temporalio / samples-java Goto Github PK

View Code? Open in Web Editor NEW

157.0 21.0 138.0 1.59 MB

Temporal Java SDK samples

Home Page: http://docs.temporal.io/docs/java-quick-start

License: Other

Java 95.97% Dockerfile 0.02% HTML 2.57% JavaScript 1.44%

java workflow-engine workflow-au java-samples

samples-java's Introduction

Temporal Java SDK Samples

This repository contains samples that demonstrate various capabilities of Temporal using the Java SDK.

It contains two modules:

Core: showcases many different SDK features.
SpringBoot: showcases SpringBoot autoconfig integration.
SpringBoot Basic: Minimal sample showing SpringBoot autoconfig integration without any extra external dependencies.

Learn more about Temporal and Java SDK

Requirements

Java 1.8+ for build and runtime of core samples
Java 1.8+ for build and runtime of SpringBoot samples when using SpringBoot 2
Java 1.17+ for build and runtime of Spring Boot samples when using SpringBoot 3
Local Temporal Server, easiest to get started would be using Temporal CLI. For more options see docs here.

Build and run tests

Clone this repository:

git clone https://github.com/temporalio/samples-java
cd samples-java

Build and run Tests
```
./gradlew build
```

Running Samples:

You can run both "Core" and "SpringBoot" samples from the main samples project directory. Details on how to run each sample can be found in following two sections. To skip to SpringBoot samples click here.

Running "Core" samples

See the README.md file in each main sample directory for cut/paste Gradle command to run specific example.

Hello samples

Hello: This sample includes a number of individual Workflows that can be executed independently. Each one demonstrates something specific.
- HelloAccumulator: Demonstrates a Workflow Definition that accumulates signals and continues as new.
- HelloActivity: Demonstrates a Workflow Definition that executes a single Activity.
- HelloActivityRetry: Demonstrates how to Retry an Activity Execution.
- HelloActivityExclusiveChoice: Demonstrates how to execute Activities based on dynamic input.
- HelloAsync: Demonstrates how to execute Activities asynchronously and wait for them using Promises.
- HelloAwait: Demonstrates how to use Await statement to wait for a condition.
- HelloParallelActivity: Demonstrates how to execute multiple Activities in parallel, asynchronously, and wait for them using Promise.allOf.
- HelloAsyncActivityCompletion: Demonstrates how to complete an Activity Execution asynchronously.
- HelloAsyncLambda: Demonstrates how to execute part of a Workflow asynchronously in a separate task (thread).
- HelloCancellationScope: Demonstrates how to explicitly cancel parts of a Workflow Execution.
- HelloCancellationScopeWithTimer: Demonstrates how to cancel activity when workflow timer fires and complete execution. This can prefered over using workflow run/execution timeouts.
- HelloDetachedCancellationScope: Demonstrates how to execute cleanup code after a Workflow Execution has been explicitly cancelled.
- HelloChild: Demonstrates how to execute a simple Child Workflow.
- HelloCron: Demonstrates how to execute a Workflow according to a cron schedule.
- HelloDynamic: Demonstrates how to use DynamicWorkflow and DynamicActivity interfaces.
- HelloPeriodic: Demonstrates the use of the Continue-As-New feature.
- HelloException: Demonstrates how to handle exception propagation and wrapping.
- HelloLocalActivity: Demonstrates the use of a Local Activity.
- HelloPolymorphicActivity: Demonstrates Activity Definitions that extend a common interface.
- HelloQuery: Demonstrates how to Query the state of a Workflow Execution.
- HelloSchedules: Demonstrates how to create and interact with a Schedule.
- HelloSignal: Demonstrates how to send and handle a Signal.
- HelloSaga: Demonstrates how to use the SAGA feature.
- HelloSearchAttributes: Demonstrates how to add custom Search Attributes to Workflow Executions.
- HelloSideEffect**: Demonstrates how to implement a Side Effect.
- HelloUpdate: Demonstrates how to create and interact with an Update.
- HelloDelayedStart: Demonstrates how to use delayed start config option when starting a Workflow Executions.
- HelloSignalWithTimer: Demonstrates how to use collect signals for certain amount of time and then process last one.

Scenario-based samples

File Processing Sample: Demonstrates how to route tasks to specific Workers. This sample has a set of Activities that download a file, processes it, and uploads the result to a destination. Any Worker can execute the first Activity. However, the second and third Activities must be executed on the same host as the first one.
Booking SAGA: Demonstrates Temporals take on the Camunda BPMN "trip booking" example.
Synchronous Booking SAGA: Demonstrates low latency SAGA with potentially long compensations.
Money Transfer: Demonstrates the use of a dedicated Activity Worker.
Money Batch: Demonstrates a situation where a single deposit should be initiated for multiple withdrawals. For example, a seller might want to be paid once per fixed number of transactions. This sample can be easily extended to perform a payment based on more complex criteria, such as at a specific time or an accumulated amount. The sample also demonstrates how to Signal the Workflow when it executes (Signal with start). If the Workflow is already executing, it just receives the Signal. If it is not executing, then the Workflow executes first, and then the Signal is delivered to it. Signal with start is a "lazy" way to execute Workflows when Signaling them.
Domain-Specific-Language - Define sequence of steps in JSON: Demonstrates using domain specific language (DSL) defined in JSON to specify sequence of steps to be performed in our workflow.
Polling Services: Recommended implementation of an activity that needs to periodically poll an external resource waiting its successful completion
Heartbeating Activity Batch: Batch job implementation using a heartbeating activity.
Iterator Batch: Batch job implementation using the workflow iterator pattern.
Sliding Window Batch: A batch implementation that maintains a configured number of child workflows during processing.

API demonstrations

Async Untyped Child Workflow: Demonstrates how to invoke an untyped child workflow async, that can complete after parent workflow is already completed.
Updatable Timer: Demonstrates the use of a helper class which relies on Workflow.await to implement a blocking sleep that can be updated at any moment.
Workflow Count Interceptor: Demonstrates how to create and register a simple Workflow Count Interceptor.
Workflow Retry On Signal Interceptor: Demonstrates how to create and register an interceptor that retries an activity on a signal.
List Workflows: Demonstrates the use of custom search attributes and ListWorkflowExecutionsRequest with custom queries.
Payload Converter - CloudEvents: Demonstrates the use of a custom payload converter for CloudEvents.
Payload Converter - Crypto: Demonstrates the use of a custom payload converter using jackson-json-crypto.
Async Child Workflow: Demonstrates how to invoke a child workflow async, that can complete after parent workflow is already completed.
Terminate Workflow: Demonstrates how to terminate a workflow using client API.
Get Workflow Results Async: Demonstrates how to start and get workflow results in async manner.
Per Activity Type Options: Demonstrates how to set per Activity type options.
Configure WorkflowClient to use mTLS: Demonstrates how to configure WorkflowClient when using mTLS.
Payload Codec: Demonstrates how to use simple codec to encode/decode failure messages.
Exclude Workflow/ActivityTypes from Interceptors: Demonstrates how to exclude certain workflow / activity types from interceptors.

SDK Metrics

Set up SDK metrics: Demonstrates how to set up and scrape SDK metrics.

Tracing Support

Set up OpenTracing and/or OpenTelemetry with Jaeger: Demonstrates how to set up OpenTracing and/or OpenTelemetry and view traces using Jaeger.

Running SpringBoot Samples

These samples use SpringBoot 2 by default. To switch to using SpringBoot 3 look at the gradle.properties file and follow simple instructions there.

Start SpringBoot from main repo dir:
```
./gradlew :springboot:bootRun
```

To run the basic sample run

   ./gradlew :springboot-basic:bootRun

Navigate to localhost:3030
Select which sample you want to run

More info on each sample:

Hello: Invoke simple "Hello" workflow from a GET endpoint
SDK Metrics: Learn how to set up SDK Metrics
Synchronous Update: Learn how to use Synchronous Update feature with this purchase sample
Kafka Request / Reply: Sample showing possible integration with event streaming platforms such as Kafka
Customize Options: Sample showing how to customize options such as WorkerOptions, WorkerFactoryOptions, etc (see options config here)
Apache Camel Route: Sample showing how to start Workflow execution from a Camel Route
Custom Actuator Endpoint: Sample showing how to create a custom Actuator endpoint that shows registered Workflow and Activity impls per task queue.

