Android App template
License: The Unlicense
And more...
|
|
|
|
|
|
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
Vulnerable Library - databinding-compiler-7.3.1.jarPath to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
Found in HEAD commit: 8ba6db23242d49134473e659ca0e8a9d7f79894e
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (databinding-compiler version) | Remediation Available |
|---|---|---|---|---|---|---|
| WS-2021-0419 |  High |
7.7 | gson-2.8.6.jar | Transitive | N/A* | β |
| CVE-2022-25647 | High |
7.5 | gson-2.8.6.jar | Transitive | N/A* | β |
| WS-2019-0379 |  Medium |
6.5 | commons-codec-1.11.jar | Transitive | N/A* | β |
| CVE-2022-24329 | Medium |
5.3 | kotlin-stdlib-1.5.31.jar | Transitive | N/A* | β |
| CVE-2021-29425 | Medium |
4.8 | commons-io-2.4.jar | Transitive | N/A* | β |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
WS-2021-0419Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: 8ba6db23242d49134473e659ca0e8a9d7f79894e
Found in base branch: main
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
Step up your Open Source Security Game with Mend here
CVE-2022-25647Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: 8ba6db23242d49134473e659ca0e8a9d7f79894e
Found in base branch: main
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9
Step up your Open Source Security Game with Mend here
WS-2019-0379The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 8ba6db23242d49134473e659ca0e8a9d7f79894e
Found in base branch: main
Apache commons-codec before version βcommons-codec-1.13-RC1β is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Step up your Open Source Security Game with Mend here
CVE-2022-24329Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.5.31/6628d61d0f5603568e72d2d5915d2c034b4f1c55/kotlin-stdlib-1.5.31.jar
Dependency Hierarchy:
Found in HEAD commit: 8ba6db23242d49134473e659ca0e8a9d7f79894e
Found in base branch: main
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0
Step up your Open Source Security Game with Mend here
CVE-2021-29425The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.4/b1b6ea3b7e4aa4f492509a4952029cd8e48019ad/commons-io-2.4.jar
Dependency Hierarchy:
Found in HEAD commit: 8ba6db23242d49134473e659ca0e8a9d7f79894e
Found in base branch: main
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - moshi-kotlin-codegen-1.14.0.jarPath to dependency file: /core-database/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-jre/60458f877d055d0c9114d9e1a2efb737b4bc282c/guava-31.1-jre.jar
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (moshi-kotlin-codegen version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-2976 |  High |
7.1 | detected in multiple dependencies | Transitive | N/A* | β |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-2976
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /core-network/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/30.1.1-jre/87e0fd1df874ea3cbe577702fe6f17068b790fd8/guava-30.1.1-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/30.1.1-jre/87e0fd1df874ea3cbe577702fe6f17068b790fd8/guava-30.1.1-jre.jar
Dependency Hierarchy:
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Path to dependency file: /core-database/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-jre/60458f877d055d0c9114d9e1a2efb737b4bc282c/guava-31.1-jre.jar
Dependency Hierarchy:
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
Found in base branch: main
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
Step up your Open Source Security Game with Mend here
Vulnerable Library - guava-30.1.1-android.jarGuava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/30.1.1-android/5963ed171d561cca6f14659f3439b46a1633ab13/guava-30.1.1-android.jar
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (guava version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-2976 | High |
7.1 | guava-30.1.1-android.jar | Direct | 32.0.1-android | β |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-2976Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/30.1.1-android/5963ed171d561cca6f14659f3439b46a1633ab13/guava-30.1.1-android.jar
Dependency Hierarchy:
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
Found in base branch: main
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: 32.0.1-android
Step up your Open Source Security Game with Mend here
Vulnerable Library - databinding-compiler-7.4.0.jarPath to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (databinding-compiler version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-2976 | High |
7.1 | detected in multiple dependencies | Transitive | N/A* | β |
| WS-2019-0379 |  Medium |
6.5 | commons-codec-1.11.jar | Transitive | N/A* | β |
| CVE-2021-29425 | Medium |
