liquibase-core contains vulnerable UI libraries.

Description

During our software builds we perform vulnerability checking using this: https://jeremylong.github.io/DependencyCheck/dependency-check-maven

It has highlighted the following vulnerabilities in the embedded UI libraries jquery and bootstrap (in liquibase/sdk/watch).

[ERROR] liquibase-core-3.6.3.jar: bootstrap.js: CVE-2018-14042, CVE-2019-8331, CVE-2018-14041, CVE-2018-14040
[ERROR] liquibase-core-3.6.3.jar: bootstrap.min.js: CVE-2018-14042, CVE-2019-8331, CVE-2018-14041, CVE-2018-14040
[ERROR] liquibase-core-3.6.3.jar: jquery-1.11.0.min.js: CVE-2015-9251, CVE-2019-11358

Would it be possible to either:

  • upgrade to the latest versions (but new vulnerabilities will always appear)
  • remove them from the jar
  • remove them from the jar and move to another optional jar
Each vulnerability can be found at https://nvd.nist.gov/ for example:
https://nvd.nist.gov/vuln/detail/CVE-2018-14042/
For anyone else who uses the dependency checker (>5.0.0), these suppressions will eliminate the errors.

<suppress>
    <notes><![CDATA[
    file name: liquibase-core-3.6.3.jar: bootstrap.js
    reason: These are UI libraries embedded in liquibase. We do not use any UI in liquibase.
    ]]></notes>
    <sha1>93d7f31e5f733516785f23efbc16578cafa992ed</sha1>
    <cve>CVE-2018-14040</cve>
    <cve>CVE-2018-14041</cve>
    <cve>CVE-2018-14042</cve>
    <cve>CVE-2019-8331</cve>
</suppress>
<suppress>
    <notes><![CDATA[
    file name: liquibase-core-3.6.3.jar: bootstrap.min.js
    reason: These are UI libraries embedded in liquibase. We do not use any UI in liquibase.
    ]]></notes>
    <sha1>9933cdc70c0047a3ea1a196f9320c36737b93c2a</sha1>
    <cve>CVE-2018-14040</cve>
    <cve>CVE-2018-14041</cve>
    <cve>CVE-2018-14042</cve>
    <cve>CVE-2019-8331</cve>
</suppress>
<suppress>
    <notes><![CDATA[
    file name: liquibase-core-3.6.3.jar: jquery-1.11.0.min.js
    reason: These are UI libraries embedded in liquibase. We do not use any UI in liquibase.
    ]]></notes>
    <sha1>2439711705752fac5dd1a6a8d6b1be63ffcbc76d</sha1>
    <cve>CVE-2015-9251</cve>
    <cve>CVE-2019-11358</cve>
</suppress>
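The suppressions above are keyed by the sha1 of the exact file inside the jar, which is what makes them safe to use: after an upgrade of liquibase-core the bytes change, the rules stop matching, and the scanner reports the CVEs again instead of silently hiding a newer vulnerable copy. The flip side is that stale rules accumulate unnoticed. The following script is an added example, not part of this issue, of Liquibase or of DependencyCheck: it hashes every entry in a jar and reports which sha1-keyed rules still match an entry and which no longer match anything. The sample jar and its bootstrap/jquery contents are constructed stand-ins; the suppression file uses a bare `<suppressions>` root (the tool's real files carry an xmlns, which the parser tolerates), and the jquery hash is the one quoted in this issue, so it cannot match the stand-in and is reported as stale.

```python
"""Audit DependencyCheck sha1 suppressions against the jar they target.

Added example; not part of this issue, of Liquibase or of DependencyCheck.
A <sha1> suppression is bound to the exact bytes of one file inside the jar,
so after an upgrade the rule stops matching and the CVEs are reported again.
This script reports which rules still match an entry and which are stale.
"""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile


def sha1_index(jar_bytes: bytes) -> dict:
    """Map sha1 hex digest -> entry path for every file in the jar (a jar is a zip)."""
    index = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.is_dir():
                index[hashlib.sha1(jar.read(info)).hexdigest()] = info.filename
    return index


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ('{uri}suppress' -> 'suppress')."""
    return tag.rsplit('}', 1)[-1]


def parse_suppressions(xml_text: str) -> list:
    """Return [(sha1, [cve, ...], notes)] for every <suppress> rule carrying a <sha1>."""
    rules = []
    for sup in ET.fromstring(xml_text).iter():
        if _local(sup.tag) != 'suppress':
            continue
        sha1, cves, notes = None, [], ''
        for child in sup:
            name = _local(child.tag)
            text = (child.text or '').strip()
            if name == 'sha1':
                sha1 = text.lower()
            elif name == 'cve':
                cves.append(text)
            elif name == 'notes':
                notes = text
        if sha1:
            rules.append((sha1, cves, notes))
    return rules


def audit(jar_bytes: bytes, xml_text: str) -> dict:
    """Return {sha1: matched entry path or None} for each sha1-keyed rule."""
    index = sha1_index(jar_bytes)
    return {sha1: index.get(sha1) for sha1, _, _ in parse_suppressions(xml_text)}


# --- constructed sample data (stand-ins, not the real liquibase-core jar) ---
BOOTSTRAP_JS = b"/* constructed stand-in for bootstrap.js */\n"
JQUERY_JS = b"/* constructed stand-in for jquery-1.11.0.min.js */\n"
BOOTSTRAP_SHA1 = hashlib.sha1(BOOTSTRAP_JS).hexdigest()
# Hash quoted in the issue for the real jquery-1.11.0.min.js; it cannot match
# the stand-in above, so that rule is reported as stale.
ISSUE_JQUERY_SHA1 = "2439711705752fac5dd1a6a8d6b1be63ffcbc76d"


def sample_jar() -> bytes:
    """Build an in-memory jar with the two UI files under liquibase/sdk/watch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as jar:
        jar.writestr('META-INF/MANIFEST.MF', 'Manifest-Version: 1.0\n')
        jar.writestr('liquibase/sdk/watch/bootstrap.js', BOOTSTRAP_JS)
        jar.writestr('liquibase/sdk/watch/jquery-1.11.0.min.js', JQUERY_JS)
    return buf.getvalue()


SAMPLE_SUPPRESSIONS = f"""<suppressions>
  <suppress>
    <notes><![CDATA[file name: liquibase-core-3.6.3.jar: bootstrap.js
reason: UI library embedded in liquibase; no UI is used.]]></notes>
    <sha1>{BOOTSTRAP_SHA1}</sha1>
    <cve>CVE-2018-14040</cve>
    <cve>CVE-2018-14041</cve>
    <cve>CVE-2018-14042</cve>
    <cve>CVE-2019-8331</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[file name: liquibase-core-3.6.3.jar: jquery-1.11.0.min.js
reason: UI library embedded in liquibase; no UI is used.]]></notes>
    <sha1>{ISSUE_JQUERY_SHA1}</sha1>
    <cve>CVE-2015-9251</cve>
    <cve>CVE-2019-11358</cve>
  </suppress>
</suppressions>
"""


def sample_report() -> dict:
    """Run the audit on the constructed jar and suppression file."""
    return audit(sample_jar(), SAMPLE_SUPPRESSIONS)


if __name__ == '__main__':
    report = sample_report()
    for sha1, cves, _ in parse_suppressions(SAMPLE_SUPPRESSIONS):
        path = report.get(sha1)
        state = f"matches {path}" if path else "STALE: matches no entry, remove or re-hash"
        print(f"{sha1}  {', '.join(cves)}  ->  {state}")
```

Run against the real liquibase-core-3.6.3.jar and your own suppressions.xml, `sha1_index` and `audit` work unchanged; only the sample data is constructed. A rule reported as stale after a version bump is the scanner telling you the file changed, which is exactly when the CVE list for it needs to be re-reviewed rather than re-suppressed.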
Environment

production

Status

Assignee

Unassigned

Reporter

Mark Jeffrey

Labels

None

Affects versions

3.6.3

Priority

Major