Temporal Cloud

To run any of the SpringBoot samples in your Temporal Cloud namespace:

Edit the application-tc.yaml to set your namespace and client certificates.

Start SpringBoot from main repo dir with the tc profile:

./gradlew bootRun --args='--spring.profiles.active=tc'

Follow the previous section from step 2

samples-java's People

Contributors

Stargazers

Watchers

Forkers

mfateev darewreck54 meetchandan samarabbas chipola fossabot sullis chaithanyagk yoyoyolic mastermanu skrul sergeybykov jonsie ahumblefool vitarb tuanng-cognite wolfy-j greyteardrop dnotero shubhsingh robholland yasin3061 tsurdilo abbccdda deciderwill jaikumar-1996 ardagan vkoby spikhalskiy simranjitkaurmaan nagl-stripe joebowbeer alexrogalskiy keerath emcrisostomo mincong-h gpaglia grupo2ag-cloud shshwtkhr yux0 ilsid haca125 k-jay-c asteriosk chenjianjx ajay-bhosle lorensr rohankumardubey zenobiuszeto jpkosuri myarlagadda cmendenhall-square techisantosh3000 linasabboula cameronbriar luciano-fiandesio ftntming nataliemonique111 tchugh09 nancy-chauhan corey-tock mremondi joshchoo asamoal ant-1 antmendoza lmingxie spancer say2memohitverma shuo jverce manas-jain-groww rclin geirhoe voidmani5 edmondop hardikphalet damodaran013 meticulous-maverick daveyboy57 voigtstep taonic ogomaemmanuel tallam-hemanth sowmya-yubi credavenue grantmike pheikkila taylor840326 longquanzheng favalos zcw888 steveandroulakis sameemcodes aymalla dinhngoctu saurav-k federicoluppi quinn-with-two-ns elanhasson

samples-java's Issues

Testing Workflow with mock ChildWorkflow - TestChild

Hi
I am looking at writing test on a Workflow which has ChildWorkflows, mock the ChildWorkflow and test the main workflow.
This sample here is ignored - https://github.com/temporalio/samples-java/blob/master/src/test/java/io/temporal/samples/hello/HelloChildTest.java#L92

Could you please give a sample for the above scenario?

error_prone_core-2.17.0.jar: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - error_prone_core-2.17.0.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Found in HEAD commit: 0ade1545d69021916664431f8cf731166474ac9a

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (error_prone_core version)	Remediation Available
CVE-2022-3510	High	7.5	protobuf-java-3.19.2.jar	Transitive	N/A*	❌
CVE-2022-3509	High	7.5	protobuf-java-3.19.2.jar	Transitive	N/A*	❌
CVE-2022-3171	High	7.5	protobuf-java-3.19.2.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-3510

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Dependency Hierarchy:

error_prone_core-2.17.0.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in HEAD commit: 0ade1545d69021916664431f8cf731166474ac9a

Found in base branch: main

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3510

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4gg5-vx3j-xwc7

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.21.7,3.20.3,3.19.6,3.16.3

CVE-2022-3509

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Dependency Hierarchy:

error_prone_core-2.17.0.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in HEAD commit: 0ade1545d69021916664431f8cf731166474ac9a

Found in base branch: main

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7

CVE-2022-3171

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Dependency Hierarchy:

error_prone_core-2.17.0.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in HEAD commit: 0ade1545d69021916664431f8cf731166474ac9a

Found in base branch: main

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

[Feature Request] Add more examples for DSL use case

Is your feature request related to a problem? Please describe.

please add more DSL related java examples similar to https://github.com/temporalio/samples-java/blob/main/src/main/resources/dsl/customerapplication.yml which covers following actions in a workflow
1)Passing input and getting results from activites
2)Executing child workflows
3)Parallel execution
4)passing results from an activity to another sequential activity

A samle DSL for the below

Describe the solution you'd like

Please add more examples for "how to write specific DSL code for serverless workflow dsl in java?"
please explain " How to use DynamicActivity in java?"

Additional context

Please make a video of "how to write DSL Code for a new serverless workflow DSL in java?" if possible
It will be good if we have a generic DSL java Code which will work for any kind of serverless workflow dsl

Migrate tests to start using TestWorkflowRule

Take advantage of a new rule that can start a worker more easily and clean up our test code boilerplate.

Add OpenTracing sample

Add OpenTracing sample.
Related Java SDK request: temporalio/sdk-java#950

spring-boot-starter-web-2.7.9.jar: 1 vulnerabilities (highest severity is: 6.1) - autoclosed

Vulnerable Library - spring-boot-starter-web-2.7.9.jar

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.71/adaed61b4eaa5b52448336c0881fcd828fd51a2f/tomcat-embed-core-9.0.71.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spring-boot-starter-web version)	Remediation Possible**
CVE-2023-41080	Medium	6.1	tomcat-embed-core-9.0.71.jar	Transitive	2.7.16	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-41080

Vulnerable Library - tomcat-embed-core-9.0.71.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.71/adaed61b4eaa5b52448336c0881fcd828fd51a2f/tomcat-embed-core-9.0.71.jar

Dependency Hierarchy:

spring-boot-starter-web-2.7.9.jar (Root Library)
- spring-boot-starter-tomcat-2.7.9.jar
  - ❌ tomcat-embed-core-9.0.71.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.

The vulnerability is limited to the ROOT (default) web application.

Publish Date: 2023-08-25

URL: CVE-2023-41080

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f

Release Date: 2023-08-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.80

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.16

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Add Authorizer+Claims Mapper sample

Add Authorizer sample similar to
https://github.com/temporalio/samples-server/tree/main/extensibility/authorizer

jackson-json-crypto-1.1.0.jar: 1 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jackson-json-crypto-1.1.0.jar

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.hibernate/hibernate-validator/5.3.0.Final/fe2600d905fc7ca8294044310c3b2a72e98ec27e/hibernate-validator-5.3.0.Final.jar

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jackson-json-crypto version)	Remediation Possible**
CVE-2023-1932	Medium	6.1	hibernate-validator-5.3.0.Final.jar	Transitive	2.1.0	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-1932

Vulnerable Library - hibernate-validator-5.3.0.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /core/build.gradle

Dependency Hierarchy:

jackson-json-crypto-1.1.0.jar (Root Library)
- ❌ hibernate-validator-5.3.0.Final.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can by bypassed by omitting the tag end (less than sign). Browsers typically still render the invalid html which leads to attacks like HTML injection and Cross-Site-Scripting.

Publish Date: 2023-04-07

URL: CVE-2023-1932

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1809444

Release Date: 2023-04-07

Fix Resolution (org.hibernate:hibernate-validator): 6.2.0.CR1

Direct dependency fix Resolution (com.codingrodent:jackson-json-crypto): 2.1.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Issues with running HelloActivty sample

I'm trying to run the HelloWorld example and getting the following error. Wonder is there something i'm missing in the setup.

Steps I did:

git clone https://github.com/temporalio/temporal-java-samples
cd temporal-java-samples
./gradlew build
curl -L https://github.com/temporalio/temporal/releases/latest/download/docker.tar.gz | tar -xz --strip-components 1 docker/docker-compose.yml
docker-compose up
validated the temporal site is up on localhost:8088
./gradlew -q execute -PmainClass=io.temporal.samples.hello.HelloActivity. I think get the following error below.