4.8 | commons-io-2.4.jar | Transitive | N/A* | β |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-2976
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/30.1-jre/d0c3ce2311c9e36e73228da25a6e99b2ab826f/guava-30.1-jre.jar
Dependency Hierarchy:
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /core-data/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.0.1-jre/119ea2b2bc205b138974d351777b20f02b92704b/guava-31.0.1-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.0.1-jre/119ea2b2bc205b138974d351777b20f02b92704b/guava-31.0.1-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.0.1-jre/119ea2b2bc205b138974d351777b20f02b92704b/guava-31.0.1-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.0.1-jre/119ea2b2bc205b138974d351777b20f02b92704b/guava-31.0.1-jre.jar
Dependency Hierarchy:
Found in base branch: main
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
Step up your Open Source Security Game with Mend here
WS-2019-0379The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
Dependency Hierarchy:
Found in base branch: main
Apache commons-codec before version βcommons-codec-1.13-RC1β is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Step up your Open Source Security Game with Mend here
CVE-2021-29425The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.4/b1b6ea3b7e4aa4f492509a4952029cd8e48019ad/commons-io-2.4.jar
Dependency Hierarchy:
Found in base branch: main
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - guava-28.1-android.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.1-android/c2526f8fad32a65a6d7032dd8e9524eb276b108b/guava-28.1-android.jar
Found in HEAD commit: 8ba6db23242d49134473e659ca0e8a9d7f79894e
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (guava version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-8908 |  Low |
3.3 | guava-28.1-android.jar | Direct | 30.0-android | β |
CVE-2020-8908Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.1-android/c2526f8fad32a65a6d7032dd8e9524eb276b108b/guava-28.1-android.jar
Dependency Hierarchy:
Found in HEAD commit: 8ba6db23242d49134473e659ca0e8a9d7f79894e
Found in base branch: main
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution: 30.0-android
Step up your Open Source Security Game with Mend here
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
com.squareup.retrofit2:converter-moshi, com.squareup.retrofit2:converter-gson)Warning
Renovate failed to look up the following dependencies: Failed to look up maven package dagger.hilt.android.plugin:dagger.hilt.android.plugin.gradle.plugin.
Files affected: gradle/libs.versions.toml
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
org.jetbrains.kotlin.plugin.parcelize, org.jetbrains.kotlin.kapt, org.jetbrains.kotlin.android, org.jetbrains.kotlin:kotlin-gradle-plugin)com.google.devtools.ksp, com.google.devtools.ksp:symbol-processing)com.squareup.moshi:moshi-kotlin-codegen, com.squareup.moshi:moshi-kotlin)com.android.library, com.android.application, com.android.tools.build:gradle)org.jetbrains.kotlinx:kotlinx-coroutines-test, org.jetbrains.kotlinx:kotlinx-coroutines-android)com.google.dagger:hilt-android-testing, com.google.dagger:hilt-compiler, com.google.dagger:hilt-android, com.google.dagger:hilt-android-gradle-plugin)buildSrc/src/main/kotlin/com/mx/rockstar/mytemplate/Configuration.kt
gradle.properties
settings.gradle.kts
build.gradle.kts
app/build.gradle.kts
buildSrc/build.gradle.kts
core-data/build.gradle.kts
core-database/build.gradle.kts
core-model/build.gradle.kts
core-network/build.gradle.kts
core-test/build.gradle.kts
gradle/libs.versions.toml
com.android.tools.build:gradle 8.2.1org.jetbrains.kotlin:kotlin-gradle-plugin 1.9.22com.google.dagger:hilt-android-gradle-plugin 2.50com.google.devtools.ksp:symbol-processing 1.9.22-1.0.16com.google.android.material:material 1.11.0androidx.constraintlayout:constraintlayout 2.1.4androidx.core:core-ktx 1.12.0androidx.appcompat:appcompat 1.6.1androidx.fragment:fragment-ktx 1.6.2androidx.lifecycle:lifecycle-viewmodel-ktx 2.7.0androidx.startup:startup-runtime 1.1.1androidx.arch.core:core-testing 2.2.0androidx.room:room-runtime 2.6.1androidx.room:room-ktx 2.6.1androidx.room:room-compiler 2.6.1com.github.skydoves:bindables 1.1.0com.google.dagger:hilt-android 2.50com.google.dagger:hilt-compiler 2.50com.google.dagger:hilt-android-testing 2.50org.jetbrains.kotlinx:kotlinx-coroutines-android 1.7.3com.github.skydoves:whatif 1.1.4com.jakewharton.timber:timber 5.0.1com.github.skydoves:bundler 1.0.4com.squareup.retrofit2:converter-gson 2.9.0com.squareup.retrofit2:converter-moshi 2.9.0com.squareup.okhttp3:logging-interceptor 4.12.0com.squareup.okhttp3:mockwebserver 4.12.0com.squareup.moshi:moshi-kotlin 1.15.0com.squareup.moshi:moshi-kotlin-codegen 