generator-jhipster: CVE-2019-16303 failing with latest JHipster 6.9.1
Overview of the issue
A docker image (created with the integrated Jib library) of a newly created application with the latest JHipster version 6.9.1 is showing a critical vulnerability that can’t be solved: CVE-2019-16303.
We first saw this vulnerability when we tried to deploy the application to a stage environment with Harbor. Then we also ran a dependency check using the OWASP plugin (https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html) and the same vulnerability was shown.
Motivation for or Use Case
We shouldn’t deploy such an application on a production environment with a critical vulnerability.
Reproduce the error
Just creating a new application with the latest version (selected options follow) and running a dependency check of the docker image.
Related issues
It was already reported and a solution was stated here: https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html.
Suggest a Fix
According to your website, this issue should have been solved after JHipster version 6.2.0, and I checked the generated class and it is already using SecureRandom.
But could it be that the vulnerabilities register has the wrong information?
JHipster Version(s)
Latest available version 6.9.1
JHipster configuration
INFO! Using JHipster version installed locally in current project's node_modules
INFO! Executing jhipster:info
INFO! Options: from-cli: true
Welcome to the JHipster Information Sub-Generator
JHipster Version(s)
test-jhipster@0.0.1-SNAPSHOT C:\testJhipster
`-- generator-jhipster@6.9.1
JHipster configuration, a .yo-rc.json file generated in the root folder
.yo-rc.json file
{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "com.mycompany.myapp",
      "nativeLanguage": "de"
    },
    "jhipsterVersion": "6.9.1",
    "applicationType": "monolith",
    "baseName": "testJhipster",
    "packageName": "com.mycompany.myapp",
    "packageFolder": "com/mycompany/myapp",
    "serverPort": "8080",
    "authenticationType": "jwt",
    "cacheProvider": "ehcache",
    "enableHibernateCache": false,
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "h2Disk",
    "prodDatabaseType": "mysql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": false,
    "buildTool": "maven",
    "enableSwaggerCodegen": false,
    "jwtSecretKey": "YourJWTSecretKeyWasReplacedByThisMeaninglessTextByTheJHipsterInfoCommandForObviousSecurityReasons",
    "embeddableLaunchScript": false,
    "useSass": true,
    "clientPackageManager": "npm",
    "clientFramework": "react",
    "clientTheme": "flatly",
    "clientThemeVariant": "primary",
    "creationTimestamp": 1591108034543,
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "entitySuffix": "",
    "dtoSuffix": "DTO",
    "otherModules": [],
    "enableTranslation": true,
    "nativeLanguage": "de",
    "languages": ["de"],
    "blueprints": []
  }
}
JDL for the Entity configuration(s) entityName.json files generated in the .jhipster directory
JDL entity definitions
Environment and Tools
java version "1.8.0_221"
Java(TM) SE Runtime Environment (build 1.8.0_221-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.221-b11, mixed mode)
git version 2.24.1.windows.2
node: v12.17.0
npm: 6.14.4
Docker version 19.03.8, build afacb8b
docker-compose version 1.25.5, build 8a1c60f6
INFO! Congratulations, JHipster execution is complete!
Entity configuration(s) entityName.json files generated in the .jhipster directory
No entities created yet.
Browsers and Operating System
Not related to any browser
About this issue
- State: closed
- Created 4 years ago
- Reactions: 1
- Comments: 20 (14 by maintainers)
OK so here is the issue:
-> as a result, our Maven packages are tagged with the CVE, which is wrong. And I confirm the issue is fixed, it’s the CVE that is wrong.
I don’t think we can edit a CVE once it’s published, at least it’s not easy.
But then, it would make more sense to have the same versions for the NPM and the Maven libraries. There could be some differences for patch releases, but for major and even minor releases, they could have the same version numbers. That would be more consistent and limit that kind of question.
So my suggestion (cc @pascalgrimaud @deepu105 ) is to upgrade our Maven packages version to match the NPM packages version. This will solve this issue, but it will probably annoy a bit our users (they will have a sudden version bump, which might worry them).
WDYT?
@DanielFran : yes, we can close this
It looks like the information is wrong as the jhipster lib is not released in lock step with the main generator. At least from looking at it, it looks like they are referring to jhipster lib > 6.2.0, while the latest version is 3.8.0 (because of a different version schema). Not sure how to proceed here.
https://nvd.nist.gov/vuln/detail/CVE-2019-16303#VulnChangeHistorySection
As you said, it is fixed. Not sure where the plugin gets the vulnerability information from. I checked Snyk's database recently; the issue you mention contains the correct version information.
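The discussion above comes down to a scanner matching the CVE's "fixed in 6.3.0" (generator version scheme) against a Maven artifact that uses its own 3.x numbering, so the finding is a false positive that still blocks a deployment. The following triage helper is an added example, not code from the issue or from the JHipster project: it reads an OWASP dependency-check JSON report (schema assumed here: dependencies[].fileName, packages[].id as a purl, vulnerabilities[].name and severity), keeps every finding open unless a reviewer has recorded it as a confirmed false positive for that exact package coordinate and for versions at or above a reviewer-supplied fixed version, and emits a dependency-check suppression file scoped to that CVE and package only. The report content, the CVE-0000-00000 id, the Maven coordinate io.github.jhipster:jhipster-framework and the 3.0.0 "fixed_in" value are constructed placeholders and assumptions, not values taken from the issue.

```python
import json
import re
from xml.sax.saxutils import escape

# Constructed sample of a dependency-check JSON report (schema assumed, see lead-in).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "jhipster-framework-3.8.0.jar",
            "packages": [{"id": "pkg:maven/io.github.jhipster/jhipster-framework@3.8.0"}],
            "vulnerabilities": [{"name": "CVE-2019-16303", "severity": "CRITICAL"}],
        },
        {
            "fileName": "example-lib-1.0.0.jar",
            "packages": [{"id": "pkg:maven/org.example/example-lib@1.0.0"}],
            # CVE-0000-00000 is a placeholder id for an unreviewed finding.
            "vulnerabilities": [{"name": "CVE-0000-00000", "severity": "HIGH"}],
        },
        {"fileName": "clean-lib-2.0.0.jar",
         "packages": [{"id": "pkg:maven/org.example/clean-lib@2.0.0"}]},
    ]
})

# Reviewer-maintained allowlist. "fixed_in" is the version of the *artifact's own*
# scheme from which the fix is present; 3.0.0 is a placeholder, take the real value
# from the library's release notes before using this in a pipeline.
REVIEWED_FALSE_POSITIVES = [
    {
        "cve": "CVE-2019-16303",
        "coordinate": "pkg:maven/io.github.jhipster/jhipster-framework",
        "fixed_in": "3.0.0",
        "reason": "Fix is in the artifact; NVD range uses the generator's version scheme.",
    },
]


def parse_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers' into (coordinate, version)."""
    coord, sep, rest = purl.partition("@")
    version = rest.split("?", 1)[0] if sep else None
    return coord, version


def version_key(version):
    """Numeric tuple for comparison; a '-SNAPSHOT' style suffix is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def is_reviewed_false_positive(cve, coordinate, version, reviewed):
    """A finding is suppressible only if CVE *and* coordinate match and the
    installed version is at or above the reviewer's fixed version."""
    if coordinate is None or version is None:
        return None
    for fp in reviewed:
        if fp["cve"] == cve and fp["coordinate"] == coordinate \
                and version_key(version) >= version_key(fp["fixed_in"]):
            return fp
    return None


def triage(report_text, reviewed):
    """Return one entry per (dependency, CVE) with status 'open' or 'suppressed'."""
    findings = []
    for dep in json.loads(report_text).get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", []) if p["id"].startswith("pkg:")]
        coord, version = parse_purl(purls[0]) if purls else (None, None)
        for vuln in dep.get("vulnerabilities") or []:
            match = is_reviewed_false_positive(vuln["name"], coord, version, reviewed)
            findings.append({
                "cve": vuln["name"], "severity": vuln.get("severity", "UNKNOWN"),
                "file": dep["fileName"], "coordinate": coord, "version": version,
                "status": "suppressed" if match else "open",
                "reason": match["reason"] if match else None,
            })
    return findings


def open_cves(findings):
    return sorted({f["cve"] for f in findings if f["status"] == "open"})


def build_suppressions(findings):
    """Emit a dependency-check suppression file covering only suppressed findings."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
             'dependency-suppression.1.3.xsd">']
    for f in findings:
        if f["status"] != "suppressed":
            continue
        lines += ["  <suppress>",
                  "    <notes>%s</notes>" % escape(f["reason"]),
                  '    <packageUrl regex="true">^%s@.*$</packageUrl>' % escape(re.escape(f["coordinate"])),
                  "    <cve>%s</cve>" % escape(f["cve"]),
                  "  </suppress>"]
    lines.append("</suppressions>")
    return "\n".join(lines)


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT, REVIEWED_FALSE_POSITIVES)
    for f in results:
        print("%-9s %-15s %-28s %s" % (f["status"], f["cve"], f["file"], f["reason"] or ""))
    print("still open:", open_cves(results))
    print(build_suppressions(results))
```

The suppression is deliberately narrow: it names the CVE and the package coordinate rather than suppressing the CVE globally, so the same id raised against any other artifact stays visible, and an older build of the same artifact that predates the recorded fixed version is still reported.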