20:45:17.827 [Workflow Executor taskQueue="HelloActivity", namespace="default": 1] WARN  i.t.internal.common.GrpcRetryer - Retrying after failure
io.grpc.StatusRuntimeException: INTERNAL: grpc: error unmarshalling request: proto: wrong wireType = 0 for field ScheduleToCloseTimeout
        at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:244)
        at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:225)
        at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:142)
        at io.temporal.api.workflowservice.v1.WorkflowServiceGrpc$WorkflowServiceBlockingStub.respondWorkflowTaskCompleted(WorkflowServiceGrpc.java:2653)
        at io.temporal.internal.worker.WorkflowWorker$TaskHandlerImpl.lambda$sendReply$0(WorkflowWorker.java:353)
        at io.temporal.internal.common.GrpcRetryer.lambda$retry$0(GrpcRetryer.java:109)
        at io.temporal.internal.common.GrpcRetryer.retryWithResult(GrpcRetryer.java:127)
        at io.temporal.internal.common.GrpcRetryer.retry(GrpcRetryer.java:106)
        at io.temporal.internal.worker.WorkflowWorker$TaskHandlerImpl.sendReply(WorkflowWorker.java:346)
        at io.temporal.internal.worker.WorkflowWorker$TaskHandlerImpl.handle(WorkflowWorker.java:304)
        at io.temporal.internal.worker.WorkflowWorker$TaskHandlerImpl.handle(WorkflowWorker.java:273)
        at io.temporal.internal.worker.PollTaskExecutor.lambda$process$0(PollTaskExecutor.java:73)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar: 16 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (temporal-spring-boot-starter-alpha version)	Remediation Available
CVE-2022-1471	Critical	9.8	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2023-20873	Critical	9.8	spring-boot-actuator-autoconfigure-2.7.9.jar	Transitive	N/A*	❌
CVE-2016-1000027	Critical	9.8	spring-web-5.3.25.jar	Transitive	N/A*	❌
CVE-2022-25857	High	7.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2023-1370	High	7.5	json-smart-2.4.8.jar	Transitive	N/A*	❌
CVE-2023-28709	High	7.5	tomcat-embed-core-9.0.71.jar	Transitive	N/A*	❌
CVE-2023-20883	High	7.5	spring-boot-autoconfigure-2.7.9.jar	Transitive	N/A*	❌
CVE-2023-20860	High	7.5	spring-webmvc-5.3.25.jar	Transitive	N/A*	❌
CVE-2022-41854	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2023-20861	Medium	6.5	spring-expression-5.3.25.jar	Transitive	N/A*	❌
CVE-2022-38752	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38751	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2023-20863	Medium	6.5	spring-expression-5.3.25.jar	Transitive	N/A*	❌
CVE-2022-38749	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38750	Medium	5.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2023-28708	Medium	4.3	tomcat-embed-core-9.0.71.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-1471

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

CVE-2023-20873

Vulnerable Library - spring-boot-actuator-autoconfigure-2.7.9.jar

Spring Boot Actuator AutoConfigure

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-actuator-autoconfigure/2.7.9/6f76c8a416d9f803e72fcead4b1683823ce6d663/spring-boot-actuator-autoconfigure-2.7.9.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ spring-boot-actuator-autoconfigure-2.7.9.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.

Publish Date: 2023-04-20

URL: CVE-2023-20873

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20873

Release Date: 2023-04-20

Fix Resolution: org.springframework.boot:spring-boot-actuator-autoconfigure:2.7.11,3.0.6

CVE-2016-1000027

Vulnerable Library - spring-web-5.3.25.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.25/c69815e7931cd3ce7f19cc8028fd1c36626120d6/spring-web-5.3.25.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ spring-web-5.3.25.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Mend Note: After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: 2020-01-02

Fix Resolution: org.springframework:spring-web:6.0.0

CVE-2022-25857

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2023-1370

Vulnerable Library - json-smart-2.4.8.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: https://urielch.github.io/

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.8/7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f/json-smart-2.4.8.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ json-smart-2.4.8.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Json-smart is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Publish Date: 2023-03-22

URL: CVE-2023-1370

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Release Date: 2023-03-22

Fix Resolution: net.minidev:json-smart:2.4.9

CVE-2023-28709

Vulnerable Library - tomcat-embed-core-9.0.71.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.71/adaed61b4eaa5b52448336c0881fcd828fd51a2f/tomcat-embed-core-9.0.71.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ tomcat-embed-core-9.0.71.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Publish Date: 2023-05-22

URL: CVE-2023-28709

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

Release Date: 2023-05-22

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:8.5.88,9.0.74,10.1.8 ,11.0.0-M5;org.apache.tomcat:tomcat-coyote:8.5.88,9.0.74,10.1.8 ,11.0.0-M5

CVE-2023-20883

Vulnerable Library - spring-boot-autoconfigure-2.7.9.jar

Spring Boot AutoConfigure

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/2.7.9/849b238dd024101cad8d107b4a8b0906f75003d5/spring-boot-autoconfigure-2.7.9.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- temporal-spring-boot-autoconfigure-alpha-1.20.0-SNAPSHOT.jar
  - ❌ spring-boot-autoconfigure-2.7.9.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Publish Date: 2023-05-26

URL: CVE-2023-20883

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution: org.springframework.boot:spring-boot-autoconfigure:2.5.12,2.6.12,2.7.12,3.0.7

CVE-2023-20860

Vulnerable Library - spring-webmvc-5.3.25.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/5.3.25/62a8258bcc4f7a58dd69af5140481b64653c90/spring-webmvc-5.3.25.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ spring-webmvc-5.3.25.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution: org.springframework:spring-webmvc:5.3.26,6.0.7

CVE-2022-41854

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution: org.yaml:snakeyaml:1.32

CVE-2023-20861

Vulnerable Library - spring-expression-5.3.25.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.3.25/d681cdb86611f03d8ef29654edde219fe5afef1d/spring-expression-5.3.25.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ spring-expression-5.3.25.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution: org.springframework:spring-expression:x5.2.23.RELEASE,5.3.26,6.0.7

CVE-2022-38752

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.32

CVE-2022-38751

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2023-20863

Vulnerable Library - spring-expression-5.3.25.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.3.25/d681cdb86611f03d8ef29654edde219fe5afef1d/spring-expression-5.3.25.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ spring-expression-5.3.25.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8

CVE-2022-38749

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-38750

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2023-28708

Vulnerable Library - tomcat-embed-core-9.0.71.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.71/adaed61b4eaa5b52448336c0881fcd828fd51a2f/tomcat-embed-core-9.0.71.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.20.0-SNAPSHOT.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ tomcat-embed-core-9.0.71.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Publish Date: 2023-03-22

URL: CVE-2023-28708

CVSS 3 Score Details (4.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

Release Date: 2023-03-22

Fix Resolution: org.apache.tomcat:tomcat-catalina:8.5.86,9.0.72,10.1.6;org.apache.tomcat.embed/tomcat-embed-core:8.5.86,9.0.72,10.1.6

Add new payload converter sample using jackson-json-crypto

Add new sample for encrypting/decrypting json payloads
that uses jackson-json-crypto module

temporal-spring-boot-starter-alpha-1.19.1.jar: 7 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - temporal-spring-boot-starter-alpha-1.19.1.jar

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (temporal-spring-boot-starter-alpha version)	Remediation Available
CVE-2022-1471	Critical	9.8	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-25857	High	7.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-41854	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38749	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38752	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38751	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38750	Medium	5.5	snakeyaml-1.30.jar	Transitive	N/A*	❌

Details

CVE-2022-1471

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.19.1.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

CVE-2022-25857

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.19.1.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-41854

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.19.1.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution: org.yaml:snakeyaml:1.32

CVE-2022-38749

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.19.1.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-38752

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.19.1.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.32

CVE-2022-38751

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.19.1.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-38750

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

temporal-spring-boot-starter-alpha-1.19.1.jar (Root Library)
- spring-boot-dependencies-2.7.9.pom
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

spring-boot-starter-actuator-2.7.9.jar: 9 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - spring-boot-starter-actuator-2.7.9.jar

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spring-boot-starter-actuator version)	Remediation Available
CVE-2022-1471	Critical	9.8	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2023-20873	Critical	9.8	spring-boot-actuator-autoconfigure-2.7.9.jar	Transitive	2.7.12	✅
CVE-2022-25857	High	7.5	snakeyaml-1.30.jar	Transitive	3.1.0	✅
CVE-2023-20883	High	7.5	spring-boot-autoconfigure-2.7.9.jar	Transitive	2.7.12	✅
CVE-2022-41854	Medium	6.5	snakeyaml-1.30.jar	Transitive	3.1.0	✅
CVE-2022-38749	Medium	6.5	snakeyaml-1.30.jar	Transitive	3.1.0	✅
CVE-2022-38752	Medium	6.5	snakeyaml-1.30.jar	Transitive	3.1.0	✅
CVE-2022-38751	Medium	6.5	snakeyaml-1.30.jar	Transitive	3.1.0	✅
CVE-2022-38750	Medium	5.5	snakeyaml-1.30.jar	Transitive	3.1.0	✅