1.15.0com.github.skydoves:sandwich 2.0.5androidx.recyclerview:recyclerview 1.3.2com.github.skydoves:baserecyclerviewadapter 1.0.4com.github.skydoves:progressview 1.1.3com.github.skydoves:transformationlayout 1.1.3junit:junit 4.13.2app.cash.turbine:turbine 1.0.0androidx.test:core 1.5.0com.nhaarman.mockitokotlin2:mockito-kotlin 2.2.0org.mockito:mockito-inline 5.2.0org.jetbrains.kotlinx:kotlinx-coroutines-test 1.7.3com.google.truth:truth 1.2.0org.robolectric:robolectric 4.11.1androidx.test.ext:junit 1.1.5androidx.test.espresso:espresso-core 3.5.1com.android.support.test:runner 1.3.0-beta01com.diffplug.spotless 6.24.0com.android.application 8.2.1org.jetbrains.kotlin.android 1.9.22org.jetbrains.kotlin.kapt 1.9.22org.jetbrains.kotlin.plugin.parcelize 1.9.22com.android.library 8.2.1dagger.hilt.android.plugin hiltcom.google.devtools.ksp 1.9.22-1.0.16
gradle/wrapper/gradle-wrapper.properties
gradle 8.5
Vulnerable Library - core-testing-2.1.0.aarPath to dependency file: /core-network/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.13/e49ccba652b735c93bd6e6f59760d8254cf597dd/junit-4.13.jar
Found in HEAD commit: f4f6d1fd7b9e879899758c043bd6df69badce021
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (core-testing version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2020-15250 | Medium |
5.5 | junit-4.13.jar | Transitive | N/A* | β |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2020-15250JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Path to dependency file: /core-network/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.13/e49ccba652b735c93bd6e6f59760d8254cf597dd/junit-4.13.jar
Dependency Hierarchy:
Found in HEAD commit: f4f6d1fd7b9e879899758c043bd6df69badce021
Found in base branch: main
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - databinding-compiler-7.4.1.jarPath to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
Found in HEAD commit: f4f6d1fd7b9e879899758c043bd6df69badce021
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (databinding-compiler version) | Remediation Available |
|---|---|---|---|---|---|---|
| WS-2019-0379 | Medium |
6.5 | commons-codec-1.11.jar | Transitive | N/A* | β |
| CVE-2021-29425 | Medium |
4.8 | commons-io-2.4.jar | Transitive | N/A* | β |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
WS-2019-0379The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: f4f6d1fd7b9e879899758c043bd6df69badce021
Found in base branch: main
Apache commons-codec before version βcommons-codec-1.13-RC1β is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Step up your Open Source Security Game with Mend here
CVE-2021-29425The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: /app/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.4/b1b6ea3b7e4aa4f492509a4952029cd8e48019ad/commons-io-2.4.jar
Dependency Hierarchy:
Found in HEAD commit: f4f6d1fd7b9e879899758c043bd6df69badce021
Found in base branch: main
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcprov-jdk15on-1.65.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /core-database/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.65/f96180e47cf5d4e7e911f7d958e5dff0043427a9/bcprov-jdk15on-1.65.pom
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (bcprov-jdk15on version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2020-28052 | High |
8.1 | bcprov-jdk15on-1.65.jar | Direct | 1.67 | β |
| CVE-2020-15522 | Medium |
5.9 | bcprov-jdk15on-1.65.jar | Direct | 1.66 | β |
| CVE-2023-33201 | Medium |
5.3 | bcprov-jdk15on-1.65.jar | Direct | org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74 | β |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2020-28052The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /core-database/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.65/f96180e47cf5d4e7e911f7d958e5dff0043427a9/bcprov-jdk15on-1.65.pom
Dependency Hierarchy:
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
Found in base branch: main
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
Publish Date: 2020-12-18
URL: CVE-2020-28052
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-12-18
Fix Resolution: 1.67
Step up your Open Source Security Game with Mend here
CVE-2020-15522The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /core-database/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.65/f96180e47cf5d4e7e911f7d958e5dff0043427a9/bcprov-jdk15on-1.65.pom
Dependency Hierarchy:
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
Found in base branch: main
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Publish Date: 2021-05-20
URL: CVE-2020-15522
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522
Release Date: 2021-05-20
Fix Resolution: 1.66
Step up your Open Source Security Game with Mend here
