Hi, in /source/test there is a dependency, com.thoughtworks.xstream:xstream:1.4.18, that calls the risk method.
The affected version range of this CVE is [,1.4.19).
After further analysis, the main API called in this project is com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object,com.thoughtworks.xstream.converters.DataHolder)Ljava.lang.Object;
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length: 7
1. org.bf2.test.k8s.cmdClient.BaseCmdKubeClient: delete(java.io.File[])Lorg.bf2.test.k8s.cmdClient.BaseCmdKubeClient; /download/apache-maven-3.6.3/repository_mount/io/quarkus/quarkus-fs-util/0.0.3/quarkus-fs-util-0.0.3.jar
2. com.thoughtworks.xstream.persistence.AbstractFilePersistenceStrategy$XmlMapEntriesIterator$1: getValue()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
3. com.thoughtworks.xstream.persistence.AbstractFilePersistenceStrategy: access$600(com.thoughtworks.xstream.persistence.AbstractFilePersistenceStrategy,java.io.File)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
4. com.thoughtworks.xstream.persistence.AbstractFilePersistenceStrategy: readFile(java.io.File)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
5. com.thoughtworks.xstream.XStream: fromXML(java.io.Reader)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
6. com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar
7. com.thoughtworks.xstream.XStream: unmarshal(com.thoughtworks.xstream.io.HierarchicalStreamReader,java.lang.Object,com.thoughtworks.xstream.converters.DataHolder)Ljava.lang.Object;
Dependency tree--
[INFO] cloud.redhat.com:test:jar:1.0.0-SNAPSHOT
[INFO] +- io.quarkus:quarkus-kubernetes-client:jar:2.6.1.Final:compile
[INFO] | +- io.quarkus:quarkus-arc:jar:2.6.1.Final:compile
[INFO] | | +- io.quarkus.arc:arc:jar:2.6.1.Final:compile
[INFO] | | | \- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
[INFO] | | \- org.eclipse.microprofile.context-propagation:microprofile-context-propagation-api:jar:1.2:compile
[INFO] | +- io.quarkus:quarkus-kubernetes-client-internal:jar:2.6.1.Final:compile
[INFO] | +- io.quarkus:quarkus-jackson:jar:2.6.1.Final:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6:compile
[INFO] | | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.12.6:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.12.6:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.12.6:compile
[INFO] | +- io.fabric8:kubernetes-client:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-core:jar:5.10.1:compile
[INFO] | | | \- io.fabric8:kubernetes-model-common:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-rbac:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-admissionregistration:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-apps:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-autoscaling:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-apiextensions:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-batch:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-certificates:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-coordination:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-discovery:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-events:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-extensions:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-flowcontrol:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-networking:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-metrics:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-policy:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-scheduling:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-storageclass:jar:5.10.1:compile
[INFO] | | +- io.fabric8:kubernetes-model-node:jar:5.10.1:compile
[INFO] | | +- com.squareup.okhttp3:okhttp:jar:3.14.9:compile
[INFO] | | | \- com.squareup.okio:okio:jar:1.17.2:compile
[INFO] | | +- com.squareup.okhttp3:logging-interceptor:jar:3.14.9:compile
[INFO] | | +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.6:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] | | +- io.fabric8:zjsonpatch:jar:0.3.0:compile
[INFO] | | \- com.github.mifmif:generex:jar:1.0.2:compile
[INFO] | | \- dk.brics.automaton:automaton:jar:1.11-8:compile
[INFO] | +- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | +- org.jboss.spec.javax.xml.bind:jboss-jaxb-api_2.3_spec:jar:2.0.0.Final:compile
[INFO] | \- io.smallrye.config:smallrye-config-source-yaml:jar:2.7.0:compile
[INFO] | +- org.yaml:snakeyaml:jar:1.29:compile
[INFO] | +- io.smallrye.config:smallrye-config-common:jar:2.7.0:compile
[INFO] | | +- org.eclipse.microprofile.config:microprofile-config-api:jar:2.0:compile
[INFO] | | \- io.smallrye.common:smallrye-common-classloader:jar:1.8.0:compile
[INFO] | +- io.smallrye.config:smallrye-config:jar:2.7.0:compile
[INFO] | | \- io.smallrye.config:smallrye-config-core:jar:2.7.0:compile
[INFO] | | +- io.smallrye.common:smallrye-common-annotation:jar:1.8.0:compile
[INFO] | | \- io.smallrye.common:smallrye-common-expression:jar:1.8.0:compile
[INFO] | | \- io.smallrye.common:smallrye-common-function:jar:1.8.0:compile
[INFO] | \- io.smallrye.common:smallrye-common-constraint:jar:1.8.0:compile
[INFO] +- io.fabric8:kubernetes-server-mock:jar:5.10.1:compile
[INFO] | +- io.fabric8:mockwebserver:jar:0.2.2:compile
[INFO] | | \- com.squareup.okhttp3:mockwebserver:jar:3.12.12:compile
[INFO] | | \- junit:junit:jar:4.12:compile
[INFO] | | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] | \- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:compile
[INFO] | +- org.opentest4j:opentest4j:jar:1.2.0:compile
[INFO] | +- org.junit.platform:junit-platform-commons:jar:1.8.2:compile
[INFO] | \- org.apiguardian:apiguardian-api:jar:1.1.2:compile
[INFO] +- io.quarkus:quarkus-test-common:jar:2.6.1.Final:compile
[INFO] | +- io.quarkus:quarkus-core-deployment:jar:2.6.1.Final:compile
[INFO] | | +- org.aesh:readline:jar:2.1:compile
[INFO] | | | \- org.fusesource.jansi:jansi:jar:1.18:compile
[INFO] | | +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] | | +- org.wildfly.common:wildfly-common:jar:1.5.4.Final-format-001:compile
[INFO] | | +- io.quarkus.gizmo:gizmo:jar:1.0.10.Final:compile
[INFO] | | | \- org.ow2.asm:asm-util:jar:9.2:compile
[INFO] | | +- org.ow2.asm:asm:jar:9.2:compile
[INFO] | | +- org.ow2.asm:asm-commons:jar:9.2:compile
[INFO] | | | +- org.ow2.asm:asm-tree:jar:9.2:compile
[INFO] | | | \- org.ow2.asm:asm-analysis:jar:9.2:compile
[INFO] | | +- io.quarkus:quarkus-development-mode-spi:jar:2.6.1.Final:compile
[INFO] | | +- io.quarkus:quarkus-class-change-agent:jar:2.6.1.Final:compile
[INFO] | | +- io.quarkus:quarkus-devtools-utilities:jar:2.6.1.Final:compile
[INFO] | | +- io.quarkus:quarkus-builder:jar:2.6.1.Final:compile
[INFO] | | +- org.graalvm.sdk:graal-sdk:jar:21.3.0:compile
[INFO] | | \- org.junit.platform:junit-platform-launcher:jar:1.8.2:compile
[INFO] | | \- org.junit.platform:junit-platform-engine:jar:1.8.2:compile
[INFO] | +- io.quarkus:quarkus-jsonp-deployment:jar:2.6.1.Final:compile
[INFO] | | \- io.quarkus:quarkus-jsonp:jar:2.6.1.Final:compile
[INFO] | | \- org.glassfish:jakarta.json:jar:1.1.6:compile
[INFO] | +- org.jboss:jandex:jar:2.4.1.Final:compile
[INFO] | \- org.jboss.logging:commons-logging-jboss-logging:jar:1.0.0.Final:compile
[INFO] | \- org.jboss.logging:jboss-logging:jar:3.4.2.Final:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] \- io.quarkus:quarkus-junit5:jar:2.6.1.Final:compile
[INFO] +- io.quarkus:quarkus-bootstrap-core:jar:2.6.1.Final:compile
[INFO] | +- io.quarkus:quarkus-bootstrap-app-model:jar:2.6.1.Final:compile
[INFO] | +- io.quarkus:quarkus-bootstrap-maven-resolver:jar:2.6.1.Final:compile
[INFO] | | +- org.apache.maven:maven-embedder:jar:3.8.4:compile
[INFO] | | | +- org.apache.maven:maven-settings:jar:3.8.4:compile
[INFO] | | | +- org.apache.maven:maven-core:jar:3.8.4:compile
[INFO] | | | | +- org.apache.maven:maven-artifact:jar:3.8.4:compile
[INFO] | | | | \- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:compile
[INFO] | | | +- org.apache.maven:maven-plugin-api:jar:3.8.4:compile
[INFO] | | | +- org.apache.maven:maven-model:jar:3.8.4:compile
[INFO] | | | +- org.apache.maven:maven-model-builder:jar:3.8.4:compile
[INFO] | | | +- org.apache.maven:maven-builder-support:jar:3.8.4:compile
[INFO] | | | +- org.apache.maven.resolver:maven-resolver-api:jar:1.6.3:compile
[INFO] | | | +- org.apache.maven.resolver:maven-resolver-util:jar:1.6.3:compile
[INFO] | | | +- org.apache.maven.shared:maven-shared-utils:jar:3.3.4:compile
[INFO] | | | | \- commons-io:commons-io:jar:2.11.0:compile
[INFO] | | | +- com.google.inject:guice:jar:no_aop:4.2.2:compile
[INFO] | | | | \- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] | | | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | | | \- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | | +- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[INFO] | | | +- org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:compile
[INFO] | | | +- org.codehaus.plexus:plexus-cipher:jar:2.0:compile
[INFO] | | | \- commons-cli:commons-cli:jar:1.4:compile
[INFO] | | +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.5:compile
[INFO] | | +- org.apache.maven:maven-settings-builder:jar:3.8.4:compile
[INFO] | | | \- org.codehaus.plexus:plexus-interpolation:jar:1.26:compile
[INFO] | | +- org.apache.maven:maven-resolver-provider:jar:3.8.4:compile
[INFO] | | | +- org.apache.maven:maven-repository-metadata:jar:3.8.4:compile
[INFO] | | | +- org.apache.maven.resolver:maven-resolver-spi:jar:1.6.3:compile
[INFO] | | | +- org.apache.maven.resolver:maven-resolver-impl:jar:1.6.3:compile
[INFO] | | | \- org.codehaus.plexus:plexus-utils:jar:3.3.0:compile
[INFO] | | +- org.apache.maven.resolver:maven-resolver-connector-basic:jar:1.6.3:compile
[INFO] | | +- org.apache.maven.resolver:maven-resolver-transport-wagon:jar:1.6.3:compile
[INFO] | | +- org.apache.maven.wagon:wagon-http:jar:3.4.3:compile
[INFO] | | | +- org.apache.maven.wagon:wagon-http-shared:jar:3.4.3:compile
[INFO] | | | | \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO] | | | +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | | | | \- commons-codec:commons-codec:jar:1.15:compile
[INFO] | | | +- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] | | | \- org.apache.maven.wagon:wagon-provider-api:jar:3.4.3:compile
[INFO] | | \- org.apache.maven.wagon:wagon-file:jar:3.4.3:compile
[INFO] | +- io.quarkus:quarkus-bootstrap-gradle-resolver:jar:2.6.1.Final:compile
[INFO] | +- io.quarkus:quarkus-fs-util:jar:0.0.3:compile
[INFO] | \- io.smallrye.common:smallrye-common-io:jar:1.8.0:compile
[INFO] +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.5:runtime
[INFO] +- io.quarkus:quarkus-junit5-properties:jar:2.6.1.Final:compile
[INFO] +- org.junit.jupiter:junit-jupiter:jar:5.8.2:compile
[INFO] | +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:compile
[INFO] | \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:runtime
[INFO] +- io.quarkus:quarkus-core:jar:2.6.1.Final:compile
[INFO] | +- jakarta.enterprise:jakarta.enterprise.cdi-api:jar:2.0.2:compile
[INFO] | | +- jakarta.el:jakarta.el-api:jar:3.0.3:compile
[INFO] | | \- jakarta.interceptor:jakarta.interceptor-api:jar:1.2.5:compile
[INFO] | +- jakarta.inject:jakarta.inject-api:jar:1.0:compile
[INFO] | +- io.quarkus:quarkus-ide-launcher:jar:2.6.1.Final:compile
[INFO] | +- org.jboss.logmanager:jboss-logmanager-embedded:jar:1.0.9:compile
[INFO] | +- org.jboss.logging:jboss-logging-annotations:jar:2.2.1.Final:compile
[INFO] | +- org.jboss.threads:jboss-threads:jar:3.4.2.Final:compile
[INFO] | +- org.jboss.slf4j:slf4j-jboss-logmanager:jar:1.1.0.Final:compile
[INFO] | \- io.quarkus:quarkus-bootstrap-runner:jar:2.6.1.Final:compile
[INFO] \- com.thoughtworks.xstream:xstream:jar:1.4.18:compile
[INFO] \- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO] \- xmlpull:xmlpull:jar:1.1.3.1:compile
Suggested solutions:
Update dependency version
Thank you very much.
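The report above boils down to two checks a maintainer has to repeat for every such ticket: does the pasted `mvn dependency:tree` output contain an artifact whose version falls inside the advisory's Maven range (here `[,1.4.19)`), and which direct dependency drags it in. The script below is an added example written for this page, not code from the reported project or from XStream. It parses the tree format Maven prints, evaluates a bracketed Maven version range with plain dotted numeric versions (qualifiers such as `.Final` or `-SNAPSHOT` are ignored, which is an assumption, not full Maven version ordering), and prints the root-to-artifact path. The embedded tree is a constructed excerpt of the one pasted in this issue, trimmed to the branches that matter.

```python
"""Flag a transitive dependency whose version lies in an advisory's Maven range.

Added example for this issue, not the project's own tooling. Reads the output
of `mvn dependency:tree`, checks each artifact against a Maven version range
such as "[,1.4.19)" and reports the path from the root module to every hit.
Version comparison assumes dotted numeric versions; qualifiers are dropped.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample: an excerpt of the dependency tree pasted in the issue,
# keeping only the root, one unaffected branch and the quarkus-junit5 branch
# that pulls in com.thoughtworks.xstream:xstream:1.4.18.
SAMPLE_TREE = r"""
[INFO] cloud.redhat.com:test:jar:1.0.0-SNAPSHOT
[INFO] +- io.quarkus:quarkus-kubernetes-client:jar:2.6.1.Final:compile
[INFO] |  \- io.smallrye.config:smallrye-config-source-yaml:jar:2.7.0:compile
[INFO] |     \- org.yaml:snakeyaml:jar:1.29:compile
[INFO] \- io.quarkus:quarkus-junit5:jar:2.6.1.Final:compile
[INFO]    +- io.quarkus:quarkus-bootstrap-core:jar:2.6.1.Final:compile
[INFO]    |  \- io.quarkus:quarkus-bootstrap-app-model:jar:2.6.1.Final:compile
[INFO]    \- com.thoughtworks.xstream:xstream:jar:1.4.18:compile
[INFO]       \- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO]          \- xmlpull:xmlpull:jar:1.1.3.1:compile
"""

Node = Tuple[int, str, str, str]  # (depth, groupId, artifactId, version)


def parse_version(version: str) -> Tuple[int, ...]:
    """Leading numeric segments of a version, trailing zeros stripped so that
    "1.4" == "1.4.0" and tuple comparison orders versions correctly."""
    nums: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def in_range(version: str, spec: str) -> bool:
    """True if `version` lies in a Maven range like "[,1.4.19)", "[1.0,2.0)"
    or the single-version form "[1.4.18]"."""
    spec = spec.strip()
    m = re.fullmatch(r"([\[(])([^,\]\)]*),?([^,\]\)]*)([\])])", spec)
    if not m:
        raise ValueError(f"unsupported version range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if "," not in spec:  # "[1.4.18]" pins exactly one version
        return v == parse_version(lo)
    if lo and (v < parse_version(lo) if lo_br == "[" else v <= parse_version(lo)):
        return False
    if hi and (v > parse_version(hi) if hi_br == "]" else v >= parse_version(hi)):
        return False
    return True


def parse_tree(text: str) -> List[Node]:
    """Turn `mvn dependency:tree` lines into (depth, group, artifact, version).
    Depth comes from the 3-character indentation Maven uses per level."""
    nodes: List[Node] = []
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        line = raw[len("[INFO] "):]
        marker = re.search(r"[+\\]- ", line)
        if marker:
            depth, coords = marker.start() // 3 + 1, line[marker.end():]
        else:
            depth, coords = 0, line.strip()
        parts = coords.split(":")
        if len(parts) < 4:  # plugin banner, BUILD SUCCESS and similar lines
            continue
        # group:artifact:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def find_paths(nodes: List[Node], group: str, artifact: str, spec: str) -> List[List[str]]:
    """Root-to-artifact path for every occurrence of group:artifact whose
    version lies in `spec`. One ancestor per depth is kept on a stack."""
    stack: List[str] = []
    hits: List[List[str]] = []
    for depth, g, a, v in nodes:
        del stack[depth:]
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact) and in_range(v, spec):
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for path in find_paths(parse_tree(tree), "com.thoughtworks.xstream", "xstream", "[,1.4.19)"):
        print(" -> ".join(path))
```

Run it as `mvn dependency:tree | python3 check_range.py` against the real module, or without input to use the embedded excerpt, which reports the path cloud.redhat.com:test -> io.quarkus:quarkus-junit5 -> com.thoughtworks.xstream:xstream:1.4.18. That path is the dependency route, which is distinct from the 7-step call chain listed under "CVE Bug Invocation Path" above. Since xstream arrives transitively through quarkus-junit5, the fix the reporter suggests is applied by forcing the version from the module's own pom.xml (a `<dependencyManagement>` entry for com.thoughtworks.xstream:xstream at a version outside `[,1.4.19)`) rather than by editing the Quarkus artifact, and rerunning the script confirms the range check no longer matches.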