Details

CVE-2022-1471

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- spring-boot-starter-2.7.9.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

CVE-2023-20873

Vulnerable Library - spring-boot-actuator-autoconfigure-2.7.9.jar

Spring Boot Actuator AutoConfigure

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /springboot/build.gradle

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- ❌ spring-boot-actuator-autoconfigure-2.7.9.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2023-04-20

URL: CVE-2023-20873

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20873

Release Date: 2023-04-20

Fix Resolution (org.springframework.boot:spring-boot-actuator-autoconfigure): 2.7.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.7.12

⛑️ Automatic Remediation is available for this issue

CVE-2022-25857

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- spring-boot-starter-2.7.9.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2023-20883

Vulnerable Library - spring-boot-autoconfigure-2.7.9.jar

Spring Boot AutoConfigure

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /springboot/build.gradle

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- spring-boot-actuator-autoconfigure-2.7.9.jar
  - ❌ spring-boot-autoconfigure-2.7.9.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2023-05-26

URL: CVE-2023-20883

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 2.7.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.7.12

⛑️ Automatic Remediation is available for this issue

CVE-2022-41854

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- spring-boot-starter-2.7.9.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-38749

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- spring-boot-starter-2.7.9.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-38752

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- spring-boot-starter-2.7.9.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-38751

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- spring-boot-starter-2.7.9.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-38750

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-actuator-2.7.9.jar (Root Library)
- spring-boot-starter-2.7.9.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 3.1.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

temporal-sdk-1.16.0.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - temporal-sdk-1.16.0.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.21.5/82f0d4bc703c7850cdf5e2c728f464cf4dff0b3d/protobuf-java-3.21.5.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (temporal-sdk version)	Remediation Available
CVE-2022-3171	High	7.5	protobuf-java-3.21.5.jar	Transitive	N/A*	❌

Details

CVE-2022-3171

Vulnerable Library - protobuf-java-3.21.5.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.21.5/82f0d4bc703c7850cdf5e2c728f464cf4dff0b3d/protobuf-java-3.21.5.jar

Dependency Hierarchy:

temporal-sdk-1.16.0.jar (Root Library)
- temporal-serviceclient-1.16.0.jar
  - protobuf-java-util-3.21.5.jar
    - ❌ protobuf-java-3.21.5.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: Oct 12, 2022 11:15:00 PM

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: Oct 12, 2022 11:15:00 PM

opentelemetry-bom-1.15.0.pom: 1 vulnerabilities (highest severity is: 5.3) - autoclosed

Vulnerable Library - opentelemetry-bom-1.15.0.pom

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.10/ea29e063d2bbe695be13e9d044dcfb0c7add398e/kotlin-stdlib-1.4.10.jar

Found in HEAD commit: 1b4e64ec1f1469efe2c6d0d8c545bccdbf2e806b

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-24329	Medium	5.3	kotlin-stdlib-1.4.10.jar	Transitive	N/A	❌

Details

CVE-2022-24329

Vulnerable Library - kotlin-stdlib-1.4.10.jar

Kotlin Standard Library for JVM

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.10/ea29e063d2bbe695be13e9d044dcfb0c7add398e/kotlin-stdlib-1.4.10.jar

Dependency Hierarchy:

opentelemetry-bom-1.15.0.pom (Root Library)
- opentelemetry-exporter-otlp-common-1.15.0.jar
  - okhttp-4.9.3.jar
    - ❌ kotlin-stdlib-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: 1b4e64ec1f1469efe2c6d0d8c545bccdbf2e806b

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

Add an example of Spring usage with Temporal

Samples should have an example of Spring wiring, which can be used as a reference for our users.

We most likely also should have a related documentation section.

This example also will be used as a driver for discussions and improvements in Dependency Injection.

bootstrap-4.1.0.min.js: 4 vulnerabilities (highest severity is: 6.1) - autoclosed

Vulnerable Library - bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (bootstrap version)	Remediation Available
CVE-2019-8331	Medium	6.1	bootstrap-4.1.0.min.js	Direct	bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1	❌
CVE-2018-14041	Medium	6.1	bootstrap-4.1.0.min.js	Direct	org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2	❌
CVE-2018-14040	Medium	6.1	bootstrap-4.1.0.min.js	Direct	org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0	❌
CVE-2018-14042	Medium	6.1	bootstrap-4.1.0.min.js	Direct	org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0	❌

Details

CVE-2019-8331

Vulnerable Library - bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Dependency Hierarchy:

❌ bootstrap-4.1.0.min.js (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

CVE-2018-14041

Vulnerable Library - bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Dependency Hierarchy:

❌ bootstrap-4.1.0.min.js (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

Publish Date: 2018-07-13

URL: CVE-2018-14041

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2

CVE-2018-14040

Vulnerable Library - bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Dependency Hierarchy:

❌ bootstrap-4.1.0.min.js (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

CVE-2018-14042

Vulnerable Library - bootstrap-4.1.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.0/js/bootstrap.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Dependency Hierarchy:

❌ bootstrap-4.1.0.min.js (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

error_prone_core-2.20.0.jar: 1 vulnerabilities (highest severity is: 8.8) - autoclosed

Vulnerable Library - error_prone_core-2.20.0.jar

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jgit/org.eclipse.jgit/4.4.1.201607150455-r/63998ced66e425d9e8bcd0c59f710c98f0c021ff/org.eclipse.jgit-4.4.1.201607150455-r.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jgit/org.eclipse.jgit/4.4.1.201607150455-r/63998ced66e425d9e8bcd0c59f710c98f0c021ff/org.eclipse.jgit-4.4.1.201607150455-r.jar

Found in HEAD commit: be9c49ce53e967babe24356ce2a4bc1a1956609a

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (error_prone_core version)	Remediation Possible**
CVE-2023-4759	High	8.8	org.eclipse.jgit-4.4.1.201607150455-r.jar	Transitive	2.22.0	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-4759

Vulnerable Library - org.eclipse.jgit-4.4.1.201607150455-r.jar

Repository access and algorithms

Library home page: http://www.eclipse.org/jgit/

Path to dependency file: /core/build.gradle

Dependency Hierarchy:

error_prone_core-2.20.0.jar (Root Library)
- error_prone_check_api-2.20.0.jar
  - java-diff-utils-4.0.jar
    - ❌ org.eclipse.jgit-4.4.1.201607150455-r.jar (Vulnerable Library)

Found in HEAD commit: be9c49ce53e967babe24356ce2a4bc1a1956609a

Found in base branch: main

Vulnerability Details

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting git configuration option core.symlinks = false before checking out avoids the problem.

The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ .

The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

Publish Date: 2023-09-12

URL: CVE-2023-4759

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-4759

Release Date: 2023-09-12

Fix Resolution (org.eclipse.jgit:org.eclipse.jgit): 6.6.1.202309021850-r

Direct dependency fix Resolution (com.google.errorprone:error_prone_core): 2.22.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

[Feature Request] Add use of continueAsNew to DSL sample

We need to look into adding use of continueAsNew in dsl sample.
Add concrete sample dsl that invokes a large number of async activities and see how continueAsNew can be called "safely"

jackson-databind-2.13.4.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - jackson-databind-2.13.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-42003	High	7.5	jackson-databind-2.13.4.jar	Direct	N/A	❌

Details

CVE-2022-42003

Vulnerable Library - jackson-databind-2.13.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Dependency Hierarchy:

❌ jackson-databind-2.13.4.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

error_prone_core-2.16.jar: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - error_prone_core-2.16.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (error_prone_core version)	Remediation Available
CVE-2022-3510	High	7.5	protobuf-java-3.19.2.jar	Transitive	N/A*	❌
CVE-2022-3509	High	7.5	protobuf-java-3.19.2.jar	Transitive	N/A*	❌
CVE-2022-3171	High	7.5	protobuf-java-3.19.2.jar	Transitive	N/A*	❌

Details

CVE-2022-3510

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Dependency Hierarchy:

error_prone_core-2.16.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

Publish Date: 2022-12-12

URL: CVE-2022-3510

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4gg5-vx3j-xwc7

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.21.7,3.20.3,3.19.6,3.16.3

CVE-2022-3509

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Dependency Hierarchy:

error_prone_core-2.16.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

Publish Date: 2022-12-12

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7

CVE-2022-3171

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Dependency Hierarchy:

error_prone_core-2.16.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

HelloSearchAttributes broken

7:33:50 PM: Executing task 'HelloSearchAttributes.main()'...

