Dependency vulnerabilities

Description

mod-ncip ships with dependencies that have security vulnerabilities:

commons-collections:commons-collections@3.2.1 https://nvd.nist.gov/vuln/detail/CVE-2015-7501
log4j:log4j@1.2.14 (is a dependency of both org.slf4j:slf4j-log4j12@1.7.13 and org.extensiblecatalog.ncip.v2:common@2.0.0) https://nvd.nist.gov/vuln/detail/CVE-2019-17571 , https://nvd.nist.gov/vuln/detail/CVE-2022-23302 , https://nvd.nist.gov/vuln/detail/CVE-2022-23307
commons-beanutils:commons-beanutils@1.9.1 (is a dependency of net.sf.dozer:dozer@5.5.1) https://nvd.nist.gov/vuln/detail/CVE-2014-0114
com.fasterxml.jackson.core:jackson-databind@2.11.3 https://nvd.nist.gov/vuln/detail/CVE-2020-36518
org.apache.xmlbeans:xmlbeans@2.4.0 https://nvd.nist.gov/vuln/detail/CVE-2021-23926
io.netty:netty-codec@4.1.67.Final https://nvd.nist.gov/vuln/detail/CVE-2021-37136 , https://nvd.nist.gov/vuln/detail/CVE-2021-37137
org.springframework:spring-webmvc@2.5.6 https://nvd.nist.gov/vuln/detail/CVE-2016-9878
org.springframework:spring-core@2.5.6 https://nvd.nist.gov/vuln/detail/CVE-2011-2730
org.springframework:spring-web@2.5.6 https://nvd.nist.gov/vuln/detail/CVE-2011-2730

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Linked issues

relates to

MODNCIP-46

Replace slf4j-log4j12 by log4j-slf4j-impl fixing vulns

FOLIO-4056

Create standalone repository of the NCIP2-Toolkit fork

Checklist

hide

TestRail: Results

Activity

Show:

David Crossley September 6, 2024 at 1:18 AM

See new ticket FOLIO-4056 -- Create standalone repository of the NCIP2-Toolkit fork

Michelle Suranofsky August 26, 2024 at 12:22 PM

I have no objection. thank you!

Jakub Skoczen August 26, 2024 at 7:41 AM

@Michelle Suranofsky @David Crossley The upstream NCIP2-Toolkit is inactive and looks abandonded. I think we should turn the FOLIO fork’s master branch into a proper trunk and merge all FOLIO changes (and versions) there. This will enable other projects outside of FOLIO to benefit from the changes, currently it’s very confusing how the releases are maintained in the fork. Any objections to this approach?

Michelle Suranofsky August 23, 2024 at 12:42 PM

@Jakub Skoczen - this Jira explains it - but FOLIO’s branch is folio-2441-internal-deploy

https://folio-org.atlassian.net/browse/FOLIO-2441
…also another explanation from David in the readme:
https://github.com/eXtensibleCatalog/NCIP2-Toolkit/blob/212d463d22fcf728bc629a97a7f6436ba1bf9fa4/README-FOLIO.md

Jakub Skoczen August 23, 2024 at 11:22 AM

@Michelle Suranofsky @Julian Ladisch It looks like those changes were released as version 4.0.0 but never merged back to master. Do you know why? We need to make changes to NCIP2-Toolkit and we’d like to do this starting from master but it looks like master is missing 18 commits compared to this branch.

Done

Details

Assignee

Michelle Suranofsky

Reporter

Julian Ladisch

Labels

securitysecurity-reviewed

Priority

Development Team

EBSCO - FSE

Parent

FOLREL-535 Morning Glory 2022 R2 - Bugfix Release - 12 Aug 2022

Fix versions

1.11.1

RCA Group

TBD

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created March 25, 2022 at 6:21 PM

Updated September 6, 2024 at 1:18 AM

Resolved August 29, 2022 at 9:16 PM

Configure

TestRail: Cases

TestRail: Runs

Dependency vulnerabilities

Description

CSP Request Details

CSP Rejection Details

Potential Workaround

Linked issues

relates to

Checklist

TestRail: Results

Activity

David Crossley September 6, 2024 at 1:18 AM

Michelle Suranofsky August 26, 2024 at 12:22 PM

Jakub Skoczen August 26, 2024 at 7:41 AM

Michelle Suranofsky August 23, 2024 at 12:42 PM

Jakub Skoczen August 23, 2024 at 11:22 AM

Details

Assignee

Reporter

Labels

Priority

Development Team

Parent

Fix versions

RCA Group

TestRail: Cases

TestRail: Runs

Flag notifications

Something's gone wrong