How to fix these warnings in a Spring Boot pom.xml file



I am trying to create a Spring Boot project. After I changed some dependencies and reloaded the project with Maven, these warnings appeared.

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.7.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.hank</groupId>
    <artifactId>springboot-mall</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>springboot-mall</name>
    <description>springboot-mall</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
            <version>8.0.22</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

Warnings

Warning:(20, 3)  Provides transitive vulnerable dependency ch.qos.logback:logback-classic:1.2.3 CVE-2021-42550 6.6 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency ch.qos.logback:logback-core:1.2.3 CVE-2021-42550 6.6 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-beans:5.2.12.RELEASE CVE-2022-22965 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation CVE-2022-22970 5.3 Allocation of Resources Without Limits or Throttling vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-context:5.2.12.RELEASE CVE-2022-22968 5.3 Improper Handling of Case Sensitivity vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-core:5.2.12.RELEASE CVE-2021-22060 4.3 Improper Output Neutralization for Logs vulnerability pending CVSS allocation CVE-2021-22096 4.3 Improper Output Neutralization for Logs vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency com.fasterxml.jackson.core:jackson-databind:2.11.3 Cxced0c06c-935c 5.9 Uncontrolled Resource Consumption vulnerability pending CVSS allocation CVE-2020-36518 7.5 Out-of-bounds Write vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.apache.tomcat.embed:tomcat-embed-core:9.0.41 CVE-2021-25329 7.0 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-25122 7.5 Exposure of Sensitive Information to an Unauthorized Actor vulnerability pending CVSS allocation CVE-2021-33037 5.3 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability pending CVSS allocation CVE-2021-41079 7.5 Improper Input Validation vulnerability pending CVSS allocation CVE-2021-30639 7.5 Improper Handling of Exceptional Conditions vulnerability pending CVSS allocation CVE-2021-30640 6.5 Improper Encoding or Escaping of Output vulnerability pending CVSS allocation CVE-2022-23181 7.0 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.glassfish:jakarta.el:3.0.3 CVE-2021-28170 5.3 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.apache.tomcat.embed:tomcat-embed-websocket:9.0.41 CVE-2021-42340 7.5 Missing Release of Resource after Effective Lifetime vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-web:5.2.12.RELEASE CVE-2016-1000027 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-22118 7.8 Improper Privilege Management vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-webmvc:5.2.12.RELEASE CVE-2016-1000027 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-expression:5.2.12.RELEASE CVE-2022-22950 6.5 Allocation of Resources Without Limits or Throttling vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(29, 3)  Dependency com.h2database:h2:1.4.200 is vulnerable CVE-2018-14335 6.5 Improper Link Resolution Before File Access ('Link Following') vulnerability pending CVSS allocation CVE-2021-42392 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-23463 9.1 Improper Restriction of XML External Entity Reference vulnerability pending CVSS allocation CVE-2022-23221 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(34, 3)  Dependency mysql:mysql-connector-java:8.0.22 is vulnerable CVE-2021-2471 5.9 Improper Restriction of XML External Entity Reference vulnerability with medium severity found CVE-2022-21363 6.6 Improper Input Validation vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(40, 3)  Provides transitive vulnerable dependency net.minidev:json-smart:2.3 CVE-2021-27568 9.1 Improper Check for Unusual or Exceptional Conditions vulnerability pending CVSS allocation CVE-2021-31684 7.5 Out-of-bounds Write vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 

What do these messages actually mean? It looks like a security issue, but I don't know how to fix it. I tried searching Google for the warnings, but found no information I could refer to.
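The warning lines above follow one fixed shape (pom line, direct vs. transitive, artifact coordinates, then one or more finding ids with CVSS scores), so they can be turned into a prioritised triage list rather than read one by one. This is an added example, not code from the question or any answer; its sample input is four of the warning lines quoted above, and it assumes the Checkmarx-style format shown there.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: four of the IDE warning lines quoted in the question.
SAMPLE_WARNINGS = """\
Warning:(20, 3)  Provides transitive vulnerable dependency ch.qos.logback:logback-classic:1.2.3 CVE-2021-42550 6.6 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
Warning:(24, 3)  Provides transitive vulnerable dependency com.fasterxml.jackson.core:jackson-databind:2.11.3 Cxced0c06c-935c 5.9 Uncontrolled Resource Consumption vulnerability pending CVSS allocation CVE-2020-36518 7.5 Out-of-bounds Write vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
Warning:(29, 3)  Dependency com.h2database:h2:1.4.200 is vulnerable CVE-2018-14335 6.5 Improper Link Resolution Before File Access ('Link Following') vulnerability pending CVSS allocation CVE-2021-42392 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-23463 9.1 Improper Restriction of XML External Entity Reference vulnerability pending CVSS allocation CVE-2022-23221 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
Warning:(34, 3)  Dependency mysql:mysql-connector-java:8.0.22 is vulnerable CVE-2021-2471 5.9 Improper Restriction of XML External Entity Reference vulnerability with medium severity found CVE-2022-21363 6.6 Improper Input Validation vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
"""

# "Dependency X is vulnerable" means X is declared in this pom; "Provides transitive
# vulnerable dependency X" means the declaration at that pom line pulls X in indirectly.
HEADER_RE = re.compile(
    r"^Warning:\((\d+), \d+\)\s+(Provides transitive vulnerable dependency|Dependency)\s+"
    r"([\w.\-]+):([\w.\-]+):([\w.\-]+)")
# One finding: an id (CVE-... or a Checkmarx Cx... id), a CVSS score, a title ending in "vulnerability".
FINDING_RE = re.compile(r"(CVE-\d{4}-\d+|Cx[0-9a-f\-]+)\s+(\d+(?:\.\d+)?)\s+(.+?)\s+vulnerability")

@dataclass
class VulnerableDep:
    pom_line: int      # pom.xml line the IDE points at (the declared dependency)
    direct: bool       # True when the flagged artifact itself is declared in the pom
    coordinates: str   # groupId:artifactId
    version: str
    findings: list = field(default_factory=list)  # (ident, score, title) tuples

    @property
    def max_score(self) -> float:
        return max((score for _, score, _ in self.findings), default=0.0)

def parse_warnings(text: str) -> list:
    """Turn Checkmarx-style IDE warning lines into VulnerableDep records."""
    deps = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a dependency warning
        pom_line, kind, group, artifact, version = m.groups()
        dep = VulnerableDep(int(pom_line), kind == "Dependency", f"{group}:{artifact}", version)
        for ident, score, title in FINDING_RE.findall(line[m.end():]):
            dep.findings.append((ident, float(score), title))
        deps.append(dep)
    return deps

def prioritize(deps: list) -> list:
    """Worst CVSS score first; on a tie, directly declared artifacts before transitive ones."""
    return sorted(deps, key=lambda d: (-d.max_score, not d.direct, d.pom_line))
```

Calling `prioritize(parse_warnings(SAMPLE_WARNINGS))` puts h2 (9.8) first and shows that the two 6.6 findings differ in where the fix goes: mysql-connector-java is declared directly, while logback-classic has to be fixed by upgrading the declaration at pom line 20 (here, the Spring Boot parent that manages it).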

These messages are telling you that the dependencies you use have some known vulnerabilities, either directly or transitively through other dependencies.

For example, for spring-boot version 2.3.7.RELEASE you can look at the list of known vulnerabilities for that dependency on the Maven repository website.

So you either upgrade the dependency version, or check the mitigations for the known vulnerabilities for more details.

Try this,

<dependency>
    <groupId>org.foo.bar</groupId>
    <artifactId>foo-bar</artifactId>
</dependency>

instead of

<dependency>
    <groupId>org.foo.bar</groupId>
    <artifactId>foo-bar</artifactId>
    <version>1.3.56</version>
</dependency>