:googleJavaFormat NO-SOURCE
:compileJava UP-TO-DATE
:processResources UP-TO-DATE
:classes UP-TO-DATE
:HelloSearchAttributes.main()Exception in thread "main" io.grpc.StatusRuntimeException: INVALID_ARGUMENT: 2020-05-22T19:33:51.841 is not a valid search attribute value for key CustomDatetimeField
	at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:244)
	at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:225)
	at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:142)
	at io.temporal.proto.workflowservice.WorkflowServiceGrpc$WorkflowServiceBlockingStub.startWorkflowExecution(WorkflowServiceGrpc.java:2601)
	at io.temporal.internal.external.GenericWorkflowClientExternalImpl.lambda$startWorkflowInternal$0(GenericWorkflowClientExternalImpl.java:155)
	at io.temporal.internal.common.GrpcRetryer.retryWithResult(GrpcRetryer.java:127)
	at io.temporal.internal.external.GenericWorkflowClientExternalImpl.startWorkflowInternal(GenericWorkflowClientExternalImpl.java:153)
	at io.temporal.internal.external.GenericWorkflowClientExternalImpl.startWorkflow(GenericWorkflowClientExternalImpl.java:88)
	at io.temporal.internal.sync.WorkflowStubImpl.startWithOptions(WorkflowStubImpl.java:130)
	at io.temporal.internal.sync.WorkflowStubImpl.start(WorkflowStubImpl.java:217)
	at io.temporal.internal.sync.WorkflowInvocationHandler.startWorkflow(WorkflowInvocationHandler.java:185)
	at io.temporal.internal.sync.WorkflowInvocationHandler.access$300(WorkflowInvocationHandler.java:45)
	at io.temporal.internal.sync.WorkflowInvocationHandler$SyncWorkflowInvocationHandler.startWorkflow(WorkflowInvocationHandler.java:306)
	at io.temporal.internal.sync.WorkflowInvocationHandler$SyncWorkflowInvocationHandler.invoke(WorkflowInvocationHandler.java:262)
	at io.temporal.internal.sync.WorkflowInvocationHandler.invoke(WorkflowInvocationHandler.java:172)
	at com.sun.proxy.$Proxy5.getGreeting(Unknown Source)
	at io.temporal.samples.hello.HelloSearchAttributes.main(HelloSearchAttributes.java:122)
7:34:03 PM: Task execution finished 'HelloSearchAttributes.main()'.

Update comments across all "hello" samples

A number of suggested changes in #114
apply to all of the "hello" samples.

Use those comments and apply them across all "hello" samples.

serverlessworkflow-api-4.0.3.Final.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - serverlessworkflow-api-4.0.3.Final.jar

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20200518/41a767de4bde8f01d53856b905c49b2db8862f13/json-20200518.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (serverlessworkflow-api version)	Remediation Available
CVE-2022-45688	High	7.5	json-20200518.jar	Transitive	N/A*	❌

Details

CVE-2022-45688

Vulnerable Library - json-20200518.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

	The files in this package implement JSON encoders/decoders in Java.
	It also includes the capability to convert between JSON and XML, HTTP
	headers, Cookies, and CDL.

	This is a reference implementation. There is a large number of JSON packages
	in Java. Perhaps someday the Java community will standardize on one. Until
	then, choose carefully.

	The license includes this restriction: "The software shall be used for good,
	not evil." If your conscience cannot live with that, then choose a different
	package.</p>

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20200518/41a767de4bde8f01d53856b905c49b2db8862f13/json-20200518.jar

Dependency Hierarchy:

serverlessworkflow-api-4.0.3.Final.jar (Root Library)
- ❌ json-20200518.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Publish Date: 2022-12-13

URL: CVE-2022-45688

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3vqj-43w4-2q58

Release Date: 2022-12-13

Fix Resolution: org.json:json:20230227

[Feature Request] Add more samples to denote exception and failure handling scenarios for Java SDK

Is your feature request related to a problem? Please describe.

Please add more samples to show how exceptions need to be thrown from Activities. Also, need to understand handling of exceptions in workflow code and scenarios where based on certain exception, need the workflow/activity to fail and halt retry execution.

Describe the solution you'd like

Additional context

Add listWorkflowExecutions call to the HelloSearchAttributes example.

Is your feature request related to a problem? Please describe.

HelloSearchAttributes example only demonstrates insertion of search attributes, but doesn't demonstrate listing workflows by those attributes.

Describe the solution you'd like

Change the example to create a few workflows and list them using the gRPC API.

[Feature Request] sample for schedule

Is your feature request related to a problem? Please describe.

Add sample for schedule

This example can be used as a reference https://github.com/temporalio/samples-go/tree/main/schedule

Describe the solution you'd like

Additional context

[DISCUSSION] Ideas for new samples

This Issue is used to brainstorm new samples ideas for the Java SDK that we want to add.

If you have any ideas/suggestions feel free to add a comment - thanks!

Sample for new search attributes APIs

JavaSDK 1.9.0 comes with a bunch of new APIs for search attributes and an ability to register search attributes in tests.
We should refresh the Search Attributes sample and show these new APIs that now should be preferred over the old methods.

jaeger-client-1.8.1.jar: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - jaeger-client-1.8.1.jar

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.8.0/49b64e09d81c0cc84b267edd0c2fd7df5a64c78c/okio-jvm-2.8.0.jar

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jaeger-client version)	Remediation Possible**
CVE-2023-3635	High	7.5	okio-2.8.0.jar	Transitive	N/A*	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-3635

Vulnerable Library - okio-2.8.0.jar

A modern I/O API for Java

Library home page: https://github.com/square/okio/

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.8.0/49b64e09d81c0cc84b267edd0c2fd7df5a64c78c/okio-jvm-2.8.0.jar

Dependency Hierarchy:

jaeger-client-1.8.1.jar (Root Library)
- jaeger-thrift-1.8.1.jar
  - okhttp-4.9.3.jar
    - ❌ okio-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution: com.squareup.okio:okio-jvm:3.4.0

json-path-2.7.0.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - json-path-2.7.0.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.7/8d7f4c1530c07c54930935f3da85f48b83b3c109/json-smart-2.4.7.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (json-path version)	Remediation Available
CVE-2023-1370	High	7.5	json-smart-2.4.7.jar	Transitive	2.8.0	✅

Details

CVE-2023-1370

Vulnerable Library - json-smart-2.4.7.jar

Library home page: https://urielch.github.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.7/8d7f4c1530c07c54930935f3da85f48b83b3c109/json-smart-2.4.7.jar

Dependency Hierarchy:

json-path-2.7.0.jar (Root Library)
- ❌ json-smart-2.4.7.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2023-03-22

URL: CVE-2023-1370

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Release Date: 2023-03-22

Fix Resolution (net.minidev:json-smart): 2.4.9

Direct dependency fix Resolution (com.jayway.jsonpath:json-path): 2.8.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

[Bug] MoneyBatch

Describe the bug

The count and balance should be cleared after this line:

https://github.com/temporalio/samples-java/blame/master/src/main/java/io/temporal/samples/moneybatch/AccountTransferWorkflowImpl.java#L51

To Reproduce

Run two batches in succession and notice that the second batch is never deposited.

[Feature Request] Add metrics sample

Requested via Slack community channel.

Add metrics sample similar to: https://github.com/temporalio/samples-go/tree/main/metrics

Helpful forum post: https://community.temporal.io/t/how-to-enable-metrics-support-using-java-sdk/366

temporal-sdk-1.20.0-SNAPSHOT.jar: 1 vulnerabilities (highest severity is: 5.5) - autoclosed

Vulnerable Library - temporal-sdk-1.20.0-SNAPSHOT.jar

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-jre/60458f877d055d0c9114d9e1a2efb737b4bc282c/guava-31.1-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-jre/60458f877d055d0c9114d9e1a2efb737b4bc282c/guava-31.1-jre.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (temporal-sdk version)	Remediation Available
CVE-2023-2976	Medium	5.5	guava-31.1-jre.jar	Transitive	N/A*	❌

Details

CVE-2023-2976

Vulnerable Library - guava-31.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.

