is available for this issue

WS-2021-0419

Vulnerable Library - gson-2.8.8.jar

Library home page: https://github.com/google/gson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.8/431fc3cbc0ff81abdbfde070062741089c3ba874/gson-2.8.8.jar

Dependency Hierarchy:

  • temporal-sdk-1.3.1.jar (Root Library)
    • gson-2.8.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9

Release Date: 2021-10-11

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.5.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-36518

Vulnerable Library - jackson-databind-2.12.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.12.5/b064cf057f23d3d35390328c5030847efeffedde/jackson-databind-2.12.5.jar

Dependency Hierarchy:

  • temporal-sdk-1.3.1.jar (Root Library)
    • jackson-databind-2.12.5.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2816

Release Date: 2022-03-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.4.0

⛑️ Automatic Remediation is available for this issue

WS-2021-0616

Vulnerable Libraries - jackson-databind-2.12.5.jar, jackson-core-2.12.5.jar

jackson-databind-2.12.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.12.5/b064cf057f23d3d35390328c5030847efeffedde/jackson-databind-2.12.5.jar

Dependency Hierarchy:

  • temporal-sdk-1.3.1.jar (Root Library)
    • jackson-databind-2.12.5.jar (Vulnerable Library)

jackson-core-2.12.5.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.12.5/725e364cc71b80e60fa450bd06d75cdea7fb2d59/jackson-core-2.12.5.jar

Dependency Hierarchy:

  • temporal-sdk-1.3.1.jar (Root Library)
    • jackson-datatype-jsr310-2.12.5.jar
      • jackson-core-2.12.5.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#3328

Release Date: 2021-11-20

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6

Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.4.0

Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.12.6

Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.4.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-22569

Vulnerable Library - protobuf-java-3.17.3.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.17.3/313b1861fa9312dd71e1033a77c2e64fb1a94dd3/protobuf-java-3.17.3.jar

Dependency Hierarchy:

  • temporal-sdk-1.3.1.jar (Root Library)
    • temporal-serviceclient-1.3.1.jar
      • protobuf-java-util-3.17.3.jar
        • protobuf-java-3.17.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-10

URL: CVE-2021-22569

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution (com.google.protobuf:protobuf-java): 3.18.2

Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.6.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

temporal-sdk-1.18.1.jar: 1 vulnerabilities (highest severity is: 7.1)

Vulnerable Library - temporal-sdk-1.18.1.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-android/9222c47cc3ae890f07f7c961bbb3cb69050fe4aa/guava-31.1-android.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (temporal-sdk version) Remediation Possible**
CVE-2023-2976 High 7.1 detected in multiple dependencies Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-2976

Vulnerable Libraries - guava-31.1-jre.jar, guava-31.1-android.jar

guava-31.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-jre/60458f877d055d0c9114d9e1a2efb737b4bc282c/guava-31.1-jre.jar

Dependency Hierarchy:

  • temporal-sdk-1.18.1.jar (Root Library)
    • guava-31.1-jre.jar (Vulnerable Library)

guava-31.1-android.jar

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-android/9222c47cc3ae890f07f7c961bbb3cb69050fe4aa/guava-31.1-android.jar

Dependency Hierarchy:

  • temporal-sdk-1.18.1.jar (Root Library)
    • grpc-bom-1.52.1.pom
      • grpc-stub-1.52.1.jar
        • guava-31.1-android.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7g45-4rm6-3mm3

Release Date: 2023-06-14

Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre

logback-classic-1.2.6.jar: 1 vulnerabilities (highest severity is: 6.6) - autoclosed

Vulnerable Library - logback-classic-1.2.6.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.6/25be1abb32e870ff042e698a799b56587e0dca9a/logback-core-1.2.6.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-42550 Medium 6.6 multiple Transitive 1.2.8

Details

CVE-2021-42550

Vulnerable Libraries - logback-core-1.2.6.jar, logback-classic-1.2.6.jar

logback-core-1.2.6.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.6/25be1abb32e870ff042e698a799b56587e0dca9a/logback-core-1.2.6.jar

Dependency Hierarchy:

  • logback-classic-1.2.6.jar (Root Library)
    • logback-core-1.2.6.jar (Vulnerable Library)

logback-classic-1.2.6.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /-2.1/ch.qos.logback/logback-classic/1.2.6/b09efa852337fa0dd9859614389eec58dc287116/logback-classic-1.2.6.jar

Dependency Hierarchy:

  • logback-classic-1.2.6.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-core): 1.2.8

