WS-2021-0419 - High Severity Vulnerability

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: Conquer/auxiliary/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar,gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Dependency Hierarchy:

• ❌ gson-2.8.6.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: N/A
  • Attack Complexity: N/A
  • Privileges Required: N/A
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

Step up your Open Source Security Game with WhiteSource here

As a casual passer-by I still have no idea what does this game look like?

Currently, only the binaries can only be built for the current system.

Conquer should be cross compileable. This means in all of these directions.

• Linux->Windows
• Linux->Linux (Other architecture)
• Windows->Windows (Other architecture)

This would allow faster builds for more targets, as only conquer.deb and Installer.exe changes.

Steps for Java 16:

• Gradle 7 is released
• Update java version in gradle
• Convert .collect(Collectors.toList()) to .toList()
• Update GitHub Actions
• Update java version in launcher
• Update java version for .deb files (Recommendation)
• Update java version in .pom files
• Update instructions

Currently, you would have to check manually for an update, download it and install it.
This takes a lot of time.

It would be better, if the launcher (At least on windows, as on linux there is a package manager) would check, if a new version is available, if yes it would download the installer and install the new version.

A list of locations for cleanup:

• Launcher/src/gtkmain.c: Remove global variables Will be rewritten.
• buildConquer: Replace with another build system: make? gradle? ant?
• ConquerFrontend: Cleanup of the entire GUI.
• gradle scripts: These are a total mess, as it was my first time to use gradle. (They improved a lot, but are still sometimes a bit messy)
• Launcher: The launcher is now quite messy, because of many #ifdefs WIll be rewritten

Currently you can't save your progress, so you have to either stop the game and lose all your progress or play until the game has ended.

Some functionality is currently implemented in SavedGame, but it is untested and not exposed.

Conquer on linux has to be started from the commandline at the moment.

This is not comfortable. An .desktop file should be provided, so it can be started from the start menu.

In the clan info tab, when you want to upgrade the soldiers, sometimes the button that is responsible for the maximum upgrade shows a wrong value, like Upgrade to level 51, but if you press it, it sometimes upgrades to level 50 or level 52.

Furthermore, sometimes the buttons are enabled although you can't upgrade because you don't have enough coins.

The makefile for the launcher is quite messy, and the "standard" build tool seems to be vala. Using meson would improve the quality of the project.

Currently this project uses a custom shellscript.

The problem with it is, that it is getting a bit too complex.

It has to be replaced by another, real buildsystem that is able to master every complexity.

The best one for this task would be with a high probability, gradle.

• Change project structure
• Write build.gradle for each subproject (E.g. Conquer, ConquerFrontend, ...)
• Implement the building of music with gradle.
• Integrate Makefile builds
• Build .deb files
• Put it all together
• Change CI

Currently, if you run the game, the console window will always be visible. This is distracting and closing it, closes the entire game.

The window should be hidden, like in other applications, too.

Gradle 7.0 was released. (Release Notes). Older features should be replaced by newer ones in order to improve the efficiency/performance of the build.

• Type-safe project accessors
• Using dynamic versions in the plugins block
• Use plugins {} instead of apply plugin:
• Add inputs/outputs to all custom tasks explicitly

At time of writing the code coverage based on the unit tests is around 15%. This is far too low.
More tests are needed.

At least 85% should be reached. (This can be done by different people with multiple PRs)

At the time of writing, there are several sources where Java is downloaded.

1. https://mirrors.huaweicloud.com/openjdk/15/openjdk-15_linux-x64_bin.tar.gz for linux,x64
2. https://mirrors.huaweicloud.com/openjdk/15/openjdk-15_linux-aarch64_bin.tar.gz for linux,aarch64
3. https://mirrors.huaweicloud.com/openjdk/15/openjdk-15_windows-x64_bin.zip for windows,x64

Furthermore, the following locations on linux are checked, whether they exist:

1. /usr/lib/jvm/java-15-openjdk-amd64/ for linux,amd64
2. /usr/lib/jvm/java-15-openjdk-i386/ for linux,i386
3. /usr/lib/jvm/java-15-openjdk-arm64/ for linux,aarch64
4. $JAVA_HOME

From these URLs Java could be downloaded:

1. http://jdk.java.net/15/ (OpenJDK binaries)
2. https://adoptopenjdk.net/releases.html?variant=openjdk15&jvmVariant=hotspot (AdoptOpenJDK)
3. https://bell-sw.com/pages/downloads/#/java-15-current (Liberica JDK)

Pro:
-More up-to-date java version.
-More supported architectures
Contra:
-Each site would have to be parsed. (HTML-Parser) Either use a library or write one simplied yourself.
-Really fragile

Liberica JDK and Adoptopenjdk provide a REST API for getting java.

Alternative:
-Host binaries for every supported architecture on github releases.

Currently a whole JDK (~300MB) is downloaded for each user in:

C:\Users\<name>\Appdata\Roaming\.conquer\java-15

If there are many users, this will stack up.
It would be better, if Java is downloaded and extracted to

C:\Program Files\Conquer\java-15

So it is shared. This could be done for example while installing (With Installer.exe)