Path to dependency file: /springboot/build.gradle

Dependency Hierarchy:

temporal-sdk-1.20.0-SNAPSHOT.jar (Root Library)
- ❌ guava-31.1-jre.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-2976

Release Date: 2023-06-14

Fix Resolution: com.google.guava:guava:32.0.1-jre,com.google.guava:guava:32.0.1-android

[Bug] Gradle task "execute" removed, and instructions still refer to it

The task was removed in this commit as appears an attempt to cleanup build script: 2a156ae , however the instructions still refer to it, e.g.

./gradlew -q execute -PmainClass=io.temporal.samples.hello.HelloActivity

[Feature Request] Default to Java 11

I was surprised to not have Java 11 features available while modifying some of the examples. Since Java 11 has become the standard these days I would suggest to make Java 11 the default for the samples.

I'd be happy to provide a PR

spring-boot-starter-test-2.7.9.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - spring-boot-starter-test-2.7.9.jar

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.8/7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f/json-smart-2.4.8.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spring-boot-starter-test version)	Remediation Available
CVE-2023-1370	High	7.5	json-smart-2.4.8.jar	Transitive	2.7.10	✅

Details

CVE-2023-1370

Vulnerable Library - json-smart-2.4.8.jar

Library home page: https://urielch.github.io/

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.8/7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f/json-smart-2.4.8.jar

Dependency Hierarchy:

spring-boot-starter-test-2.7.9.jar (Root Library)
- json-path-2.7.0.jar
  - ❌ json-smart-2.4.8.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2023-03-22

URL: CVE-2023-1370

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Release Date: 2023-03-22

Fix Resolution (net.minidev:json-smart): 2.4.9

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.7.10

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

jquery-3.3.1.min.js: 4 vulnerabilities (highest severity is: 6.1) - autoclosed

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jquery version)	Remediation Available
CVE-2020-11023	Medium	6.1	jquery-3.3.1.min.js	Direct	jquery - 3.5.0;jquery-rails - 4.4.0	❌
CVE-2020-11022	Medium	6.1	jquery-3.3.1.min.js	Direct	jQuery - 3.5.0	❌
CVE-2019-11358	Medium	6.1	jquery-3.3.1.min.js	Direct	jquery - 3.4.0	❌
CVE-2020-23064	Medium	6.1	jquery-3.3.1.min.js	Direct	jquery - 3.5.0	❌

Details

CVE-2020-11023

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Dependency Hierarchy:

❌ jquery-3.3.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Dependency Hierarchy:

❌ jquery-3.3.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Dependency Hierarchy:

❌ jquery-3.3.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2020-23064

Vulnerable Library - jquery-3.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js

Path to dependency file: /springboot/src/main/resources/templates/fragments.html

Path to vulnerable library: /springboot/src/main/resources/templates/fragments.html

Dependency Hierarchy:

❌ jquery-3.3.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the element.

Publish Date: 2023-06-26

URL: CVE-2020-23064

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2023-06-26

Fix Resolution: jquery - 3.5.0

jaeger-client-1.8.0.jar: 13 vulnerabilities (highest severity is: 7.7) - autoclosed

Vulnerable Library - jaeger-client-1.8.0.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.10/ea29e063d2bbe695be13e9d044dcfb0c7add398e/kotlin-stdlib-1.4.10.jar

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
WS-2021-0419	High	7.7	gson-2.8.6.jar	Transitive	N/A	❌
CVE-2022-25647	High	7.5	gson-2.8.6.jar	Transitive	N/A	❌
CVE-2019-17563	High	7.5	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2020-13934	High	7.5	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2021-25122	High	7.5	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2021-41079	High	7.5	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2021-25329	High	7.0	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2020-9484	High	7.0	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2021-24122	Medium	5.9	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2022-24329	Medium	5.3	kotlin-stdlib-1.4.10.jar	Transitive	N/A	❌
CVE-2021-33037	Medium	5.3	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2020-1935	Medium	4.8	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌
CVE-2020-13943	Medium	4.3	tomcat-embed-core-8.5.46.jar	Transitive	N/A	❌

Details

WS-2021-0419

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-core-1.8.0.jar
  - ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

CVE-2022-25647

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-core-1.8.0.jar
  - ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9

CVE-2019-17563

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Publish Date: 2019-12-23

URL: CVE-2019-17563

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563

Release Date: 2019-12-23

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.99,8.5.50,9.0.30;org.apache.tomcat:tomcat-catalina:7.0.99,8.5.50,9.0.30

CVE-2020-13934

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

Publish Date: 2020-07-14

URL: CVE-2020-13934

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652ee4f962e%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2020-07-14

Fix Resolution: org.apache.tomcat:tomcat-coyote:8.5.57,9.0.37,10.0.0-M7;org.apache.tomcat.embed:tomcat-embed-core:8.5.57,9.0.37,10.0.0-M7

CVE-2021-25122

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Publish Date: 2021-03-01

URL: CVE-2021-25122

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2021-03-01

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:8.5.62,9.0.42,10.0.2;org.apache.tomcat:tomcat-coyote:8.5.62,9.0.42,10.0.2

CVE-2021-41079

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

Publish Date: 2021-09-16

URL: CVE-2021-41079

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-10.html

Release Date: 2021-09-16

Fix Resolution: org.apache.tomcat:tomcat-coyote:8.5.64,9.0.44,10.0.4;org.apache.tomcat.embed:tomcat-embed-core:8.5.64,9.0.44,10.0.4

CVE-2021-25329

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Publish Date: 2021-03-01

URL: CVE-2021-25329

CVSS 3 Score Details (7.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2021-03-01

Fix Resolution: org.apache.tomcat:tomcat:7.0.108, org.apache.tomcat:tomcat:8.5.63, org.apache.tomcat:tomcat:9.0.43,org.apache.tomcat:tomcat:10.0.2

CVE-2020-9484

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Publish Date: 2020-05-20

URL: CVE-2020-9484

CVSS 3 Score Details (7.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484

Release Date: 2020-05-20

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.104,8.5.55,9.0.35,10.0.0-M5,org.apache.tomcat:tomcat-catalina:7.0.104,8.5.55,9.0.35,10.0.0-M5

CVE-2021-24122

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

Publish Date: 2021-01-14

URL: CVE-2021-24122

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122

Release Date: 2021-01-14

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.107,8.5.60,9.0.40,10.0.0-M10;org.apache.tomcat:tomcat-catalina:7.0.107,8.5.60,9.0.40,10.0.0-M10

CVE-2022-24329

Vulnerable Library - kotlin-stdlib-1.4.10.jar

Kotlin Standard Library for JVM

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.10/ea29e063d2bbe695be13e9d044dcfb0c7add398e/kotlin-stdlib-1.4.10.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - okhttp-4.9.0.jar
    - ❌ kotlin-stdlib-1.4.10.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

CVE-2021-33037

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Publish Date: 2021-07-12

URL: CVE-2021-33037

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2021-07-12

Fix Resolution: org.apache.tomcat:tomcat-coyote:8.5.68, 9.0.48, 10.0.7, org.apache.tomcat.embed:tomcat-embed-core:8.5.68, 9.0.48, 10.0.7

CVE-2020-1935

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Publish Date: 2020-02-24

URL: CVE-2020-1935

CVSS 3 Score Details (4.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6v7p-v754-j89v

Release Date: 2020-02-24

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.100,8.5.51,9.0.31;org.apache.tomcat:tomcat-coyote:7.0.100,8.5.51,9.0.31

CVE-2020-13943

Vulnerable Library - tomcat-embed-core-8.5.46.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.46/5d686394334d143f48251827435ab086a161e75e/tomcat-embed-core-8.5.46.jar

Dependency Hierarchy:

jaeger-client-1.8.0.jar (Root Library)
- jaeger-thrift-1.8.0.jar
  - libthrift-0.14.1.jar
    - ❌ tomcat-embed-core-8.5.46.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Publish Date: 2020-10-12

URL: CVE-2020-13943

CVSS 3 Score Details (4.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2020-10-12