CVE-2023-33201The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /core-database/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.65/f96180e47cf5d4e7e911f7d958e5dff0043427a9/bcprov-jdk15on-1.65.pom
Dependency Hierarchy:
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
Found in base branch: main
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
Publish Date: 2023-07-05
URL: CVE-2023-33201
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-07-05
Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74
Step up your Open Source Security Game with Mend here
Vulnerable Library - room-compiler-2.5.2.jarPath to dependency file: /core-database/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.xerial/sqlite-jdbc/3.36.0/9622d230dbf702bb5fb4d8d754894fd5560ad2ac/sqlite-jdbc-3.36.0.jar
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (room-compiler version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-32697 |  Critical |
9.8 | sqlite-jdbc-3.36.0.jar | Transitive | N/A* | β |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-32697SQLite JDBC library
Path to dependency file: /core-database/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.xerial/sqlite-jdbc/3.36.0/9622d230dbf702bb5fb4d8d754894fd5560ad2ac/sqlite-jdbc-3.36.0.jar
Dependency Hierarchy:
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
Found in base branch: main
SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2.
Publish Date: 2023-05-23
URL: CVE-2023-32697
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6phf-6h5g-97j2
Release Date: 2023-05-23
Fix Resolution: org.xerial:sqlite-jdbc:3.41.2.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - okio-jvm-3.0.0.jarA modern I/O API for Java
Path to dependency file: /core-network/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/63dca88e80ade884bc68585baa9940f5c8027bfa/okio-jvm-3.0.0.pom,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/63dca88e80ade884bc68585baa9940f5c8027bfa/okio-jvm-3.0.0.pom,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/63dca88e80ade884bc68585baa9940f5c8027bfa/okio-jvm-3.0.0.pom
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (okio-jvm version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-3635 | High |
7.5 | okio-jvm-3.0.0.jar | Direct | 3.4.0 | β |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-3635A modern I/O API for Java
Path to dependency file: /core-network/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/63dca88e80ade884bc68585baa9940f5c8027bfa/okio-jvm-3.0.0.pom,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/63dca88e80ade884bc68585baa9940f5c8027bfa/okio-jvm-3.0.0.pom,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/63dca88e80ade884bc68585baa9940f5c8027bfa/okio-jvm-3.0.0.pom
Dependency Hierarchy:
Found in base branch: main
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Publish Date: 2023-07-12
URL: CVE-2023-3635
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635
Release Date: 2023-07-12
Fix Resolution: 3.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - okio-2.10.0.jarA modern I/O API for Java
Library home page: https://github.com/square/okio/
Path to dependency file: /core-network/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.10.0/accaddddbb597fb70290fd40358b1ce66b8c2b3d/okio-jvm-2.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.10.0/accaddddbb597fb70290fd40358b1ce66b8c2b3d/okio-jvm-2.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.10.0/accaddddbb597fb70290fd40358b1ce66b8c2b3d/okio-jvm-2.10.0.jar
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (okio version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-3635 | High |
7.5 | okio-2.10.0.jar | Direct | 3.0.0-alpha.10 | β |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
CVE-2023-3635A modern I/O API for Java
Library home page: https://github.com/square/okio/
Path to dependency file: /core-network/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.10.0/accaddddbb597fb70290fd40358b1ce66b8c2b3d/okio-jvm-2.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.10.0/accaddddbb597fb70290fd40358b1ce66b8c2b3d/okio-jvm-2.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio/2.10.0/accaddddbb597fb70290fd40358b1ce66b8c2b3d/okio-jvm-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 9c77246d2708305db41932d7fe5df47b59b485a5
Found in base branch: main
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Publish Date: 2023-07-12
URL: CVE-2023-3635
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635
Release Date: 2023-07-12
Fix Resolution: 3.0.0-alpha.10
Step up your Open Source Security Game with Mend here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google β€οΈ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.