Direct dependency fix Resolution (ch.qos.logback:logback-classic): 1.2.8

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

logback-classic-1.2.11.jar: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - logback-classic-1.2.11.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.11/4741689214e9d1e8408b206506cbe76d1c6a7d60/logback-classic-1.2.11.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (logback-classic version) Remediation Possible**
CVE-2023-6481 High 7.5 logback-core-1.2.11.jar Transitive 1.3.0
CVE-2023-6378 High 7.5 logback-classic-1.2.11.jar Direct 1.3.12

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-6481

Vulnerable Library - logback-core-1.2.11.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.11/a01230df5ca5c34540cdaa3ad5efb012f1f1f792/logback-core-1.2.11.jar

Dependency Hierarchy:

  • logback-classic-1.2.11.jar (Root Library)
    • logback-core-1.2.11.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution (ch.qos.logback:logback-core): 1.3.0-alpha0

Direct dependency fix Resolution (ch.qos.logback:logback-classic): 1.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-6378

Vulnerable Library - logback-classic-1.2.11.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.11/4741689214e9d1e8408b206506cbe76d1c6a7d60/logback-classic-1.2.11.jar

Dependency Hierarchy:

  • logback-classic-1.2.11.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution: 1.3.12

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

[Bug/Feature] Gradle 8.0 incompatibility

What are you really trying to do?

  • Newbie installing and running this tutorial

Describe the bug

  • See attached screenshots; these error messages appear during project build as well as workflow execution
  • Not sure if this is a bug, could be a feature request as well

Minimal Reproduction

  • Install and run from scratch

Environment/Versions

  • OS and processor: x86 Windows 11 Pro
  • IntelliJ 2022.1.13
  • Java JDK 18.0.1

Additional context

  • (1)
    Screenshot 2022-06-26 180623

  • (2)
    Screenshot 2022-06-26 181258

  • (3)
    Screenshot 2022-06-26 180907

[Bug] Build fails when using OpenJDK 21

What are you really trying to do?

This project's README.md file instructs the reader to run ./gradlew build in the directory in which this repo was cloned. Using JDK 21.0.1, that command failed with an error that includes the text Unsupported class file major version 65.

Describe the bug

As a Java developer, I recognize that text (which was buried in a much longer message included below) as a telltale sign of version conflict.

Gradle's compatibility matrix indicates that the 7.6 version of Gradle referenced in gradle/wrapper/gradle-wrapper.properties isn't compatible with JDK 20 or higher.

Minimal Reproduction

Run ./gradlew build with JDK version 20 or 21 and observe the error message when the build fails.

Environment/Versions

OpenJDK 21 running on an M2 Mac, although this problem is not specific to the OS or architecture.

Additional context

Gradle's compatibility matrix indicates that version 8.5 of Gradle supports versions of Java up to and including 21. Therefore, modifying line 3 in gradle/wrapper/gradle-wrapper.properties to change the Gradle version number from 7.6 to 8.5 will solve the problem.

Alternatively, replacing Gradle with Maven would also solve this problem and would make this tutorial better align with our Java-based training courses, which also use Maven.

Here's more of the error message.

BUILD FAILED in 342ms
$ ./gradlew --stacktrace build

FAILURE: Build failed with an exception.

* What went wrong:
Could not open settings generic class cache for settings file '/Users/twheeler/temp/money-transfer-project-template-java/settings.gradle' (/Users/twheeler/.gradle/caches/7.6/scripts/29p5cw352mhzod8g8ulc96cvg).
> BUG! exception in phase 'semantic analysis' in source unit '_BuildScript_' Unsupported class file major version 65

* Try:
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Exception is:
org.gradle.cache.CacheOpenException: Could not open settings generic class cache for settings file '/Users/twheeler/temp/money-transfer-project-template-java/settings.gradle' (/Users/twheeler/.gradle/caches/7.6/scripts/29p5cw352mhzod8g8ulc96cvg).
... (remainder of message omitted for brevity) ...

temporal-testing-1.18.1.jar: 1 vulnerabilities (highest severity is: 5.5)

Vulnerable Library - temporal-testing-1.18.1.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.7.0/f9d7d9659f2694e61142046ff8a216c047f263e8/json-path-2.7.0.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (temporal-testing version) Remediation Possible**
CVE-2023-51074 Medium 5.5 json-path-2.7.0.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-51074

Vulnerable Library - json-path-2.7.0.jar

Java port of Stefan Goessner JsonPath.

Library home page: https://github.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.7.0/f9d7d9659f2694e61142046ff8a216c047f263e8/json-path-2.7.0.jar

Dependency Hierarchy:

  • temporal-testing-1.18.1.jar (Root Library)
    • json-path-2.7.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

Publish Date: 2023-12-27

URL: CVE-2023-51074

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.