Fix Resolution: org.apache.tomcat:tomcat-coyote:8.5.58,9.0.38,10.0.0-M8;org.apache.tomcat.embed:tomcat-embed-core:8.5.58,9.0.38,10.0.0-M8

Redirect url in readme of bookingsaga sample is outdated

redirect url for unit test in below readme is outdated:
https://github.com/temporalio/samples-java/blob/master/src/main/java/io/temporal/samples/bookingsaga/README.md

Corrected it in below PR:
#78

Sample for a test verifying published metrics in unit tests

Temporal should provide a sample for users on how they may check the metrics in unit tests.
I propose to wire MetricsScope with our standard MicrometerClientStatsReporter initialized with SimpleMeterRegistry micrometer.
A little bit like micrometer does in one of their tests:
https://www.programcreek.com/java-api-examples/?code=micrometer-metrics%2Fmicrometer%2Fmicrometer-master%2Fmicrometer-test%2Fsrc%2Fmain%2Fjava%2Fio%2Fmicrometer%2Fcore%2Ftck%2FTimerTest.java

        MeterRegistry registry = new SimpleMeterRegistry();

        try (Timer.ResourceSample sample = Timer.resource(registry, "requests")
                .description("This is an operation")
                .publishPercentileHistogram()) {
            try {
                if (outcome.equals("error")) {
                    throw new IllegalArgumentException("boom");
                }
                sample.tag("outcome", "success");
            } catch (Throwable t) {
                sample.tag("outcome", "error");
            }
        }

        assertThat(registry.get("requests").tag("outcome", outcome).timer().count())
                .isEqualTo(1);

jackson-bom-2.13.4.20221013.pom: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - jackson-bom-2.13.4.20221013.pom

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar

Found in HEAD commit: 2a25bc291a9dc0b83b81cfcd2d1a5709d81de6bc

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jackson-bom version)	Remediation Available
CVE-2022-38752	Medium	6.5	snakeyaml-1.31.jar	Transitive	N/A*	❌

Details

CVE-2022-38752

Vulnerable Library - snakeyaml-1.31.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar

Dependency Hierarchy:

jackson-bom-2.13.4.20221013.pom (Root Library)
- jackson-dataformat-yaml-2.13.4.jar
  - ❌ snakeyaml-1.31.jar (Vulnerable Library)

Found in HEAD commit: 2a25bc291a9dc0b83b81cfcd2d1a5709d81de6bc

Found in base branch: main

Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.32

HelloCron - Unsupported field

I changed hellocron to print timestamp along with message

Caused by: io.temporal.failure.ApplicationFailure: message='Unsupported field: Year', >type='java.time.temporal.UnsupportedTemporalTypeException', nonRetryable=false

I see two issues

Date format is causing error : Caused by: io.temporal.failure.ApplicationFailure: message='Unsupported field: Year',
While the nature of error is fatal (no use retrying) I still see the wf executing<==========---> 80% EXECUTING [6m 35s]

Questions:

Why printing the below date time stamp did not work? If I choose to keep the date format code as-is, should I change any temporal-config to make the workflow execute without error?
Is "retry" an expected behavoir for an obvious non-retryable scenario like

  static class GreetingActivitiesImpl implements GreetingActivities {
    static final DateTimeFormatter MYDATE_FORMATTER = DateTimeFormatter.ISO_LOCAL_DATE_TIME;

    @Override
    public void greet(String greeting) {
      System.out.println(
          MYDATE_FORMATTER.format(Instant.now().truncatedTo(ChronoUnit.SECONDS))
              + "From "
              + Activity.getExecutionContext().getInfo().getWorkflowId()
              + ": "
              + greeting);
    }
  }

error:

14:34:07.311 [workflow-method] ERROR i.t.i.s.POJOWorkflowImplementationFactory - Workflow execution failure WorkflowId=HelloCron, RunId=f600d571-be09-4b4
6-a043-f8e1a5f28c78, WorkflowType=GreetingWorkflow
io.temporal.failure.ActivityFailure: scheduledEventId=5, startedEventId=6, activityType='Greet', activityId='2d407c54-4418-3158-a003-1de6c17cf62a', ident
ity='21484@TOHQLP922', retryState=RETRY_STATE_TIMEOUT
        at java.base/java.lang.Thread.getStackTrace(Thread.java:1606)
        at io.temporal.internal.sync.ActivityStubBase.execute(ActivityStubBase.java:48)
        at io.temporal.internal.sync.ActivityInvocationHandler.lambda$getActivityFunc$0(ActivityInvocationHandler.java:59)
        at io.temporal.internal.sync.ActivityInvocationHandlerBase.invoke(ActivityInvocationHandlerBase.java:65)
        at com.sun.proxy.$Proxy7.greet(Unknown Source)
        at io.temporal.samples.hello.HelloCron$GreetingWorkflowImpl.greet(HelloCron.java:75)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at io.temporal.internal.sync.POJOWorkflowImplementationFactory$POJOWorkflowImplementation$RootWorkflowInboundCallsInterceptor.execute(POJOWorkflo
wImplementationFactory.java:289)
        at io.temporal.internal.sync.POJOWorkflowImplementationFactory$POJOWorkflowImplementation.execute(POJOWorkflowImplementationFactory.java:253)
        at io.temporal.internal.sync.WorkflowExecuteRunnable.run(WorkflowExecuteRunnable.java:52)
        at io.temporal.internal.sync.SyncWorkflow.lambda$start$0(SyncWorkflow.java:119)
        at io.temporal.internal.sync.CancellationScopeImpl.run(CancellationScopeImpl.java:104)
        at io.temporal.internal.sync.WorkflowThreadImpl$RunnableWrapper.run(WorkflowThreadImpl.java:107)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: io.temporal.failure.ApplicationFailure: message='Unsupported field: Year', type='java.time.temporal.UnsupportedTemporalTypeException', nonRetryable=false
        at java.base/java.time.Instant.getLong(Instant.java:602)
        at java.base/java.time.format.DateTimePrintContext$1.getLong(DateTimePrintContext.java:205)
        at java.base/java.time.format.DateTimePrintContext.getValue(DateTimePrintContext.java:308)
        at java.base/java.time.format.DateTimeFormatterBuilder$NumberPrinterParser.format(DateTimeFormatterBuilder.java:2696)
        at java.base/java.time.format.DateTimeFormatterBuilder$CompositePrinterParser.format(DateTimeFormatterBuilder.java:2335)
        at java.base/java.time.format.DateTimeFormatterBuilder$CompositePrinterParser.format(DateTimeFormatterBuilder.java:2335)
        at java.base/java.time.format.DateTimeFormatter.formatTo(DateTimeFormatter.java:1843)
        at java.base/java.time.format.DateTimeFormatter.format(DateTimeFormatter.java:1817)
        at io.temporal.samples.hello.HelloCron$GreetingActivitiesImpl.greet(HelloCron.java:85)
        at jdk.internal.reflect.GeneratedMethodAccessor3.invoke(Unknown Source:0)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at io.temporal.internal.sync.POJOActivityTaskHandler$POJOActivityInboundCallsInterceptor.execute(POJOActivityTaskHandler.java:279)
        at io.temporal.internal.sync.POJOActivityTaskHandler$POJOActivityImplementation.execute(POJOActivityTaskHandler.java:218)
        at io.temporal.internal.sync.POJOActivityTaskHandler.handle(POJOActivityTaskHandler.java:183)
        at io.temporal.internal.worker.ActivityWorker$TaskHandlerImpl.handle(ActivityWorker.java:194)
        at io.temporal.internal.worker.ActivityWorker$TaskHandlerImpl.handle(ActivityWorker.java:154)
        at io.temporal.internal.worker.PollTaskExecutor.lambda$process$0(PollTaskExecutor.java:73)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)
<==========---> 80% EXECUTING [6m 35s]
> :execute

error_prone_core-2.10.0.jar: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - error_prone_core-2.10.0.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (error_prone_core version)	Remediation Available
CVE-2022-3171	High	7.5	protobuf-java-3.4.0.jar	Transitive	N/A*	❌
CVE-2021-22569	Medium	5.5	protobuf-java-3.4.0.jar	Transitive	2.11.0	✅

Details

CVE-2022-3171

Vulnerable Library - protobuf-java-3.4.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar

Dependency Hierarchy:

error_prone_core-2.10.0.jar (Root Library)
- ❌ protobuf-java-3.4.0.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

Publish Date: Oct 12, 2022 11:15:00 PM

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: Oct 12, 2022 11:15:00 PM

CVE-2021-22569

Vulnerable Library - protobuf-java-3.4.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar

Dependency Hierarchy:

error_prone_core-2.10.0.jar (Root Library)
- ❌ protobuf-java-3.4.0.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: Jan 10, 2022 2:10:00 PM

URL: CVE-2021-22569

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wrvw-hg22-4m67

Release Date: Jan 10, 2022 2:10:00 PM

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.1

Direct dependency fix Resolution (com.google.errorprone:error_prone_core): 2.11.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

[Feature Request] Sample for Using Local Activity to Notify

Is your feature request related to a problem? Please describe.

Raising a feature request here as recommeded in https://community.temporal.io/t/signalling-system-human-driven-workflows/160/22?u=hrishikesh_chappadi

This is regarding simulating synchronous updates using local activites.

Describe the solution you'd like

Please refer to the comment here https://community.temporal.io/t/signalling-system-human-driven-workflows/160/3?u=hrishikesh_chappadi

Additional context

None.

error_prone_core-2.18.0.jar: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - error_prone_core-2.18.0.jar

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.0.1-jre/119ea2b2bc205b138974d351777b20f02b92704b/guava-31.0.1-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.0.1-jre/119ea2b2bc205b138974d351777b20f02b92704b/guava-31.0.1-jre.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (error_prone_core version)	Remediation Available
CVE-2022-3510	High	7.5	protobuf-java-3.19.2.jar	Transitive	2.20.0	✅
CVE-2022-3509	High	7.5	protobuf-java-3.19.2.jar	Transitive	2.20.0	✅
CVE-2022-3171	High	7.5	protobuf-java-3.19.2.jar	Transitive	2.20.0	✅
CVE-2023-2976	Medium	5.5	guava-31.0.1-jre.jar	Transitive	N/A*	❌

Details

CVE-2022-3510

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /springboot/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Dependency Hierarchy:

error_prone_core-2.18.0.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-12-12

URL: CVE-2022-3510

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4gg5-vx3j-xwc7

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.19.6

Direct dependency fix Resolution (com.google.errorprone:error_prone_core): 2.20.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-3509

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /springboot/build.gradle

Dependency Hierarchy:

error_prone_core-2.18.0.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-12-12

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.19.6

Direct dependency fix Resolution (com.google.errorprone:error_prone_core): 2.20.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-3171

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /springboot/build.gradle

Dependency Hierarchy:

error_prone_core-2.18.0.jar (Root Library)
- ❌ protobuf-java-3.19.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.19.6

Direct dependency fix Resolution (com.google.errorprone:error_prone_core): 2.20.0

⛑️ Automatic Remediation is available for this issue

CVE-2023-2976

Vulnerable Library - guava-31.0.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.

Library home page: https://github.com/google/guava

Path to dependency file: /core/build.gradle

Dependency Hierarchy:

error_prone_core-2.18.0.jar (Root Library)
- ❌ guava-31.0.1-jre.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-2976

Release Date: 2023-06-14

Fix Resolution: com.google.guava:guava:32.0.1-jre,com.google.guava:guava:32.0.1-android

⛑️ Automatic Remediation is available for this issue.

[Bug] README.md missing for ssl sample

Just need to add a README.md with the gradlew command to run it along with perhaps some additional contextual information about environment variables

[Feature Request] mTLS sample

This sample exists but we need one for mtls for both worker and "starter".

https://github.com/temporalio/samples-java/tree/main/src/main/java/io/temporal/samples/ssl

The sample should be modeled after https://github.com/temporalio/samples-typescript/tree/main/hello-world-mtls

Add new sample showing per-activity option configuration

Show use of
WorkflowImplementationOptions-> setActivityOptions

[Bug] HelloCancellationScope example has different behaviour when running the test vs when running the workflow through the main method

What are you really trying to do?

I am trying to understand how cancellation scopes work, and for that I am looking at HelloCancellationScope and HelloDetachedCancellationScope

Describe the bug

I was looking at the code in the HelloCancellationScope class.

If I run the example through the main method, this is the output:

Activity for Oi going to take 23 seconds
Activity for Привет going to take 8 seconds
Activity for Hallo going to take 16 seconds
Activity for Bye going to take 28 seconds
Activity for Hola going to take 11 seconds
Activity for Hello going to take 19 seconds
Activity for Привет completed
Activity for Oi was cancelled. Cleanup is expected to take 2 seconds.
Activity for Hallo was cancelled. Cleanup is expected to take 4 seconds.
Activity for Bye was cancelled. Cleanup is expected to take 1 seconds.
Activity for Hola was cancelled. Cleanup is expected to take 2 seconds.
Activity for Hello was cancelled. Cleanup is expected to take 1 seconds.
Activity for Bye finished cancellation
13:26:44.374 {HelloCancellationScopeWorkflow dd9e08dd-9b26-3f67-a226-396d0fa9c2df} [Activity Executor taskQueue="HelloCancellationScopeTaskQueue", namespace="default": 4] INFO  i.t.i.a.ActivityTaskExecutors$ActivityTaskExecutor - Activity canceled. ActivityId=dd9e08dd-9b26-3f67-a226-396d0fa9c2df, activityType=ComposeGreeting, attempt=1 
Activity for Hello finished cancellation
13:26:44.387 {HelloCancellationScopeWorkflow be5eaced-ee7f-34ee-9e18-1bc0de1bc344} [Activity Executor taskQueue="HelloCancellationScopeTaskQueue", namespace="default": 6] INFO  i.t.i.a.ActivityTaskExecutors$ActivityTaskExecutor - Activity canceled. ActivityId=be5eaced-ee7f-34ee-9e18-1bc0de1bc344, activityType=ComposeGreeting, attempt=1 
Activity for Oi finished cancellation
13:26:45.355 {HelloCancellationScopeWorkflow 42c07d6b-7f8d-3638-b408-6045e5eee15d} [Activity Executor taskQueue="HelloCancellationScopeTaskQueue", namespace="default": 1] INFO  i.t.i.a.ActivityTaskExecutors$ActivityTaskExecutor - Activity canceled. ActivityId=42c07d6b-7f8d-3638-b408-6045e5eee15d, activityType=ComposeGreeting, attempt=1 
Activity for Hola finished cancellation
13:26:45.383 {HelloCancellationScopeWorkflow 7c33e886-500d-3711-8d81-8c0d84d6291e} [Activity Executor taskQueue="HelloCancellationScopeTaskQueue", namespace="default": 5] INFO  i.t.i.a.ActivityTaskExecutors$ActivityTaskExecutor - Activity canceled. ActivityId=7c33e886-500d-3711-8d81-8c0d84d6291e, activityType=ComposeGreeting, attempt=1 
Activity for Hallo finished cancellation
13:26:47.366 {HelloCancellationScopeWorkflow b1ec9997-52bc-3c81-8a4c-2be9f2506e41} [Activity Executor taskQueue="HelloCancellationScopeTaskQueue", namespace="default": 3] INFO  i.t.i.a.ActivityTaskExecutors$ActivityTaskExecutor - Activity canceled. ActivityId=b1ec9997-52bc-3c81-8a4c-2be9f2506e41, activityType=ComposeGreeting, attempt=1 
Привет World!

After the first activity is completed all the remaining activities are cancelled as expected.

If I run the test (HelloCancellationScopeTest), this is the output:

Activity for Hello going to take 9 seconds
Activity for Hola going to take 16 seconds
Activity for Bye going to take 9 seconds
Activity for Hallo going to take 11 seconds
Activity for Привет going to take 8 seconds
Activity for Oi going to take 16 seconds
Activity for Привет completed
Activity for Bye completed
Activity for Hello completed
Activity for Hallo completed
Activity for Hola completed
Activity for Oi completed

After the first activity is completed all the remaining activities are not cancelled.

Minimal Reproduction

Environment/Versions

OS and processor: [e.g. M1 Mac, x86 Windows, Linux]
Temporal Version: [e.g. 1.14.0?] and/or SDK version
Are you using Docker or Kubernetes or building Temporal from source?